In the era of digital communication, email has become the backbone of business correspondence. It’s quick, convenient and essential for conducting operations.
However, a sophisticated threat known as business email compromise (BEC) has become a significant concern for companies worldwide, leading to substantial financial losses and reputational damage.
Understanding what BEC is, its intricacies and preventive measures to safeguard against it are essential for organizations.
Read: The Top 9 Cyber Attacks Your Company Could Face
What Is Business Email Compromise (BEC)?
BEC is a type of phishing attack in which attackers impersonate key personnel within a company to deceive employees, customers, or vendors into taking actions that benefit the perpetrator. The deception takes place with falsified emails, and these scams rely on a variety of techniques, including domain spoofing, lookalike domains and compromised accounts.
The ultimate goal is financial gain, typically through wire transfer fraud or invoice manipulation. However, obtaining sensitive information, like login credentials or confidential company data, and identity theft can be other BEC goals. In 2023, BEC attacks cost almost $3 billion in reported losses, though Toyota lost almost $37 million in 2019 from a BEC attack.
How Does Business Email Compromise Work?
BEC attacks often begin with reconnaissance, where cyber criminals gather intelligence about the targeted victim. This may involve scouring publicly available information, monitoring social media profiles or even hacking into email accounts to study communication patterns and identify potential targets.
Once armed with sufficient information, the attacker crafts convincing and seemingly-legitimate emails to mimic the language, style and even the email addresses of high-ranking executives or trusted colleagues. If the cyber criminal was able to hack into the email account beforehand, they send the email from there, making it appear more legitimate. These emails often contain urgent requests for high-risk actions like transferring funds, making changes to payment details or revealing sensitive information. The message will also request that the victim keep the information about the request secret.
Unlike regular phishing attacks, in which the cyber criminal sends a general message to a wide variety of victims, BEC targets a specific individual. BEC emails also don’t typically contain malicious links and attachments, which allows them to surpass email filters; instead, they contain persuasive, personalized text to get the victim to act quickly and before they can think about the request.
This means that the success of BEC attacks hinges on social engineering tactics rather than technical exploits. By exploiting trust and authority, the cyber criminal can manipulate the victim into bypassing standard protocols to authorize fraudulent transactions or divulge confidential information without first verifying the request.
Variants of Business Email Compromise
BEC attacks come in five different forms, each tailored to exploit different vulnerabilities within an organization:
- Account compromise: An account compromise attack takes advantage of a compromised email account. The attacker can request invoice payments from customers or vendors and then alter the payment details, redirecting funds to their accounts instead of the intended recipient.
- Attorney impersonation: This type is when the cyber criminal takes advantage of the idea that low-level employees will comply with requests from legal representation because they don’t have the knowledge or authority to validate the request.
- CEO fraud: This is when the attacker impersonates the CEO or higher C-level executives, instructing employees to make urgent wire transfers or disclose sensitive information under the guise of a confidential project.
- Data theft: BEC attacks do more than only steal money from a business. They can also target HR personnel to try and steal sensitive information about staff. This information can then be sold on the Dark Web or used in future attacks.
- False invoice scheme: This is when the attacker pretends to be a vendor and requests payment for services performed. They often use a realistic invoice template but change the bank account information to the attacker’s account.
Preventative Measures Against Business Email Compromise
Mitigating the risk of BEC requires a multifaceted approach that combines technology, policies and employee awareness:
- Employee training: Since most BEC tactics involve targeting employees, training them about the tactics used in BEC attacks and best practices for email security is crucial. Encourage a healthy skepticism toward unsolicited requests, especially those involving financial transactions or sensitive data.
- Implement email authentication protocols: Utilize email authentication protocols like Domain-based Message Authentication, Reporting and Conformance to verify the authenticity of incoming emails and detect proofed or fraudulent messages.
- Enforce multi-factor authentication: Enforce multi-factor authentication (MFA) for sensitive transactions or account access to add an extra layer of security against unauthorized access.
- Regular security audits: Conduct periodic assessments of email security protocols, employee adherence to policies and system vulnerabilities to identify and address potential weaknesses.
- Double-check requests with the sender: If you receive a suspicious email from your CEO requesting you wire them money, contacting the original sender and confirming their request never hurts. You can also confirm the email address used. If your CEO’s email is ceo@company.com but the request came from ce0@c0mpany.com, you know it’s fake.
- Make yourself a hard target: BEC attackers often scan social media sites and other publicly available sites for information on their victims. Ensure your social accounts are private and watch what you post online. Avoid sharing information like pet names, old schools, family members or your birthday, as these are often linked to security questions.
- Use a secure email platform: Email apps like Outlook can be powerful deterrents to suspicious emails or unverified email senders. They also allow you to block specific senders and report emails as spam.
Work with Thriveon to Fight Against BEC Attacks
At Thriveon, we know how important it is to keep your confidential data and money safe from cyber criminals. That’s why we offer robust cybersecurity and managed IT services that help fight cyber attacks, including BEC scams.
Schedule a meeting with us now to see how we can help your business.