Business Email Compromise (BEC) is a financially motivated email attack where threat actors attempt to manipulate employees into transferring funds or disclosing sensitive information. In these targeted attacks, scammers often target organizations like schools, governments, and non-profits.
A sub-category of phishing attacks, BEC scams start with an email impersonating a trusted colleague, supplier, or vendor. In just a few lines, the threat actors will employ common social engineering tactics, like creating a sense of urgency, to trick the email recipient into performing some form of fraudulent activity.
As an email-based threat, BEC employs many of the tactics used in phishing attacks. However, a BEC scam typically involves sending fewer emails and doesn’t usually include a payload like a malicious link or attachment. Without these signs of malicious intent, threat actors can often evade detection long enough to complete bank transfers, change banking details, or obtain sensitive information.
Stage 1: Finding a target
BEC scammers start by scouring online sources, like social media networks, company websites, and news reports, to identify targets and build a catalogue of information about a company and its executives.
Stage 2: Delivery
Once a target is acquired, BEC scammers will spoof an email account or website to trick users into thinking an email came from a known or trusted person. This can range from forging email headers to registering an email address with a slight variation on an existing one.
Once they have an address that appears legitimate, they craft spear-phishing emails and send them to individuals, often in finance departments, with a fraudulent request. The emails might be timed, using scheduling information obtained earlier, to arrive when the impersonated sender is attending an event, on vacation, or otherwise unreachable through regular communication channels.
Stage 3: Social engineering
While the timeline might extend from days into weeks, each spear-phishing email will employ social engineering tactics to manipulate the recipient. The email will convey a sense of urgency, appear to come from someone important, and often include information specific to the organization, like a recent merger or acquisition. This not only increases the pressure on the employee but also helps enhance the legitimacy of the email and build trust.
It is common at this stage for the threat actor to insist the recipient refrain from attempting to verify the request with the impersonated sender or any other party. They might even try to move the conversation off email into SMS and phone calls to further reduce the chances of detection.
Stage 4: Monetization
In the final step, threat actors provide clear directions on how to transfer the money or information. This might include a bank transfer to a controlled account or sending serial numbers from gift cards. The funds are then transferred to other threat actors who help disperse and hide the funds. In some cases, this step will be repeated until the scam is detected.
The FBI has been tracking business email compromise and email account compromise since 2013. Over the past decade, over $50 billion has been reported as lost to BEC scammers. In 2023 alone, BEC scams were responsible for adjusted losses of at least $2.9 billion.
To understand how BEC works and how businesses can protect themselves, an exploration of milestone events and the tactics involved can provide useful context.
In a two-year BEC campaign, between 2013 and 2015, two tech companies lost a collective $121 million to a fake invoice scheme. In this scam, the threat actor incorporated a new company using the name of an Asian-based computer hardware manufacturer. He opened bank accounts in the company name, and started sending spear-phishing emails demanding payment of fake invoices that included the new bank accounts. The fake invoices included corporate stamps and signatures from executives authorizing the transaction.
In 2016, another social media platform saw its employee financial records leaked after a CEO fraud campaign manipulated an HR employee into sharing them. The attack was quickly discovered and reported to the FBI but revealed the growing sophistication of spear-phishing in BEC scams.
In 2019, a Catholic Parish lost $1.75 million to a fake invoice scam. It occurred after two employee email accounts were hacked. The threat actors discovered the name of a vendor partnered with the parish and details of work they had recently completed. They sent emails claiming they hadn’t been paid for two months due to a change in bank details. New details and wiring instructions were provided, and the money was collected from the fraudulent account before the scam was detected.
In 2020, a bank manager in Dubai transferred $35 million to threat actors following a series of emails and deepfake calls. In this attack, the bank manager received several fraudulent emails from both his client and someone impersonating an attorney while simultaneously receiving calls from the client using deepfake audio that sounded legitimate.
In 2022, the US Department of Justice charged 10 people in connection with an ongoing BEC scam targeting Medicare, state Medicaid programs, and private health insurers. Over a period of years, the scammers were able to collect over $11 million using spoofed email addresses and bank account takeovers.
In 2023, a multi-national company lost $25.6 million to a sophisticated BEC scam employing deepfakes, video calls, and GenAI. The scam started with an unusual request that caused the targeted employee to question the claim via email. The scammers invited him to a video call and convinced him to act based on deepfake images and audio of company employees. The images and voices of the employees were generated using publicly available video and audio footage.
With BEC attacks doubling in the past year, BEC fraud in 2024 is likely to pass the $3 billion mark, another unwelcome BEC milestone.
Adopting a proactive stance can help safeguard organizations against BEC fraud. By integrating the following tactics into a multi-layered cybersecurity strategy, organizations can prevent a BEC attack.
Robust internal controls and verification procedures: Organizations should require multiple approvals for financial transactions, regularly audit financial accounts for unauthorized activity, and verify changes in vendor payment location through a secondary sign-off by company personnel.
BEC scams generally involve a handful of short emails sent to a carefully selected target. There are no obvious signs of malicious intent, like a surge in traffic, malicious links or attachments, or anything else that might trigger an alert. This makes employee training and awareness a crucial strategy in preventing successful BEC attacks.
Email security software can identify and block suspicious emails before they reach the recipient’s inbox. This might include detecting impersonated names within email headers and address fields, content analysis, and monitoring email threads for sudden changes to email addresses.
Anomaly detection systems can identify unusual behavior that might indicate a BEC attack. This might include flagging sudden changes in email communication patterns or unusual wire transfer requests. These systems often use machine learning to learn normal behavior patterns and detect any deviations from them.
AI-powered fraud detection can analyze email content, sender behavior, and hundreds of other variables extracted from each email message to identify email fraud.
Email filtering solutions can help prevent BEC attacks by blocking emails from known malicious domains and checking for spoofed email addresses.
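As an added example (not code from this page or from Bitdefender), the header-level checks described above run over constructed headers: an executive's display name on a foreign address, a lookalike sender domain, a Reply-To pointing to a different domain, a sender address that changes part-way through a thread, and a domain blocklist. The organization domain, executive list, blocklist and similarity threshold are assumed placeholders.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed/constructed values: the protected org's domain, its executives' real
# addresses (display name -> address), and a domain blocklist.
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
BLOCKED_DOMAINS = {"bad-invoices.example"}

def is_lookalike(domain: str) -> bool:
    """True for a domain that nearly matches ours (e.g. one substituted letter)."""
    if domain == ORG_DOMAIN:
        return False
    # Similarity threshold is an assumption; tune it against your own mail volume.
    return SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.9

def check_message(headers: dict, thread_sender: str = "") -> list:
    """Return the BEC indicators found in one message's From/Reply-To headers.
    thread_sender: address of the previous message in the thread ("" if none)."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    _, reply = parseaddr(headers.get("Reply-To", ""))
    reply_domain = reply.lower().rpartition("@")[2]
    # 1. A known executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        findings.append("display-name impersonation")
    # 2. Sender domain differs from ours by a character or two.
    if is_lookalike(domain):
        findings.append("lookalike domain")
    # 3. Reply-To steers replies to a different domain than the visible sender.
    if reply_domain and reply_domain != domain:
        findings.append("reply-to domain mismatch")
    # 4. The sender address changed part-way through an existing thread.
    if thread_sender and addr != thread_sender.lower():
        findings.append("sender changed mid-thread")
    # 5. Either domain is on the blocklist.
    if domain in BLOCKED_DOMAINS or reply_domain in BLOCKED_DOMAINS:
        findings.append("blocked domain")
    return findings

# Constructed sample: "CEO" request from a one-character lookalike domain,
# injected into a thread the real CEO started.
SAMPLE = {"From": "Jane Doe <jane.doe@examp1e-corp.com>",
          "Reply-To": "jane.doe@bad-invoices.example"}
```

Calling `check_message(SAMPLE, thread_sender="jane.doe@example-corp.com")` returns all five indicators; a message from the executive's real address in the same thread returns none.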
BEC incidents require a swift and coordinated response to minimize damage. Your plan should outline the strategies, personnel, procedures, and resources required to respond to the incident, limit its impact, and prevent a recurrence.
Containment:
Reporting:
Investigation and remediation:
Recovery and prevention:
BEC attacks are a complex threat that often involves coordination between multiple threat actors in numerous countries. With criminals targeting businesses across industries, sharing attack details helps everyone stay informed about evolving tactics. Pooling all this knowledge from attacked organizations, law enforcement, and cybersecurity experts, helps design more effective defense strategies.
Organizations can share anonymized details from their BEC experience on industry-specific platforms like an Information Sharing and Analysis Center (ISAC). These member-driven, non-profit organizations are designed to help protect facilities and people from both cyber and physical security threats.
Organizations can also take advantage of and contribute details about indicators of compromise, IP addresses, and domains to threat intelligence platforms. These platforms aggregate and analyze threat data to help stop attacks.
To provide protection for the full spectrum of cyberattacks, including BEC scams like CEO impersonation, Bitdefender delivers multi-layered security through the GravityZone Platform.
Beyond this, all products benefit from our Threat Intelligence, which consolidates massive quantities of Indicators of Compromise (IoCs) in real time from multiple sources, such as the Bitdefender Global Protective Network (GPN), which protects hundreds of millions of systems, honeypots, and industry and technology licensing partners. Thanks to this cooperation, we can capture many emerging threats in real time as they appear and share them with partners to increase defenders' capabilities.
You can detect a BEC attack by questioning any unusual requests, especially those involving money transfers or sensitive information. Keep an eye out for slight variations in email addresses, urgent or confidential requests, and requests that deviate from normal procedures.
BEC scams are one of the most financially damaging online scams. In the US alone, the FBI reports that billions of dollars are lost each year to BEC scams.
As with any new technology, the potential for malicious use is high. However, cybersecurity companies like Bitdefender also use machine learning and other AI capabilities to help prevent cybercrime. For BEC attacks, AI can be trained to identify any changes from normal communication patterns and behavior. It can then flag them as potentially malicious. Although not a silver bullet, AI should be combined with other security controls and ongoing awareness programs.