Business Email Compromise

Learn about BEC and protect your organization with resources from Cofense

Cofense: Your BEC Leaders

Business email compromise, often known simply as BEC or Email Account Compromise (EAC), is when threat actors use email fraud to attack commercial, government and non-profit organizations to achieve a specific outcome that negatively impacts the target organization. Basically, BEC’s goal is to deceive people into thinking they have received a legitimate business-related email and convince them to do something they believe is necessary to help the company.

BEC Corner

Ronnie Tokazowski

If someone whispers the letters “B”, “E”, and “C” somewhere on the internet, chances are that Ronnie’s name comes up. Stemming from the days before APT was a buzzword, Ronnie has spent the last 6 years fighting and advocating for all things Business Email Compromise. He likes pointing to big numbers, says we need to start caring about each other to fix this problem, and can frequently be found posting memes on why the financial losses of BEC are worse than ransomware. (Aside from it being a cold fact, of course.) Follow Ronnie on Twitter and LinkedIn.

Business Email Compromise Overview

Business Email Compromise has grown to over $500 billion in fraud. This isn’t Cofense trying to inflate the losses; these are actual losses that can be tied back to hundreds of thousands of victims. Billions lost to unemployment fraud. Billions lost to BEC. Billions lost to romance victims, real estate, advanced-fee fraud, and dozens of other crimes by Yahoo and Sakawa Boys. No single company can solve all BEC, but here’s what we’re doing to help fight the larger problem.

Spoofing

Something as simple as a “spoofed” email can do it: the display name in the email is modified to appear to be an individual within an organization, when in reality the return address is that of the attacker. The email format allows a “display name” that doesn’t have to be related to the actual sender’s email address, which makes it easy to fraudulently use the name of a trusted individual. The message often appears to be sent from a senior staff member to someone at a lower level in the company, and the body of the email will imply a sense of urgency. Spoofing is the most common mechanism for payroll diversion attacks because the attacker simply identifies an individual within an organization and sends an email to the payroll department asking for that person’s bank account details to be updated.

What’s worse, suppliers and customers can be attacked using your organization’s email domain, which greatly impacts relationships, your organization’s reputation, and stakeholder trust.

Other BEC Methods

Then there’s the business email compromise where a legitimate user’s email account is compromised. Attackers can obtain user account details and then use those credentials to log into the user’s account. Sneaky attackers will sometimes set up forwarding rules to monitor a victim’s email conversations following the initial message. That gives the attacker the opportunity to step in at their leisure with urgent messages that appear authentic, making the attack even more convincing.
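Because the forwarding rules described above are a durable sign of account compromise, a defender can audit mailbox rules for them. The following is an added example, not Cofense code: the rule records, the field names on InboxRule, the internal domain and the watch words are all constructed assumptions standing in for whatever an exported rule list looks like in a real tenant.

```python
"""Audit mailbox inbox rules for the forwarding/hiding patterns an attacker
leaves behind after compromising an account. Added example; the rule records
below are constructed, not exported from any real tenant, and the field
names are assumptions."""
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumed: the organization's own mail domain
# Subjects an attacker monitoring a hijacked mailbox typically filters on
WATCH_WORDS = ("invoice", "payment", "wire", "bank", "password", "urgent")
# Folders where moved mail is unlikely to be noticed by the mailbox owner
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "archive", "junk", "deleted items")


@dataclass
class InboxRule:
    mailbox: str
    name: str
    forward_to: list = field(default_factory=list)  # forward/redirect targets
    contains: list = field(default_factory=list)    # subject/body keyword conditions
    delete: bool = False                             # rule deletes the message
    move_to: str = ""                                # folder the message is moved to


def external(addr: str) -> bool:
    """True when the address is outside the organization's own domain."""
    return addr.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def audit_rule(rule: InboxRule) -> list:
    """Return finding strings for one rule; an empty list means nothing suspicious."""
    findings = []
    ext = [a for a in rule.forward_to if external(a)]
    if ext:
        findings.append("forwards to external address(es): " + ", ".join(ext))
    keyed = [w for w in rule.contains if w.lower() in WATCH_WORDS]
    hides = rule.delete or rule.move_to.lower() in HIDING_FOLDERS
    if keyed and hides:
        findings.append(f"hides messages matching {keyed} "
                        f"(delete={rule.delete}, move_to={rule.move_to!r})")
    if len(rule.name.strip()) <= 2:
        # Attackers often name rules ".", ",", or leave them blank
        findings.append(f"near-empty rule name {rule.name!r}")
    return findings


def audit_rules(rules) -> dict:
    """Map mailbox -> [(rule name, findings)] for every rule with findings."""
    report = {}
    for r in rules:
        f = audit_rule(r)
        if f:
            report.setdefault(r.mailbox, []).append((r.name, f))
    return report


# Constructed sample: one benign rule, one classic post-compromise rule,
# one keyword-delete rule, one benign newsletter rule.
SAMPLE_RULES = [
    InboxRule("cfo@example.com", "Out of office copy", forward_to=["assistant@example.com"]),
    InboxRule("cfo@example.com", ".", forward_to=["cfo.example@mail-relay.invalid"],
              contains=["invoice", "wire"], move_to="RSS Feeds"),
    InboxRule("ap@example.com", "Clean up", contains=["payment"], delete=True),
    InboxRule("ap@example.com", "Newsletters", contains=["newsletter"], move_to="Archive"),
]

if __name__ == "__main__":
    for mailbox, hits in audit_rules(SAMPLE_RULES).items():
        for name, findings in hits:
            print(f"{mailbox}: rule {name!r}")
            for line in findings:
                print("   -", line)
```

Run on the constructed sample, the audit flags the CFO's "." rule three times (external forward, hiding of invoice/wire mail, near-empty name) and the accounts-payable "Clean up" rule once, while the two benign rules produce nothing. In practice the input would be the organization's exported inbox rules, and the external-forward finding alone usually merits a password reset and session revocation.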

BEC is Big Money

These attacks pose a significant risk. According to the annual 2020 FBI Internet Crime Report, this phishing tactic raked in nearly $2B this past year alone. But the damage caused by these attacks reaches well beyond financial losses. In fraudulent invoice attacks, the most common form of BEC, the recipient gets what appears to be a legitimate invoice from an organization.

According to HelpNet Security, there was a 200% increase in business email compromise attacks focused on invoice or payment fraud from April to May 2020, posing both an internal risk to organizations and a reputation risk. As stated above, if a supplier or customer falls for a BEC attack that claims to come from a known organization, it can harm the established trust in the existing relationship as well.

How to Combat BEC

There are actions you can take to inform your employees to avert this threat. Educate your executive leadership team about this type of threat and discuss business email compromise with your organization at-large — especially those employees responsible for payments/payroll AND suppliers, customers, and clients. Training should include preventative strategies and reactive measures in case they are victimized. See our full checklist for details.

There is no single technology solution to BEC, rather it’s a combination of technology, process and user awareness.

How does Business Email Compromise (BEC) work?

Business email compromise, often referred to as BEC, employs social engineering to target a certain individual or specific employee roles in a chosen business. Attackers typically send a spoof email (or series of spoof emails) that fraudulently represent a senior colleague (CEO or similar), or a trusted customer, with instructions to approve payments or release client data.

What makes an email suspicious?

Malicious email, particularly BEC, isn’t always obvious. Be on alert for formatting and punctuation that vary from your company’s norms. Often the greeting is a red flag. For example, “Hi” coming from a CEO whose messages consistently open with “Hello” or another convention should raise suspicion. Be on particular alert for minor variations in the sender’s email address. BEC examples and case studies can also be instructional. Cofense offers case studies and blog reporting on the subject.
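The sender checks above, together with the display-name spoofing described under Spoofing and the checklist advice to verify the full sender address, can be turned into a small header triage routine. This is an added example and not Cofense tooling: the trusted domains, the staff directory and the four raw messages are constructed, and the two-edit lookalike threshold is an assumption to tune for your own domain list.

```python
"""Flag sender-spoofing indicators in raw email headers: a display name that
impersonates a known colleague from an outside address, a Reply-To pointing
somewhere else, and domains within a small edit distance of a trusted one.
Added example; the directory, domains and messages below are constructed."""
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "supplier-example.net"}   # assumed
DIRECTORY = {"Jane Doe": "jane.doe@example.com"}            # assumed staff directory
LOOKALIKE_DISTANCE = 2                                      # assumed threshold


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (standard DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def lookalike(domain: str):
    """Return the trusted domain this one imitates, or None if it is trusted/unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in sorted(TRUSTED_DOMAINS):
        if edit_distance(domain, trusted) <= LOOKALIKE_DISTANCE:
            return trusted
    return None


def analyze(raw_message: str) -> list:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # 1. Display name belongs to a known colleague but the address does not match
    known = DIRECTORY.get(name.strip())
    if known and known.lower() != addr.lower():
        findings.append(f"display name {name!r} is a known colleague but address is {addr}")
    # 2. Replies are steered to a different domain than the visible sender
    if reply and domain_of(reply) != domain_of(addr):
        findings.append(f"Reply-To {reply} differs from From domain {domain_of(addr)}")
    # 3. Either address uses a domain a few keystrokes away from a trusted one
    for label, a in (("From", addr), ("Reply-To", reply)):
        if a:
            target = lookalike(domain_of(a))
            if target:
                findings.append(f"{label} domain {domain_of(a)} looks like trusted {target}")
    return findings


# Constructed messages: legitimate, free-mail impersonation, lookalike supplier,
# and a genuine From with a lookalike Reply-To.
SAMPLES = [
    "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nSee attached.\n",
    "From: Jane Doe <jane.doe.ceo@webmail.invalid>\nReply-To: jane.doe.ceo@webmail.invalid\n"
    "Subject: Quick favour\n\nAre you at your desk?\n",
    "From: Accounts Payable <billing@supplier-exarnple.net>\nSubject: Updated bank details\n\n"
    "Please update our remittance account.\n",
    "From: Jane Doe <jane.doe@example.com>\nReply-To: jane.doe@examp1e.com\n"
    "Subject: Payroll change\n\nPlease update my direct deposit.\n",
]

if __name__ == "__main__":
    for i, raw in enumerate(SAMPLES, 1):
        print(f"message {i}:", analyze(raw) or ["no findings"])
```

Message 1 produces no findings; message 2 is caught by the directory mismatch; message 3 by the lookalike supplier domain; message 4 by both the Reply-To divergence and the lookalike Reply-To domain, which is the pattern a payroll-diversion request typically shows. Because this inspects only the From and Reply-To headers, it complements rather than replaces SPF/DKIM/DMARC evaluation on the envelope sender.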

What should the business do to guard against suspicious email?

There are actions you can take to inform your employees to avert the threat of business email compromise. Educate your executive leadership team about this type of threat and discuss business email compromise with your organization at-large — particularly employees responsible for payments/payroll and suppliers, customers and clients. Training should include preventative strategies and reactive measures in case they’re victimized. Cofense PhishMe simulations reflect the latest threats known to bypass standard technologies, empowering your users to become human threat detectors. Cofense Reporter simplifies reporting suspicious email with the click of a button.

Latest BEC Threats Found

Every week we update this page with a selection of the latest threats our analysts discover in environments protected by Proofpoint and other SEGs.


Real Phishing Example: Humane Society of Wicomico County-spoofed emails found in environments protected by Cisco Ironport and Microsoft ATP deliver credential phishing.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 12/01/2021

TACTIC: link

THEME: Humane Society of Wicomico County

PHISHING EXAMPLE DESCRIPTION: Humane Society of Wicomico County-spoofed emails found in environments protected by Cisco Ironport and Microsoft ATP deliver credential phishing.

Real Phishing Example: Humane Society of Wicomico County-spoofed emails found in environments protected by Cisco Ironport and Microsoft ATP deliver credential phishing.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 12/01/2021

TACTIC: link

THEME: Humane Society of Wicomico County

PHISHING EXAMPLE DESCRIPTION: Humane Society of Wicomico County-spoofed emails found in environments protected by Cisco Ironport and Microsoft ATP deliver credential phishing.

Real Phishing Example: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing.

ENVIRONMENTS: Proofpoint

TYPE: Credential Phishing

POSTED ON: 12/01/2021

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Proofpoint deliver credential phishing.

BEC Resources

Gauge the Risks of BEC

Companies, governments, and organizations of all sizes fall victim to BEC attacks. When the attacks are successful, the costs can be substantial.


Critical Infrastructure

5th top cybersecurity risk: Cyberattacks on critical infrastructure were rated the fifth top cybersecurity risk in 2020. (World Economic Forum)

Federal Government

1 in 15 government employees were exposed to phishing threats in 2020. (Lookout)

Healthcare

175 million healthcare records have been stolen or exposed in recent years. (HIPAA Journal)

Manufacturing

$54 million: Aircraft parts manufacturer FACC AG lost $54 million from a BEC scam that targeted the company’s finance department. (Security Week)

Protect Your Organization from BEC Attacks

Follow our checklist to ensure your organization stays protected.

Train employees to identify and report phishing attacks.

Use secondary channels or two-factor authentication to verify requests for changes in account information.

Ensure the URL in emails is associated with the business it claims to be from.

Be alert to hyperlinks that may contain misspellings of the actual domain name.

Refrain from supplying login credentials in response to any emails.

Keep all systems updated.

Verify the email address used to send emails, especially when using a mobile device, by ensuring the sender’s actual email address matches who the message claims to be from.

Ensure the settings on employees’ computers and mail clients are enabled to show full email addresses, not just display names.

Discover how Cofense stops phish and protects your company against evolving threats.