What is BEC? Explaining business email compromise attacks
Business email compromise (BEC), a type of targeted phishing attack, is on the rise. This type of attack is known for targeting employees with realistic-looking phishing emails to access their accounts and get confidential information. Let’s find out more about BEC, how it works, and ways to protect your organization.
What is a business email compromise (BEC)?
A business email compromise (BEC) attack is a phishing attack where cybercriminals target businesses and their employees by sending fake communication. They deceive victims into sending money or divulging confidential details. Attackers do this by deploying social engineering tricks. They pose as trusted figures – a boss, a regular vendor, or a senior specialist in the office – and send emails that appear to come from legitimate and known sources.
BEC attacks can be hard to spot because of several reasons:
- BEC emails seldom have any malicious links, malware, or suspicious email attachments.
- These emails target specific individuals in the organization.
- The emails are personalized to ensure the intended victim does not pay much attention to the subtle markers that differentiate a phishing email from a normal one.
How do BEC attacks work?
While most phishing emails send out a generic message designed to trick a large number of people, BEC targets people at an individual level. These emails are less technical and more psychological. BEC attackers pretend to be someone with power or authority within a company or an external partner of that company.
Attackers disguise their emails in several ways:
- Email spoofing: Attackers configure their email account so that the sender details mimic a trusted contact in the victim’s contact list. For instance, an employee who regularly receives mail from a particular address may not look twice at a message that appears to come from it, even when the request it carries is a confidence trick.
- Compromised accounts: Attackers gain access to legitimate email accounts through phishing scams or malware. They send emails from the compromised account to access sensitive information or request payments. Since the emails come from a trusted account, the requests seem genuine.
- Lookalike domains: Attackers register domains that closely resemble the target’s domain, and recipients may not notice the subtle differences. Hackers can also host a website on a lookalike domain and trick victims into entering their login credentials.
Types of business email compromise attacks
These are some of the most frequent BEC attacks delivered through an email or an email attachment:
CEO fraud
CEO fraud happens when attackers hack or spoof a CEO or CFO’s email account to take advantage of the power dynamics in a company. They send an email instructing an employee to take an urgent action. For example, they may send an email with the subject “Pay this bill,” spoofing the CFO’s email with an attachment of a fake overdue bill. Since the email appears to be from a C-suite executive, the recipient is likely to comply with the request.
Data theft
Cybercriminals target people with access to a company’s confidential information, such as the HR department. They may pose as the CEO or a trusted vendor and request information like employees’ phone numbers and email addresses. They may also ask for the company’s financial data as well as information about tenders, business partners, and clients. When hackers breach a company’s data, it’s then easier for them to carry out more BEC scams.
Invoice and vendor impersonation scams
In invoice scams, cybercriminals pose as legitimate vendors and suppliers. They may gain access to the email accounts of authentic vendors or consultants or use email spoofing tactics to send fake invoices. These invoices closely mimic originals. However, they may share fraudulent bank accounts, or the vendor name may be changed. Upon enquiry, attackers may claim that their bank is being audited or they have a new subsidiary.
Usually, they target large organizations with a huge inflow of monthly invoices from multiple vendors.
In this type of BEC scam, cybercriminals match the language and structure to what the victim is accustomed to. However, they add words like “quick,” “urgent,” “important,” “as soon as possible,” or “pay via this link” to get the recipients to act quickly.
What are the signs of BEC?
BEC scams are often simple emails that Gmail security may not mark as spam. However, there are ways to spot and prevent them.
- Unusual payment requests: BEC attacks use subject lines that imply urgency for making a payment. These payment requests generally appear to come from CEOs and other high-level executives, but they can also appear to come from vendors. Always double-check payment requests and email account details to verify authenticity.
- Discrepancies in email communication: Always be vigilant about the email’s timing and content. Some of the common phrases BEC attackers use are:
  - “Please process this wire transfer today.”
  - “I need you to complete a task for me discreetly.”
  - “Share your phone number; I need your help with a task.”
  - “Purchase gift cards and send the codes ASAP.”
Look out for email messages that hint at urgency, request help, offer the promise of individual gain, or use an authoritative tone of voice.
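The disguises and warning signs above (a lookalike sender domain, a Reply-To that differs from the visible sender, and the urgency phrases listed) can be checked mechanically. The screening heuristic below is an added example, not code from the original article; the sample message, the trusted-domain allow-list, the homoglyph rules and the edit-distance threshold are all assumptions chosen for illustration.

```python
import email
from email import policy, utils
# Constructed sample (not a real capture): the sender domain imitates the trusted
# vendor domain ("rn" for "m"), the Reply-To differs, and the text pushes urgency.
SAMPLE_EMAIL = """\
From: "Accounts, Acme Supplies" <billing@acrne-supplies.example>
Reply-To: acme.billing@free-mailbox.example
Subject: Pay this bill - urgent

Please process this wire transfer today. Our bank is being audited,
so use the new account details in the attached invoice.
"""
TRUSTED_DOMAINS = {"acme-supplies.example", "victim.example"}  # assumed allow-list
URGENCY_PHRASES = ["urgent", "as soon as possible", "asap", "wire transfer today",
                   "discreetly", "gift cards", "pay via this link"]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character domain edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    # Undo common homoglyph swaps ("rn" for "m", "0" for "o", "1" for "l").
    norm = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None

def screen_message(raw: str) -> list:
    """Return the BEC markers found in one RFC 822 message, as readable strings."""
    msg = email.message_from_string(raw, policy=policy.default)
    sender = utils.parseaddr(str(msg["From"]))[1].lower()
    reply_to = utils.parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    text = (str(msg["Subject"]) + " " + msg.get_body(("plain",)).get_content()).lower()
    findings = [f"urgency phrase: '{p}'" for p in URGENCY_PHRASES if p in text]
    imitated = lookalike_of(sender.rpartition("@")[2])
    if imitated:
        findings.append(f"lookalike domain: {sender} resembles {imitated}")
    if reply_to and reply_to != sender:
        findings.append(f"reply-to mismatch: {reply_to} != {sender}")
    return findings
```

Running `screen_message(SAMPLE_EMAIL)` reports all three markers for the constructed message and nothing for a plain invoice from a trusted domain; in practice such findings feed a review queue rather than an automatic block, since legitimate mail also uses words like "urgent".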
Examples of BEC attacks
These BEC attacks defrauded big tech companies of millions of dollars.
- Ubiquiti – Vendor fraud of $46.7 million: Cybercriminals posed as legitimate vendors and sent payment requests through an employee’s email. They got the company’s finance department to approve invoices, and the money flowed into overseas accounts. Ubiquiti only learned about the fraud after being notified by the United States Federal Bureau of Investigation.
- Facebook and Google – Vendor fraud of $100 million: A 50-year-old Lithuanian, Evaldas Rimasauskas, tricked Facebook and Google into making payments for non-existent computer supplies. Rimasauskas impersonated Quanta Computer, a Taiwanese electronics manufacturer, to send fake invoices from 2013 to 2015. He moved the funds to bank accounts around the world, including in Latvia, Hong Kong, Lithuania, Cyprus, Hungary, and Slovakia.
- Snapchat – Payroll information breach: In a BEC phishing scam, attackers impersonated the email of Snapchat’s CEO Evan Spiegel, and payroll information was exposed to the outside world, compromising employee identities.
Why are BEC attacks dangerous?
BEC attack dangers range from financial loss to irreparable reputational damage. Because these attacks exploit people’s built-in trust in business communications, the consequences of a successful attack can be severe.
- Financial loss: According to the FBI IC3 report, BEC attacks led to financial losses of $2.7 billion in 2022. The report also found that fraudsters frequently target custodial accounts of cryptocurrency exchanges.
- Data breach: BEC attacks that steal financial and personal information can lead to legal and financial implications. Not only does the victim company lose its reputation, but it may also have to deal with compensating the people whose information is leaked.
- Damaged professional relationships: A BEC attack can easily strain a company’s relationship with suppliers, customers, and employees. Being tricked into sending payments or sharing sensitive data is seen as a sign that the company cannot protect its assets and customer information.
How to protect against BEC
As sophisticated as BEC attacks may be, you can prevent them using various strategies.
- Always be suspicious: Forward suspicious emails to the IT department so they can check whether your email account has been compromised. Also, use another channel, such as chat or a phone call, to verify the request with the sender.
- Deploy machine learning algorithms: With a high enough budget, companies can leverage ML analysis to identify bot activity, unusual requests, and atypical traffic patterns.
- Use anti-phishing software: NordVPN offers an anti-phishing solution that flags suspicious content.
- Multi-factor authentication: One of the benefits of multi-factor authentication is that it prevents suspicious sign-in attempts to email accounts. It adds an additional security layer where users receive a code to access the account.