Jul 05, 2021

What Is Business Email Compromise + Why and How to Prevent It

Many of us rely on email to conduct both personal and professional (business) communication. Unfortunately, since email scams have existed for as long as email addresses have, there are people out there that will do anything to exploit that. One such type of scam is a business email compromise attack.

Organizations and security leaders tirelessly work to stop certain types of scams or attacks, but cybercriminals will always try to stay one step ahead of security controls. Fortunately, there are steps and ways to keep these cybercriminals away from our organizations. 

This article will cover what business email compromise is, how it happens, why you need to prevent it, and how to detect and stop these types of attacks. 


What Is Business Email Compromise?

Business email compromise (BEC) is a scam in which cybercriminals target individuals and businesses, gain their trust, and get money transferred from the victim's bank account into accounts the attackers control. BEC attacks are at the top of every list of the most financially damaging online crimes. On average, these crimes cost companies hundreds of thousands of dollars.

Over the years, these attacks have grown in sophistication. And rather than targeting companies directly, attacks now target:

  • Customers
  • Suppliers
  • HR departments
  • Related accountants
  • Law firms
  • Tax authorities
  • ISPs.

Additionally, cybercriminals have successfully gained control of millions of dollars worth of hardware and equipment, fraudulently purchased gift cards, and diverted tax returns with BEC attacks.

How Does Business Email Compromise Happen?

Generally, a BEC attack is an impersonation attack, in which the attacker relies on social engineering to trick people. Unfortunately, traditional threat detection solutions that analyze links, email headers, and metadata usually miss these attack strategies, because a well-crafted BEC email often carries no malicious link or attachment at all. This makes a BEC attack incredibly difficult to prevent.

The criminals do not even need advanced tools or expertise in the victim's field to carry out an attack. Success depends only on the attacker's skill and motivation.

Types of BEC

The types of BEC attacks that can occur are typically the following:

  • CEO fraud — The attacker impersonates the executive or the CEO of a company and connects with an employee in the finance or accounting department. They proceed to ask for a transfer of funds to a fraudulent account.
     
  • Lawyer impersonation — The attacker poses as a lawyer or legal representative, either over the phone or through email. In this scenario, the common target is a lower-level employee who may not have the knowledge or experience necessary to recognize a fraudulent legal request.
     
  • Data theft — HR personnel are the attacker’s target in this case. Attackers obtain personal information about the CEO or other high-ranking executives and use this data for future attacks, as with CEO fraud.
     
  • Email account compromise — An employee’s email account is hacked by an attacker and used to request payments from different vendors. The money is then transferred into the attacker’s fraudulent account.
     
  • Vendor email compromise — In these cases, companies who collaborate with foreign suppliers are common targets. The attackers pose as suppliers to request payment for a fake invoice. The money is then transferred to a fraudulent account.
     
  • Phishing and / or email spoofing — Attackers typically forge the sender address by using slight variations of legitimate email addresses (adding or omitting one letter) in the From, Sender and / or Reply-To headers, so that the victim does not notice the difference. They fool the victim into believing the fake account is authentic and can then either gather data about the organization or request payments.

Phases of BEC

There are different phases that a cybercriminal goes through when attempting BEC attacks:

Phase one: Research to identify the target(s)

Attackers spend weeks, sometimes even months, gathering any information on their victims (names, titles, travel plans, organizational management structure) from social media, websites, and the dark web. A profile on the victim (individual or organization) is then created.

ISPs are especially exposed to these types of attacks because of their large customer bases, and they have to treat both their own business and their customers with extra care.

Phase two: Set up the attack

BEC attacks manage to come across as believable and legitimate because the attackers perform activities such as impersonating trusted vendors, creating lookalike domains, spoofing email addresses, or taking over a legitimate account of a victim’s manager or colleague.

Phase three: Execute the attack

The attack can occur in one email or an email thread, depending on the attacker’s thoroughness. This communication strategy often consists of urgency, persuasion, and authority to gain the victim’s trust. The attacker is then free to provide wire instructions to their victim to make payments into a fraudulent account.

Phase four: Scatter payments

Once the money reaches the attacker’s account, it is quickly collected and scattered into multiple accounts to reduce chances of retrieval and traceability. At this point, if organizations are slow to identify a BEC attack, the money will likely not be recovered.

Why You Need to Prevent BEC

As was previously mentioned, if BEC attacks are not identified promptly, the money the victim loses is no longer recoverable. Not only that, but seeing as how attackers have upped the ante, money is not the only thing the victim may lose.

Instead of acting only after an attack has occurred, one of the most useful and cost-effective things to do is to educate employees and deploy internal prevention techniques. Focus on frontline staff, since they are in the exposed position of receiving these kinds of attacks.

How to Detect and Prevent Business Email Compromise Attacks

It is very important to create awareness about BEC in an organization. BEC attacks are a very significant threat to organizations of all sizes, and anyone can fall victim to an attack. By combining prevention strategies such as email security measures with education and best practices, you can help your organization avoid BEC attacks.

Detecting BEC Attacks

Awareness is key in detecting BEC attacks. Below are a few ways to keep attacks at bay:

  • Implement a comprehensive awareness program — This program should be geared towards employees, and it should spell out the details of a BEC attack. It should train users to recognize potentially malicious emails, identify any suspicious requests, and, most importantly, teach employees not to reply to potentially risky emails under any circumstances.
     
  • Set up rules to flag keywords and detect suspicious URLs — Flagging keywords that are common in fraudulent emails (like “urgent”, “payment”, “secret”, or “sensitive”) can be done by creating specific rules, either in your current mail server or in an external email gateway placed in front of it. For suspicious URLs, you can use a URL blacklist service, such as Axigen’s aURIBL.
     
  • Make HR teams aware of attacks — By paying extra attention to job descriptions, organizational charts, and out-of-office details, all of which can be used to facilitate attacks, employees can detect an attack early on.
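One way to implement the header checks described in the “Phishing and / or email spoofing” item above together with the keyword rule from this list, as an added Python example that is not Axigen’s code: it screens a single message for a one-letter lookalike sender domain, a Reply-To pointing somewhere other than the From domain, and the pressure keywords the article lists. The trusted-domain allow-list and the sample message are constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumed allow-list of the organisation's own and known-supplier domains.
TRUSTED_DOMAINS = {"example.com", "supplier-example.net"}
# Pressure words the article lists as common in fraudulent mail.
PRESSURE_WORDS = ("urgent", "payment", "secret", "sensitive")

def one_char_apart(a: str, b: str) -> bool:
    """True if a and b differ by exactly one added, dropped or swapped character."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))

def domain_of(header_value) -> str:
    """Lower-cased domain part of an address header ('' when the header is absent)."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def screen_message(raw: str) -> list:
    """Return human-readable BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    from_domain, reply_domain = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = []
    if from_domain not in TRUSTED_DOMAINS:  # a trusted domain cannot be its own lookalike
        for trusted in sorted(TRUSTED_DOMAINS):
            if one_char_apart(from_domain, trusted):
                findings.append(f"lookalike sender domain {from_domain} (resembles {trusted})")
    if reply_domain and reply_domain != from_domain:  # replies silently go elsewhere
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""
    hits = [w for w in PRESSURE_WORDS if w in body]
    if hits:
        findings.append("pressure keywords in body: " + ", ".join(hits))
    return findings

# Constructed sample: dropped 'e' in the sender domain, off-domain Reply-To, urgency wording.
SUSPICIOUS = """\
From: "Jane Doe - CEO" <jane.doe@exampl.com>
Reply-To: jane.doe.ceo@webmail-example.org
Subject: Urgent wire transfer
Content-Type: text/plain; charset="utf-8"

This is urgent and confidential. Please process the payment today.
"""
```

Calling `screen_message(SUSPICIOUS)` returns three findings; a message from an allow-listed domain with no Reply-To and no pressure words returns an empty list.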

Preventing BEC Attacks

On top of awareness techniques to detect BEC attacks, we can also prevent them in multiple ways:

  • Guard your domain name against spoofing — Domain spoofing is a very real and common security concern, and companies should prioritize it. Just as with phishing or email spoofing, attackers are able to register a domain that is almost identical to the organization’s by adding or omitting a character. Clients or the public most likely won’t be able to detect a copycat website. Organizations can and should register as many domains as possible that are slightly different from the company domain, to avoid domain phishing and minimize the risk of email spoofing.
     
  • Do not overshare on social media — Be careful what you post on social media. Security leaders should also advise employees to do the same. Attackers can appropriate seemingly innocent, private information (birth dates, places of residence, favorite foods) to personalize their attacks.
     
  • Use two-factor authentication — There are many options to choose from to help with an added layer of security (such as Google Authenticator). A password and another form of verification are needed in this case, especially when dealing with sensitive information. These tools work on desktop devices, as well as phones and other similar devices. 
     
  • Use strong password policies — Besides using strong passwords, you must require frequent password changes from your employees.
     
  • Establish strict processes for wire transfers — Before acknowledging a wire transfer request, verify the vendor’s identity and the authenticity of their invoices. Confirm this information either in-person or on the phone with an already established phone number. Do not trust the number on the invoice.
     
  • Make sure your mail server / provider is properly secured and analyzes all inbound email traffic — Mail servers support email authentication techniques that use DNS records to validate the sender of an email. With options such as Axigen’s Mail Server Security Features, you not only get authentication support, which reduces the risk of unauthorized connections, but also encryption of data in transit over networks, and much more.
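The DNS-based authentication records such servers consult are SPF and DMARC. As an added Python example (not part of the article or of Axigen’s product), the following audits a domain’s two TXT records and reports settings that leave a forged From domain deliverable, showing a permissive pair beside a hardened pair. The record values and domain names are constructed.

```python
# Constructed TXT records for a hypothetical domain: a weak pair beside a hardened pair.
RECORDS = {
    "weak": ("v=spf1 include:_spf.mailhost-example.net +all",
             "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    "hardened": ("v=spf1 mx include:_spf.mailhost-example.net -all",
                 "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@example.com"),
}

def spf_findings(record: str) -> list:
    """Weaknesses in an SPF TXT record that let mail from unlisted hosts through."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no SPF record: receivers cannot tell authorised sending hosts from forgers"]
    # The 'all' mechanism, with its qualifier, decides what happens to unlisted hosts.
    all_term = next((t.lower() for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted hosts get a neutral result instead of a fail"]
    if all_term in ("all", "+all"):
        return ["+all: every host on the Internet is authorised to send as this domain"]
    if all_term == "~all":
        return ["~all (softfail): receivers may still deliver mail from unlisted hosts"]
    return []

def dmarc_findings(record: str) -> list:
    """Weaknesses in a DMARC TXT record that stop receivers from enforcing the policy."""
    tags = {}
    for kv in record.split(";"):
        if "=" in kv:
            key, value = kv.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: SPF/DKIM results are never tied to the visible From domain"]
    findings = []
    policy = tags.get("p", "")
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: forged mail is reported or quarantined, not rejected")
    if tags.get("sp", policy) != "reject":  # sp defaults to p when absent
        findings.append("subdomain policy is weaker than reject: lookalike subdomains can be spoofed")
    if int(tags.get("pct", "100")) < 100:
        findings.append("pct below 100: policy is applied to only part of the failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports of spoofing attempts")
    return findings

def audit_domain_records(spf: str, dmarc: str) -> list:
    """Combined list of weak settings for one domain's SPF and DMARC records."""
    return spf_findings(spf) + dmarc_findings(dmarc)
```

`audit_domain_records(*RECORDS["weak"])` reports the `+all` and `p=none` settings; the hardened pair produces no findings.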

Other Types of Phishing Attacks

Phishing attacks, along with BEC attacks, often take advantage of topics that are of interest to people or in the news. During the pandemic in 2020, cyberattacks increased by 30%, many of them email scams. 2020 also brought losses for government agencies and medical facilities looking to purchase equipment: to their unfortunate surprise, the equipment did not exist, and their money was gone.

Email is not the only route for BEC attackers. SMS, Viber, and WhatsApp are all common channels for these types of attacks. A real-world story of a person who fell for a phishing scam truly showcases the dangers of these attacks. A few seconds of not paying attention could end up costing you a fortune.

Don’t Be Compromised — Stay Secure!

Empower employees and ensure business longevity by safeguarding an organization’s finances and privacy. A compromised email system can seriously damage business interests. BEC attacks can go undetected for a while before an attacker decides to strike. That is why it is important to detect and protect your organization and your employees.

With Axigen, you have total privacy and total control of your entire organization’s confidential data. You can keep BEC attacks in check without having to worry about the secure reception, transit, and delivery of your email. Make sure to check out the security features our mail server offers if you haven’t, as well as our blog for all things email.