Business Email Compromise (BEC) is one of the fastest-growing and most financially damaging cybercrimes. It has consistently led the way in cybercrime losses in recent years. According to the 2022 FBI Internet Crime Report, the FBI received 21,832 Business Email Compromise (BEC) complaints, with estimated losses totalling more than $2.7B.
Data shows a 38% increase in cybercrime as a service targeting business email between 2019 and 2022. The sophistication of BEC threat actors and their tactics continues to increase, especially with the use of artificial intelligence.
Businesses must adapt and equip themselves with the knowledge, tools, and strategies to detect, mitigate, and prevent these lurking threats. But first, we’ll explore a brief overview of BEC.
What is Business Email Compromise (BEC)?
Business email compromise (BEC) is a sophisticated cybercrime tactic where attackers manipulate or compromise legitimate email accounts to defraud organizations. Typically, these scammers pose as trusted individuals, such as company executives or partners, to deceive employees into making unauthorized financial transactions or revealing sensitive information. BEC attacks often involve social engineering and careful reconnaissance to make their emails appear genuine, and they exploit employees’ trust and familiarity within an organization. This fraudulent practice can lead to significant financial losses, data breaches, and damage to a company’s reputation. Defending against BEC requires robust email security measures, employee training, and a vigilant cybersecurity posture.
Characteristics of BEC Attacks
Unlike standard phishing emails that are sent out indiscriminately to millions of targets, BEC attacks are crafted to appeal to specific individuals and can be hard to detect. BEC attacks are commonly characterized as:
- Much like a deep-sea predator singling out its prey, BEC attacks are often highly targeted. Attackers invest time and effort in gathering information about their targets to maximize their chances of success.
- These attacks are not the work of ordinary phishers. BEC scammers use advanced tactics such as social engineering and artificial intelligence to manipulate their targets effectively.
- Just as certain sea creatures adopt the appearance of harmless species to ensnare their prey, BEC attackers often impersonate senior executives or trusted partners, leveraging authority to persuade targets to act.
- BEC emails often convey a sense of urgency, pressuring the recipient to act swiftly and bypass usual security protocols or checks.
4 Phases of a BEC Attack
BEC attacks follow a well-planned, strategic path, with phases that typically include:
1. The attackers research their target, understanding the organizational structure, identifying key individuals, and learning the business’s language and protocols.
2. The cybercriminals prepare for the attack by crafting a believable narrative or scenario. This could include setting up a fake email account that closely resembles a trusted entity or compromising a legitimate one.
3. The targeted individual receives the fraudulent email. It might request an immediate wire transfer due to an ‘emergency’ or ask for sensitive data.
4. Once the recipient acts on the email, the attackers exploit the access or funds received to their benefit.
How to recognize a BEC attack
Understanding the common signs of a BEC attack can help organizations identify and respond to these threats effectively.
Common signs of a BEC attack include emails containing:
- Unexpected invoice requests
- Changes in banking details
- Urgent or confidential requests
Emails that contain these elements, particularly if they are out of the ordinary or from an unexpected source, should be treated with caution.
Another common tactic used in BEC attacks is email spoofing, where the attacker impersonates a legitimate individual or organization. This can be particularly difficult to recognize, as the email may appear to come from a trusted source. However, subtle differences in the email address, such as a slight misspelling or a different domain, can be a sign of email spoofing.
In addition, BEC attacks often involve a sense of urgency, with the attacker attempting to pressure the victim into acting quickly without questioning the request. Any email that demands immediate action, particularly if it involves a financial transaction, should be treated with suspicion.
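The signs listed above (unexpected invoice or payment requests, changed banking details, urgency, confidentiality, lookalike sender domains) and the DMARC result discussed later under mitigation can be turned into a simple mail-filter check. The following is an added example, not code from the original article; the trusted domain, the keyword patterns and the two sample messages are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
# Constructed for this example (not from the article): the organization's own
# domain and phrases matching the signs the article lists.
TRUSTED_DOMAINS = {"example-corp.com"}
PATTERNS = {
    "invoice-or-payment": r"\b(invoice|payment|wire transfer)\b",
    "banking-detail-change": r"\b(new|updated|changed) (bank|banking|wire|account)\b|\biban\b|routing number",
    "urgency": r"\b(urgent(ly)?|immediately|asap|right away|today)\b",
    "confidential": r"\b(confidential|keep this (quiet|between us)|do not (discuss|tell))\b",
}

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike_domain(domain: str) -> bool:
    """Near-match of a trusted domain (e.g. a one-character misspelling) that is not an exact match."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    return any(SequenceMatcher(None, domain, t).ratio() >= 0.85 for t in TRUSTED_DOMAINS)

def bec_indicators(raw_message: str) -> list:
    """Return the BEC indicators found in one RFC 5322 message (headers and body)."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", sender))[1]
    sender_dom = domain_of(sender)
    hits = []
    if lookalike_domain(sender_dom):
        hits.append("lookalike-sender-domain")
    if domain_of(reply_to) and domain_of(reply_to) != sender_dom:
        hits.append("reply-to-mismatch")
    # The receiving mail server records the DMARC outcome in Authentication-Results.
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        hits.append("dmarc-fail")
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    hits += [name for name, pat in PATTERNS.items() if re.search(pat, text, re.I)]
    return hits
# Constructed sample messages: a lookalike-domain CFO request and a routine internal mail.
SUSPICIOUS = """From: CFO <cfo@examp1e-corp.com>
Reply-To: cfo.private@freemail.example
Subject: Urgent wire transfer
Authentication-Results: mx.example-corp.com; dmarc=fail header.from=examp1e-corp.com

Please pay the attached invoice today using our updated bank details. Keep this confidential.
"""
LEGIT = "From: payroll@example-corp.com\nSubject: Monthly report\n\nThe monthly report is attached.\n"
```

A message that trips several indicators at once, as the constructed CFO request does, is a candidate for quarantine or for an out-of-band callback to the purported sender before any payment is made.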
Examples of successful BEC attacks
Here are two case studies on successful BEC attacks and their impact on organizations.
Case Study 1: The Belgian Bank Heist
In one of the most notorious BEC attacks, attackers swindled Belgian bank Crelan out of a staggering €70 million ($75.8 million) in January 2016. The audacious heist was executed with remarkable precision and subterfuge.
The attackers began by compromising the email system and creating counterfeit emails that perfectly mimicked legitimate communication. They then dispatched these to members of the financial team, ordering them to conduct what appeared to be standard transactions. By the time the bank uncovered the fraudulent activity, the funds had been transferred, and the cybercriminals had vanished into the digital depths.
This attack underlines the importance of diligent verification processes, especially for financial transactions. It’s a stark reminder that BEC attacks can successfully target even those who should (in theory) be the most prepared: financial institutions.
Case Study 2: The attack on the Save the Children Foundation
Charitable organizations aren’t exempt from the grasp of BEC attackers either. In 2017, the Save the Children Foundation fell prey to a sophisticated BEC scam, losing nearly $1 million. The attackers assumed the identity of a senior employee within the organization.
They sent emails from the compromised account to finance department staff, instructing them to urgently release funds to purchase solar panels for health centers in Pakistan—a project that aligned well with the organization’s mission. The money was wired to a fraudulent entity in Japan before the scam was detected.
Thankfully, due to diligent insurance coverage, the organization recovered all but $112,000 of the lost funds. This incident underscores the fact that no organization is immune to BEC attacks and that having robust cyber insurance can be a critical lifeline.
The role of artificial intelligence and machine learning in BECs
Artificial Intelligence (AI) and Machine Learning (ML) have become double-edged swords. On one hand, they are revolutionary technologies propelling businesses forward. On the other hand, they are powerful weapons in the hands of cybercriminals. BEC attackers are using AI and ML to impersonate executives convincingly, automate spear-phishing campaigns, and adapt their tactics based on the response to their attacks.
A recent report highlighted the development of a generative AI tool called WormGPT, designed to assist cybercriminals in crafting convincing BEC messages. This tool, which has been in development since 2021, is now being promoted on illicit online forums. WormGPT is a black-hat alternative to GPT models, specifically designed for malicious activities. It generates human-like text based on the input it receives and can create highly convincing fake emails.
The rise of organized cybercrime groups specializing in BEC attacks
The increasing specialization within the cybercrime community is contributing to the sophistication of BEC attacks. Organized cybercrime groups dedicated solely to BEC attacks are emerging and investing significant resources and expertise into creating the most effective scams. Their specialized focus allows them to continuously refine their tactics, ensuring their attacks remain at the cutting edge of deception.
As these threats become more sophisticated, our strategies for detecting, preventing, and mitigating them must evolve as well.
How to mitigate BEC risks
1. Employee awareness and training programs
A recent report found that employee error is responsible for 82% of data breaches. So, the first line of defense against BEC attacks is often the employees themselves.
By implementing comprehensive awareness and training programs, organizations can equip their employees with the knowledge and skills to identify and respond to potential BEC attacks. This includes understanding the common signs of a BEC attack, such as unexpected invoice requests, changes in banking details, and urgent or confidential requests. Regular training sessions can help keep this knowledge fresh and top of mind.
2. Implementing multi-factor authentication and strong access controls
Multi-factor authentication (MFA) is a powerful tool in the fight against BEC attacks. By requiring users to provide two or more verification factors to gain access to a resource such as an email account, MFA can significantly reduce the risk of unauthorized access, even if the attackers have obtained the passwords.
Strong access controls, including the principle of zero trust, can further enhance security. By ensuring that employees have only the access they need to perform their jobs, organizations can limit the potential damage that can be done if an email account is compromised.
3. Enhanced email security measures and email authentication protocols
Enhanced email security measures, such as spam filters and malware detection, can help to block or flag potentially malicious emails. Email authentication protocols, such as Domain-based Message Authentication, Reporting and Conformance (DMARC), can also help to prevent BEC attacks by verifying that incoming emails actually come from the domain they claim to be sent from.
4. The role of cybersecurity professionals and law enforcement agencies in combating BEC attacks
Cybersecurity professionals are experienced in dealing with BEC and similar threats, and can help design and implement effective security measures, monitor for potential threats, and respond to attacks that occur. By performing regular audits and penetration testing, they can identify and address any vulnerabilities to keep an organization’s network and communications secure.
Law enforcement agencies also play a key role in combating BEC attacks. By reporting BEC attacks to law enforcement, organizations can help to bring the attackers to justice and potentially recover any lost funds. Collaboration between organizations, cybersecurity professionals, and law enforcement creates a united front against BEC attacks and the groups responsible for them.
5. Stay proactive against BEC attacks
Staying proactive means maintaining an awareness of the latest BEC tactics and trends and fostering a culture of cybersecurity within the organization. Employees at all levels should be educated about the risks of BEC attacks and trained to recognize the signs of a potential attack. This includes understanding the common characteristics of BEC attacks, such as unexpected invoice requests, changes in banking details, and urgent or confidential requests.
However, vigilance alone is not enough. Organizations must also adopt proactive security measures to protect against BEC attacks. This includes implementing robust email security measures, such as spam filters and malware detection, and email authentication protocols like Domain-based Message Authentication, Reporting and Conformance (DMARC).
Engaging cybersecurity professionals to help design and implement effective security measures, monitor for potential threats, and respond to attacks can save organizations significant time and resources.
SecurityScorecard’s Proactive Security Services
Defend your organization with a range of proactive security services that battle-test your security controls and safely exploit vulnerabilities in your environment to eliminate cyber risk. Tabletop exercises test and bolster your cyber readiness alongside trusted experts who conduct simulated real-world incident exercises tailored to your organization. Uncover and evaluate vulnerabilities and emerging threats to your organization before a threat actor does with penetration testing. Our red team service reveals your blind spots with advanced testing that simulates real-world attacks. We use tactics and techniques of known malicious groups to uncover compromising vulnerabilities found in physical security, social engineering, and other methods.