Business Email Compromise - Attacks Are on the Rise

$43 billion - That's how much the FBI estimates has been lost to Business Email Compromise (BEC) attacks between 2016 and 2021. What's more, the FBI states that BEC attacks are 64 times more destructive for businesses than ransomware attacks.

BEC attacks are the most expensive cyberattack businesses face today, and worryingly, they're on the rise. Today, more than 70% of organizations have experienced a BEC attack. However, many people are still unsure what exactly a Business Email Compromise attack is or how it works. To protect against these increasingly severe attacks, knowing what they look like and how they occur is essential. With this in mind, let's dive into everything you need to know about Business Email Compromise attacks.

What is a Business Email Compromise Attack?

Business Email Compromise (or BEC) is a type of scam, or more specifically, a phishing attack, where a bad actor targets a business to defraud the company. Typically, the attacker will try to trick an employee, often a senior executive or budget holder, into transferring funds or revealing sensitive information.

Businesses of any size can fall victim to a BEC attack, and BEC scams increasingly target small businesses. In other words, no company is safe.

How Do BEC Attacks Work?

While traditional phishing scams rely on general wording to trick a small percentage of the hundreds or potentially thousands of recipients, BEC attacks work differently.

In a BEC attack, the messaging is targeted directly at an individual or small group within an organization and tailored to encourage the recipient to take action. These emails are often persuasive because they appear to come from someone in authority or a trusted external partner. Usually, the attacker will impersonate a high-ranking person within the organization or partner company to further motivate the victim into carrying out the malicious request.

Attackers can impersonate trusted entities in multiple ways. This can include domain spoofing, lookalike domains, and through compromised accounts. With domain spoofing, the attacker fakes an email domain to fool users into believing the email comes from a trusted source. Alarmingly, around 3.1 billion domain spoofing emails are sent every day.

Similarly, lookalike domains take advantage of characters that people can easily confuse. For example, "" (legitimate) vs. "" (lookalike). These changes can be challenging to spot because our brains often see what we expect to see. By contrast, a compromised account is a legitimate account (that comes with specific privileges) that a threat actor has hijacked.

Hackers often follow many proven archetypes when crafting their malicious messages, including:

  • False invoice scheme: Here, attackers impersonate a supplier requesting fund transfers to an account owned by the attacker. This type of attack often targets organizations with many foreign suppliers.
  • CEO Fraud: This is where the attacker poses as the CEO or an executive and sends an email to finance workers requesting money transfers.
  • Account compromise: This is where a hacker takes control of an employee's account, often a senior employee's account, and requests invoice payments to vendors. The money is sent to fraudulent bank accounts.
  • Attorney Impersonation: Here, attackers impersonate an attorney and ask for fund transfers or sensitive information.
  • Data theft: In this attack, the bad actor targets HR or finance workers to obtain sensitive employee information that they can leverage in future attacks.

Why are BEC Attacks Hard to Detect?

Business Email Compromise attacks are often hard to detect for many reasons. They're low in volume, so don't cause unusual spikes in email traffic that can alert security filters to an ongoing attack. Additionally, attackers use IP addresses with a neutral or good reputation when carrying out the attack. If the email comes from a legitimate account, detection is nearly impossible.

How to prevent BEC attacks

Multi-Factor Authentication

Authentication factors are simply a way of confirming your identity when you attempt to sign into an account. Multi-factor authentication (MFA) requires two or more types of authentication before access is granted. The three most common types of authentication factors are:

  • Something you know (knowledge factor): Like a password, security answers, or a memorized PIN.
  • Something you have (possession factor): Like a smartphone, smart card, or a secure USB key (a hardware token).
  • Something you are (inherence factor): Like a fingerprint, retina pattern, or facial recognition.

Typically, MFA systems will use a combination of these authentication factors to achieve a higher level of security.

The bottom line is, MFA makes it harder for cybercriminals to execute successful attacks. For example, suppose an attacker has managed to obtain an employee's username and password. Without MFA, the attacker can log in to that account from anywhere in the world and leverage those account privileges to request sensitive information or fund transfers from the appropriate department. But with MFA, things get more interesting. While the attacker may have login credentials, they're highly unlikely to have access to the employee's smartphone and won't have access to their biometrics. This means attackers stay locked out of corporate accounts.

Train Employees to Recognize BEC Attacks

Adequate cybersecurity training goes a long way to protecting against successful attacks. Employees should know the risks of these attacks and how to identify the telltale signs of a fraudulent email (a sense of urgency, unusual demands, a change in bank details). They should also be trained in who to contact and how to dispose of the attack email so that it can be taken care of properly.

Advanced Email Security Solutions

Modern email security solutions leverage machine learning and artificial intelligence to identify attempts at account compromise, phishing, or luring high-level targets.

Always Verify Before Sending Funds or Data

Attackers rely on creating a false sense of security by impersonating trusted entities. Still, they also try to develop a sense of urgency to encourage the victim to act quickly, so they don't have time to fact-check the details of the message. Therefore, make it standard operating procedure for workers to confirm requests for funds or data through secondary means, like a call or face-to-face meeting.

Final Thoughts

BEC attacks remain one of the most severe types of cyberattacks businesses face today, and yet, they're not as well-known as ransomware or other types of cybercrime. The key to avoiding this type of attack is deploying appropriate security controls, like MFA, and educating employees about the anatomy of BEC attacks.

About the Author: