The most common type of cyberattack that businesses suffer from today begins with fraudulent emails. According to a report by the United States FBI, worldwide losses resulting from business email compromise scams amount to over 26 billion dollars over the past three years. This figure continues to rise more so due to the COVID-19 pandemic.
Since the onset of the pandemic, researchers have reported an over 30% increase in fund transfer fraud incidents and social engineering, in addition to the rise in the severity of ransomware attacks. Each business email compromise event is said to cost businesses thousands to one million dollars in revenue loss.
1. What is Business Email Compromise (BEC)?
BEC is a form of cyberattack that targets both businesses and individuals. It is referred to as business email compromise as the scam begins with gaining access to a business email.
Business email is email that is specifically used for business. Unlike a personal email address, a business email address contains the company’s name. It is a professional email identification that not only portrays authority but also advertises the company’s brand in every communication. For these benefits and more, organizations use business email hosted by email hosting service providers.
Read more on the benefits of business email hosting services.
2. Business Email Compromise (BEC) vs. Email Account Compromise (BAC)
Business email compromise is also commonly referred to as email account compromise. A business email account is said to be compromised when an unauthorized user gains access to said email and uses various tactics to impersonate the email account owner.
Although both terms are used interchangeably, there is a slight difference between the two terms. The difference comes in with the end game of each exploit.
Business email compromise is an exploit where an attacker hacks into a corporate email account and impersonates the real owner. BEC’s end game is to defraud the company, its customers, partners, and/or employees into sending money or sensitive data to the attacker’s account. However, with email account compromise, the cybercriminal gains access to the email account but does not necessarily alter it. He/she uses the account to;
- Send out large scale phishing campaigns from the compromised account. This is easy to achieve from a trusted source that is now compromised
- Intercepting conversations about wired transfers and inserting themselves to seize the opportunity to steal the funds
- Send more targeted payment requests for fake invoices to employees with the company to do so in your finance department
Additionally, business email compromise exploits are also called man-in-the-email attacks. The name is derived from man-in-the-middle, which implies a situation where a third party intercepts and possibly alters the communication between two unsuspecting parties, usually to defraud the parties involved.
3. The Significance of Business Email Compromise (BEC) Exploits
Why should any organization worry about suffering from a BEC exploit?
Firstly, as mentioned earlier, research estimates that BEC exploits cost businesses between thousands to one-million dollars per event. Such losses can break or significantly stall the progress of any organization.
Secondly, BEC exploits are a targeted email threat. This means that everything about how cybercriminals begin and execute business email compromise scams is designed to attack a specific target. These specific targets can be high-level employees in the finance department and C-suite members such as CEOs.
BEC scams target employees in an organization with access to sensitive information or the power to authorize and request the transfer of funds without raising too many eyebrows. These are usually employees in the finance or human resource departments as well as C-suite members. This is why you will hear terms like CEO fraud, CEO impersonation or CEO phishing surround business email compromise exploits.
Thirdly, as we discussed, the end game of BEC scams is fraud. Cybercriminals will spend days conducting in-depth research on your weakest link – your employees. They commit time and resources in selecting the best staff member after which they will hack into their email accounts. Once in, the criminals use social engineering tactics – we will discuss these later – to impersonate the owner of the account and defraud the company. If you think that is not easily attainable or effective, think again.
Using various forms of spoofing such as email, domain and website spoofing, cybercriminals can pose as that manager with the reputation of a tyrant at your office. He/she says, “Jump,” and you ask, “How high?” If the cybercriminal disguised as your least favorite manager sends an email requesting an urgent transfer of funds, how likely are you to blindly oblige? I would say, very likely.
Cybercriminals depend on the misplaced assurance that high-level employees may have. No one believes they can be hacked. Add the natural instinct we as humans have to obey authority, and cybercriminals have a well-cooked plan of destruction.
4. How Business Email Compromise (BEC) Works
4.1 The research
A business email compromise exploit starts with research. The cybercriminal conducts a deep dive into members of your organization. This includes social media accounts, online buying behavior and other sources of data that are not necessarily publicly available.
4.2 Collecting the data with social engineering
In addition to research, the cybercriminal uses various social engineering tactics that trick your employees into divulging sensitive corporate data when it is not so readily available.
Social engineering, just as the name suggests, is a form of attack that relies on how you and I think and act. It is a tactic that involves tricking unsuspecting users into giving access to restricted systems, download malware or give up sensitive corporate data. This is done by manipulating human behavior. Types of social engineering attacks include vishing, phishing, scareware, pretexting and water-holing.
