Advanced phishing

Examples of business email compromise (BEC) attacks

by Egress
Published on 30th Jun 2023

Business email compromise (BEC) is one of the most advanced and financially damaging forms of phishing. Each year, the number of successful attacks continues to rise. In 2022, BEC attacks cost organizations a total of $2.7bn. This represents a 47% increase in lost funds since 2020, making it the second costliest form of cybercrime.

BEC attacks have a high success rate because they are usually highly targeted. Cybercriminals use advanced social engineering and spear phishing to defraud their victims of funds. A popular form of spear phishing bad actors use in a BEC attack is whaling, where cybercriminals target C-suite executive who have the power to transfer large sums of money. To create these attacks, bad actors conduct open-source intelligence (OSINT) to gather as much information as they can on their target to make the attacks more convincing.

Cybercriminals can also make use of compromised accounts and other tactics to make their attacks look legitimate. They use social engineering to urge victims to act quickly so they don't have time to consult others before transferring large sums of money.

With the use of these and other technical tactics, bad actors can bypass traditional email security solutions, such as secure email gateways (SEGs) and the native security provided by Microsoft 365.

Over the past few years, there have been many successful large-scale BEC attacks that have targeted organizations around the world. This article covers some of the biggest attacks that occurred in recent years.

Five business email compromise (BEC) attacks

December 2021: Franco-Israeli gang

A group of French and Israeli nationalists was discovered to be targeting companies with business email compromise (BEC) attacks. The group appeared to have been active since the end of 2021. In one instance, the cybercriminals targeted a real-estate developer in Paris by impersonating lawyers.

After gaining the target's trust, the cybercriminals asked the company's Chief Financial Officer (CFO) to send an urgent and confidential transfer to a fraudulent account. In a matter of days, they had defrauded the company of over €38m. Then, they used a money laundering scheme to transfer the money across several European countries, then to China, and finally to Israel.

A joint investigation between January 2022 and January 2023 involving Europol, the EU's law enforcement agency, led to the arrest of the group's main organizer in Israel and seizures of funds, equipment, and vehicles valued at approximately €5.5m.

May 2021: One Treasure Island nonprofit hack

One Treasure Island is a homelessness nonprofit based in San Francisco. In late 2020, hackers gained access to the email system of One Treasure Island’s third-party bookkeeper. They infiltrated the bookkeeper's email and inserted themselves into email chains, impersonating associates of the nonprofit. 

From December 2020 to January 2021 the criminals managed to steal $650,000 from the nonprofit that was meant to be a loan for a member organization for affordable housing projects. The executive director of One Treasure Island discovered something was wrong on January 27th, 2021, after speaking to the member organization on Zoom and discovering that they had not received the funds.

December 2018: Obinwanne Okeke

To most people, Obinwanne Okeke looked like a successful entrepreneur in Nigeria. The reality, however, is much more sinister. An FBI investigation revealed that Okeke wasn't a successful entrepreneur– he had been committing fraud and theft.

In 2018, Okeke targeted a London construction equipment distributor's chief financial officer (CFO) by sending a phishing email. The email contained a link that appeared legitimate and requested the CFO to enter his login details into a fake website. The website was controlled by Okeke, who immediately took control of the CFO's account when he entered his details.

Okeke took this opportunity to send invoices requesting millions of dollars to the CFO's contacts. The money from these invoices was sent directly to accounts overseas. This prevented UK law enforcement from helping to recover them. In total, the company lost $11m.

December 2018: Guillermo Perez

In June 2021, Texas law enforcement arrested 26-year-old Houston resident Guillermo Perez in connection with BEC fraud. Perez had been accused of impersonating individuals and businesses via email and had defrauded them of $2.2m.

Perez and several others in the group tricked their victims into wiring money by sending spoofed emails. To disguise the origins of the money, Perez opened a fraudulent business bank account and wired the money across.

August 2016: Noel Chimezuru Agoha, Sessieu Ange Oulai, and Kelechi Arthur Ntibunka

In May 2021, three Maryland residents were indicted for crimes involving BEC, which defrauded victims out of $2.3m.

Between August 2016 and December 2018, the three cybercriminals posed as clients or representatives of companies and made fraudulent phone calls to businesses. They requested that their targets send money into fraudulent drop accounts that the co-conspirators had opened. Each member of the group either attempted to, or did, receive $1.1m.

How to prevent business email compromise (BEC)

Most business email compromise (BEC) attacks are carried out through social engineering and do not contain a malicious payload that traditional email security, such as SEGs, can detect. The most powerful defense against BEC is to bolster your existing email security with an integrated cloud email security (ICES) solution.

ICES solutions, such as Egress Defend, use AI (such as machine learning, natural language processing (NLP), and natural language understanding (NLU)) to analyze the content and context of emails, and detect and neutralize attacks. Defend employs a zero-trust approach and analyzes every email for underlying signs of phishing.

While an ICES solution offers the highest efficacy and reliability of detection, there are other steps organizations, and their employees should take to decrease the chances of falling victim to a BEC attack:

Set up standardized processes to follow when transferring funds

No matter how careful employees are, mistakes can happen. Having robust processes in place can reduce the risk of errors by catching them before it is too late. For example, it should be mandatory for employees to confirm with another team member before making transfers or re-confirm new bank details via another mechanism (e.g. calling the supplier if new details have been sent via email) before payment is made.

Increase awareness training

BEC attacks can be difficult to spot. Making employees aware of these attacks and how to spot them is the first step to protecting your organization. For instance, training can remind employees to check email addresses carefully if they receive a message from a new sender and to check with someone internally before they reply.

Egress Defend can also increase employee awareness through real-time teachable moments provided by the bannering of emails.

Encourage employees to learn clients' processes

It can be difficult to tell if a supply chain account has been compromised. However, encouraging employees to learn suppliers’ processes can reduce the risk of getting caught out. For instance, knowing that invoices from a supplier are generated by their accounting system and shouldn’t be received as PDF attachments in direct emails from a contact at the organization. In this instance, employees should use an alternative channel to confirm the request and ensure their emails are legitimate.

Enhance your defenses against business email compromise (BEC)

Sophisticated business email compromise (BEC) attacks can evade existing secure email gateways and the native security offered by Microsoft 365. Learn more about how Egress Defend combines intelligent detection technologies to defend against sophisticated phishing attacks by booking a demo today.