FACT: In the U.S. alone, BEC attacks caused over $2.9 billion in losses last year (FBI).
Criminals now leverage tools like AI and deepfake technology to mimic the voices of high-ranking executives within their target organization to increase the credibility of their attacks.
According to ID Agent, over 70% of organizations have experienced a BEC attack.
In this post, we’ll cover everything you need to know about BEC attacks and how to protect against them.
What Is BEC?
Business Email Compromise (BEC) is a type of cyber attack in which an attacker gains access to a corporate email account or impersonates a high-level executive, such as a CEO or CFO, and uses this access or identity to trick employees, partners, or customers into transferring money or sensitive information to the attacker’s account.
BEC attacks often involve social engineering techniques and can be highly sophisticated, making them difficult to detect. They can lead to significant financial losses and damage to an organization’s reputation.
Email Account Compromise (EAC) is a related threat, often associated with BEC, because attackers can use compromised email accounts to conduct BEC attacks. The primary difference is that BEC specifically targets high-ranking executives, while EAC is a broader term that involves accessing any email account for malicious purposes.
Types of Business Email Compromise
There are several types of BEC attacks, each with its own tactics and targets. Here are some of the most common types:
- CEO Fraud: In this type of BEC, the attacker impersonates a high-ranking executive, such as the CEO or CFO, and sends an email to an employee requesting an urgent transfer of funds or sensitive information.
- Fake Invoice Scheme: The attacker poses as a vendor or supplier and sends a fraudulent invoice to the company’s finance department, requesting payment to a bank account controlled by the attacker.
- Account Compromise: An employee’s email account is hacked, and the attacker uses it to request payments or sensitive information from other employees or partners.
- Attorney Impersonation: The attacker poses as a lawyer or legal advisor, often claiming to be handling confidential or time-sensitive matters, and requests the transfer of funds or sensitive information.
- Data Theft: The attacker targets employees with access to sensitive information, such as HR or finance personnel, and uses email to trick them into providing employee or customer data, which can be used for further attacks or sold on the dark web.
What is the difference between BEC and phishing?
BEC attacks tend to be extremely targeted, focusing on tricking employees or businesses into making unauthorized financial transactions. In contrast, phishing attacks have broader goals and aim to trick their victims into revealing sensitive information, installing malware, or simply stealing login credentials.
How Do BEC Attacks Work?
BEC attacks rely heavily on social engineering and on manipulating people within an organization. They typically follow these steps:
- Target Identification: Attackers research and identify key individuals within a company who have the authority to make financial transactions or access sensitive information. This often includes executives, finance personnel, or employees in the accounting department.
- Email Compromise or Spoofing: The attackers either compromise the targeted individual’s email account or create a similar-looking email address (spoofing) to deceive recipients into thinking the email is legitimate. This can be done through previous phishing attacks, malware, or simply registering a domain that closely resembles the company’s domain.
- Building Trust: The attacker, posing as the compromised individual, may engage in email conversations with the target to build trust and credibility. They may reference real transactions or events to make their requests seem more plausible.
- Request for Action: Once trust is established, the attacker makes a request. This could be a wire transfer to a fraudulent account, changing payment details for a legitimate transaction, or requesting sensitive information. The request often comes with a sense of urgency to pressure the recipient into acting quickly.
- Execution: If the target complies with the request, the attacker quickly transfers the funds or exploits the information before the fraud is detected.
- Detection and Response: BEC attacks are often detected only after the transaction has been made. Companies then need to respond by notifying their bank and law enforcement and by taking steps to secure their email systems.
Targets of business email compromise
The most common targets of BEC attacks are individuals or departments within an organization that have the authority to conduct financial transactions or access sensitive information. These typically include:
- Executives: High-level executives such as CEOs, CFOs, and other C-suite members are often targeted because they have the authority to make significant financial decisions.
- Finance and Accounting Departments: Employees in these departments are frequently targeted because they handle financial transactions, manage accounts payable and receivable, and have access to company bank accounts.
- Human Resources: HR personnel may be targeted for their access to personal employee information or their ability to change direct deposit information.
- Legal Department: Staff in the legal department may be targeted for sensitive company information or for their involvement in financial transactions related to legal matters.
- Supply Chain and Procurement: Individuals involved in purchasing or supply chain management may be targeted for their ability to authorize payments to vendors and suppliers.
BEC attacks can also target external vendors or clients who have financial relationships with the company. In this case, the attackers impersonate the external entity requesting payment or sensitive information.
Business email compromise examples
Here are some examples of Business Email Compromise (BEC) attacks:
- CEO Fraud: An attacker impersonates the CEO or another high-ranking executive and sends an email to an employee in the finance department requesting an urgent wire transfer to a fraudulent account for a confidential deal or transaction.
- Invoice Fraud: The attacker compromises a vendor’s email account or creates a spoofed email address that closely resembles the vendor’s. They then send a fake invoice to the company’s accounts payable department, requesting payment to a bank account controlled by the attacker.
- Payroll Diversion: The attacker impersonates an employee and sends an email to the human resources department, requesting a change in the direct deposit information. The new bank account is controlled by the attacker, diverting the employee’s salary.
- Attorney Impersonation: An attacker poses as a company’s outside counsel and requests a confidential transfer of funds to settle a legal matter or complete a transaction, often with a sense of urgency and confidentiality.
- Account Compromise: An employee’s email account is compromised through phishing or malware. The attacker then uses this account to request payments or sensitive information from other employees or external partners.
How do I defend against BEC attacks?
Defending against BEC attacks requires a combination of technical controls, employee training, and organizational policies. Here are some strategies to help protect your organization:
- Employee Education: Educate employees about BEC attacks and the importance of verifying the authenticity of emails, especially those requesting financial transactions or sensitive information. Teach them to recognize red flags, such as unusual language, urgent requests, or changes in account details.
- Multi-Factor Authentication (MFA): Implement MFA for email accounts and other critical systems to add an extra layer of security and make it harder for attackers to gain unauthorized access.
- Email Filtering and Security: Use email security solutions that can detect and filter out phishing emails, malicious attachments, and other threats.
- Verification Procedures: Establish procedures for verifying requests for financial transactions or changes in account details. This can include phone verification or using a separate communication channel to confirm the authenticity of the request.
- Access Controls: Limit access to sensitive information and financial systems to only those employees who need it for their job functions.
- Regular Security Audits: Conduct regular security audits and assessments to identify and address vulnerabilities in your email systems and other critical infrastructure.
- Incident Response Plan: Have a well-defined incident response plan in place to quickly respond to and mitigate the impact of a BEC attack if one occurs.
- Domain-Based Message Authentication, Reporting, and Conformance (DMARC): Implement DMARC to authenticate emails and prevent domain spoofing.
- Account Monitoring: Monitor financial and email accounts for unusual activity that could indicate a BEC attack.
- Dark Web Monitoring: Monitor the dark web for sensitive company information, like email addresses, credentials, or financial data. This can provide early warning signs of a potential BEC attack via compromised accounts. Early detection enables you to reset the credentials for the affected accounts before they get exploited.
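As an added example (not code from the original post or from Breachsense), the following Python script turns several of the defenses above, and the spoofing and urgency tactics described in the "How Do BEC Attacks Work?" steps, into checks run over a raw message: a Reply-To domain that differs from the From domain, a sender domain that is a lookalike of a trusted domain, a failed DMARC result in the Authentication-Results header, and urgency wording in the body. The trusted domains, headers and messages are constructed samples, and the message is assumed to be a plain, non-multipart email.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: domains the organization and its known vendors legitimately mail from,
# plus visual substitutions attackers use when registering lookalike domains.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}
URGENCY = re.compile(r"\b(urgent|immediately|confidential|wire)\b", re.I)

def normalize(domain):
    """Collapse confusable sequences so 'exarnple-corp.com' compares equal to 'example-corp.com'."""
    for fake, real in CONFUSABLES.items():
        domain = domain.replace(fake, real)
    return domain

def levenshtein(a, b):
    """Edit distance; a small distance to a trusted domain signals a typo-squat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Extract the lowercased domain from an address header such as 'CEO <ceo@example.com>'."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def analyze(raw_email):
    """Return the BEC red flags found in one non-multipart RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw_email)
    flags = []
    sender = domain_of(msg.get("From"))
    reply_to = domain_of(msg.get("Reply-To")) or sender
    if reply_to != sender:
        flags.append(f"reply-to domain {reply_to} differs from sender domain {sender}")
    if sender not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize(sender) == normalize(trusted) or levenshtein(sender, trusted) <= 2:
                flags.append(f"sender domain {sender} looks like trusted domain {trusted}")
    if re.search(r"\bdmarc=fail\b", msg.get("Authentication-Results", "")):
        flags.append("DMARC authentication failed for sender domain")
    if URGENCY.search(msg.get_payload()):
        flags.append("urgent or payment-related language in body")
    return flags

# Constructed samples: a CEO-fraud message from a lookalike domain, and a normal vendor message.
SAMPLE = ("From: CEO <ceo@exarnple-corp.com>\nReply-To: ceo@mail-relay.example.net\n"
          "Authentication-Results: mx.example-corp.com; dmarc=fail header.from=exarnple-corp.com\n"
          "Subject: Urgent wire\n\nPlease process this wire transfer immediately and keep it confidential.\n")
LEGIT = ("From: billing@acme-supplies.com\nAuthentication-Results: mx.example-corp.com; dmarc=pass\n"
         "Subject: Invoice 1042\n\nAttached is invoice 1042 for your records.\n")
```

Running analyze(SAMPLE) reports all four red flags, while analyze(LEGIT) reports none; in practice the trusted-domain list would come from the vendor master data that the verification procedure above already relies on.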
If your security team needs visibility into your organization’s leaked data, book a demo to see how Breachsense can help.