Business Email Compromise

Learn about BEC and protect your organization with resources from Cofense

Cofense: Your BEC Leaders

Business email compromise, often known simply as BEC or Email Account Compromise (EAC), is when threat actors use email fraud to attack commercial, government and non-profit organizations to achieve a specific outcome which negatively impacts the target organization. Basically, BEC’s goal is to deceive people into thinking they have received a legitimate business-related email and convince them into doing something they believe is necessary to help the company.

BEC Corner

Ronnie Tokazowski

If someone whispers the letters “B”, “E”, and “C” somewhere on the internet, chances are that Ronnie’s name comes up. Stemming from the days before APT was a buzzword, Ronnie has spent the last 6 years fighting and advocating for all things Business Email Compromise. He likes pointing to big numbers, says we need to start caring about each other to fix this problem, and can frequently be found posting memes on why the financial losses of BEC are worse than ransomware. (Aside from it being a cold fact, of course.) Follow Ronnie on Twitter and LinkedIn.

Business Email Compromise Overview

Business email compromise is part of an estimated $500 billion-plus lost to fraud annually. That’s billions lost to unemployment fraud. Billions lost to romance scams, real estate cons, advanced-fee fraud and dozens of other crimes affecting hundreds of thousands of victims. No single company can solve BEC, but awareness can help.

Spoofing

Something as simple as a “spoofed” email can do it: the display name is modified to appear as an individual within an organization, when in reality the return address is that of the attacker. The email format allows a “display name” that doesn’t have to be related to the actual sender’s email address, which makes it easy to fraudulently use the name of a trusted individual. The message often appears to be sent from a senior staff member to someone at a lower level in the company, and the body of the email will imply a sense of urgency. Spoofing is the most common mechanism for payroll diversion attacks because the attacker simply impersonates an individual within the organization and emails the payroll department asking for that person’s bank account details to be updated.

What’s worse, suppliers and customers can be attacked using your organization’s email domain, which greatly impacts relationships, your organization’s reputation, and stakeholder trust.

Other BEC Methods

Then there’s the business email compromise where a legitimate user’s email account is compromised. Attackers can obtain user account details and then use those credentials to log into the user’s account. Sneaky attackers will sometimes set up forwarding rules to monitor a victim’s email conversations following the initial message. That gives the attacker the opportunity to step in at their leisure with urgent messages that appear authentic, making the attack even more convincing.

BEC is Big Money

These attacks pose a significant risk. According to the annual 2020 FBI Internet Crime Report, this phishing tactic has raked in nearly $2B this past year alone. But the damage caused by these attacks reaches well beyond financial losses. In fraudulent invoice attacks, the most common form of BEC, the recipient gets what appears to be a legitimate invoice from an organization.

According to HelpNet Security, there was a 200% increase in business email compromise attacks focused on invoice or payment fraud from April to May 2020, posing both an internal risk to organizations and a reputation risk. As stated above, if a supplier or customer falls for a BEC attack that claims to come from a known organization, it can harm the established trust in the existing relationship as well.

How to Combat BEC

There are actions you can take to inform your employees to avert this threat. Educate your executive leadership team about this type of threat and discuss business email compromise with your organization at-large — especially those employees responsible for payments/payroll AND suppliers, customers, and clients. Training should include preventative strategies and reactive measures in case they are victimized. See our full checklist for details.

There is no single technology solution to BEC, rather it’s a combination of technology, process and user awareness.

BEC is CEO Fraud

CEO fraud? CFO fraud? Yes, and yes. When attackers reach out via email disguised as a top executive, that’s business email compromise. It’s a ruse threat actors employ using email to achieve a specific outcome that negatively impacts the target organization. Few employees will risk ignoring or reporting an email message directed to them from an executive’s address. The attacker’s goal is to deceive people into thinking they’ve received a legitimate business-related email so they’ll unknowingly, and quickly, do the attacker’s bidding. The best solution is usually advanced security awareness training. Cofense can help.

How does Business Email Compromise (BEC) work?

Business email compromise, often referred to as BEC, employs social engineering to target a certain individual or specific employee roles in a chosen business. Attackers typically send a spoof email (or series of spoof emails) that fraudulently represent a senior colleague (CEO or similar), or a trusted customer, with instructions to approve payments or release client data.

What makes an email suspicious?

Malicious email, particularly BEC, isn’t always obvious. Be on alert for formatting and punctuation that vary from your company’s norms. Often the greeting is a red flag. For example, “Hi” coming from a CEO whose messages consistently open with “Hello” or another convention should raise suspicion. Be on particular alert for minor variations in the sender’s email address. BEC examples and case studies can also be instructional. Cofense offers case studies and blog reporting on the subject.

What should the business do to guard against suspicious email?

There are actions you can take to inform your employees to avert the threat of business email compromise. Educate your executive leadership team about this type of threat and discuss business email compromise with your organization at-large — particularly employees responsible for payments/payroll and suppliers, customers and clients. Training should include preventative strategies and reactive measures in case they’re victimized. With Cofense PhishMe, simulations reflect the latest threats known to bypass standard technologies, empowering your users to become human threat detectors. Cofense Reporter simplifies reporting suspicious email with the click of a button.

Latest BEC Threats Found

Every week we update this page with a selection of the latest threats our analysts discover in environments protected by Proofpoint and other SEGs.


Real Phishing Example: Fax-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/27/2022

TACTIC: Link

THEME: Fax-themed emails

PHISHING EXAMPLE DESCRIPTION: Fax-themed emails found in environments protected by Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Cisco Ironport and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Cisco Ironport

TYPE: Credential Phishing

POSTED ON: 05/25/2022

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Cisco Ironport and Microsoft ATP deliver Credential Phishing via an embedded link.

Real Phishing Example: Notification-themed emails found in environments protected by Cisco Ironport and Microsoft ATP deliver Credential Phishing via an embedded link.

ENVIRONMENTS: Microsoft Defender for O365

TYPE: Credential Phishing

POSTED ON: 05/25/2022

TACTIC: Link

THEME: Notification

PHISHING EXAMPLE DESCRIPTION: Notification-themed emails found in environments protected by Cisco Ironport and Microsoft ATP deliver Credential Phishing via an embedded link.

BEC Resources

Gauge the Risks of BEC

Companies, governments, and organizations of all sizes fall victims to BEC attacks. When the attacks are successful, the costs can be substantial.


Critical Infrastructure
Cyberattacks on critical infrastructure were rated the fifth top cybersecurity risk in 2020. (World Economic Forum)

Federal Government
1 in 15 government employees were exposed to phishing threats in 2020. (Lookout)

Healthcare
175 million healthcare records have been stolen or exposed in recent years. (HIPAA Journal)

Manufacturing
Aircraft parts manufacturer FACC AG lost $54 million from a BEC scam that targeted the company’s finance department. (Security Week)

Protect Your Organization from BEC Attacks

Follow our checklist to ensure your organization stays protected.

Train employees to identify and report phishing attacks.

Use secondary channels or two-factor authentication to verify requests for changes in account information.

Ensure the URL in emails is associated with the business it claims to be from.

Be alert to hyperlinks that may contain misspellings of the actual domain name.

Refrain from supplying login credentials in response to any emails.

Keep all systems updated.

Verify the email address used to send emails, especially when using a mobile device, by ensuring the sender’s email address matches who the message claims to be from.

Ensure the settings on employees’ computers are enabled to allow full email extensions to be viewed.
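As an added example (not Cofense’s code or tooling), the following Python checks a message’s From header for the spoofing signs described in the Spoofing section and in the checklist items above: a display name that belongs to an internal user paired with an address that is not theirs, a sender domain that is a look-alike of the organization’s domain, and a Reply-To that diverts replies elsewhere. The organization domain, the internal directory and the sample message are constructed assumptions.

```python
import email
from email.utils import parseaddr

# Constructed assumptions for this example: the organisation's real domain and
# a small directory of internal senders (display name -> mailbox).
ORG_DOMAIN = "example.com"
DIRECTORY = {"jane doe": "jane.doe@example.com"}

# Constructed sample: payroll-diversion lure sent from a look-alike domain
# (the digit 1 replaces the letter l).
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
To: payroll@example.com
Subject: Urgent: update my direct deposit

Please update my bank details before the next payroll run.
"""


def edit_distance(a, b):
    """Levenshtein distance; a small distance to ORG_DOMAIN marks a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_from_header(raw_message):
    """Return warning strings for display-name spoofing, look-alike domains and Reply-To diversion."""
    msg = email.message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    domain = address.rpartition("@")[2].lower()
    warnings = []
    # Display name matches an internal user, but the mailbox is not theirs.
    expected = DIRECTORY.get(display.strip().lower())
    if expected and expected.lower() != address.lower():
        warnings.append(f"display name '{display}' is internal but address is {address}")
    # External domain within two edits of ours: a typosquat or homoglyph registration.
    if domain and domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        warnings.append(f"sender domain {domain} looks like {ORG_DOMAIN}")
    # Replies silently routed to a different mailbox than the visible sender.
    if reply_to and reply_to.lower() != address.lower():
        warnings.append(f"Reply-To {reply_to} differs from From address {address}")
    return warnings


if __name__ == "__main__":
    for w in check_from_header(SAMPLE):
        print("WARNING:", w)
```

A free-mail address with an internal display name trips only the first check, so the display-name rule is the one that catches the most common payroll-diversion spoof.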

Discover how Cofense stops phish and protects your company against evolving threats.