Business Email Compromise: Detecting and Preventing Email Fraud
Business Email Compromise (BEC) is a sophisticated social engineering attack in which cybercriminals impersonate executives, employees, or business partners by using, compromising, or spoofing their legitimate email accounts. The motive of business email compromise attacks is usually (although not always) financial in nature and generally involves misleading recipients into transferring money.
BEC attacks continue to surge in prevalence. A recent Microsoft report revealed 156,000 daily attempts detected between May 2022 and April 2023. Losses from a single business email compromise attack can easily hit hundreds of thousands or even millions of dollars, depending on the company targeted.
This article serves as a guide to help your business fully understand BEC attacks, including their mechanics, with some real-world recent examples for contextualizing the threat. You’ll also get some actionable detection and prevention strategies to help your business deal with this increasingly damaging cyber threat.
Understanding Business Email Compromise (BEC)
A threat actor carrying out a business email compromise scam impersonates or hijacks legitimate email accounts to deceive people. BEC attacks manipulate email communication to mislead recipients into transferring money or divulging sensitive information. This manipulation leans heavily on both the trust placed in various sources and commonly deployed social engineering techniques, such as creating urgency and/or phishing.
An interesting point about business email compromise is that these attacks are harder to detect using standard security tools because fraudulent emails rarely contain any malicious software that your systems can flag. A closer look at different types of BEC scams makes this challenge clearer:
CEO Fraud
In CEO fraud, cybercriminals impersonate the CEO or other senior company executives. Sending an email to the finance or accounts department requesting an urgent wire transfer results in financial gain by capitalizing on the authority of senior management.
CEO fraud attacks typically target employees with the authority to approve and send funds, such as those in your accounting or finance teams. The characteristic red flags of CEO fraud emails are a strong sense of urgency and often requests to keep the transaction confidential.
Invoice Scams
Invoice scams are a type of business email compromise attack in which threat actors impersonate a vendor or supplier and send fake invoices to your company. Sometimes this invoice is for a fictitious service, but other invoice scams involve exploiting relationships with trusted vendors/suppliers.
Characteristic signs include altered invoice details, like bank account information, and a sense of urgency or a ‘discount’ for immediate payment. The design and layout of invoices used in these scams mimic legitimate ones. Similar to CEO fraud, the aim is to trick your accounts payable department into making payments to bank accounts under the control of malicious actors.
Supplier/Vendor Compromise
In this business email compromise tactic, cybercriminals compromise the legitimate email accounts of actual suppliers or vendors. They then use these hijacked accounts to send legitimate-looking requests for payments, usually with a change in payment details.
Emails come from legitimate email addresses belonging to trusted vendors, which makes it hard to doubt their authenticity. The attacker often has in-depth knowledge of ongoing transactions and conversational patterns due to access to the supplier’s email history.
As with most BEC attacks, the aim is to financially benefit. By leveraging the trust between businesses and their suppliers/vendors, adversaries can redirect payments to their own bank accounts.
Business Email Compromise Scam Mechanics
While the forms it takes on vary from CEO fraud to vendor compromise, each business email compromise scam is a meticulously crafted type of social engineering attack. From gathering information to executing the final heist, there’s a clear strategy common in all BEC attacks. Here is a run-through of the mechanics of BEC to help you understand how it happens at a more granular level.
1. Reconnaissance
Before making any move, attackers first gather as much intel as they can about the targeted organization and its employees. Identifying the key employees, studying the company’s structure, and analyzing its business partners informs the type of business email compromise scam to use and who exactly to target. Reconnaissance leverages public sources like your company website, social media platforms, and professional networks like LinkedIn. It’s all about understanding who holds the strings to your company’s finances.
2. Initial Compromise
The attacker needs an entry point from which to deliver credible emails. This usually means compromising an email account within the company or that of a close business associate or vendor. Other tactics include forging sender addresses, registering spoofed domains with only slight variations in spelling from legitimate company websites/email addresses, or abusing subdomains.
3. Crafting the Attack
Equipped with information from initial recon efforts and from sometimes reading ongoing or past email threads, the threat actor crafts a convincing fraudulent email. Aside from using intel to make the email more believable, various social engineering tactics come into play here, including:
- Pretexting: Fabricating a scenario or pretext for the communication or request.
- Baiting: Offering something enticing to the victim that makes them more susceptible to the scam.
- Influence tactics: Using urgency, authority, or appeals to emotion to push the victim towards the desired action.
4. Executing the Attack
Here’s where the target employee receives the BEC email. The message typically urges quick or confidential action. As alluded to in the previous section on types of business email compromise scams, this might be a “CEO” needing an urgent wire transfer or a “vendor” updating their banking details.
