What is Business Email Compromise? Types, Examples & Prevention
Business Email Compromise (BEC) is a sophisticated social engineering attack in which organizations lose confidential company information and other sensitive data to attackers. How common is it? Official records rank it among the costliest cyber threats: globally, companies lose thousands of dollars to BEC attacks. The scale of that impact alone shows how consistently attackers are running this scam. It is a serious concern that needs to be addressed.
Let's shed some light on this advanced scam.
Brief Introduction to Business Email Compromise
Definition – Business Email Compromise (BEC) is a form of phishing attack in which attackers target a business entity to steal corporate data. It is one of the online scams that causes the most financial harm.
Since almost every organization relies on email to operate, cybercriminals choose this platform to lure people.
The trickier part is that fraudsters typically use the identity of someone on the corporate network to trick their target, which makes it harder to discover the actual culprit behind these attacks.
But fret not! The examples discussed in the coming sections will give you an idea of how the scam looks.
Now, the question arises:
Who are The Targets of the BEC Scam?
The target can be anyone: businesses, government, schools, non-profits, etc. Name any professional entity and it could be on cybercriminals' radar.
Still, they choose their targets carefully and are very specific about the roles their victims play, such as:
- Executives and leaders, because information about them is frequently made public on the company website, allowing attackers to pose as their friends or acquaintances.
- Employees with access to banking information, payment options, and account numbers, such as controllers and accounts payable staff.
- Human resource managers, who have access to employee information such as social security numbers, tax returns, contact details, and schedules.
- New or entry-level employees, who may not be in a position to confirm an email's veracity with the sender.
In fact, attackers carry out this scam in multiple forms. Let's take a look at those.
Different Types of Business Email Compromise
Five common and widely executed BEC scams have been seen so far:
- CEO Fraud: An attacker poses as the CEO or another executive of a firm and emails someone in the finance department asking for money to be transferred to an account the attacker controls.
- Account Compromise: Payment requests to a vendor are sent from a hacked employee's email account, and the attacker's fake bank accounts are then used to receive the payments.
- False Invoice Scheme: Attackers frequently use this strategy against companies with overseas suppliers. The con artist poses as the supplier and asks for money transfers to fake accounts.
- Attorney Impersonation: An attacker impersonates a lawyer or other legal professional. These attacks frequently target lower-level employees because they lack the knowledge to question the legitimacy of the request.
- Data Theft: Sometimes attackers start by going after the HR division and stealing data from the business, such as a person's schedule or personal phone number. That makes it simpler to carry out one of the other BEC frauds with greater credibility.
But how do the fraudsters carry out those attacks? Let's find out.
How does Business Email Compromise Work?
In a BEC scam, the perpetrator assumes the identity of someone the victim should be able to trust, usually a coworker, supervisor, or vendor. The sender then asks the victim to make a wire transfer, redirect payroll, update banking information for upcoming payments, or carry out a similar request.
Because BEC attacks don't involve malware or malicious URLs that traditional cyber defenses can examine, they are challenging to identify. Instead, BEC attacks rely on impersonation and similar techniques to trick individuals into acting as the attacker's agents.
In practice, many impersonation strategies, including domain spoofing and lookalike domains, are used in BEC schemes. These attacks succeed because domain misuse is hard to control: it is challenging enough to stop domain spoofing, and foreseeing every prospective lookalike domain is far harder. The problem only gets worse as more domains owned by outside partners are used in BEC attacks to prey on consumers' trust.
Because of their targeted nature and their use of advanced psychological manipulation, these attacks are challenging and time-consuming to investigate and address manually.
However, you can get a general idea of how to spot the culprit if you know what the scam looks like. Let's explore some examples.
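The impersonation tricks described above (domain spoofing, lookalike domains) and the red flags discussed later on this page (mismatched addresses, pressure to act immediately) can be screened for mechanically before a message reaches an employee. The script below is an added example written for this page, not code from the original article: it parses an email's headers, checks the sender domain against a trusted-domain list for homoglyph and one-character-off lookalikes, flags a Reply-To that points to a different domain than From, and looks for urgency wording. The trusted-domain list, the homoglyph table, the keyword list and both sample messages are constructed assumptions for illustration.

```python
"""Screen an email for common BEC red flags (added example, not from the original article)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: the organization maintains a list of domains it legitimately corresponds with.
TRUSTED_DOMAINS = {"example-corp.com", "trusted-vendor.com"}

# Constructed table of look-alike substitutions attackers commonly use in lookalike domains.
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed list of phrases typical of BEC pressure tactics (subject or body).
URGENCY = re.compile(
    r"\b(urgent|immediately|asap|wire transfer|keep this (just )?between us|confidential)\b",
    re.IGNORECASE,
)


def normalize(domain):
    """Collapse homoglyphs so 'exarnple-c0rp.com' compares equal to 'example-corp.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPH_PAIRS:
        d = d.replace(fake, real)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated.

    A distance threshold of 1 suits domains of realistic length; very short
    domains would need a stricter rule to avoid false positives.
    """
    if domain in trusted:
        return None
    for t in trusted:
        if normalize(domain) == normalize(t) or levenshtein(domain, t) <= 1:
            return t
    return None


def domain_of(header_value):
    """Extract the lower-cased domain from a From/Reply-To header value."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def analyze(raw_email):
    """Return a list of red-flag labels found in the raw RFC 5322 message."""
    msg = message_from_string(raw_email)
    flags = []
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    imitated = lookalike_of(from_dom)
    if imitated:
        flags.append(f"lookalike-domain:{from_dom}~{imitated}")
    # Replies silently routed to another domain are a classic BEC tell.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to-mismatch:{reply_dom}")
    body = msg.get_payload() if isinstance(msg.get_payload(), str) else ""
    if URGENCY.search(f"{msg.get('Subject', '')}\n{body}"):
        flags.append("urgency-language")
    return flags


# Constructed sample: the 'rn' in the From domain imitates 'm', and Reply-To goes elsewhere.
SAMPLE_BEC_EMAIL = """\
From: "Jane Doe, CFO" <jane.doe@exarnple-corp.com>
Reply-To: jane.doe.cfo@mail-example.net
To: accounts.payable@example-corp.com
Subject: URGENT: overdue vendor invoice

Please wire the attached invoice amount today. Keep this just between us.
"""

# Constructed sample of an ordinary internal message that should raise no flags.
SAMPLE_LEGIT_EMAIL = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Q3 budget review notes

Attached are the notes from this morning's meeting.
"""

if __name__ == "__main__":
    print("BEC sample flags:  ", analyze(SAMPLE_BEC_EMAIL))
    print("Legit sample flags:", analyze(SAMPLE_LEGIT_EMAIL))
```

Run as a script to see the flags for both constructed messages. The checks are deliberately independent so each one can be tuned or replaced: the homoglyph table and edit-distance threshold govern lookalike detection, while the keyword list only adds a weak signal and should never be the sole reason to block a message.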
Examples of Business Email Compromise
Here are some common examples of BEC scams.
Example 1: Pay This Important Bill
Imagine you are employed in your company's finance division. You receive an urgent email about a past-due bill from the CFO, but it isn't really from the CFO. Or the con artist emails you an invoice that appears to come from your internet service provider or repair firm.
Example 2: What is Your Phone Number
You receive an email from a company executive asking for help with a brief task: "I'll text you if you send me your cell phone number." The con artist is hoping that you will text them payment details or other sensitive information, because texting feels safer and more intimate than email. This is known as "smishing."
Example 3: Your Lease is About to End
When a con artist gains access to a real estate company's email, they can view active deals. They send clients emails with subject lines like "Here's the bill to renew your office lease for another year" or "Here's the link to pay your lease deposit." Recently, con artists used this technique to defraud someone of more than $500,000.
Example 4: Top Secret Acquisition
Your boss requests a deposit in order to buy out one of your rivals. "Keep this just between us," the email states, deterring you from validating the request. At first glance this fraud might not look suspicious, because M&A information is frequently kept under wraps until everything is final.
What are The Consequences of BEC?
If a business email compromise attack succeeds, your company might:
- lose $100,000 to $1,000,000 in total.
- expose people whose personally identifiable information was stolen to widespread identity theft.
- accidentally divulge private information or intellectual property.
Threat protection techniques evolve along with BEC schemes; Microsoft, for instance, stopped 32 billion email threats in 2017. Find out more about Microsoft's solutions for protecting against email threats.
Security Tips to Prevent Business Email Compromise
Here are some tips for avoiding BEC fraud and keeping businesses secure in the face of these increasingly frequent attacks:
- Exercise caution. It is preferable to seek clarification, email IT, or consult a colleague before moving hundreds of thousands of dollars to a fictitious Chinese firm.
- If it doesn't feel right, maybe something is wrong. Employees need to trust their instincts and ask probing questions such as, "Would my CEO honestly request this of me?" to protect against business email compromise.
- Remain calm. Attackers frequently schedule their campaigns to coincide with the busiest times of the day, for good reason: a human resources manager who is reviewing emails rapidly is less likely to pause and consider whether a particular request is questionable.
Note: For any kind of cybersecurity assistance and services, you may contact our security team!
Q- What are common red flags of BEC scams?
Unusual emails, requests for sensitive information, or emails that pressure you into an instant decision all indicate that something is wrong.
Q- What is the primary goal of executing Business Email Compromise attacks?
The main motive is financial gain. Some attacks also aim to damage the victim both financially and professionally.
Q- Do the attackers target any specific industries to execute the BEC scam?
Attackers often target industries that carry out large financial transactions on a regular basis, such as real estate, finance, and healthcare.
Q- What to do if my business falls victim to a Business Email Compromise attack?
First and foremost, report the attack to law enforcement and to your email service provider. Next, consult cybersecurity experts so they can thoroughly investigate the breach, contain it, and attempt to recover the lost funds.