In recent years, Business Email Compromise (BEC) attacks have become increasingly common. These sophisticated scams target businesses of all sizes and can result in significant financial losses.
Many businesses are still unaware of the threat posed by BEC attacks and are unprepared to defend themselves. In this blog post, we’ll discuss what BEC attacks are, how they work, and what you can do to protect your business.
What is Business Email Compromise?
Business Email Compromise is a type of phishing attack that fraudsters use to trick unsuspecting executives or employees into sending sensitive data or making payments to fraudulent accounts.
Unlike most phishing attacks, BEC attacks are highly targeted. The attacker will take the time to compromise or replicate the email address of a high-level executive, and then email an employee with their request. Because the email appears to come from a legitimate address, the employee has no idea they’re being scammed.
BEC is one of the most damaging and expensive types of phishing attacks, and over the last seven years, it has been responsible for more financial losses in cybercrime than any other attack method.
Irish companies lost almost €6m to BEC scams last year, and according to the FBI’s 2021 Internet Crime Report, 35% of all cybercrime losses were attributed to BEC attacks.
How Does Business Email Compromise Work?
Most BEC attacks target high-level executives who are authorised to make payments on behalf of their company. Attackers will often spend weeks researching their targets on sites such as LinkedIn, company websites or any other online sources that help them zero in on their victims.
The ultimate goal is to identify the names and job titles of employees so that they can create a plausible link between the person whose account they will attempt to compromise and the person they will target with the scam email.
Once attackers have finalised a list of email accounts, they will use the information to spoof email addresses, create lookalike domains or take over a legitimate email account. Attackers will then impersonate a victim’s colleague, manager or CEO and send them an email requesting confidential information or an urgent funds transfer.
If the attacker has successfully gained the victim’s trust, they can easily persuade them to fulfil their requests.
These types of attacks are particularly dangerous because they do not contain malware, malicious links, dangerous email attachments, or other elements an email security filter might identify. It’s all achieved through sophisticated social engineering techniques that are used to exploit human trust.
Types of Business Email Compromise Attacks
CEO Fraud – Attackers will impersonate the CEO or another high-level executive within the company. As the CEO, they’ll send an email to an employee requesting confidential information or a funds transfer. The email may be flagged as urgent to discourage the employee from verifying the request or discussing it with another member of staff.
False Invoice Scam – Companies with foreign suppliers are often targeted by this type of scam. Attackers will pretend to be a legitimate supplier, request payment for a fake invoice and then transfer the money into a fraudulent account that they’ve set up.
Account Compromise – Attackers will hack an employee’s email account and then use it to request payments from partners, vendors or suppliers. The money is then sent to an attacker-controlled bank account.
Lawyer Impersonation – Attackers will impersonate a company’s law firm and request an urgent funds transfer to deal with a legal dispute or unpaid bill. These attacks typically target lower-level staff who might not have the knowledge to question the validity of a legal request.
Data Theft – These types of attacks typically target HR and finance departments in an attempt to steal sensitive information about a company’s employees. They are often the precursor for a more significant cyber attack.
Business Email Compromise Warning Signs
- Emails that contain urgent language and covert requests.
- Large funds transfers to a recipient your company has never dealt with.
- Money transfers initiated at the end of the day or working week.
- Small changes to an email address so that it imitates a legitimate email address (a lookalike domain or a transposed character).
- The recipient account is a personal account instead of a registered business account.
- Last-minute changes in recipient account information.
- Communication only via email and refusal to communicate over the phone.
How to Protect your Business Against Business Email Compromise Attacks
- Use multi-factor authentication on all email accounts.
- Enable controls so that all emails from outside the company are flagged as coming from an external source.
- Employees should question and verify all confidential requests, especially those deemed urgent by senior staff.
- Use email filtering or intrusion detection rules to flag messages sent from domains that closely resemble your company’s own domain.
- Implement anti-phishing solutions to identify red flags such as a reply address not matching the sender address.
- Staff should receive regular cyber security awareness training to ensure that they can identify and respond to a BEC attack.
- Limit the number of employees authorised to approve payment transfers.
- Do not post sensitive information on company websites or social media.
- Implement strict accounting controls to verify the legitimacy of payment requests.
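Two of the controls above (flagging lookalike sender domains and a Reply-To that does not match the sender) can be checked mechanically on incoming mail headers. The following is an added example, not code from the original post; the company domain, the edit-distance threshold of 2 and the sample message are all constructed assumptions.

```python
# Added example: flag two BEC red flags from raw email headers.
import email
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"  # assumed company domain


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Fold common visual substitutions so 'exarnple' compares equal to 'example'."""
    return domain.lower().replace("rn", "m").replace("0", "o").replace("1", "l")


def is_lookalike(domain: str, company: str = COMPANY_DOMAIN) -> bool:
    """True when the domain is not ours but is within 2 edits of it after folding."""
    if domain.lower() == company:
        return False
    return levenshtein(normalise(domain), normalise(company)) <= 2


def check_headers(raw: str, company: str = COMPANY_DOMAIN) -> list[str]:
    """Return a list of human-readable flags for the message's From/Reply-To headers."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or from_addr)
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower()
    flags = []
    if is_lookalike(from_dom, company):
        flags.append(f"lookalike sender domain: {from_dom}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    return flags


# Constructed sample: 'rn' in place of 'm' in the sender domain, plus a foreign Reply-To.
SAMPLE = """From: CEO <ceo@exarnple-corp.com>
Reply-To: ceo.urgent@mail-relay.invalid
To: finance@example-corp.com
Subject: Urgent wire transfer

Please process the attached invoice today."""
```

Running `check_headers(SAMPLE)` returns two flags, one for each red flag; a message genuinely from example-corp.com with no Reply-To returns an empty list.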
Business Email Compromise is a serious threat to businesses of all sizes. If you’re not already taking steps to protect your company from this type of attack, now’s the time to start. Get in touch today to find out how we can help keep your business safe from email-based fraud and other online threats.