“Hi, Jane – I’m on a conference call right now. I can’t talk on the phone but let me know when you get this email. We need that payment made today. Thanks.”
John Doe (CEO)
Nobody wants to question the CEO, but this seemingly harmless message could be the opening salvo in a costly cyberattack. Business email compromise (BEC), also known as CEO fraud, is a sophisticated scam that exploits our reliance on email for work communications.
Cybercriminals impersonate trusted figures, like CEOs or vendors, to trick employees into sharing sensitive information or authorizing fraudulent financial transactions. The consequences can be expensive. The IBM Cost of a Data Breach Report found that BEC attacks comprised 9 percent of all breaches, with an average cost of $4.67 million per breach.
BEC attacks are continually evolving, with scammers employing increasingly sophisticated social engineering techniques to bypass traditional security measures. Even when good security controls are in place, the human element remains a critical link in the cybersecurity chain. This makes BEC a particularly insidious threat, as it preys on our natural trust and willingness to help others — particularly the senior executive team.
This guide covers the mechanics of BEC attacks, what makes BEC scams so successful, common business email compromise tactics, and offers actionable steps you can take to protect your organization from email security threats.
What is Business Email Compromise?
Business Email Compromise (BEC) is a type of cybercrime where an attacker gains unauthorized access to a business email account, or spoofs an email address to impersonate its legitimate owner, in order to defraud the company or its associates. In the example above, the attacker has impersonated the CEO with an urgent request to pay a fraudulent invoice. Another tactic is to impersonate an IT resource and request credentials from a privileged user.
- BEC attacks often rely on social engineering techniques rather than technical exploits, making them difficult to detect with traditional security tools.
- BEC attacks can target any individual within an organization, from low-level employees to executives.
- Attackers often conduct extensive research on their targets to make their emails more convincing.
How BEC Scams Work
BEC scams are typically carried out in a few key stages:
1. Reconnaissance: The attacker gathers information about their target organization and its employees, often using public sources such as social media, company websites, and even LinkedIn profiles. The attacker’s goal is to understand who would be authorized to request an urgent payment, who could initiate the fund transfers, which vendors the organization may do business with, who would have privileged credentials, or who would have access to sensitive information sought by the cybercriminals.
2. Impersonation: The attacker creates a convincing disguise, usually impersonating a trusted figure such as a high-level executive, a vendor, or an attorney. This is often done by creating fake email addresses or domains that closely resemble the legitimate ones, or by compromising an existing account. They may also use techniques like phishing or malware to gain access to internal email accounts or networks to gather further intelligence.
3. Initial contact: The attacker initiates contact with the target, often using a pretext that aligns with the impersonated figure’s role. They may send seemingly innocuous emails to establish rapport or leverage information gathered during the reconnaissance phase to make their communications more convincing.
4. The fraudulent request: Once trust has been established, the attacker makes a fraudulent request. This could involve:
   - Financial fraud: Requesting a wire transfer, change of payment details, or payment of a fake invoice.
   - Data theft: Asking for sensitive information such as employee records, customer data, or trade secrets.
   - Credential harvesting: Tricking the target into providing login credentials or other access information.
5. Exploitation: If successful, the attacker exploits the provided information or access to achieve their goal.
6. Covering tracks: The attacker may attempt to cover their tracks by deleting emails or manipulating records to avoid detection.
Key Elements That Make BEC Scams Successful
Social Engineering
BEC attacks heavily rely on manipulating human psychology rather than technical exploits. Attackers use tactics like creating a sense of urgency, appealing to authority, or exploiting trust to deceive victims into complying with their requests.
Sophistication
Attackers craft well-researched and personalized emails that mimic legitimate communication patterns, making them difficult to detect. They may also use techniques like spoofing email addresses or domains to further enhance the illusion.
Lack of Awareness
Many employees are not adequately trained to recognize and respond to BEC scams. This lack of awareness makes them vulnerable to these attacks, as they may not question seemingly legitimate requests or verify the authenticity of emails before taking action.
Exploitation of Trust
BEC attacks often exploit the inherent trust that exists within organizations and between businesses and their partners. Employees may be more likely to comply with requests from seemingly trusted figures, such as executives or vendors, without verifying their legitimacy.
Urgency and Pressure
Attackers often create a sense of urgency or pressure in their communications, making victims feel compelled to act quickly without taking the time to properly assess the situation. This can lead to hasty decisions and bypass normal security protocols.
Targeting Key Individuals
BEC attacks often target individuals with access to sensitive information or financial systems, such as executives, finance personnel, or HR employees. By compromising these key individuals, attackers can gain access to valuable data or initiate fraudulent transactions.
Most Common Business Email Compromise Tactics
BEC tactics are constantly evolving, and scammers are becoming increasingly sophisticated in their methods. It is crucial for businesses to stay vigilant and implement robust security measures to protect themselves from these attacks. Some of the most common types of attack include:
CEO Fraud/Whaling
The attacker impersonates a high-level executive, such as the CEO or CFO, and sends an email to an employee with the authority to make wire transfers, purchase gift cards, or carry out other types of financial transactions. The email typically requests an urgent transfer of funds to a fraudulent account, often under the guise of a confidential business deal or an emergency situation.
Email spoofing
Email spoofing is a technique where hackers forge the sender’s email address to make it appear as if the email is coming from a legitimate source. Spoofed emails are often used in BEC attacks to impersonate trusted individuals or organizations.
Account Compromise
The attacker gains access to a legitimate employee’s email account, often through phishing or malware. They then use this compromised account to send emails to other employees, vendors, or customers, requesting sensitive information or initiating fraudulent transactions.
Invoice or Payment Fraud
The attacker intercepts or spoofs legitimate invoices or payment requests, changing the recipient’s bank account information or other payment details. This can result in funds being transferred to the attacker’s account instead of the legitimate vendor.
Data Theft
The attacker uses compromised employee credentials to gain access to sensitive company data, such as customer information, financial records, or intellectual property. This data can then be sold on the dark web or used for further attacks.
Attorney Impersonation
The attacker impersonates an attorney or legal representative, often involved in a real or fabricated legal matter. They may request confidential information or payments related to the supposed legal issue.
Vendor Email Compromise
Similar to account compromise, but specifically targeting vendors or suppliers. The attacker compromises a vendor’s email account and sends fraudulent invoices or payment requests to the company.
8 Best Practices for Preventing Business Email Compromise
Preventing Business Email Compromise (BEC) requires a multi-faceted approach that combines technical safeguards with employee awareness training.
1. Multi-Factor Authentication (MFA)
This is a non-negotiable baseline for protecting email accounts. Even if passwords are compromised, MFA adds a crucial extra layer of security, significantly reducing the risk of unauthorized access.
2. Email Filtering and Security Solutions
A robust email security solution is essential to filter out phishing emails, spoofed email addresses, spam, and malicious attachments before they reach employees’ inboxes. This proactive approach minimizes the chances of employees interacting with harmful content. It will not, however, block emails from a compromised account.
3. Comprehensive Security Awareness Training
The first line of defense against BEC is a well-informed workforce. Provide ongoing training on BEC scams, emphasizing the tactics used by attackers and the potential consequences of falling victim to these attacks.
- Use phishing simulation tools to test employees’ ability to identify and respond to phishing attempts.
- Include phishing simulations that appear to come from business partners and internal email accounts such as those of executives, and staff from IT and finance departments.
- Regularly remind employees of company security policies and procedures, and encourage them to report any suspicious activity.
- Create a culture of open communication where employees feel comfortable reporting security concerns without fear of reprisal.
4. Create a Culture of Compliance
Training alone isn’t enough to head off BEC. Foster an environment where employees feel empowered to question suspicious requests and report concerns without fear of reprisal. This open communication culture can disrupt BEC scams that rely on exploiting trust and authority.
Benefits:
- Clear protocols: Easy-to-follow steps on how to verify ANY unusual request, especially financial ones.
- Open communication channels: A safe way to raise concerns or ask questions without fear of repercussions.
- Support from management: Leadership actively encourages verification and makes it clear that security trumps speed.
- Normalizes verification: Makes double-checking requests a standard practice, not an exception.
- Fosters collaboration: Encourages employees to reach out to the actual person mentioned in a suspicious email, even if they’re in a different department or at a higher level.
5. Clear Verification Procedures
Establishing and enforcing clear protocols for verifying any unusual or high-value requests, especially those involving financial transactions or sensitive data, is crucial. This should include out-of-band verification through phone calls or other secure channels.
6. Optimized Accounting Systems and Controls
Implement strong internal controls, including transaction limits, multi-level authorization, and separation of duties, to prevent unauthorized or fraudulent transactions.
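The verification procedures in 5 and the accounting controls in 6 can be expressed as a release check that a payment workflow runs before funds move. The following is an added example, not Defendify code; the approval limit, roles and sample requests are constructed for illustration:

```python
from dataclasses import dataclass

# Hypothetical threshold: payments above this need a second independent approver.
SINGLE_APPROVAL_LIMIT = 10_000


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    bank_details_changed: bool      # new or changed account details on this request
    callback_verified: bool         # change confirmed by phone on the number of record
    requester: str                  # who entered the request
    approvers: tuple[str, ...]      # who has signed off so far


def outstanding_controls(req: PaymentRequest) -> list[str]:
    """Return the controls still missing before this payment may be released."""
    missing = []
    # Out-of-band verification: any change to payment details must be confirmed
    # through a channel the email sender does not control (a known phone number).
    if req.bank_details_changed and not req.callback_verified:
        missing.append("out-of-band callback on vendor's number of record")
    # Separation of duties: the person who raised the request cannot approve it.
    if req.requester in req.approvers:
        missing.append("separation of duties: requester cannot approve own request")
    # Transaction limit and multi-level authorization.
    independent = {a for a in req.approvers if a != req.requester}
    needed = 2 if req.amount > SINGLE_APPROVAL_LIMIT else 1
    if len(independent) < needed:
        missing.append(f"{needed} independent approval(s) required, have {len(independent)}")
    return missing


def may_release(req: PaymentRequest) -> bool:
    return not outstanding_controls(req)


# Constructed sample: an "urgent" invoice with new bank details, approved only by its requester.
SUSPICIOUS = PaymentRequest("Acme Supplies", 25_000, True, False, "jane", ("jane",))
# Constructed sample: routine payment, no detail change, one independent approver.
ROUTINE = PaymentRequest("Acme Supplies", 5_000, False, False, "jane", ("bob",))
```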
7. Incident Response Planning
A well-defined incident response plan ensures a swift and coordinated response in case of a BEC attack, minimizing potential damage and facilitating recovery.
8. Regular Data Backups
Routine backups of critical data protect against data loss or ransomware attacks that may accompany BEC scams.
Protect Your Organization’s Email Communications with Defendify
Defendify is an all-in-one cybersecurity platform that can significantly contribute to preventing Business Email Compromise (BEC) attacks.
Security Awareness Training
Organizations should consider partnering with a security awareness training vendor to equip employees with the skills to recognize phishing attacks.
Defendify’s awareness training and phishing simulation modules can educate employees about BEC tactics, reinforce good security practices, and help them recognize and respond to suspicious emails, significantly reducing the risk of human error.
Awareness Training
- Initial and Ongoing Education: Offer new hires a foundational understanding of cybersecurity through an introductory awareness video at the start of their employment. Reinforce this knowledge with annual refreshers for all employees.
Awareness Graphics
- Visual Reminders: Distribute digital or physical graphics throughout the workplace to serve as constant reminders for employees to stay alert against cyber threats.
Technology Acceptable Use Policy
- Clear Guidelines: Establish explicit expectations and provide comprehensive instructions regarding acceptable technology use in the workplace through a straightforward policy document.
Awareness Videos
- Engaging Training Content: Foster a strong cybersecurity culture by sharing relevant and engaging short training videos on a monthly basis to keep employees informed and vigilant.
Phishing Simulations
After training, employees need to test their skills. Defendify’s Phishing Simulation offerings give your employees a way to practice these techniques in a hands-on environment. Phishing simulations allow your employees to practice spotting phishing emails without the risk of real attacks. Regularly send unannounced fake phishing emails that mimic real malicious emails to employees. If any of them take the bait, it is important to educate them immediately after clicking on the link. These practices allow organizations to see who clicks on what and drive top-of-mind awareness.
Why Choose Defendify?
- Enterprise-grade protection, SMB-friendly: Get the same level of protection as large corporations, without the need for a massive in-house security team.
- Rapid time to value: Get up and running in days, not months, and see a fast return on your investment.
- All-in-one cybersecurity platform: Streamline your security operations with a single, easy-to-use platform that covers all your needs.
- Expert support: Our dedicated cybersecurity professionals act as an extension of your team, providing ongoing guidance and analysis.
- Transparent pricing: No hidden fees or surprises. Understand your investment upfront with clear and flexible pricing options.
Don’t wait for a BEC attack to cripple your business. Take action today and fortify your defenses with Defendify. Schedule a demo or contact our team to learn how we can help you.
FAQs
What is the difference between business email compromise and phishing?
While both BEC and phishing involve deceptive emails, there are some key differences:
Target and Specificity
- BEC attacks are highly targeted, focusing on specific individuals or departments within an organization, often executives or those involved in financial transactions.
- Phishing attempts are less personalized and target a broader audience.
Attack Complexity
- BEC schemes are carefully orchestrated, involving manipulating internal processes and communication protocols within a company.
- Phishing typically uses simpler techniques aimed at quick exploitation, like malicious links or attachments.
Objectives
- The primary objective of BEC is financial gain through manipulating business transactions like wire transfers or payment redirections.
- Phishing attacks may have broader objectives like identity theft, malware installation, or unauthorized system access.
How do you protect business emails?
Protecting business emails requires a multi-layered approach that combines technical controls and employee awareness:
- Technical Controls:
  - Implement strong password policies and multi-factor authentication (MFA) for all email accounts.
  - Use email filtering and security solutions to detect and block phishing attempts, spam, and malicious attachments.
  - Employ anti-virus and anti-malware software to protect against malware infections such as keylogging that can lead to account compromise.
  - Consider using secure email encryption for sensitive communications.
  - Implement a virtual private network (VPN) for secure remote access.
- Employee Awareness and Training:
  - Conduct regular security awareness training to educate employees about BEC and phishing scams.
  - Teach employees how to recognize and respond to suspicious emails.
  - Encourage employees to report any security concerns.
How do you detect BEC scams and fraud?
Detecting BEC scams requires vigilance and attention to detail:
- Be wary of unexpected or unusual requests: Especially those involving financial transactions or sensitive information.
- Verify requests through a separate channel: Confirm any unusual requests by contacting the sender directly through a known phone number or in person.
- Look for red flags in emails: Pay attention to inconsistencies in email addresses, domain names, or language.
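The red flags listed above (and the spoofing tactic described under "Email spoofing") can be checked mechanically on the headers of an incoming message. The following is an added example, not part of the original article or Defendify's product; the corporate domain, executive directory and sample messages are constructed:

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical corporate domain and executive directory (constructed for this example).
CORP_DOMAIN = "example.com"
EXECUTIVES = {"john doe": "john.doe@example.com"}
URGENCY = re.compile(r"\b(urgent|today|immediately|right now|asap|confidential)\b", re.I)
MONEY = re.compile(r"\b(payment|wire|invoice|gift cards?|bank)\b", re.I)


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a sender domain one or two edits from ours is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_flags(raw_message: str) -> list[str]:
    """Return the BEC red flags found in a raw RFC 822 message (empty list if none)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(addr)
    flags = []
    # Display name of a known executive, but the address is not their real one.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        flags.append("display-name-impersonation")
    # Sender domain closely resembles the corporate domain without being it.
    if from_dom and from_dom != CORP_DOMAIN and edit_distance(from_dom, CORP_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    # Replies would go somewhere other than the apparent sender's domain.
    if reply_to and domain_of(reply_to) != from_dom:
        flags.append("reply-to-mismatch")
    # Urgency combined with money language, the classic CEO-fraud pretext.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}"
    if URGENCY.search(text) and MONEY.search(text):
        flags.append("urgent-payment-language")
    return flags


# Constructed sample reproducing the opening email, sent from a lookalike domain.
SUSPICIOUS = """From: "John Doe" <john.doe@examp1e.com>
Reply-To: <john.doe.ceo@mail-example.net>
To: jane@example.com
Subject: Quick favour

Hi, Jane - I'm on a conference call right now. I can't talk on the phone
but let me know when you get this email. We need that payment made today.
"""
```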