Advanced phishing

Three examples of business email compromise attacks

by Egress
Published on 20th Dec 2021

Today, businesses rely on email as their primary means of inter-organizational communications and interfacing with external parties. That includes customers, partners, suppliers, vendors, and more. Unfortunately, email is also the most commonly used attack vector for malicious actors looking to gain a foothold into the organization. 

According to the FBI's Internet Crime Complaint Center (IC3) report, there were four times (19,369) as many business email compromises (BEC) as ransomware attacks (2,474) in 2020, with BEC-related financial damages totaling $1.8 billion, compared to ransomware at $29.1 million. Businesses should prioritize their cybersecurity efforts towards preventing costly BEC incidents from impacting their operations and bottom line.

What is a business email compromise (BEC)?

Simply put, a BEC is an email account compromise that occurs in a business or corporate environment. These attacks happen when a cybercriminal defrauds clients, colleagues, or customers into sending money or sensitive information by hacking into the company's email account to impersonate the account holder or by creating a spoofed email account.

Attackers target these organizations because of their high value and propensity to comply with cybercriminals' demands. And because email's initial design didn't focus on advanced security, organizations with only standard email security controls in place often find themselves ill-equipped to survive in today's hostile cyber threat landscape.

For example, a BEC incident may involve cybercriminals sending email messages masquerading as a trusted vendor or executives within the organization, including the company CEO or CFO. These emails may seem like legitimate requests for payment or directives from the company's senior management; subsequently, the recipients remit payment only to discover deception after the fact. BEC perpetrators may also use a combination of spear phishing in conjunction with malware to gain access to the organization's privileged network.

Unique issues and challenges with BEC 

Because sophisticated criminal organizations usually conduct BEC campaigns, their methods tend to be well-designed and compelling enough to deceive employees with access to the company's finances and (or) bank accounts. BEC incidents may also result in the compromise of customer and partner data; if this is the case, the cyber failure is technically considered a data breach that requires specific post-incident handling and response, as mandated by local and state laws. 

For example, the California Consumer Privacy Act (CCPA) requires certain businesses to notify California residents whose personal information was compromised because of a data breach. BEC incidents may therefore result in significant brand damage and negative publicity.

Three real-world examples of BEC attacks

Even though a BEC attack can target anyone within an organization, the targets typically include those working in finance or other high-level executives. The following are examples of prominent BEC incidents that have severely impacted businesses in recent years. 

  • Snapchat: In 2016, instant messaging and social media giant Snapchat fell victim to a BEC attack, resulting in the theft of sensitive payroll information belonging to current and former employees. By impersonating the CEO in an email, the attackers managed to steal employees' tax information, salaries, Social Security Numbers, healthcare plan information, and more.
  • Ubiquiti Networks: In 2015, wireless data communications device manufacturer Ubiquiti Networks suffered a BEC attack that resulted in losses upwards of $46 million. Cybercriminals were able to impersonate employees successfully and request payment from the company's finance department.
  • Xoom Corporation: Electronic funds transfer and remittance provider Xoom fell victim to a series of BEC incidents that ended up costing the enterprise $30 million. In the 2014 attacks, fraudulent employee emails requesting money transfers were sent to internal staff who ended up mistakenly wiring funds to the cybercriminals.


What type of cyber-attack is a business email compromise?

Business email compromises (BEC) are exploits in which attackers can successfully penetrate a business' cyber defenses using a business-related email address—either posing as employees or other trusted entities (e.g., customers or partners). BEC is also commonly referred to as a man-in-the-email attack.

What is an example of a business email compromise?

The prime example of a BEC is the phishing attack, a method that both consumers and businesses are well aware of and yet still fall victim to regularly. Phishing BECs use fraudulent messages sent from fake or compromised email addresses to trick recipients into revealing privileged information, sending money, or installing malware on their computers.

How do you compromise a business email?

Various methods exist for compromising a business email; that said, cybercriminals usually rely on three staples exploit methods: email account spoofing, spear phishing, and malware. It's worth noting that using DMARC can prevent all three of these compromise methods.

Related articles