The attackers, having studied your company, often mimic the tone, style, and email signature of the impersonated executive or vendor. The email might reference ongoing projects or use real-life events (like a CEO being on a business trip) to lend authenticity. We’ve even seen threat actors intentionally create fake email threads/conversations with other spoofed legitimate internal resources just to build up that urgent context and provide an indirect validation of yet another employee. For example, imagine a conversation seemingly spanning over several days or weeks where another colleague would have brought up the issue and discussed it with your fictitious CEO who, after all that delay in the process, then forwards you a request to make the payment promptly.
5. Money Transfer
If the deception works, the target employee approves an unauthorized transfer to accounts controlled by the malicious actor. To avoid immediate detection, attackers might set up rules in the compromised email account to delete or move emails related to the fraudulent transaction, which may buy them some time.
Once they’ve got the money, attackers will try to move it quickly, often through a series of international bank accounts to make tracking and recovery difficult. Crypto wallets are another common money laundering route.
Social engineering is at the heart of BEC attacks. By manipulating human psychology, leveraging trust, and exploiting a growing abundance of publicly available information, attackers weave convincing narratives that even savvy professionals sometimes fall for. The key is a blend of vigilance and continuous education to ensure that your staff can spot and react to these devious tactics.
Detecting Business Email Compromise
At the forefront of the strategies to detect business email compromise is effective employee training. After all, the best protection against BEC scams impacting your business is an informed workforce who knows what to look for. Regular training sessions, mock drills, and continuous awareness campaigns instill a sense of vigilance among your staff.
There are several red flags to look for that help discern real emails from business email compromise scams. Unexpected changes in bank account details, for example, require high degrees of suspicion and skepticism. Using any previously known communication alternatives (other than e-mail) for that provider/vendor/partner, confirm the changes directly with them. It should reduce risks greatly.
For urgent emails asking for money transfers, closely looking at the sender’s email address and comparing that to legitimate company domains can help detect some BEC scams, but not all. Use in-person checks and verifications or phone calls to verify any email that shows a sense of urgency concerning payment requests. In a remote work setup, create rules where the employee in doubt will pick up the phone or get on a video call with said individual requesting the action and confirming the payment.
Another good detection tip is to implement advanced email filtering. You can configure filters to quarantine emails with suspicious attachments or those from unrecognized senders. Furthermore, authentication protocols ensure that emails are genuinely from the claimed sender.
Preventing Business Email Compromise
A cornerstone strategy for preventing business email compromise attacks is strengthening authentication. Any email accounts used by your employees with weak authentication are easy pickings for cybercriminals. Bolstering email accounts with multi-factor authentication makes those accounts far less susceptible to being compromised because the hacker requires two distinct pieces of evidence to gain access rather than just a password.
While strong authentication is a preventative tactic for BEC scams based on account compromise, email domain authentication protocols ensure that only genuine entities can send emails on behalf of your organization. DMARC (Domain-based Message Authentication, Reporting & Conformance) is a protocol that verifies an email’s authenticity and then decides what to do if an email fails this check; either report it, quarantine it, or reject it outright.
DMARC uses two further protocols:
- SPF (Sender Policy Framework) allows domain owners to specify which IP addresses or servers may send emails on their behalf.
- DKIM (DomainKeys Identified Mail) acts as a digital signature by appending a unique code to outgoing emails that recipient servers can then verify.
Lastly, establish fortified verification processes around financial transactions to prevent successful BEC attacks. Mandatory callback verification requires recipients of emails containing financial requests at your company to always call back the requester using an agreed-upon phone number for verification.
Combating Business Email Compromise with Training
There’s a strong argument that the first line of defense against business email compromise isn’t a firewall or an email security tool—it’s your employees themselves. This human shield underscores the vital role of continuous security awareness training in equipping employees with the knowledge and tools to recognize and counter BEC attempts.
Cybercriminals are continually refining their tactics. As BEC schemes become more sophisticated, regular training ensures your employees stay updated on the latest threats. Repetition strengthens memory—regular training sessions embed best practices into the daily routines of your staff.
Some actionable tips to communicate to employees about BEC attacks include:
- Look out for subtle changes in email domains, such as “companyname.co” instead of “companyname.com”.
- Always be skeptical about sudden changes in bank details, urgent financial requests, or confidential information sharing.
- Before acting on any financial or sensitive request via email, verify its authenticity through a phone call or face-to-face conversation using pre-established contact methods.
- BEC emails may demonstrate unusual language, misspellings, or a tone that’s inconsistent with the purported sender’s typical communication style.
Recent Examples of Business Email Compromise
To truly contextualize the threat, it’s worth running through some recent real-world business email compromise examples.
Connecticut school district
An August 2023 story by ABC News reported that the New Haven Connecticut school district lost over $6 million in a series of business email compromise attacks. In an interesting blend of vendor impersonation and CEO fraud, the hackers managed to access an email account belonging to the school system’s chief operating officer (COO).
By studying the existing email threads and conversations with legitimate vendors, the cybercriminals then impersonated both the COO and the vendors to have funds directed to accounts under their control. Aside from demonstrating the sophistication of modern social engineering, this incident also serves as a reminder that no sector or organization is immune from the actions of profit-hungry hackers.
CEO fraud gang
In February 2023, Europol swooped in and dismantled a criminal network built up using a series of CEO fraud scams. In one spate of activity, the gang managed to steal 38 million Euros within the space of a few days. Victim companies included a large French metallurgical company and a real estate developer in Paris.
Business Email Compromise Use Cases
Business Email Compromise (BEC) scams are widespread and affect various sectors differently. Threat actors tailor these attacks to each sector’s unique characteristics and vulnerabilities. Here’s an exploration of scenarios in which BEC scams impact e-commerce platforms, non-profit organizations, and government agencies.
E-Commerce Platforms
An e-commerce platform receives an email, purportedly from one of its primary suppliers, indicating a change in bank account details for future payments. The platform transfers a significant sum to the new account without first verifying this change of details, only to later find out that the email was a business email compromise scam.
E-commerce platforms rely heavily on email communication with vendors, which makes them prime targets. The financial impact can be considerable. Additionally, there’s a risk to brand reputation, as delayed payments to genuine vendors could lead to stock shortages and customer dissatisfaction.
Cybercriminals hitting e-commerce platforms with BEC attacks often exploit the high volume of transactions e-commerce platforms handle. They bank on the likelihood that one or two transactions might go unverified.
Non-Profit Organizations
A non-profit receives an email, seemingly from the CEO, requesting an urgent wire transfer to a foreign bank to facilitate an “under-the-radar” humanitarian effort. Given the seemingly noble cause and the “confidentiality” stressed in the email, the finance team goes ahead without verifying. Later, they discover it was a scam.
Non-profits operate on tight budgets, and cyber scams can significantly impact their operations and charitable efforts. Attackers targeting non-profits often exploit their sense of urgency and mission. By mimicking senior personnel and conjuring scenarios that resonate with the organization’s ethos, they increase their chances of success.
Government Agencies
A government procurement officer receives an email, allegedly from an established contractor, detailing a change in payment processes due to “new financial regulations.” The email provides new bank details for the upcoming contract payment. The officer makes the payment only to realize later that the contractor’s email has been spoofed.
BEC scams in government agencies can lead to contractual complications, project delays, and a blow to public trust. A successful attack also raises alarms about the security of other sensitive information within the government’s IT environment.
Given the bureaucratic nature of many government agencies and the formal tone of most communications, attackers take a more sophisticated approach. They do ample research to get terminologies right and time their emails to coincide with actual ongoing projects or tenders.
Future of Business Email Compromise Prevention
Beyond the role of employee knowledge and awareness, emerging technologies like machine learning and AI have an important part to play in preventing future BEC scams. By analyzing email patterns AI-based systems can detect anomalies, such as a CEO suddenly sending an email at 3 AM requesting an urgent fund transfer. Machine learning algorithms can discern context from email content to flag potential BEC attempts that employ certain urgent or manipulative phrasings.
Biometric authentication, which uses unique physical attributes for verification, is emerging as a formidable defense against BEC. Integrating biometrics into MFA processes can further tighten email security. For example, an email request involving financial transactions could require both a fingerprint and a one-time passcode sent to a mobile device to provide what CISA defines as phishing-resistant MFA.
Conclusion
Business Email Compromise (BEC) isn’t just another buzzword in the cybersecurity space; it’s a potent and rising threat with real-world consequences. But the silver lining here is that this threat of BEC scams is not undefeatable.
A multi-layered defense strategy is paramount. By intertwining advanced technological solutions with stronger authentication methods, you can lay a formidable foundation for defense.
Technology alone isn’t a panacea, though. Vigilant employees, trained to spot and report anomalies, are the frontline warriors in this ongoing battle. Staying informed, educated, and proactive is the best way to ensure that your employee’s inboxes remain secure.
At Kelvin Zero, we are building next-gen authentication and trust solutions to help secure your digital future. With Multi-Pass, not only can you protect your organization against BEC attacks, but you can start your zero-trust journey with a completely phishing-resistant and enterprise-secure passwordless solution. Contact us today and set up a demo to learn more about Multi-Pass and how we can help you integrate trust throughout all of your operations.