What is business email compromise (BEC)?

Egress | 25th Jun 2021

Business email compromise (BEC) can be extremely costly to organizations. According to the FBI, BEC attacks caused over $1.8 billion worth of losses to businesses in 2020. Organizations must prioritize the safety of their email systems if they hope to avoid becoming the victim of a BEC attack.

In this article, we'll explore what business email compromise is, what signs to look out for and how you can prevent an attack.

What is business email compromise?

Business email compromise, otherwise known as 'BEC', is a form of phishing scam where attackers pose as a trusted source in order to defraud an organization. They impersonate colleagues, vendors, or trusted authority figures, usually with the goal of tricking an employee into making a wire transfer or giving away confidential information.

Attackers can either compromise legitimate email accounts through account takeover (ATO) or by creating spoofed accounts that appear very similar to authentic ones. 

How business email compromise attacks happen

Unlike some forms of phishing, BEC attacks are highly targeted and require scammers to do some research to maximize their success rate. They're impersonating trusted sources, sometimes people who will be known to the recipient, so the email needs to be convincing and realistic. 

Business email compromise relies heavily on text-based social engineering, rather than malware or malicious links. This means BEC attacks can often bypass email security systems that rely on signature-based detection. 

If a BEC email is convincing enough, it can work through simply asking an employee to do something. US money transfer company, Xoom Corporation, became the victim of a BEC attack in 2014. A series of spoofed emails that impostors sent to the finance department asking for money transfers cost the business $30.8 million in losses. 

Another example involved a UK non-profit organization, Save the Children, which was the victim of a BEC attack in 2018. Cybercriminals compromised an employee's email account to send out fraudulent invoices and documents that were linked to a project in Asia. This cost the organization an estimated $718,615

Signs of business email compromise

Business email compromise attacks are highly targeted and lack some of the signs people expect to see in phishing emails. As they rely on social engineering rather than malicious links and attachments, people need to think about the following suspicious elements of an email. 

1. Senior leaders making unusual requests: Most of us will respond promptly to an email from a manager or someone in the c-suite. But is their request out of the ordinary? It's unlikely that the CEO will need you to transfer funds directly into an account, for instance, so take some time to consider the validity of the request.

2. Confidentiality requests: Cybercriminals impersonating someone will often ask the recipient to keep the request to themselves and only communicate with the sender via email. Why the need for secrecy? 

3. Requests that bypass normal channels: Most businesses have systems through which all payments must be processed, regardless of their urgency. However, BEC attacks will attempt to bypass this. For example, they may ask for a direct wire transfer. Process-breaking requests should be challenged, even if they come from a senior executive.

4. Content issues: Take a close look at the content. Is the sender is known, is this how they would normally communicate? If it's a vendor or government authority, have they ever reached out like this before? 

5. 'Reply To' addresses that don't match the sender address: Attackers may be using lookalike domains to fool recipients - e.g. c0mpanyname.com, rather than companyname.com. This won't help with account takeover where a legitimate email account has been compromised.

How to prevent business email compromise

Although some BEC attacks manifest themselves as a result of malware, the majority of them rely on social engineering. This means that signature-based detection is unlikely to be effective.

Instead, here are some protection strategies you should consider putting in place:

  • Avoid using free email accounts: It's best to have a company domain name as this will make it harder to impersonate.
  • Enable multi-factor authentication: Multi-factor authentication will require users to provide two or more pieces of information to log in, making it more difficult for hackers to gain access.
  • Secure your domain: Even if you have a custom company domain, cybercriminals could make similar-looking ones. It's a good idea to register any similar domains to lower the risk of this happening.
  • Forward emails instead of replying: If you're not sure of the legitimacy of an email, don't hit 'reply'. Instead, forward the email and manually type in the sender's correct email address. 
  • Put processes in place: Make it compulsory for employees to confirm email requests internally for wire transfers or confidential information. 
  • Know your clients' habits: If a client suddenly changes their business practices, this could be a suspicious sign. For example, if someone asks you to begin using their personal email address when previous correspondence has been through company email, you should verify this directly with the sender using another method of contact.

Augment your email security with an ICES solution

The most powerful defense against business email compromise (BEC) is to bolster your existing email security with an ICES (Integrated cloud email security) solution. ICES solutions such as Egress Defend analyze both the content and context of emails using a combination of machine learning, natural language processing, and social graphs.

This means every email is treated with zero trust and analyzed for the underlying signs of phishing, rather than relying on detecting previously identified malicious signatures.

Learn how ICES solutions can protect your organization against BEC and others forms of advanced phishing.