Business Email Compromise: Examples, Definition, and Safety
It should be no surprise that business email compromise attacks are becoming more common, given the surge in phishing scams. Let’s take a closer look at this popular scheme.
Business email compromise (BEC) is a sophisticated phishing scam that targets businesses and individuals via email to access financial information or other sensitive data.
To help you protect yourself, this article:
- Defines BEC attacks
- Explains who they target and how they work
- Shows business email compromise examples
- Points out safety measures
So, read on to learn how to avoid becoming a BEC attack victim.
Business Email Compromise: Definition and Methods
The goal of a business email compromise attack is to defraud the company. These attacks target businesses of all sizes and industries, making this scam a significant threat to organizations worldwide.
According to the FBI, BEC attacks are rising constantly and have inflicted billions of dollars in losses. Some 64% of companies worldwide report having been affected by hacking attacks at some point, and many of those incidents were BEC attacks.
These scams use social engineering to trick victims into revealing sensitive information, which can lead to intellectual property being disclosed or money being sent to the attacker.
Business email compromise scammers usually spoof the email of a senior executive or another trusted individual within the organization to gain access to valuable resources. Sometimes, attackers even hack into an employee’s email account to carry out their scheme.
There are several common email compromise attacks businesses are exposed to, so let’s take a closer look at how they work.
How BEC Attacks Work
Scammers executing a BEC attack impersonate a higher-ranking company employee or another authority figure the victim is likely to trust.
Attackers often send from other people’s corporate email accounts, leaving two victims behind: the person whose account was hacked and the one who completes the fraudulent request. Sometimes attackers pose as vendors requesting payment and have unsuspecting victims send funds to accounts the attackers control.
Emails sent as part of a BEC attack eventually ask for a payment to an attacker-controlled account or for login credentials, and they stress that the matter is urgent so the victim reacts without checking. Once the victim complies, the scammers have everything they need to commit the crime.
Recognizing Business Email Compromise Attacks
BEC attacks are hard to detect because they typically carry no malware or malicious URLs. Instead, they rely on impersonation and other social engineering techniques to trick people into sharing protected information or authorizing payments. BEC attackers also use domain spoofing or lookalike domains to make their emails appear legitimate.
The best way to spot a BEC scam is to notice that something is off about the sender’s account or the message itself. Pay attention to the following:
- Poor grammar
- Spelling mistakes
- Unusual requests conveying urgency
- Emails containing unsolicited attachments and links
- Sender information that doesn’t match the email address, such as an executive’s name shown on a free webmail address, or a Reply-To that points somewhere other than the From address
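To make the last red flag concrete, here is an added example (not code from the original article) of the header checks a mail filter or triage script can apply. It parses the From and Reply-To headers and flags a protected person’s display name on an untrusted domain, an email address embedded in the display name, a sender domain that typosquats or uses Cyrillic homoglyphs of a trusted domain, and a Reply-To that diverts replies elsewhere. The trusted domain example.com, the protected names, and the sample headers are all constructed for this example.

```python
"""Header heuristics for BEC-style impersonation.

Added example; the trusted domain, protected names and sample headers are
constructed and are not taken from the original article.
"""
import unicodedata
from email.utils import parseaddr
from typing import Dict, List, Optional

TRUSTED_DOMAINS = {"example.com"}                 # assumed corporate domain
PROTECTED_NAMES = {"jane doe", "john smith"}       # assumed CEO / CFO display names

# Cyrillic letters that render like ASCII letters (given as escapes to be explicit).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u04cf": "l",
})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats such as exarnple.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Lower-case, fold Unicode compatibility forms and map homoglyphs to ASCII."""
    d = unicodedata.normalize("NFKC", domain.lower()).translate(HOMOGLYPHS)
    try:
        d = d.encode("idna").decode("ascii")      # anything still non-ASCII becomes punycode
    except UnicodeError:
        pass
    return d


def is_trusted(domain: str) -> bool:
    """Exact trusted domain or one of its subdomains, compared on the raw string."""
    d = domain.lower()
    return any(d == t or d.endswith("." + t) for t in TRUSTED_DOMAINS)


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this sender domain imitates, or None."""
    if not domain or is_trusted(domain):
        return None
    d = normalise_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".")[0]
        # Homoglyph copy, one or two typos, or the brand name reused in another domain.
        if d == trusted or edit_distance(d, trusted) <= 2 or label in d:
            return trusted
    return None


def check_headers(headers: Dict[str, str]) -> List[str]:
    """Return the BEC red flags found in a message's From and Reply-To headers."""
    flags = []
    display, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rsplit("@", 1)[1] if "@" in addr else ""
    # 1. A protected person's name shown on mail that did not come from a trusted domain.
    if display.strip().lower() in PROTECTED_NAMES and not is_trusted(from_domain):
        flags.append(f"display name '{display}' used from untrusted domain {from_domain}")
    # 2. The display name itself is an address that differs from the real sender.
    if "@" in display and display.strip().lower() != addr.lower():
        flags.append(f"display name embeds a different address: {display}")
    # 3. The sender domain imitates a trusted one.
    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"sender domain {from_domain} looks like {imitated}")
    # 4. Replies are silently diverted to another mailbox.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From {addr}")
    return flags


# Constructed sample headers (not real mail).
SAMPLES = {
    "legit": {"From": "Jane Doe <jane.doe@example.com>"},
    "freemail_exec": {"From": "Jane Doe <jane.doe.ceo@gmail.com>",
                      "Reply-To": "jane.doe.ceo@gmail.com"},
    "embedded_addr": {"From": '"jane.doe@example.com" <mailer@evil-host.net>'},
    "typosquat": {"From": "Accounts Payable <ap@exarnple.com>"},
    "homoglyph": {"From": "John Smith <john.smith@\u0435xample.com>"},  # Cyrillic 'е'
    "reply_to": {"From": "Jane Doe <jane.doe@example.com>",
                 "Reply-To": "jane.doe@outlook.com"},
}

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(f"{name:14s} -> {check_headers(hdrs) or ['ok']}")
```

These checks are deliberately cheap and run on headers alone, so they fit a mail gateway rule or a SOC triage script; a genuine message from the corporate domain produces no flags, while each of the other constructed samples trips at least one. A real deployment would also treat a mailbox that passes every check as suspect when the request itself is unusual, since a compromised account (EAC) looks entirely legitimate at the header level.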
There are four phases of the business email compromise attack, and they are:
- Victim identification (email targeting)
- Launching the attack
- Exchange of information
- Financial gain
Victim Identification
In this stage, cybercriminals identify key individuals within the company who have access to confidential information or financial records. Attackers research their targets extensively before launching BEC scams.
They use publicly available information from sources like LinkedIn, Facebook, and Google to obtain sufficient details so they can impersonate upper-level executives in email communication.
Launching the Attack
In this stage, scammers impersonate senior executives to build trust with the victim. They use spear phishing, phone calls, or other social engineering tactics to target workers with access to company finances or confidential information.
Once the victim becomes comfortable communicating with a “superior,” an urgent request for sending sensitive data or wire transfer follows.
Exchange of Information
So what is the purpose of these attacks, and what is BEC actually about? It boils down to data breaches and financial gain. Exchanging information with an unsuspecting victim is the penultimate step in the scheme.
In this stage, an unfortunate worker believes the payment request comes from a high-ranking employee and processes it as a legitimate transaction. By the time the victim realizes what happened, the cybercriminals have usually already obtained the account details they wanted or received the wire transfer.
Financial Gain
BEC scams can be incredibly lucrative for the perpetrators, as they can be used to obtain large sums of money before being detected. In some cases, the scammers may even be able to make off with the entirety of a company’s bank account.
These attacks can have a devastating effect on businesses, both financially and reputationally. Thus, companies need to be aware of the warning signs and have procedures to prevent such scams. If you receive a suspicious email or link to a website, do not respond and immediately alert your company’s finance department and security team.
Five Common Business Email Compromise Examples
According to the FBI, there are five common BEC attack types:
- Data theft
- CEO fraud or whaling
- Email account compromise (EAC)
- Attorney impersonation
- False invoice scheme
Here’s a brief overview of these attacks:
Data Theft
According to one widely cited statistic, a cyber attack happens every 39 seconds, and organizations are the most common targets. In the data-theft variant of BEC, cybercriminals usually target human resources (HR) employees to obtain personal or sensitive information about the company’s CEO, executive officers, partners, and investors.
Data theft means stealing digital information from computers, servers, or other electronic devices to access sensitive information or violate privacy.
Without the owner’s consent, an unauthorized individual can remove, edit, or block access to personally identifiable or financial information, and then use what was taken to mount a broader attack on the company.
CEO Fraud or Whaling
It’s not uncommon for scammers to impersonate the CEO or other high-ranking executives to gain employees’ trust. After establishing rapport with lower-ranking employees, the attackers ask them to transfer funds to fraudulent accounts or share sensitive information.
Email Account Compromise
Email account compromise (EAC) is a common BEC method in which the attacker takes over an employee’s mailbox and mines its contact list for vendors, suppliers, and other valuable connections. The cybercriminals then message those contacts from the genuine account, requesting invoice payments to bogus vendors. Because the mail really does come from the compromised mailbox, sender authentication checks such as SPF, DKIM, and DMARC all pass, which is what makes EAC especially hard to catch.
False Invoice Scheme
This scheme involves a cybercriminal impersonating one of the company’s suppliers or a colleague of the targeted worker. Posing as the supplier, the attacker requests that an invoice be paid to a fraudulent account.
Attorney Impersonation
Attorney impersonation is a BEC fraud in which scammers pose as the company’s legal representatives. Bolder scammers have been known to target CEOs directly and ask them to wire funds.
Still, lower-level employees are the typical victims, since they may lack the knowledge to question a request to transfer money. Experienced cybercriminals also tend to contact their targets on Friday afternoons, when employees pay the least attention.
Now that we have listed typical BEC examples and pointed out their methods and goals, let’s see how you can protect yourself.
Effective BEC Protection Measures
BEC protection should have multiple layers that help you tell a legitimate request from an illegitimate one. There are many tactics against BEC attacks, so let’s review the most common ones.
Two-Factor Authentication for Business Email Accounts
Two-factor authentication (2FA) is an additional layer of security used to protect sensitive online accounts from cyber threats. When 2FA is enabled, users must present two different kinds of proof before accessing their account.
The factors are of different types: something the user knows, such as a password, combined with something the user has, such as a physical token or an authenticator app on their phone. Even if scammers obtain a user’s password, they cannot log in without the second factor. Standard authenticator apps that run on a smartphone include Google Authenticator and Duo Mobile. Bear in mind that one-time codes typed into a convincing phishing page, and push prompts approved by a hurried user, can still be captured or abused, so for executives and finance staff prefer phishing-resistant methods such as FIDO2 security keys.
Email Security Measures
If your organization wants to up its security game, it helps to know what an effective business email compromise strategy looks like. A layered defense of the mail domain involves three DNS-based measures:
- Sender Policy Framework (SPF) is a DNS TXT record listing the mail servers that are allowed to send on behalf of your domain. A receiving server compares the connecting server’s IP address with that list, so mail that spoofs your domain from an unauthorized server can be rejected rather than delivered.
- DomainKeys Identified Mail (DKIM) adds a cryptographic signature to outbound mail, computed over selected headers and the body with a private key; the matching public key is published in DNS. The recipient can verify that the message was sent by the signing domain and was not altered in transit.
- Domain-based Message Authentication, Reporting, and Conformance (DMARC) builds on SPF and DKIM. The domain owner publishes a policy (none, quarantine, or reject) telling receivers what to do with mail that fails both checks or whose authenticated domain does not align with the visible From address, and receives aggregate reports on who is sending as the domain. Note that these records protect only your own domain against exact spoofing: they do nothing against lookalike domains, and mail sent from a compromised account passes all three checks, so the verification procedures described below remain essential.
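As an added example (not from the original article or from any mail library), the following code shows how a receiving server combines the three records: it parses a DMARC policy, checks whether the domain that passed SPF or DKIM aligns with the visible From domain under the record’s relaxed or strict alignment mode, and applies the published policy. It also walks through the two cases the caveat above warns about: a lookalike domain that publishes no DMARC record at all, and a domain still at p=none, where a spoof is only reported. The DNS records, domains, and authentication results are constructed; the SPF and DKIM verifications themselves are taken as inputs, and the organisational-domain rule is simplified to the last two labels, whereas real receivers consult the Public Suffix List.

```python
"""DMARC evaluation from SPF and DKIM results.

Added example, not code from the original article or from any mail library.
DNS records, domains and authentication results are constructed; the
organisational-domain rule is simplified (real receivers use the Public
Suffix List).
"""
from typing import Dict, Optional

# Constructed DNS TXT records for two hypothetical domains. The SPF record is
# shown for reference only; the SPF check itself is taken as an input below.
DNS_TXT = {
    "example.com": "v=spf1 ip4:203.0.113.0/24 include:_spf.mailprovider.example -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com",
    "_dmarc.example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict; alignment defaults to relaxed."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organisational domain: the last two labels (assumption)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: Optional[str], from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(from_domain: str,
                   spf_pass: bool, spf_domain: Optional[str],
                   dkim_pass: bool, dkim_domain: Optional[str]) -> str:
    """Return the disposition a receiver would apply: 'pass', 'none', 'quarantine',
    'reject', or 'no policy' when the From domain publishes no DMARC record.

    spf_domain is the MAIL FROM (envelope) domain SPF was checked against;
    dkim_domain is the d= value of a DKIM signature that verified.
    """
    policy_tag = "p"
    record = DNS_TXT.get("_dmarc." + from_domain.lower())
    if record is None and from_domain.lower() != org_domain(from_domain):
        # Subdomain without its own record: fall back to the org domain and its sp= tag.
        record = DNS_TXT.get("_dmarc." + org_domain(from_domain))
        policy_tag = "sp"
    if record is None:
        return "no policy"
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return tags.get(policy_tag, tags["p"])


# Constructed scenarios: (description, From domain, SPF pass, MAIL FROM domain, DKIM pass, d= domain)
SCENARIOS = [
    ("genuine mail via the company's bulk sender", "example.com", True, "bounces.example.com", True, "example.com"),
    ("attacker spoofs example.com from own server", "example.com", False, "attacker.example", False, None),
    ("attacker signs with own DKIM key", "example.com", False, None, True, "attacker.example"),
    ("subdomain signature rejected by adkim=s", "example.com", False, None, True, "mail.example.com"),
    ("lookalike domain with no DMARC record", "exarnple.com", True, "exarnple.com", True, "exarnple.com"),
    ("p=none domain: spoof is only reported", "example.org", False, None, False, None),
]

if __name__ == "__main__":
    for desc, *args in SCENARIOS:
        print(f"{desc:46s} -> {evaluate_dmarc(*args)}")
```

Two points stand out when running the scenarios. First, alignment is what stops an attacker from simply signing with their own DKIM key: the signature verifies, but the d= domain is not the From domain, so the message is rejected. Second, the lookalike domain exarnple.com passes because the attacker controls it and can publish whatever SPF and DKIM records they like; DMARC on example.com never enters the picture, which is why payment verification by phone is still needed.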
BEC fraud usually involves no malware, yet anti-malware protection still improves overall security; having anti-spyware, anti-virus, and similar tools installed certainly can’t hurt.
Finally, verifying requests for fund transfers is an essential step to add to your procedures. The best way to do so is to call the person who allegedly sent the email, using a number you already have on file rather than one supplied in the message, since the scammer may have written that one. If you still have doubts after the phone call, don’t hesitate to hang up and contact your supervisor.
Additional Security Practices
There are additional security practices you and your organization can implement to prevent damage:
- Employee training against BEC attacks raises awareness and teaches workers to tell a message from a legitimate account apart from an illegitimate one. Training through phishing simulations and other tactics can highlight common tricks scammers use and keep employees vigilant.
- Require strong, unique passwords and send staff regular cyber security updates.
- Keep your mail servers and the rest of your infrastructure, including network tools and operating systems, up to date.
What if You Responded to a BEC Email
If you suspect you responded to a BEC phishing attempt and revealed some contact details or other privileged information, do the following:
- Immediately report the incident to your organization’s IT/cyber security team
- Ask your bank to suspend any pending or suspicious transactions
- Change passwords for email and financial accounts
- Look through account statements for any suspicious activity
- File a police report
- Notify your bank, credit card provider, and financial institution of the scam
What if You Fall Victim to a BEC Scam
If you fall victim to cyber criminals’ business email compromise scam, act quickly to remedy the consequences of data breaches or an “urgent wire transfer.” Your best course of action would be the following:
- Get in touch with your financial institution immediately and report the fraudulent activity
- File an incident report to your local FBI office
- File a complaint through the FBI’s Internet Crime Complaint Center
Now that you know what the BEC scam stands for and cybercriminals’ goals and methods, you are better equipped to protect yourself and your organization. No company is safe from scammers unless it takes security protocols and practices seriously. Following the tips in this guide can reduce the risk of falling victim to BEC attacks.
The BEC scam definition specifies that the attacker uses email for financial or other gain, which is why business email compromise is also known as a “man-in-the-email attack.”
Business email compromise attackers use social engineering to learn about high-level executives or other authority figures. By impersonating these people, cybercriminals obtain confidential information that helps them initiate fraudulent activity.
Yes, BEC attacks are a type of phishing scam. If we take a closer look at some business email compromise examples, we’ll see they all entail elements of social engineering, the principal characteristic of a phishing attack.