Definition 

Business Email Compromise (BEC) is a financially motivated email attack in which threat actors manipulate employees into transferring funds or disclosing sensitive information. These targeted attacks frequently hit organizations such as schools, governments, and non-profits.


A sub-category of phishing attacks, BEC scams start with an email impersonating a trusted colleague, supplier, or vendor. In just a few lines, the threat actors will employ common social engineering tactics, like creating a sense of urgency, to trick the email recipient into performing some form of fraudulent activity. 


Different types of BEC attacks

  • Email Account Compromise (EAC): EAC is often used as another name for BEC, but while the two are related, they aren’t quite the same. EAC is a specific type of business email compromise in which threat actors have hacked a legitimate email account to get unrestricted access to an inbox and its contacts.
  • CEO fraud: Threat actors impersonate the CEO in an email sent to an employee in the finance department. They will request an urgent funds transfer into an account controlled by the criminal gang.
  • False invoice scam: Impersonating a legitimate vendor with an existing relationship, threat actors send an invoice requesting payment to a new account.
  • Data theft: A scam targeting HR and bookkeeping employees to obtain sensitive information. This might include social security numbers, bank details, or even schedules, calendars, and personal phone numbers. This information is often used in subsequent phases of a BEC attack.
  • Attorney impersonation: Threat actors will impersonate a legal representative, usually from a partnered law firm, requesting an urgent funds transfer to settle a legal matter.


Methods Employed in BEC Attacks

As an email-based threat, BEC employs many of the tactics used in phishing attacks. However, a BEC scam typically involves sending fewer emails and doesn’t usually include a payload like a malicious link or attachment. Without these signs of malicious intent, threat actors can often evade detection long enough to complete bank transfers, change banking details, or obtain sensitive information.


Stage 1: Finding a target

BEC scammers begin by scouring online sources, like social media networks, company websites, and news reports, to identify targets and build a catalogue of information about a company and its executives.


Stage 2: Delivery

Once a target is acquired, BEC scammers will spoof an email account or website to trick users into thinking an email came from a known or trusted person. This can range from something as sophisticated as forging email headers to simply creating an email address with a slight variation on an existing address.

Once they have an address that appears legitimate, they craft spearphishing emails and send them to individuals, often in finance departments, with a fraudulent request. The emails might be timed, using scheduling information obtained earlier, to arrive when the impersonated sender is attending an event, on vacation, or otherwise unavailable using regular communication channels.


Stage 3: Social engineering

While the timeline might extend from days into weeks, each spear phishing email will employ social engineering tactics to manipulate the recipient. The email will convey a sense of urgency, appear to come from someone important, and often include information specific to the organization, like a recent merger or acquisition. This not only increases the pressure on the employee but also enhances the apparent legitimacy of the email and builds trust.

It is common at this stage for the threat actor to insist the recipient refrain from attempting to verify the request with the impersonated sender or any other party. They might even try and move the conversation off email into SMS and phone calls to further reduce the chances of detection.


Stage 4: Monetization

In the final step, threat actors provide clear directions on how to transfer the money or information. This might include a bank transfer to a controlled account or sending serial numbers from gift cards. The funds are then transferred to other threat actors who help disperse and hide the funds. In some cases, this step will be repeated until the scam is detected. 


Real-world Examples of BEC Incidents

The FBI has been tracking business email compromise, and email account compromise, since 2013. Over the past decade, over $50 billion has been reported as lost to BEC scammers. In 2023 alone, BEC scams were responsible for adjusted losses of at least $2.9 billion.

To understand how BEC works and how businesses can protect themselves, an exploration of milestone events and the tactics involved can provide useful context.


In a two-year BEC campaign, between 2013 and 2015, two tech companies lost a collective $121 million to a fake invoice scheme. In this scam, the threat actor incorporated a new company using the name of an Asian-based computer hardware manufacturer. He opened bank accounts in the company name, and started sending spear-phishing emails demanding payment of fake invoices that included the new bank accounts. The fake invoices included corporate stamps and signatures from executives authorizing the transaction.


In 2016, a social media platform saw its employee financial records leaked after a CEO fraud campaign manipulated an HR employee into sharing them. The attack was quickly discovered and reported to the FBI, but it revealed the growing sophistication of spear-phishing in BEC scams.


In 2019, a Catholic Parish lost $1.75 million to a fake invoice scam. It occurred after two employee email accounts were hacked. The threat actors discovered the name of a vendor partnered with the parish and details of work they had recently completed. They sent emails claiming they hadn’t been paid for two months due to a change in bank details. New details and wiring instructions were provided, and the money was collected from the fraudulent account before the scam was detected.


In 2020, a bank manager in Dubai transferred $35 million to threat actors following a series of emails and deepfake calls. In this attack, the bank manager received several fraudulent emails from both his client and someone impersonating an attorney while simultaneously receiving calls from the client using deepfake audio that sounded legitimate.


In 2022, the US Department of Justice charged 10 people with an ongoing BEC scam targeting Medicare, state Medicaid programs, and private health insurers. Over a period of years, the scammers were able to collect over $11 million dollars using spoofed email addresses and bank account takeovers.


In 2023, a multi-national company lost $25.6 million to a sophisticated BEC scam employing deepfakes, video calls, and GenAI. The scam started with an unusual request that caused the targeted employee to question the claim via email. The scammers invited him to a video call and convinced him to act based on deepfake images and audio of company employees. The images and voices of the employees were generated using publicly available video and audio footage.

With BEC attacks doubling in the past year, BEC fraud in 2024 is likely to go beyond the $3 billion mark, representing another unwelcome BEC milestone.


What are the best Prevention Strategies Against BEC?

Adopting a proactive stance can help safeguard organizations against BEC fraud. By integrating the following tactics into a multi-layered cybersecurity strategy, organizations can prevent a BEC attack.


  • Employee awareness and training: A well-informed workforce is a strong line of defense against any cyber threat. For BEC, where employees are manipulated and coerced, it is even more important. Employees should be trained to identify and report any suspicious emails regardless of the sender. This includes understanding the tactics used by scammers, including urgent requests, unusual wire transfer instructions, or changes in business practices. Regular training sessions can keep employees up to date on the latest BEC scams and tactics.
  • Email authentication protocols: Implementing email authentication protocols can help protect against BEC attacks. These protocols, such as Domain-based Message Authentication, Reporting & Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM), can help verify that an email was genuinely sent from the claimed domain and not by a threat actor.
  • Email encryption: Email encryption transforms the contents of an email into a code to ensure only the intended recipient can read it. This helps protect sensitive information from being intercepted and exploited by hackers. Various email encryption protocols are available, such as Secure/Multipurpose Internet Mail Extensions (S/MIME) and Pretty Good Privacy (PGP).
  • Robust internal controls and verification procedures: Organizations should require multiple approvals for financial transactions, regularly audit financial accounts for unauthorized activity, and verify any change in where vendor payments are sent through a secondary sign-off by company personnel.
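The way SPF, DKIM and DMARC fit together is easiest to see from the receiving side. The following is an added example, not Bitdefender's code or any product's implementation: a small receiver-side DMARC evaluator that parses a published DMARC record, reads the SPF and DKIM verdicts from an Authentication-Results header, and applies the strict/relaxed alignment rules to the From domain. The DMARC record, the domains and the three messages are all constructed for the example; a real receiver would fetch the record from DNS and would compute the SPF and DKIM results itself.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed DMARC record for the trusted domain, as it would be published in DNS at
# _dmarc.example.com (strict DKIM alignment, relaxed SPF alignment, reject on failure).
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com",
}


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into its tags, applying the RFC 7489 alignment defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Approximate the organizational domain as the last two labels (no public-suffix list here)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(identifier: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return identifier.lower() == from_domain.lower()
    return org_domain(identifier) == org_domain(from_domain)


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim verdicts and their authenticated identifiers out of Authentication-Results."""
    results = {}
    spf = re.search(r"spf=(\w+)(?:.*?smtp\.mailfrom=([\w.@-]+))?", header)
    if spf:
        results["spf"] = (spf.group(1).lower(), (spf.group(2) or "").split("@")[-1])
    dkim = re.search(r"dkim=(\w+)(?:.*?header\.d=([\w.-]+))?", header)
    if dkim:
        results["dkim"] = (dkim.group(1).lower(), dkim.group(2) or "")
    return results


def evaluate_dmarc(raw_message: str) -> dict:
    """Decide the DMARC outcome for one message from its From header and Authentication-Results."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].split("@")[-1].lower()
    record = DMARC_RECORDS.get(from_domain) or DMARC_RECORDS.get(org_domain(from_domain))
    if record is None:
        return {"from_domain": from_domain, "policy": None, "dmarc": "none", "action": "deliver"}
    policy = parse_dmarc(record)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    spf_result, spf_domain = auth.get("spf", ("none", ""))
    dkim_result, dkim_domain = auth.get("dkim", ("none", ""))
    # DMARC passes when at least one authenticated identifier both passes and is aligned with From.
    spf_ok = spf_result == "pass" and bool(spf_domain) and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_ok = dkim_result == "pass" and bool(dkim_domain) and aligned(dkim_domain, from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "from_domain": from_domain,
        "policy": policy["p"],
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if passed else "fail",
        "action": "deliver" if passed else policy["p"],
    }


# Constructed messages: a genuine one, a CEO-fraud spoof whose SPF pass belongs to the attacker's
# own bounce domain, and a subdomain sender that passes only through relaxed SPF alignment.
LEGITIMATE = """From: "Accounts Payable" <ap@example.com>
Authentication-Results: mx.receiver.test; spf=pass smtp.mailfrom=ap@example.com; dkim=pass header.d=example.com
Subject: Invoice 1042 approved

Body omitted.
"""

SPOOFED = """From: "CEO" <ceo@example.com>
Authentication-Results: mx.receiver.test; spf=pass smtp.mailfrom=bounce@mailer.attacker.test; dkim=none
Subject: Urgent wire transfer

Body omitted.
"""

SUBDOMAIN = """From: "Notifications" <noreply@example.com>
Authentication-Results: mx.receiver.test; spf=pass smtp.mailfrom=bounce@mail.example.com; dkim=pass header.d=mail.example.com
Subject: Statement ready

Body omitted.
"""

if __name__ == "__main__":
    for label, raw in [("legitimate", LEGITIMATE), ("spoofed", SPOOFED), ("subdomain", SUBDOMAIN)]:
        print(label, evaluate_dmarc(raw))
```

The spoofed message shows why SPF alone is not enough: the attacker's own domain passes SPF, but it is not aligned with the example.com address shown to the user, so DMARC fails and the published `p=reject` policy applies. The subdomain message shows the practical cost of `adkim=s`: a DKIM signature from mail.example.com no longer counts, and the message survives only because SPF alignment is relaxed.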


Why Employee Training is key to BEC Defense

BEC scams generally involve a handful of short emails sent to a carefully selected target. There are no obvious signs of malicious intent, like a surge in traffic, malicious links or attachments, or anything else that might trigger an alert. This makes employee training and awareness a crucial strategy in preventing successful BEC attacks.


  • Recognizing phishing attacks: Phishing is a common tactic used in BEC attacks. Employees need to be trained to recognize the subtle signs of these deceptive emails. This includes scrutinizing email addresses for slight alterations, being wary of unexpected requests, especially those that involve financial transactions, and being cautious with emails that create a sense of urgency or pressure.
  • Verifying email requests: Verification is a simple yet effective step in preventing BEC attacks. Employees should be encouraged to double-check any unusual or unexpected email requests. This could involve calling the person who supposedly sent the email or checking with a supervisor. It’s essential to use known contact information for this verification, not contact details provided in the suspicious email.
  • Adhering to security protocols: Adherence to established security protocols is crucial. These protocols may include multi-factor authentication, regular password updates, and limitations on who can authorize fund transfers. Employees should understand the importance of these protocols and follow them consistently.
  • Regular updates and refresher courses: Cyber threats are constantly evolving, and so should your training programs. Regular updates and refresher courses can help ensure that employees stay informed about the latest BEC tactics and defense strategies.
  • The role of the IT department: The IT department plays a crucial role in BEC defense. Employees should understand when and how to engage IT when they suspect a BEC attack. This could include escalating suspicious emails or seeking advice on potential phishing attempts.
  • Reporting mechanisms: Employees should be trained in how to properly report suspected phishing attempts and BEC attacks. This includes who to report to and what information to include. A clear and easy reporting mechanism can ensure that potential threats are quickly identified and addressed.


Technology Solutions for BEC Detection

Email security software can identify and block suspicious emails before they reach the recipient’s inbox. This might include detecting impersonated names within email headers and address fields, content analysis, and monitoring email threads for sudden changes to email addresses.

Anomaly detection systems can identify unusual behavior that might indicate a BEC attack. This might include flagging sudden changes in email communication patterns or unusual wire transfer requests. These systems often use machine learning to learn normal behavior patterns and detect any deviations from them.

AI-powered fraud detection can analyze email content, sender behavior, and hundreds of other variables extracted from each email message to identify email fraud.

Email filtering solutions can help prevent BEC attacks by blocking emails from known malicious domains and checking for spoofed email addresses.
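The header and thread checks described above (impersonated display names, diverted replies, a sender that changes mid-thread, urgent payment language) can be expressed as simple rules. What follows is an added example written for this page, not Bitdefender's detection logic: a scorer that reads one message and the From addresses already seen in its thread, and returns the signals found. The executive list, the trusted domain, the keyword lists and the three messages are constructed; in practice the thread history would come from the In-Reply-To and References headers and a mail store.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data: the organisation's own domain, executives likely to be impersonated,
# and the vocabulary that typically accompanies a fraudulent payment request.
TRUSTED_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY_WORDS = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|invoice|bank details|gift cards?)\b", re.I)


def normalize_name(display_name: str) -> str:
    """Fold 'Doe, Jane' / 'JANE DOE' / 'jane  doe' onto one lookup key."""
    name = display_name.strip().lower()
    if "," in name:
        last, first = name.split(",", 1)
        name = f"{first} {last}"
    return " ".join(name.split())


def analyze_message(raw: str, thread_senders: frozenset = frozenset()) -> dict:
    """Score one RFC 5322 message for BEC header and content signals.

    thread_senders: From addresses already seen earlier in the same thread (constructed input;
    a real system would look them up via In-Reply-To/References).
    """
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    signals = []

    # 1. Display-name impersonation: an executive's name on an address that is not theirs.
    known = EXECUTIVES.get(normalize_name(display))
    if known and addr != known:
        signals.append(("display_name_impersonation", f"{display!r} sent from {addr}, expected {known}"))

    # 2. Reply-To diversion: replies would go to a mailbox other than the visible sender.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr:
        signals.append(("reply_to_mismatch", f"replies diverted to {reply_to}"))

    # 3. Mid-thread sender change: the From address differs from every earlier sender in the thread.
    if thread_senders and addr not in thread_senders:
        signals.append(("thread_sender_change", f"{addr} is new to a thread from {sorted(thread_senders)}"))

    # 4. Urgency and payment vocabulary together: the social-engineering core of a BEC request.
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if URGENCY_WORDS.search(text) and PAYMENT_WORDS.search(text):
        signals.append(("urgent_payment_request", "urgency and payment vocabulary in the same message"))

    verdict = "hold_for_review" if len(signals) >= 2 else ("flag" if signals else "clean")
    return {"from": addr, "signals": signals, "verdict": verdict}


# Constructed sample messages.
ROUTINE = """From: accounts@supplier.test
To: ap@example.com
Subject: Re: PO 4471 delivery schedule

Hi, the shipment left the warehouse this morning. Regards, Sam
"""

CEO_FRAUD = """From: "Doe, Jane" <jane.doe.ceo@webmail-provider.test>
To: finance@example.com
Subject: Urgent and confidential

I am in a meeting and cannot talk. I need a wire transfer done today. Reply here only.
"""

INVOICE_SWAP = """From: accounts@supplier-billing.test
Reply-To: accounts@supplier-billing-remit.test
To: ap@example.com
Subject: Re: PO 4471 - updated bank details

Please note our bank details have changed; pay the attached invoice to the new account immediately.
"""

if __name__ == "__main__":
    prior = frozenset({"accounts@supplier.test"})
    for label, raw, seen in [("routine", ROUTINE, prior), ("ceo fraud", CEO_FRAUD, frozenset()),
                             ("invoice swap", INVOICE_SWAP, prior)]:
        print(label, analyze_message(raw, seen))
```

The verdict thresholds are deliberately simple: one signal is worth a flag for the recipient, two or more should hold the message for a human, since a genuine vendor mail rarely changes sender, diverts replies and demands an immediate payment at once.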


Response Measures to BEC Incidents

BEC incidents require a swift and coordinated response to minimize damage. Your plan should outline the strategies, personnel, procedures, and resources required to respond to the incident, limit its impact, and prevent a recurrence. 


Containment:

  • Isolate compromised accounts: Immediately suspend email accounts and system access for any potentially compromised employees. 
  • Stop any transfers and attempt to recover any transferred funds or information: If a fraudulent transfer has been initiated, contact your financial institution immediately to try and block the transaction. 
  • Review network activity: Isolate and analyze network traffic to identify additional suspicious behavior.


Reporting:

  • Internal notification: Inform relevant internal teams, like IT, Security, and Finance, following your existing incident response procedures. 
  • Law enforcement: Report the incident to your local law enforcement. 
  • Regulatory bodies: Depending on the nature of the data compromised, you might be obligated to report to relevant regulatory bodies.


Investigation and remediation:

  • Forensic analysis: Analyze email logs, network data, and compromised systems to determine the attack scope and identify if malware has also been placed in your systems. 
  • Identify the root cause: Investigate how the attacker gained access, whether through a phishing email or compromised credentials, so that preventative measures can be put in place.
  • Remediation: Remove any malware, if found, address vulnerabilities, and implement authentication protocols. 


Recovery and prevention:

  • User training: Provide employee training on BEC tactics and best practices for identifying suspicious emails. 
  • Review and enhance controls: Evaluate existing security controls and implement any additional safeguards to prevent future BEC attacks. 


Fighting BEC together

BEC attacks are a complex threat that often involves coordination between multiple threat actors in numerous countries. With criminals targeting businesses across industries, sharing attack details helps everyone stay informed about evolving tactics. Pooling this knowledge from attacked organizations, law enforcement, and cybersecurity experts helps design more effective defense strategies.


Organizations can share anonymized details from their BEC experience on industry-specific platforms like an Information Sharing and Analysis Center (ISAC). These member-driven, non-profit organizations are designed to help protect facilities and people from both cyber and physical security threats.  


Organizations can also take advantage of and contribute details about indicators of compromise, IP addresses, and domains to threat intelligence platforms. These platforms aggregate and analyze threat data to help stop attacks. 

  • Joint training programs: Joint training programs can help spread awareness and knowledge about BEC attacks. These programs could involve scenario-based training exercises, webinars, or workshops. By training together, organizations can learn from each other and improve their own defenses. 
  • Public-Private partnerships: Public-private partnerships can bring together the resources and expertise of the public and private sectors. For example, law enforcement agencies can share their knowledge of BEC tactics and investigations, while businesses can provide insights into their security challenges and needs. These partnerships can lead to more effective policies, regulations, and defense strategies. Bitdefender, for example, collaborates with the FBI and Interpol alongside law enforcement in 27 countries to release ransomware decryptors, share threat intelligence, and stop attacks. 


How Bitdefender Can Help

To provide protection against the full spectrum of cyberattacks, including BEC scams like CEO impersonation, Bitdefender delivers multi-layered security through the GravityZone Platform.


  • GravityZone XDR Office 365 Sensor: Helps detect attempts to exploit Office 365 accounts and emails, including identifying phishing attacks and mailbox permission changes. 
  • GravityZone XDR Google Workspace Sensor: Helps protect Gmail accounts by monitoring account creation, manipulation of security rules, and anomalous behavior.  
  • GravityZone XDR Azure Active Directory Sensor: Detects suspicious user behavior like creating multiple accounts or changing emails/names which could then be used to impersonate users. 
  • GravityZone Security for Email: Safeguards against impersonation attacks and CEO fraud by analyzing and comparing the sender's domain with legitimate domain names. This helps identify any look-alike domains that differ from the actual domain name by only one or two characters. This feature adds an extra layer of protection, ensuring that potential threats originating from closely related domains are detected and mitigated effectively.
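The look-alike comparison described in the last bullet, and the advice earlier on the page to scrutinize addresses for slight alterations, come down to measuring how far a sender's domain is from the domains you trust. The block below is an added example and not GravityZone's implementation: it normalizes a domain (punycode, accented or non-Latin homoglyphs, digit-for-letter and "rn"-for-"m" substitutions), then uses Levenshtein edit distance against a constructed allow-list to classify it as trusted, look-alike or unrelated. The allow-list, the confusable table and the sample domains are all constructed for the example; the one-or-two-character threshold follows the bullet above.

```python
import unicodedata

# Constructed allow-list of the domains the organisation and its vendors really send from.
TRUSTED_DOMAINS = {"example.com", "bitdefender.com"}

# Character sequences that read alike in common fonts. Constructed list, deliberately short.
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison form: decode punycode, drop non-ASCII homoglyphs, fold confusables."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass
        labels.append(label)
    text = ".".join(labels)
    # NFKD splits accented letters into base + mark; dropping non-ASCII then removes the marks and any
    # Cyrillic/Greek look-alike letters, so "ex\u0430mple" (Cyrillic a) becomes "exmple", one edit away.
    text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    for pair, replacement in CONFUSABLE_PAIRS:
        text = text.replace(pair, replacement)
    return text


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute) using a two-row table."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1, previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> tuple:
    """Return (verdict, closest_trusted_domain, distance); verdict is trusted, lookalike or unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in trusted:
        return ("trusted", domain, 0)
    # A trusted name used as the leading labels of another domain (example.com.attacker.test).
    for t in trusted:
        if domain.startswith(t + "."):
            return ("lookalike", t, 0)
    sk = skeleton(domain)
    best = min(trusted, key=lambda t: levenshtein(sk, skeleton(t)))
    distance = levenshtein(sk, skeleton(best))
    return ("lookalike" if distance <= max_distance else "unrelated", best, distance)


# Constructed sample sender domains.
SAMPLES = [
    "example.com",                  # the real domain
    "examp1e.com",                  # digit 1 for letter l
    "exarnple.com",                 # "rn" for "m"
    "exampel.com",                  # transposed letters
    "example.co",                   # dropped character
    "ex\u0430mple.com",             # Cyrillic a in place of Latin a
    "example.com.attacker.test",    # trusted name as a subdomain
    "github.com",                   # unrelated
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:30} -> {classify_domain(sample)}")
```

Two caveats a practitioner should keep in mind: the distance check says nothing about domains that merely contain a trusted brand as a word (for example a long hyphenated name), which needs a separate substring rule; and any look-alike verdict is a reason to verify out of band, not proof of fraud, since typos in legitimate partner domains do occur.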


Beyond this, all products benefit from our Threat Intelligence, which consolidates massive quantities of Indicators of Compromise (IoCs) in real time from multiple sources: the Bitdefender Global Protective Network (GPN), which protects hundreds of millions of systems; honeypots; and industry and technology licensing partners. Thanks to this cooperation, we can capture many emerging threats as they appear and share them with partners to increase defenders' capabilities.


How can I detect a BEC attack?

You can detect a BEC attack by questioning any unusual requests, especially those involving money transfers or sensitive information. Keep an eye out for slight variations in email addresses, urgent or confidential requests, and requests that deviate from normal procedures.

What are the financial consequences of a BEC attack?

BEC scams are one of the most financially damaging online scams. In the US alone, the FBI reports that billions of dollars are lost each year to BEC scams.

How often should I run a malware scan on my devices?

As with any new technology, the potential for malicious use is high. However, cybersecurity companies like Bitdefender also use Machine Learning and other AI capabilities to help prevent cybercrime. For BEC attacks, AI can be trained to identify any changes from normal communication patterns and behavior and then flag them as potentially malicious. Although not a silver bullet, AI should be combined with other security controls and ongoing awareness programs.