Business email compromise, often known simply as BEC, is when threat actors use email fraud to attack commercial, government and non-profit organizations to achieve a specific outcome which negatively impacts the target organization.
Most attacks target specific employee roles within an organization by sending a spoof email (or series of spoof emails) which fraudulently represent a senior colleague (CEO or similar) or a trusted customer with instructions to approve payments or release client data. The emails often use social engineering to entice the victim into making money transfers to a fraudulent bank account.
According to Gartner Research, business email compromise attacks increased by nearly 100% in 2019 and in some cases, resulted in substantial financial losses. Further, BEC attacks will continue to double each year to over $5 billion, and lead to large financial losses for enterprises through 2023.
Business email compromise attacks do not use malware or links in email, rather it is the user who is compromised (an account takeover). Attacks are pretty simple to execute, and traditional email content inspection techniques cannot detect BEC phishing because the emails resemble regular email content; of course, with the goal of exploiting business process errors.
As an example, something as simple as a “spoofed” email, where the display name in the email is modified to appear as an individual within an organization. When in reality, the return address is actually that of the attacker. The email format allows for a “display name” that doesn’t have to be related to the actual sender’s email address. This kind of format is less difficult to fraudulently use the name of a trusted individual. The message often appears to be sent from a senior staff member to someone at a lower level in the company, and the body of the email will imply a sense of urgency. Spoofing is the most common mechanism for payroll diversion attacks because it simply identifies an individual within an organization and sends an email to the payroll department asking for their bank account details to be updated.
What’s worse, suppliers and customers can be attacked using your organization’s email domain, which greatly impacts relationships, your organization’s reputation, and stakeholder trust.
Then there’s the business email compromise where a legitimate user’s email account is compromised. Attacks can obtain user account details and then use those credentials to log into a user’s account. Sneaky attackers will sometimes set up forwarding rules to monitor a victim’s email conversations following the initial message. That gives the attacker the opportunity to step in at their leisure with urgent messages that appear authentic, making the attack even more convincing.
These attacks pose a significant risk. According to the annual 2020 FBI Internet Crime Report, this phishing tactic has raked in nearly $2B this past year alone. But the damage caused by these attacks reaches well beyond financial losses. Fraudulent invoices, which are the most common of BEC attacks, the recipient gets what appears to be a legitimate invoice from an organization.
According to HelpNet Security, there was a 200% increase in business email compromise attacks focused on invoice or payment fraud from April to May 2020, posing an internal risk to organizations; and a reputation risk. As stated above, if a supplier or customer falls for a BEC attack that claims to come from a known organization, it can harm the established trust in the existing relationship as well.
There are actions you can take to inform your employees to avert this threat. Educate your executive leadership team about this type of threat and discuss business email compromise with your organization at-large — especially those employees responsible for payments/payroll AND suppliers, customers, and clients. Training should include preventative strategies and reactive measures in case they are victimized. Among other steps, all employees should be told to:
- Use secondary channels or two-factor authentication to verify requests for changes in account information.
- Ensure the URL in emails is associated with the business it claims to be from.
- Be alert to hyperlinks that may contain misspellings of the actual domain name.
- Refrain from supplying login credentials in response to any emails.
- Keep all systems updated.
- Verify the email address used to send emails, especially when using a mobile device by ensuring the senders address email address appears to match who it is coming from.
- Ensure the settings the employees’ computer are enabled to allow full email extensions to be viewed.
There is no single technology solution to BEC, rather it’s a combination of technology, process and user awareness.