Business Email Compromise (BEC) is a social engineering scam where attackers impersonate legitimate business emails to defraud employees, partners, and potentially even customers. While deceptively simple, these attacks can cause significant financial damage.
BEC scams, like most cyber-attacks, are global. They’ve been reported in all fifty states and 177 countries, with the financial harm now exceeding $50 billion. According to the FBI, BEC is one of the most financially damaging online crimes and exploits because so many of us rely on email to conduct personal and professional business. In March, the FBI Internet Crime Complaint Center (IC3) released its 2023 Internet Crime Report, highlighting BEC as a significant business threat, resulting in losses of nearly $3 billion – a 7% increase over 2022’s $2.7 billion total.
Simple to Execute with Increased Sophistication
To carry out a BEC scam, attackers need only an email service to create convincing emails targeting unsuspecting victims. According to Arctic Wolf Network’s State of Cybersecurity: 2024 Trends Report, almost three quarters (70%) of organizations were the target of attempted BEC attacks in the past year, with nearly a third (29%) of these targets victims of one or more successful BEC occurrences.
Using email for cyber fraud that targets businesses is not new, but the growth of AI is making BEC more widespread and dangerous. Today, AI tools can generate highly personalized, and legitimate-looking emails that can easily mislead recipients. Attackers can combine usernames, email addresses, passwords and use email templates to automate the process. Through APIs, attackers can also scale their operations, targeting a vast number of victims at one time. The criminals also have the ability to buy email servers and domains in bulk allowing them to target multiple organizations simultaneously.
Common BEC Business Scams
BEC attacks can be very specific in nature but with the same end goal, to steal data for financial gain. Four common BEC scams that are built to deceive employees include:
CEO Fraud. In this attack, malicious actors impersonate a high-level executive, often a corporate CEO. They create a mirror image email address and target employees, frequently those new to the organization, or those unfamiliar with approval processes, who may be the least suspicious. The emails will often contain a request asking that the recipient act urgently to complete a task, such as transferring funds to a fraudulent account.
Business Data Theft. Here, attackers target the HR or accounting departments to steal sensitive information. This information could include personal identifiable information (PII) of employees, intellectual property, or corporate financial data.
Fake Invoices. This type of scam was recently used to defraud a Massachusetts town and school district out of nearly half a million dollars. The criminals impersonated a legitimate vendor using email and sent invoices to town employees requesting payment. These invoices directed electronic payments to a fraudulent account. Employees then inadvertently sent town funds to the criminals.
Employee Account Compromise. In this scenario, all employees are at risk of becoming targets. Threat actors attempt to gain access to an employee’s email account. Once compromised, they can use the account to launch further BEC attacks or steal credentials for more critical systems.
BEC scams over the years have proven that no business, government, or organization is immune – whether it be tech giants, government bodies or even charities. We’ve seen Facebook and Google become victims when a phishing attack conducted by attackers impersonating a known vendor emailed authentic-looking invoices to employees asking for payment. A BEC scam successfully set a fraudulent transfer in action, costing the government of Puerto Rico $2.6 million. Even Save the Children has not escaped a BEC Scam, losing $1 million when scammers compromised an employee’s email after posing as a staff member.
Stealing Email Login Information: Another Means to Data Theft
BEC attacks do not only center on email impersonation. Threat actors also create fraudulent websites designed to obtain employee login credentials. These websites can mimic legitimate login pages for widely used email services such as Microsoft Exchange and Gmail.
Here’s how it may happen. Attackers send emails containing links to fake website domains. Employees click the link and are redirected to what appears to be a legitimate login page, but instead is the fake domain. Unaware of the deception, the employee enters their login credentials, which are then captured by the cybercriminal. This gives them the ability to move through the organization’s network, potentially compromising additional accounts and stealing data.
Early Detection of BEC Attacks through a Multi-Layered Security Approach
Most current security solutions rely on a reactive approach, identifying emails already targeting users within an organization’s network. These solutions use techniques like machine learning to detect user behavior and patterns, then flag suspicious emails that fall outside the known patterns. Security Operations Centers (SOCs) play a role by shutting down these threats.
In addition to analyzing emails at the user level to recognize and quarantine threats, organizations typically identify potential BEC scam domains and block them. They also engage policy enforcement through Domain-Based Message Authentication (DMARC) which helps detect domains spoofing their business.
While a reactive approach provides many benefits, it doesn’t take into account potential threats from internet tools that haven’t yet been weaponized. Many potential attacks are not currently in use, but exist in an unarmed state, at the ready when needed. For example, attackers often purchase domains resembling legitimate companies and leave them dormant for extended periods of time until they can be useful in launching an attack.
The mitigation answer lies in a multi-layered security approach that combines both contextual threat detection and takedown measures with steps to stop the source of the attack, which can include identification and takedown of domains suspected to become hosts for email servers and phishing attacks. This allows organizations to proactively identify and disrupt BEC attacks before they inflict damage. A layered defense can also significantly improve overall security posture by using automation to take some of the burden off of already taxed security and SecOps teams.
While no security approach is a guarantee against BEC attacks, the best defense is a good offense. The benefits of early threat detection enable businesses to reduce the likelihood of financial loss or operational disruption from the increasing cyber threats weaponizing email.
Ad