Business Email Compromise: What to Know
July 06, 2021 by Kenyon Fraser, CRVMP
A Business Email Compromise (BEC), also referred to as an Email Account Compromise, is one of the most financially devastating cyberattacks. The Anti-Phishing Working Group found in 2020 BEC scams cost an average of $80,000 per successful attack. And according to the FBI’s Internet Crime Complaint Center BEC attacks accounted for $1.8 billion in losses that same year.
Several high-profile cyberattacks have been perpetrated using BEC tactics. In 2019, a Toyota subsidiary lost $37 million to a BEC scam. In the same year, an Atlanta area city had $800,000 stolen in just two fraudulent transactions. These attacks show no sign of slowing down. In March of 2021, the FBI released a notification warning about ongoing BEC attacks targeting all levels of government. Understanding them is an important part of staying safe online.
How does a BEC attack work?
In a BEC attack, the hacker sends an email to their target that appears to make a legitimate request from a known source. It could be a request from a vendor, instructions from a boss, or anything that might be abused to give the attacker a payday. Many of the same techniques used in phishing attacks are used to trick the victim. Unlike the average phishing attempt, though, most BEC scams typically provide specific instructions. While the phishing portion of an attack ends after the malicious link is clicked or attachment is downloaded, a BEC attack requires ongoing engagement.
Picking a Target
A Business Email Compromise operates in several distinct stages. Since BEC scams require the victim to take certain actions, the attack must target a specific person or organization. Attackers look for organizations who commonly carry out the task they need done so it will blend into normal business activity. For example, industries dealing with high-dollar invoices, such as construction and manufacturing, are common targets. Hackers can still be opportunistic. A hacker who compromises one account may choose to use that as a starting point to scam someone known to the initial victim. For example, suppose an employee at ‘Company A’ falls for a phishing campaign. The hacker can then look at Company A’s clients, vendors, and other stakeholders to pick an appropriate target for the BEC scam. An attack may start as a widespread phishing attack before focusing on a specific high value target.
Creating False Credentials
After choosing a target, the attacker must find a way to earn their trust. They do this by obtaining false credentials to impersonate a trusted source. Most BEC attacks follow one of two methods to do this. They either steal the existing credentials of a real user or completely make up a new account.
Hackers steal real credentials using common hacking techniques. They look for vendors, coworkers, or other stakeholders to interact with the intended victim. With real accounts, the attacker can more accurately mimic the party they are impersonating. However, there is more risk involved, so some hackers prefer to create new credentials.
This is often done by creating a new email address visually similar to the account they want to impersonate. For example, they might use @ty1ertech instead of @tylertech. These changes can be caught by observant users, but someone in a rush may not catch the difference. Attackers can make these types of changes to websites as well. A fake website can be used to create the initial contact with the victim, or it can be part of a larger scheme to build trust with the victim.
Victim Engagement
After establishing their credentials, the attacker reaches out to their intended victim. This can be as simple as one email making a demand for money or whatever else the attacker is looking for. In other cases, the BEC scam could involve a more complicated grooming process where the attacker will build a rapport with their target before making requests, allowing them to build trust and avoid suspicion.
Most attackers use BEC tactics to get the victim to send them money. They may impersonate an organization’s CEO and request gift cards as a surprise bonus for other employees. Or impersonate a vendor and ask them to update billing information to redirect funds. Whenever possible, the attacker will pick activity that does not seem suspicious and will be difficult to reverse later. Payments in cryptocurrencies or gift cards are particularly desirable as they are often difficult, if not impossible, to refund. Many attacks stop after getting a single payout; however, skilled attackers may be able to collect multiple payments before being discovered.
Protecting Yourself and Your Organization From BEC Scams
There are several steps we can take to protect ourselves from BEC attacks. First, be on guard for anything that seems strange about a message. Requests for untraceable or nonrefundable methods of payment, such as mass gift card purchases, should be met with extreme scrutiny. Watch out for emails with strange grammar or spelling. If someone you consider trustworthy is acting out of character that may be a sign their account has been compromised. Carefully examining an email before engaging with it will increase your chances of spotting BEC scams, as well as phishing attacks in general.
There are also some more technical and automatic protections that can be enabled. Many email services, including Outlook, can automatically detect if a domain is the same as your organization. This will spot subtle changes that are difficult for humans to notice. Similar tools will also spot if a return address is different than the sender’s address.
It is also important to follow basic security practices to reduce the odds of your email being compromised and used to trick another victim. Secure important applications using strong passwords, multifactor authentication, and applying security updates as directed by your security team. Making accounts as difficult as possible to compromise will remove a potent tool for hackers.
Finally, consider verifying requests through other means of communication. Even if an email seems legitimate, use a phone number you already know to reach out to the sender and ask for confirmation. Calling, or even visiting in person, will stop some of the most advanced attacks.
What To Do If You Are the Victim of a BEC Attack
If you suspect you have been the victim of a BEC attack, it is important to act quickly and contact your financial institution immediately. The sooner the scam is recognized, the sooner your organization can activate your Incident Response Plan. It some cases it is even possible to cancel a wire transfer or other payment method after the funds have left your accounts. Reacting quickly also increases the odds of law enforcement being able to assist in the recovery of funds. Even if the scammers get away, up-to-date reports make it easier for law enforcement as well as information sharing groups such as CISA to detect patterns in attacks and prevent future attacks.