What to do after a business email compromise (BEC) attack

Find out what organizations must do if they fall victim to a business email compromise attack (BEC).
by James Dyer
Published on 12th Jun 2023

A business email compromise (BEC) attack involves cybercriminals making use of phishing to defraud an organization of funds. BEC is a highly devastating and costly cyberattack and has resulted in $26bn in losses since July 2016, with little to no recovery options available.

Unlike other phishing attempts, in BEC attacks cybercriminals make use of payloadless phishing emails that usually bypass the signature-based detection used by traditional email security solutions, such as SEGs, which looks for known malicious payloads (e.g. malware attachments). Bad actors can also conduct OSINT to learn more about their target and the organizations they work with to find vulnerabilities they can take advantage of through spear phishing.

The use of compromised accounts and social engineering can make BEC attacks more convincing, which can lead to the target completing the transaction. According to the Egress Email Threats Pulse Report published in May 2023, there has been a 51% increase in phishing emails sent from compromised accounts in Q1 of 2023. It continues, “compromised, trusted supplier email accounts can be used to launch effective business email compromise (BEC) attacks.” The financial impact of a BEC attack can be devastating for an organization and in some cases the reputational damage can also lead to a business closing their doors. It is important to know how to proceed if your organization falls victim.

Report the business email compromise (BEC) attack

 After a fraudulent transaction is discovered, the organization must contact the appropriate law enforcement agency within their country, such as the FBI in the USA. These agencies will have departments that specialize in cybercrime and may be able to attempt to recover some or all of the funds. Despite reporting the crime, there is no guarantee the funds can be recovered.

After the attack has been discovered organizations must take note of the below details for the law enforcement report:

  • Name and location of the organization, the bank name and account number
  • The recipient’s name, bank, account number, and the location and name of the intermediary bank (if available)
  • The recipient’s SWIFT number, the amount transferred and any other relevant information

The organization is also required to report a successful business email compromise (BEC) attack to its insurers and board of directors.

Additionally, when an organization falls victim to a BEC attack it may become public knowledge and damage their brand reputation. To ensure there is less impact on the organization, it is important to have an effective crisis management team in place as soon as possible to recuperate the brand’s image.

How to report the attack

To report a business email compromise (BEC) attack, organizations can reach out to the below law enforcement agencies:

Provide support for colleagues

Phishing attacks, like business email compromise (BEC), have a psychological impact on employees, and it is important to provide the right support for employees. In the aftermath of an attack there are many ways that employees’ day-to-day tasks can be disrupted. For example, if the attack goes public, clients could become angry, frustrated, or upset, and employees on the frontline may be the target of these emotions. To help with this, employees need to have the right information available to reassure clients. If this is not done, there is a possibility that the negative response from clients could lead to the organization closing down, such as with Levitas Capital in 2020.  

The employee who will experience the biggest psychological impact after a BEC attack is the person who made the mistake. They may feel embarrassed and ashamed, and start to doubt their judgment and abilities. This doubt can consume them with the fear of accidentally interacting with a malicious email again and can affect their performance and productivity in their role. To remedy these affects, organizations should, as much as possible, operate a no-blame security culture. In addition, they can provide access to counselling, increase employee knowledge and awareness, and augment this with an integrated cloud email security (ICES) solution that uses real-time teachable moments.

Implement an integrated cloud email security (ICES) solution

ICES solutions like Egress Defend offer the best defense against business email compromise attacks.

Defend analyzes the content and context of every inbound email and uses technical measures and linguistic AI models to detect phishing emails that do not contain a malicious payload, such as BEC attacks. The solution also provides real-time dynamic banners within the inbox, offering in-the-moment education that augments security awareness and training programs.

Learn more about how to stop a business email compromise attack

Cybercriminals' tactics are becoming increasingly sophisticated, and organizations need to stay one step ahead. Visit the Egress phishing hub to learn about detecting and neutralizing advanced phishing attacks. Stop a business email compromise attack in its tracks. Protect yourself and your organization today."