Jane, the finance manager, receives an urgent email from her “CEO” asking to transfer funds for a critical project. Trusting the familiar address, she sends the money. Later, Jane discovers the email was a spoof; the real CEO never sent it. The funds were gone, stolen by scammers. Jane has just become a victim of a BEC attack. If only she knew how to prevent business email compromise from happening…
Business Email Compromise (BEC) is a sophisticated type of cybercrime where attackers manipulate or gain unauthorized access to a business email account to defraud the company or its partners. These attacks are often financially motivated, with cybercriminals targeting organizations of all sizes.
FBI statistics estimate that BEC scams have cost $50 billion across 7 years. BEC attacks have evolved over time, with criminals employing various tactics to deceive employees into transferring funds or revealing sensitive information.
Business email compromise works through a combination of social engineering and technical tactics. Typically, attackers start by researching their targets, often using publicly available information like company websites, social media profiles, and online directories. Once they have identified a target, they might use phishing emails to gain access to a legitimate business email account or spoof the email address to make it look authentic.
Once inside, the attacker observes email communications, waiting for the right moment to strike. For example, they might intercept a conversation about an upcoming payment or invoice and then send a fraudulent email from the compromised account, instructing the recipient to transfer funds to a different bank account controlled by the attacker. This method is particularly effective because it leverages the trust and familiarity of internal communications.
This is the business email compromise playbook in a nutshell.
BEC attacks employ a variety of tactics to deceive their victims. One common method is the "CEO fraud," where attackers impersonate a company executive and send urgent requests for fund transfers to the finance department. Another tactic is the "account compromise," where cybercriminals gain access to an employee's email account and use it to request payments from customers or partners.
Attackers might also use "phishing" to gather login credentials or "spoofing" to create email addresses that closely resemble legitimate ones. The FBI has noted an increase in BEC cases, with criminals constantly refining their techniques to outsmart even the most vigilant organizations.
While Business Email Compromise (BEC) and Email Account Compromise (EAC) are related, they are not the same thing. BEC specifically refers to attacks where the primary goal is to defraud a business by manipulating email communications, often involving financial transactions. On the other hand, EAC involves the unauthorized access of an email account, which may be used for various malicious purposes, including BEC.
In a BEC attack, the emphasis is on the business context, targeting employees responsible for handling payments or sensitive information. EAC can be broader, affecting personal or professional accounts and leading to a wide range of cybercrimes, including identity theft and further phishing attacks.
BEC attacks come in several forms, each with its unique approach and risks. Some of the most common types include:
CEO Fraud: Attackers impersonate a high-level executive, often the CEO, to authorize urgent wire transfers or share sensitive information.
Invoice Scams: Cybercriminals intercept or spoof vendor emails, altering payment details on legitimate invoices to divert funds.
Account Compromise: An employee's email account is hacked, and the attacker uses it to request payments or sensitive data.
Attorney Impersonation: Criminals pose as a lawyer or legal representative, often during times of high-stakes transactions, to trick victims into sending money.
These attacks are highly effective because they exploit trust and often appear legitimate to the unsuspecting victim, which makes it hard to know how to prevent business email compromise attacks. However, with a little practice, you can learn how to spot them.
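The spoofing, CEO-fraud and invoice-scam patterns described above can be turned into simple triage rules. The following is an added example, not part of the original article: it checks a message's From, Reply-To and Subject headers for an executive display name on an outside domain, a lookalike sender domain, a Reply-To that points somewhere else, and urgent payment language. The domain, executive names and sample messages are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

ORG_DOMAIN = "example.com"          # constructed: the company's real mail domain
EXECUTIVES = {"sam lee"}            # constructed: display names attackers like to borrow
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|wire transfer|bank details|new account)\b", re.I)


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if absent."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain: str, ref: str = ORG_DOMAIN, threshold: float = 0.8) -> bool:
    """True when the domain is close to, but not equal to, the reference domain."""
    if not domain or domain == ref:
        return False
    return SequenceMatcher(None, domain, ref).ratio() >= threshold


def triage(headers: dict) -> list:
    """Return a list of BEC warning flags for one message (empty list = nothing found)."""
    flags = []
    name, sender = parseaddr(headers.get("From", ""))
    sender_domain = domain_of(sender)
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    reply_domain = domain_of(reply_to)

    # CEO fraud: a known executive's name, but the mail comes from outside the company.
    if name.strip().lower() in EXECUTIVES and sender_domain != ORG_DOMAIN:
        flags.append("executive display name on external domain")
    # Spoofing: a domain that visually resembles ours (e.g. a digit swapped for a letter).
    if is_lookalike(sender_domain):
        flags.append(f"lookalike sender domain {sender_domain}")
    # Replies quietly redirected to an account the attacker controls.
    if reply_domain and reply_domain != sender_domain:
        flags.append(f"reply-to domain {reply_domain} differs from sender")
    # Invoice scams and urgent wire requests share a small vocabulary.
    if URGENCY.search(headers.get("Subject", "")):
        flags.append("urgent payment language in subject")
    return flags


# Constructed sample messages covering the attack types described in the article.
SAMPLES = {
    "ceo_fraud": {"From": "Sam Lee <sam.lee@gmail.com>", "Subject": "Urgent wire transfer"},
    "invoice_scam": {"From": "Billing <ap@examp1e.com>", "Subject": "Updated bank details"},
    "reply_redirect": {"From": "Sam Lee <sam.lee@example.com>",
                       "Reply-To": "sam.lee.ceo@outlook.com", "Subject": "Do this immediately"},
    "legitimate": {"From": "Sam Lee <sam.lee@example.com>", "Subject": "Lunch on Thursday"},
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        print(label, "->", triage(msg) or "no flags")
```

Rules like these are a first filter for a mail gateway or SOC triage queue, not a replacement for the out-of-band payment verification the article recommends.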
According to the FBI, BEC is a growing threat, with billions of dollars lost annually due to these schemes. This underscores how crucial it is for companies to know how to prevent Business Email Compromise.
How to prevent BEC attacks? Here are some key steps to protect your organization:
Implement Multi-Factor Authentication (MFA): Adding an extra layer of security makes it harder for attackers to gain access to email accounts.
Conduct Regular Training: Employees should be trained to recognize phishing emails and the tactics used in BEC attacks. Regular training helps keep security top of mind.
Verify Payment Requests: Always verify the legitimacy of payment requests, especially those involving changes to bank details, through a secondary communication channel like a phone call.
Respond Quickly: If a BEC attack is suspected, initiate a Business Email Compromise response protocol immediately. This may include contacting law enforcement, such as the FBI, which investigates BEC cases and can provide assistance.
Consider Liability and Costs: Understand the cost of Business Email Compromise and who may be liable in case of a breach. This includes considering cybersecurity insurance and legal implications.
What do you do if you have fallen victim to a business email compromise attempt? File a complaint with FBI’s IC3 portal so that they can aid you in possible recovery efforts.
Apart from these steps, businesses can significantly reduce the risk of falling victim to BEC scams by training their employees with game-based security awareness training.
Regularly review and update your cybersecurity policies and protocols to ensure they address the latest BEC tactics. They go a long way in establishing a company-wide culture for how to prevent business email compromise attempts.
This BEC checklist sums up everything you need to know:
The preventive measures to take:
How to respond to BEC attempts:
How to ensure that a BEC attack doesn't compromise your systems: