What is Business Email Compromise (BEC)?

Business Email Compromise Defined

Business Email Compromise (BEC) is a type of cybercrime where attackers infiltrate or spoof legitimate business email accounts to deceive organisations into transferring money or sensitive information. This scheme often involves extensive social engineering tactics to manipulate and exploit the trust within an organisation.

Attackers typically research their targets to impersonate senior executives, vendors, or trusted partners, sending fraudulent emails that appear authentic and urgent.

BEC attacks can result in significant financial losses and data breaches. These crimes exploit the lack of robust email authentication protocols and human vulnerabilities, making them difficult to detect. Common objectives include redirecting payroll, initiating wire transfers to fraudulent accounts, or obtaining confidential company information.

The success of BEC relies heavily on the credibility of the emails, often avoiding malware or links that could trigger security defences, focusing instead on simple, believable communication to achieve their aims. This subtlety and sophistication make BEC a highly effective and prevalent threat to businesses worldwide.

Types of BEC Attacks

Cyber security experts and law enforcement often identify five major types of BEC attacks, each targeting specific organisational roles and financial processes. Here's a breakdown of each type:

CEO Fraud (Executive Email Compromise):

Attackers impersonate high-level executives, such as CEOs or CFOs, and request urgent, confidential transactions. The emails typically target employees with the authority to handle wire transfers, instructing them to transfer funds to fraudulent accounts under the guise of pressing business matters.

Account Compromise:

In this type, a legitimate email account within the organisation is hacked. The compromised account is then used to request invoice payments or other financial transactions from vendors or business partners. Since the request originates from a legitimate account, it often bypasses suspicion and security checks.

Attorney Impersonation:

Cybercriminals pose as legal representatives, such as solicitors or barristers, handling confidential or time-sensitive matters. These attacks commonly occur at the end of the business day or during off-hours, adding a sense of urgency and reducing the likelihood of verification before action is taken.

Data Theft:

Instead of directly stealing money, attackers focus on obtaining sensitive information, such as tax statements, personally identifiable information (PII), or employee records. This data can be used for future attacks, identity theft, or sold on the dark web. Typically, HR departments or financial officers are targeted for this kind of information.

False Invoice Scheme:

Here, attackers compromise the email accounts of suppliers or business partners. They then send fraudulent invoices to the organisation, requesting payments to new, attacker-controlled bank accounts. Since the invoices appear to come from trusted partners, they often pass through standard checks without raising alarms.

Identifying BEC Attacks

To identify BEC attacks, be vigilant about several key indicators:

1. Email Anomalies: Look for subtle discrepancies in email addresses, such as slight misspellings or changes in domain names. Verify any unexpected or unusual requests directly through known, trusted communication channels.
2. Urgency and Pressure: Be cautious of emails that create a sense of urgency or pressure to act quickly, especially if they deviate from normal business procedures.
3. Unusual Payment Requests: Scrutinise requests for atypical payment methods, changes in payment instructions, or payments to unfamiliar accounts. Cross-check with the supposed sender via a different communication method.
4. Content and Tone: Pay attention to the tone and language used in the email. An unexpected level of formality or informality, or phrases that don't match the sender's usual communication style, can be red flags.
5. Missing Information: Be wary of emails lacking usual details, such as incomplete signatures or missing company logos, which might indicate a spoofed email.
6. Unexpected Attachments or Links: Avoid opening attachments or clicking on links in unsolicited emails, even if they appear to come from a known contact. Verify their legitimacy first.

By maintaining a healthy scepticism and verifying details through established, secure channels, employees can better identify and prevent BEC attacks.

What is the Difference Between Phishing and BEC?

Traditional phishing broadly targets individuals by sending deceptive emails designed to steal personal information or infect systems with malware. It often includes generic messages and malicious links or attachments.

In contrast, BEC is a highly targeted attack focusing on specific individuals within an organisation, such as executives or financial officers. BEC relies on social engineering to impersonate trusted figures and requests legitimate business transactions or sensitive information, usually without using malicious links or attachments, making it more sophisticated and difficult to detect.

Read More: The Anti-Phishing Insights Every CISO Should Know

What is the First Stage of a BEC Attack?

The first stage of a Business Email Compromise (BEC) attack is the reconnaissance and initial compromise phase. During this stage, attackers gather detailed information about the target organisation and its employees. They often use social engineering techniques, such as researching the company's hierarchy, understanding business processes, and identifying key personnel through public sources like company websites, LinkedIn, or social media.

Next, attackers compromise an email account within the organisation or create a spoofed email that closely mimics a legitimate address. They may use phishing emails, malware, or brute force attacks to gain access. This initial foothold allows them to monitor email communications, study internal language and procedures, and plan their fraudulent activities to increase the likelihood of success without raising suspicion.

Who do BEC Attacks Typically Target?

BEC attacks typically target individuals within an organisation who have the authority to conduct financial transactions or access sensitive information. This includes executives like CEOs and CFOs, finance department employees, accounts payable or receivable staff, and occasionally HR personnel.

Additionally, they may target trusted external partners or vendors whose compromised accounts can be used to send fraudulent requests.

How to Protect Against BEC Attacks

To protect against Business Email Compromise (BEC) attacks, organisations must implement multi-layered defences and foster a culture of vigilance. Here are key strategies to enhance protection:

1. Employee Training: Regularly educate employees about BEC tactics and red flags, such as urgent requests from executives, unusual payment instructions, or emails that bypass normal channels. Encourage them to verify requests via alternative communication methods.
2. Email Authentication: Implement robust email authentication protocols like DMARC, DKIM, and SPF to reduce the risk of email spoofing.
3. Multi-Factor Authentication (MFA): Require MFA for accessing email accounts and sensitive systems. This adds an extra layer of security even if login credentials are compromised.
4. Advanced Email Security Solutions: Deploy email security tools that use artificial intelligence to detect suspicious patterns, phishing attempts, and malicious content.
5. Regular Security Audits: Conduct periodic security assessments and audits to identify vulnerabilities and ensure that security policies are up-to-date and effective.
6. Incident Response Plan: Develop and maintain a comprehensive incident response plan to swiftly address and mitigate any BEC attempts.
7. Monitor Financial Transactions: Implement checks and balances for financial transactions, such as dual approval processes for wire transfers and large payments, to reduce the risk of fraudulent transactions.

By combining these strategies, organisations can create a robust defence against BEC attacks, safeguarding both financial assets and sensitive information.

Improving Security with Employee Awareness Training

Organisations must invest in employee awareness training to combat Business Email Compromise (BEC) attacks effectively. BEC exploits human behaviour through sophisticated social engineering tactics, making educated employees the first line of defence. Trained employees can recognise warning signs, such as unusual requests and email discrepancies, preventing fraudulent transactions and data breaches.

Moreover, this training is a cost-effective way to enhance security. The financial and reputational damage from successful BEC attacks can be extensive, so proactive prevention is crucial. Regular training fosters a culture of security awareness, ensuring employees are vigilant and proactive in identifying threats.

This vigilance not only strengthens the organisation's security posture but also ensures compliance with industry standards, reducing legal and regulatory risks. Ultimately, knowledgeable employees are vital for protecting the organisation's assets and reputation.