The cybercriminal uses social engineering attacks to manipulate you emotionally. Socially engineered emails will use heightened emotions of fear or excitement to get your employees to react and perform certain actions such as downloading a malicious attachment. They will build a false sense of trust by appearing as a legitimate source you would not question.
4.3 Email account compromise
The criminal now has all he needs to hack into your CFO’s email account, for example. Once he/she gains access to the account, he/she uses spoofing to impersonate your CFO. The cybercriminal spoofs your CFO’s email address or a domain, for example, instructing a wire transfer to Paypa1.com instead of Paypal.com.
4.4 The Fraud
The attacker sends an email to your finance department instructing your personnel to transfer funds to a supplier, client; it could be anyone. The wire transfer destination looks legitimate; you don’t want to keep your boss waiting, and you want to save the day. Your personnel quickly transfers the funds and pats him/herself on the back.
4.5 The painful realization
As is most organizations’ protocol, your staff in accounts are obligated to notify top-level managers of any fund transfers, or better yet, they receive an automatic notification. Sooner or later, you realize that the worst has happened. Your IT department will try its best to recover the funds but the attacker is long gone, vanished into the dark corners of the internet. Nothing more than damage control can be done at this point.
5. Common Types of BEC Exploits
CEO fraud; when a fake email is sent from a business executive’s email account to employees asking for an urgent transfer of funds to the cybercriminal’s account.
The fake attorney scam; here, the cybercriminal sends an email to your employees posing as the company lawyer, for example. He/she claims to be handling time-sensitive confidential matters and instructs an urgent transfer of funds.
The fake invoice scam; the attacker poses as a trusted company vendor or supplier. Using a fake invoice, the attacker asks for payment that is directed to a fraudulent bank account
The HR scam; the cybercriminal wants access to personally identifiable information (PII) and not money. He/she, therefore, poses as a strategic person in the HR department and requests information from your employees.
6. How to Spot a BEC Exploit
There are several red flags that can help your employees sniff out a BEC scam. With awareness training and close scrutiny, the following signs are evident;
- Spoofed sender domain, spoofed email address and spoofed URLs
- Time-sensitive and confidential requests
- Requests to transfer funds immediately
- Urgent subject lines such as payment notice, payment inquiry, bank transfer inquiry, etc
- Use of generic terms such as sir or madam rather than real names
- Unfamiliar invoices
- Unfamiliar bank accounts different from those normally used
- Messages from personal mailboxes or mobile. Usually, the sender pretends to be traveling and signatures indicates it’s coming from a mobile
- Requests that ask you to bypass normal procedures and protocols
Now knowing how to spot a BEC scam, let’s talk about the do’s and don’ts when dealing with BEC or EAC attacks.
7. The Do’s and Don’ts
Do verbally verify all requests for fund transfers or sensitive information. Don’t carry out requests without confirming their authenticity.
Do double check the sender’s email address. Don’t reply to a suspicious email. Contact the sender directly or forward the email to the correct email address.
Do double check links in suspicious emails by hovering over the anchor text. This will reveal the true destination of the link. Don’t click on links or download attachments from suspicious emails
8. How to Prevent Business Email Compromise (BEC) Exploits
- Have email security solutions in place. For example, an effective email filtering system that not only identifies malicious payloads but one that is context-aware and has other social engineering safeguards
- Deploy network controls for your employees’ downloads. This prevents malware from being downloaded into your network
- Train your employees on email security best practices and vigilance. Conduct simulations and trainings to determine if they can identify BEC exploits
- Always verify. Verify payment requests, instructions and invoices before acting on them to ensure they are authentic
- Employ two-factor authentication process for all payments
9. How MailSafi Prevents Business Email Compromise (BEC) Exploits
MailSafi email security includes targeted threat protection and impersonation protection. These not only identify emails with malicious payloads but also scans all incoming emails for phrases such as “urgent wire transfer” and other warning signs of social engineering. It is a comprehensive solution that combats BEC exploits using cloud-based filtering gateways, 99.9% anti-malware protection, secure email options and targeted threat protection.
MailSafi email security prevents unauthorized access of email on all devices. This is especially important for employees working remotely or working from home where personal devices are not as well protected as corporate devices.
Contact us to learn more about how MailSafi Email Security protects organizations from the high cost of business email compromise (BEC) exploits.