The Complete Guide to Business Email Compromise (BEC) and How to Prevent It
The fact that criminals are actively using e-mail schemes to defraud public institutions, small and large businesses, and their clients can be considered yesterday’s news. Most corporate financial transactions are nowadays digital and this is leading to an increase in financial crime from cyber fraud.
The BEC term covers a wide variety of malicious behavior, but all forms of Business Email Compromise have one thing in common: the attacker needs either access to a genuine business email account or a convincing imitation of one.
What Is BEC?
Business Email Compromise (BEC) is a type of targeted scam in which an attacker impersonates a company executive or high-level employee with the intent of defrauding or extracting sensitive data from the company or its partners. The end goal of a BEC fraud is to persuade the target to make a money transfer or send sensitive data to the attacker while believing they are executing a legitimate and regular business operation.
Attackers achieve this by using different manipulating techniques in order to trick users into providing money or data.
How a BEC Scam Works
Well, like all social engineering attacks, BEC fraud relies on the human factor in order to be successful. This means that the innate human tendency to be a social creature is what will be exploited here.
Because people have a natural desire to be helpful and to prove their usefulness, they are likely to become victims of BEC attacks. The impulse to say ‘yes’ quickly to a request from management overrides the need to double-check whether the request is in order in the first place.
In most BEC attacks, there are three major stages:
Also known as the “man-in-the-email” attack, BEC scams start with a large amount of research, with the attacker going through publicly available information about the company, like websites, press releases, or social media published content.
After diligently researching their targets for some time, the attacker develops a few scam scenarios that might work.
The attacker then tries either to obtain access to the email accounts of influential people in the company or simply to impersonate them. Impersonation can be as cheap as registering a look-alike domain that differs from the real one by a single added digit or letter; an email from such a domain is easy to mistake for the genuine article.
Depending on the adversary’s thoroughness, the BEC attack can occur in a single email or throughout an entire thread. To earn the victim’s trust, this communication frequently employs persuasion, urgency, and authority. The attacker then instructs the victim either to make a money transfer or to send sensitive data.
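The look-alike domain trick described above (one added or swapped character, or a visually similar character) is something a mail gateway or a finance team's triage script can check for mechanically. The following is an added example, not code from the original article or from any product it mentions: it compares the sender domain of an inbound From: header against a constructed list of trusted domains and flags near-misses. The trusted-domain list, the homoglyph table and the sample headers are all constructed for illustration.

```python
"""Flag sender domains that nearly match a trusted domain.

Added example (not from the original article). The trusted-domain list,
the homoglyph table and the sample From: headers are constructed.
"""
from email.utils import parseaddr

# Constructed list of domains the organization normally transacts with.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.example", "paylaw.example"}

# Characters that look alike in common fonts; applied before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Lower-case the domain and collapse common visual confusables
    (digits for letters, 'rn' for 'm', 'vv' for 'w')."""
    d = domain.lower().translate(HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w")


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header, or '' if there is none."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"            # exact match or a subdomain of a trusted name
    norm = normalize(domain)
    for t in trusted:
        if norm == normalize(t) or edit_distance(norm, normalize(t)) == 1:
            return "lookalike"      # one character off, or confusable characters
        if domain.startswith(t + "."):
            return "lookalike"      # trusted name reused as a prefix of another domain
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for hdr in ["Accounts <ap@acme-supplies.example>", "CEO <ceo@examp1e.com>",
                "CEO <ceo@exarnple.com>", "ceo@example.co",
                "vendor@paylaw.example.evil.test", "news@unrelated.test"]:
        print(f"{classify_sender(hdr):10} {hdr}")
```

The verdict is only a triage signal: a "lookalike" result should route the message to a human check rather than block it outright, and a "trusted" result says nothing about whether the account itself has been compromised, which is why the approval controls later in the article still matter.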
Most Common Types of BEC Attacks
The Bogus Invoice Scheme
This scam often targets companies working with foreign suppliers. The attackers pretend to be a supplier requesting that payments be sent to an account owned by the fraudsters.
In a related variant, after collecting the necessary data, attackers pose as the company CEO or another high-level executive and email employees in finance, requesting money transfers to an account they control.
Email Account Compromise (EAC)
An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
In other cases, attackers pretend to be a lawyer or someone from a law firm who is supposedly in charge of crucial and confidential matters. These requests usually arrive by email or phone at the end of the business day, when the victim is tired and less focused.
This type of scam usually targets employees from the HR and bookkeeping departments. The employees are targeted in order to obtain personally identifiable information (PII) or tax statements of employees and executives, important data that can be used in future attacks.
Business Email Compromise Statistics and Examples
In July 2019, the city of Atlanta lost over $800,000 just because of two simple emails from scammers. Using rudimentary phishing techniques, the fraudulent party simply got the city administration employees to wire two huge transfers into their accounts. In our experience, BEC fraudsters have begun to target institutions more and more, precisely because their awareness of Business Email Compromise is lower, and their defense systems tend to be underdeveloped compared to those of businesses.
In 2017, over 77% of all companies experienced fraud via a BEC attack. Between Q4 2017 and Q4 2018, there was a spike of 476% in all business email compromise attempts, according to Proofpoint. That’s an explosive growth rate, and it is clearly fed by how well these tactics work.
In the autumn of 2018, the Australian authorities also reported noticing a significant spike in all business email compromise incidents. In one case, a business owner lost $40,000 by paying a fake invoice to a supplier whose account had been compromised.
Some of the criminal groups behind these attacks, like the London Blue group, are continually refining their techniques. Recent March reports indicate that BEC attacks may be moving to mobile, under the guise of SMS texts. In any case, the market for BEC remains ripe and will probably continue growing, since other types of cyberattacks are costlier and require more technical knowledge than a basic BEC.
How to prevent Business Email Compromise?
1. Train your employees
An extremely important step an organization must take in safeguarding against BEC is to provide employees with adequate cybersecurity training.
Employees should be aware of the risks and implications that these attacks hold, as well as how to spot scams and properly respond to an incident of this sort.
BEC attacks have a high success rate not because they are so technologically sophisticated, but because they are exploiting human vulnerabilities, like a response to authority, schedule, or even tiredness.
You can mitigate these risks using clear communication of roles and expectations whilst providing appropriate guidance in the use of IT and accounting controls.
Cybersecurity risks come in a wide variety of shapes and sizes, making it critical to recognize, disclose, and properly respond to a cyber threat.
Although it may seem obvious, human error is responsible for 95% of effective cyber-attacks. Managers should bear in mind that hackers don’t just break into the IT department by sheer force; they look for weaknesses.
As a result, every job in the organization is responsible for cybersecurity knowledge and abilities.
Making cyber security everyone’s responsibility is extremely important. Include management and IT in your education program, hold regular cyber security sessions, and create specific rules for email, internet browsing, social networks, and mobile devices.
It’s true that there’s no foolproof method that you can use to protect your business, but educating your employees about security threats and best practices for online behavior and privacy can greatly reduce the possibility of a BEC scam.
2. Encourage employees to challenge suspicious requests
Sometimes employees tend to rush an action or a response, therefore training them to double-check before executing a task could reduce the risk of being compromised by a cyber attack.
Let’s take as an example an email coming from a senior executive in the company in which a large amount of money is requested in an urgent manner.
Employees should understand that it’s better to delay the payment than to be scammed and take the proper steps in making sure the request that came their way is actually legit.
Another aspect that needs to be better applied and understood, especially in larger companies, is making employees feel comfortable contacting their managers not only via email but also through alternative channels like internal chat systems, SMS, and even phone calls, so that a request can be verified out of band.
Any organization requires effective communication. Organizations must have complete policies and methods for communicating with their constituents, workers, and stakeholders, as well as the general public, in order to be successful.
3. Payments approval process
Organizations should map the existing workflow used for wire transfers and analyze their processes in depth to identify weaknesses and opportunities for improvement. Examples include limiting the amount of money each executive can approve and requiring explicit authorization for wire transfers, including a protocol for approvals in the specific cases where senior executives are themselves the initiators of a transaction.
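To make the controls above concrete, here is an added example (not from the article, and not any vendor's product) of a wire-transfer approval policy expressed in code: per-role approval limits, dual approval above a threshold, a ban on approving one's own request, and a separate rule that an executive-initiated transfer or a payment to a previously unseen beneficiary account must be confirmed out of band before it can proceed. The role names, limits, thresholds and sample requests are all constructed assumptions.

```python
"""Wire-transfer approval policy with per-role limits and an extra rule for
executive-initiated transfers.

Added example (not from the original article). Roles, limits, thresholds
and the sample requests are constructed for illustration.
"""
from dataclasses import dataclass, field

# Constructed per-role approval limits, in currency units.
APPROVAL_LIMITS = {"manager": 10_000, "director": 50_000, "cfo": 250_000}
DUAL_APPROVAL_THRESHOLD = 25_000   # above this amount two distinct approvers are required
EXECUTIVE_ROLES = {"ceo", "cfo"}   # initiator roles that trigger the out-of-band rule


@dataclass
class TransferRequest:
    amount: float
    beneficiary_iban: str
    initiator: str                   # user id of whoever asked for the payment
    initiator_role: str
    approvals: list = field(default_factory=list)   # list of (approver_id, role)
    callback_verified: bool = False  # confirmed with the initiator by phone/chat, not email


def evaluate(req: TransferRequest, known_ibans: set) -> tuple:
    """Apply the policy and return (approved, reasons). An empty reasons
    list means every control passed."""
    reasons = []
    approvers = {approver for approver, _ in req.approvals}
    roles = [role for _, role in req.approvals]

    # Segregation of duties: the requester may not approve their own transfer.
    if req.initiator in approvers:
        reasons.append("initiator cannot approve own transfer")

    # At least one approver must hold a limit covering the full amount.
    if not any(APPROVAL_LIMITS.get(role, 0) >= req.amount for role in roles):
        reasons.append("no approver with sufficient limit")

    # Large payments need two different people, regardless of their limits.
    if req.amount > DUAL_APPROVAL_THRESHOLD and len(approvers) < 2:
        reasons.append("dual approval required above threshold")

    # The article's special case: executives can be impersonated, so a
    # transfer they initiate is confirmed through a second channel.
    if req.initiator_role in EXECUTIVE_ROLES and not req.callback_verified:
        reasons.append("executive-initiated transfer needs out-of-band confirmation")

    # A beneficiary account never paid before is the classic changed-IBAN signal.
    if req.beneficiary_iban not in known_ibans and not req.callback_verified:
        reasons.append("new beneficiary account needs out-of-band confirmation")

    return (not reasons, reasons)


# Constructed set of beneficiary accounts paid in the past.
KNOWN_IBANS = {"XX00PLACEHOLDER0001", "XX00PLACEHOLDER0002"}


def routine_request() -> TransferRequest:
    return TransferRequest(8_000, "XX00PLACEHOLDER0001", "alice", "clerk",
                           approvals=[("bob", "manager")])


def urgent_ceo_request() -> TransferRequest:
    """Shape of a typical BEC request: big, urgent, new account, 'from the CEO'."""
    return TransferRequest(40_000, "XX00PLACEHOLDER9999", "ceo1", "ceo",
                           approvals=[("bob", "manager")])


if __name__ == "__main__":
    for req in (routine_request(), urgent_ceo_request()):
        ok, why = evaluate(req, KNOWN_IBANS)
        print("APPROVED" if ok else "BLOCKED", why)
```

Note that `callback_verified` can only be set by a person who reached the initiator through a channel other than the email that carried the request; if the same inbox that asked for the money could also mark it verified, the control would be no stronger than the email itself.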
4. Deploy cybersecurity solutions
Raising employee awareness about scams and BEC fraud is always a good idea, but businesses shouldn’t rely solely on this.
What We Are Doing to Help With Business Email Compromise
As mentioned above, the tricky part about BEC attacks is that they aren’t detectable by conventional security solutions. Luckily, we aren’t a regular cybersecurity company either. Since we’re striving to stay on top of the hackers’ game, we thought about what we can do to proactively prevent their plans from materializing.
To help thwart the wave of rising business email compromise incidents, we have launched Heimdal™ Email Fraud Prevention, a new module specifically designed to prevent BEC attacks. The new security layer is powered by 125 different vectors so that no suspicious email can pass its analysis. It can pick up on the slightest alterations, such as a changed IBAN code in an otherwise legitimate string of emails.
Heimdal™ Email Fraud Prevention is a highly specialized solution in detecting email fraud and can work as an add-on to existing Spamfilter solutions or in conjunction with all the other cybersecurity modules we offer.
With the new Heimdal™ Email Fraud Prevention module installed into your company’s systems, you can make sure that all employees within your organization are protected from business email compromise attacks. The BEC shield will signal everyone who’s receiving an email whether that email is legit or not, regardless of how correct the email address seems to be.
This way, you can focus on what really drives your business without needing to worry about business email compromise on top of everything.
Heimdal® Email Security
- Completely secure your infrastructure against email-delivered threats;
- Deep content scanning for malicious attachments and links;
- Block Phishing and man-in-the-email attacks;
- Complete email-based reporting for compliance & auditing requirements;
Lastly, don’t forget that you can keep up with critical security info via our newsletter and alerts, so if you haven’t subscribed yet, do so.