BEC - Business Email Compromise Attack Explained

BEC scammers operate by using information about your business, and your employees can defend company resources by fighting fire with fire.

Ivan Stevanovic Image
Updated:

June 14,2022

DataProt is supported by its audience. When you buy through links on our site, we may earn a commission. This, however, does not influence the evaluations in our reviews. Learn More.

Business email compromise attacks have been a problem for quite some time now. They’ve cost plenty of companies and individuals millions of dollars in productivity loss, expenses, employee training, and cybersecurity. 

However, with suitable training, it’s become fairly easy to protect yourself and your company against these attacks. Read on, and we’ll show you how to recognize such attempts and what to do when faced with one.

What Is BEC?

Business email compromise, usually called BEC, is a form of phishing scam, specifically spear-phishing. It’s used to manipulate companies and individuals to access their finances or sensitive information such as account credentials, W-2 forms, or invoices.

BEC attackers usually undertake thorough research before contacting the target, aiming to be as inconspicuous as possible so as to have greater chances of the scam actually working. Targeting the companies’ resources, they tend to impersonate CEOs, CFOs, or long-term clients making changes to their “order” or “accounts”. Until the end of 2021, losses incurred due to BEC fraud have been estimated at $43 billion.

BEC Scheme Techniques

The scammers use three techniques to attain their objective of obtaining funds or information from their targets:

  • Spoofed emails and websites - If they are not able to hack a specific email, the attackers will create a similar email address or website, with an almost imperceptible difference in the domain or spelling (i.e. [email protected] as opposed to [email protected]).
  • Spear-phishing - BEC phishing attempts aren’t necessarily from spoofed emails, although it does represent a mitigating benefit to the attacker. All they would need is sufficiently personalized information they can use in the email to make the victim believe in its legitimacy.
  • Malware - Although less widely used with BEC fraud, malware belongs to the arsenal that scammers utilize for gaining profit from a business email compromise. Malware can be used to infiltrate the company systems, thus gaining access to employee information, company bank accounts, or business strategies.

Types of Business Email Compromise Scams

There are five types of business email compromise scams:

Attorney Impersonation

The attackers are impersonating a target’s attorney or legal representative, requesting confidential information that is supposedly “required” for legal action. This type of BEC scam usually targets lower-tier employees who don’t know the company’s associates and thus fall for the scam.

CEO Fraud

When using this BEC method, the attacker is impersonating the company CEO or some other executive. In this case, the perpetrators commonly target the finance department, requesting a money transfer to an account controlled by cybercriminals. 

Data Theft

With this method, the usual target is the HR department since it keeps files on every employee and company representative. Collecting that information isn’t the main goal of the business email compromise scheme. What they are after is to retrieve tools for future attacks that can prove more fruitful for the attackers in the long run. 

Hence, it’s imperative to know how to protect yourself from identity theft and regularly apply these measures that will keep you and your company safe.

Email Account Compromise

Email account compromise, or EAC for short, is often used as a synonym for BEC because it’s the most common technique used in BEC attacks. Although the names are quite similar, it’s important to differentiate between them.

EAC is a subcategory of BEC that requires a specific email to be breached and taken over, and then used to contact vendors, employees, or anyone else for the purpose of stealing resources or information. BEC doesn’t necessarily require an email to be hacked, as other methods can achieve the same results. 

The False Invoice Scheme

Companies with foreign suppliers are the usual victims of this type of BEC attack. The perpetrators impersonate a known supplier, asking for fund transfers to their personal accounts using bogus invoices.

How To Prevent Business Email Compromise Attacks

As your business might have vulnerabilities, you should learn how to defend yourself against anyone who intends to exploit those weaknesses. Proper business email compromise training will save you time and money and keep your business safe from such attacks.

Some steps that you can take include:

  • Being careful what you share on social media - Individuals and companies are constantly online nowadays, which makes it terrifyingly easy to gather almost any kind of information. Partnerships, locations, professional positions, accomplishments - these things are often shared on our social networks in order to promote ourselves and the business. Regrettably, that same information is how attackers are able to hack emails and engage in identity theft.
  • Training your employees - Every employee at the company, from a sales representative to an executive, should be familiar with and trained in anti-phishing procedures. That way, they will be able to recognize specific BEC phishing red flags and report business email compromise of any kind. 
  • Separating duties - With this method, you would be reducing your chances of falling victim to BEC scams or any other phishing attempts. If targeted, an employee of a certain level wouldn’t be able to make a decision without their supervisor, who will be more competent when it comes to spotting such scams.
  • Differentiating between internal and external emails - Almost all emailing platforms allow customization so they can recognize which emails are coming from within the company and which are not. This is a helpful tool when you’re trying to defend yourself against BEC.

Conclusion

Emails are a crucial business communication tool, although their security is frequently overlooked. That’s why creating a proper workflow, providing adequate training, and informing the employees of BEC security measures will keep your business running smoothly for a long time. With such measures in place, your company won’t give scammers a chance to take advantage of your resources.

FAQ
What is the meaning of business email compromise?

BEC or business email compromise is a type of phishing attack used by cybercriminals to extract confidential information and trick individuals into transferring funds or doing other actions that might jeopardize company resources.

What is the main goal of business email compromise?

The main goal would be to access company funds or classified information that would benefit  the attackers.

Who is responsible for business email compromise?

To be fair, it’s the company’s duty to ensure that its client and employee databases are bulletproof against BEC or any other type of attack. Cybersecurity is indispensable for any kind of business, and the only one responsible for it is the company itself. Every company must have a designated cybersecurity expert in charge of constantly protecting confidential data and updating its security measures.

There are no comments yet
Leave your comment

Your email address will not be published.*