Business email compromise, or BEC, is an email scam in which a cybercriminal targets a business in order to defraud it. BEC is a growing problem that has been victimising organisations of all sizes in every industry worldwide, and BEC scams have put organisations at risk of losing billions of dollars.
Email account compromise, or EAC, is a related threat that has been spreading quickly in today’s era of cloud-based infrastructure. BEC and EAC are often associated because compromised accounts are used in many BEC scams. Both are challenging to detect, particularly when organisations still rely on legacy tools, point products and the native defences of cloud platforms.
Five major types of BEC scams
- CEO fraud
Attackers pose as the CEO or another company executive and email a team member, usually in the finance department. Their goal is to have funds transferred to accounts controlled by the attackers.
- Account compromise
A team member’s email account is hacked and used to request payments from vendors. These payments are directed to fraudulent bank accounts owned by the criminals.
- False invoice schemes
Cybercriminals usually target companies that partner with foreign suppliers. The attackers pretend to be the supplier and request fund transfers to fraudulent accounts.
- Attorney impersonation
Attackers impersonate a lawyer or another legal representative. They commonly target junior employees who may not think to question the validity of the criminals’ requests.
- Data theft
These attacks usually target HR employees in an attempt to obtain sensitive information about the company’s members, such as CEOs and executives. The attackers use this data as leverage for future fraudulent activity.
How do BEC attacks work?
In a BEC scam, the attacker poses as someone the recipient should trust – typically a boss, colleague or vendor. The sender asks the recipient to make a wire transfer, divert payroll, or change bank details for future transactions.
BECs are tricky to detect because they don’t use malware or malicious URLs that traditional security defences can catch. Instead, BECs rely on impersonation and other social-engineering techniques that trick people into complying with the attacker’s requests. Investigating and remediating these attacks is difficult and time-consuming.
Impersonation techniques attackers use in BEC include domain spoofing and look-alike domains. These remain effective because domain misuse is a complex problem that hasn’t been solved yet: stopping domain spoofing is already hard enough, and anticipating every potential look-alike domain is harder still. The difficulty multiplies with the number of external partners you work with, since each partner’s domain can be imitated to exploit your trust.
In EAC, the cybercriminal gains access to and control of a legitimate account, which allows them to launch similar BEC-style attacks. In cases like this, the attacker isn’t just using domains and URLs that resemble legitimate ones; they use legitimate accounts themselves.
Because BEC and EAC exploit human error rather than technical vulnerabilities, they also require a people-centric defence that can detect, prevent and take action against these threats.
How do I protect myself and my business against BECs?
An effective BEC and EAC defence strategy secures all channels cybercriminals can exploit. Because BEC and EAC rely on willing, unknowing victims, email protection, attack visibility and user awareness all play vital roles in an effective defence.
Train your team members to be suspicious of the following and to report them right away:
- High-level executives asking for unusual information
- Requests to not communicate with others
- Requests that bypass normal channels
- Language issues and unusual date formats
- Email domains or “Reply-To” addresses that don’t match the sender’s address
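As an added illustration of the last two warning signs above, and of the look-alike domains described earlier, the following Python script is not part of the original article. It parses raw message headers and flags three things: a Reply-To domain that differs from the From domain, a sender domain that imitates a trusted internal or partner domain (after folding common character substitutions and allowing a small edit distance), and an executive’s display name on an address outside the company’s own domain. The domains, executive name, substitution table and sample messages are all constructed for the example and would need to be replaced with your own lists.

```python
"""Flag common BEC warning signs in raw RFC 5322 email headers.

Checks implemented:
  * Reply-To domain differs from the From domain
  * From domain is a look-alike of a trusted internal/partner domain
  * Display name matches a known executive but the address is external
"""
import email
from email import policy
from email.utils import parseaddr
from typing import List, Optional

# Constructed sample data (assumptions for this example): the organisation's
# own domain, its trusted partner domains, and the executives most likely to
# be impersonated in CEO fraud.
INTERNAL_DOMAIN = "acme-example.com"
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "supplier-example.com"}
EXECUTIVE_NAMES = {"jane doe"}

# Visually similar substitutions that are folded before comparing domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}
MAX_EDIT_DISTANCE = 2  # how "close" a domain must be to count as a look-alike


def normalise(domain: str) -> str:
    """Lower-case a domain and fold the substitutions in HOMOGLYPHS."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (classic row-by-row DP)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None.

    A trusted domain itself is never reported as a look-alike of another.
    """
    if domain in TRUSTED_DOMAINS:
        return None
    nd = normalise(domain)
    best = min(TRUSTED_DOMAINS, key=lambda t: edit_distance(nd, normalise(t)))
    return best if edit_distance(nd, normalise(best)) <= MAX_EDIT_DISTANCE else None


def domain_of(header_value: str) -> str:
    """Lower-cased domain part of an address header, '' if no address."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def display_name_of(header_value: str) -> str:
    """Lower-cased display name of an address header, '' if none."""
    name, _ = parseaddr(str(header_value or ""))
    return name.strip().lower()


def bec_red_flags(raw_message: str) -> List[str]:
    """Return human-readable warnings for the message, empty if none fire."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_hdr = str(msg.get("From", ""))
    reply_hdr = str(msg.get("Reply-To", ""))
    from_domain = domain_of(from_hdr)
    reply_domain = domain_of(reply_hdr)
    flags = []
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"From domain {from_domain} looks like trusted domain {imitated}")
    name = display_name_of(from_hdr)
    if name in EXECUTIVE_NAMES and from_domain != INTERNAL_DOMAIN:
        flags.append(f"Display name '{name}' matches an executive but address is external ({from_domain})")
    return flags


# Constructed sample messages: one typical CEO-fraud attempt, one legitimate.
SAMPLE_CEO_FRAUD = """\
From: Jane Doe <jane.doe@acme-examp1e.com>
Reply-To: Jane Doe <ceo.urgent@webmail-example.net>
To: accounts@acme-example.com
Subject: Urgent wire transfer

Please process the attached invoice today and keep this between us.
"""

SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@acme-example.com>
To: accounts@acme-example.com
Subject: Q3 numbers

See you at the meeting.
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", SAMPLE_CEO_FRAUD), ("legitimate", SAMPLE_LEGIT)):
        print(label, "->", bec_red_flags(sample) or "no warnings")
```

A script like this is a triage aid, not a replacement for mail-gateway controls: a message that passes all three checks can still be a compromised genuine account (the EAC case), which is exactly why the article pairs technical checks with user awareness and out-of-band verification of payment requests.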
Here are several more things to keep in mind to avoid becoming a victim of BEC and EAC:
- Be suspicious
It is better to ask for clarification, forward unusual emails to IT or check with colleagues than to send hundreds of thousands of dollars to a fraudulent company or bank account.
- If something doesn’t feel right, it probably isn’t.
Leaders should encourage members to trust their instincts, exercise good judgement and ask themselves, “Would my boss or colleague tell me this?” or “Why didn’t this vendor follow the standard protocol in requesting payments?”
- Slow down
Cybercriminals time their campaigns to coincide with your busiest season or time of day. If you go through your emails too quickly, you are more likely to miss red flags and fail to verify whether a particular request is legitimate.
There are millions of resources on the internet that can help you decide what to do about BEC, but as a business owner, running your business is more than enough to fill your schedule. We can help you implement adequate security strategies so you can focus on what you know best while we take care of protecting you and your business.