What is BEC?
Business email compromise (BEC) is one of the most financially damaging forms of phishing, causing over $1.8 billion worth of losses to businesses in 2020 alone. Unfortunately, BEC is also more prevalent than ever before. Since January 2015, there has been a shocking 1,300% increase in identified losses from BEC attacks.
We'll run through three real-world examples of how BEC attacks work.
Three real business email compromise attacks
1) Obinwanne Okeke: $11 million
From the outside, Obinwanne Okeke appeared to be a successful entrepreneur. The reality, however, is much more sinister. FBI investigators discovered that some of Okeke's business ventures were the result of fraud or theft.
In 2018, Okeke sent a phishing email to the Chief Financial Officer (CFO) of a London construction equipment distributor. The email contained a link to a legitimate-looking website that Okeke controlled. The CFO logged in and unknowingly handed their credentials to Okeke, who then took control of the CFO's email account and sent invoices requesting millions of dollars.
The money transfers went directly into overseas accounts, meaning that UK law enforcement couldn't aid in recovering them. As such, the company lost $11 million.
2) Guillermo Perez: $2.2 million
26-year-old Houston resident Guillermo Perez was arrested in June 2021 in connection with a multi-million dollar wire fraud and money laundering scheme involving BEC.
From October 2018 to October 2019, Guillermo and his co-conspirators allegedly tricked their victims - via spoofed emails - into transferring money to bank accounts he controlled. Perez then reportedly opened a fraudulent business bank account and wired the stolen $2.2 million to it, attempting to cover up the origin of the money.
3) Noel Chimezuru Agoha, Sessieu Ange Oulai and Kelechi Arthur Ntibunka: $1.1 million
Three Maryland residents face federal indictment for crimes involving BEC, which defrauded victims out of $2.3 million.
From August 2016 to December 2018, Agoha, Oulai and Ntibunka sent spoofed emails and made fraudulent phone calls to businesses. The three men posed as representatives of clients these organizations regularly dealt with, and asked the victims to transfer money into drop accounts. The indictment alleges that the defendants stole over $1.1 million as a result of their BEC scams.
How to prevent business email compromise
Although some BEC attacks involve malware, the majority rely on social engineering alone, so signature-based detection is unlikely to be effective against them.
Instead, here are some protection strategies you should consider putting in place:
- Avoid using free email accounts: Use a company domain name; a branded domain is harder to impersonate convincingly than a free-mail address.
- Enable multi-factor authentication: Multi-factor authentication will require users to provide two or more pieces of information to log in, making it more difficult for hackers to gain access.
- Secure your domain: Even if you have a custom company domain, cybercriminals can register similar-looking ones. It's a good idea to register the obvious lookalike domains yourself to lower the risk of this happening.
- Forward emails instead of replying: If you're not sure of the legitimacy of an email, don't hit 'reply'. Instead, forward the email and manually type in the sender's correct email address.
- Put processes in place: Make it compulsory for employees to confirm email requests internally for wire transfers or confidential information.
- Know your clients' habits: If a client suddenly changes their business practices, this could be a suspicious sign. For example, if someone asks you to begin using their personal email address when previous correspondence has been through company email, you should verify this directly with the sender using another method of contact.
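As an added illustration of the domain and client-habit checks above (example code written here, not from the original article or any vendor product), the following Python flags the indicators those bullets describe on simplified message headers: a sender domain that imitates our own or a known client's, a Reply-To that diverges from the visible sender, and a known contact who suddenly writes from a free-mail domain. The company domain, contact history and similarity threshold are constructed placeholders.

```python
from difflib import SequenceMatcher

# Constructed placeholders for the example; substitute your own values.
COMPANY_DOMAIN = "example-corp.com"
FREE_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
# Constructed history: domains each known contact has previously written from.
KNOWN_CONTACTS = {"Jane Smith": {"acme-supplies.com"}}


def domain_of(addr: str) -> str:
    """Return the lower-cased domain of an address such as 'cfo@Example.com'."""
    return addr.rsplit("@", 1)[-1].strip().lower()


def is_lookalike(domain: str, trusted: str, threshold: float = 0.8) -> bool:
    """True when domain differs from trusted but closely resembles it, e.g. a
    single swapped character. The threshold trades false positives for recall."""
    if domain == trusted:
        return False
    return SequenceMatcher(None, domain, trusted).ratio() >= threshold


def bec_indicators(msg: dict, known_contacts: dict = KNOWN_CONTACTS) -> list:
    """Return the reasons a message should be verified out of band.

    msg is a simplified header dict: {'display_name', 'from', 'reply_to'}.
    """
    reasons = []
    sender = domain_of(msg["from"])
    # 1) The sender domain imitates our own domain or a known client's domain.
    for trusted in {COMPANY_DOMAIN, *(d for ds in known_contacts.values() for d in ds)}:
        if is_lookalike(sender, trusted):
            reasons.append(f"sender domain {sender} resembles {trusted}")
    # 2) Replies would go somewhere other than the visible sender, which is
    #    why the article advises forwarding to a typed address over replying.
    reply_to = msg.get("reply_to")
    if reply_to and domain_of(reply_to) != sender:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from {sender}")
    # 3) A known contact has switched to a free-mail domain never seen before.
    history = known_contacts.get(msg["display_name"], set())
    if history and sender not in history and sender in FREE_MAIL_DOMAINS:
        reasons.append(f"{msg['display_name']} moved from {sorted(history)} to {sender}")
    return reasons


if __name__ == "__main__":
    suspect = {"display_name": "Jane Smith",
               "from": "j.smith@acme-supp1ies.com", "reply_to": None}
    print(bec_indicators(suspect))
```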
Augment your defenses with an ICES solution
The most powerful defense against business email compromise (BEC) is to bolster your existing email security with an integrated cloud email security (ICES) solution. ICES solutions such as Egress Defend analyze both the content and context of emails using a combination of machine learning, natural language processing, and social graphs.
This means every email is treated with zero trust and analyzed for the underlying signs of phishing, rather than relying on detecting previously identified malicious signatures.