
BEC (Business Email Compromise): Prevention Strategies

When it comes to cyber attacks delivered by email, Business Email Compromise or BEC is a very present threat, costing billions of dollars in losses for companies worldwide. On this page, you’ll find all you need to know about BEC, from what it is to how to protect from it.

Arsen Team
7 minutes read

What is a Business Email Compromise?

Business Email Compromise (BEC) is a type of cybercrime that involves the use of email fraud to attack organizations. 

It typically involves attackers gaining access to a business email account and then using it to deceive the company, its employees, or its partners into transferring funds or sensitive information. 

Unlike mass phishing attacks, BEC is usually highly targeted and involves a significant amount of research on the victim organization.

  • 50% of cybercrime losses are due to BEC
  • 6+ months: average recovery time after a BEC attack
  • 65% increase in BEC attacks over the past five years

Types of Business Email Compromise

There are several types of Business Email Compromise attacks. We listed the most common below.

CEO Fraud

In CEO fraud, also known as executive impersonation, attackers pose as the company’s CEO or other high-ranking executives. They send emails to employees, usually in the finance department, instructing them to transfer money or provide sensitive information urgently. These emails often exploit the authority and urgency associated with executive communications.

Example: An attacker might impersonate the CEO and send an email to the CFO, requesting an immediate wire transfer to a specified account to finalize a high-stakes business deal.

Account Compromise

This type of BEC involves the compromise of a legitimate email account within the company. 

Attackers gain access to an employee’s email account through phishing or other methods and then use that account to send fraudulent emails. 

Since the emails originate from a trusted account, they are more likely to bypass security measures and be trusted by recipients.

Example: An attacker might gain control of an employee’s email account and use it to request invoice payments from customers, redirecting the payments to the attacker’s bank account.

Invoice Scams

In invoice scams, attackers impersonate vendors or suppliers and send fake invoices to the company’s accounts payable department.

The email might come from a spoofed address or a compromised vendor account, instructing the company to make payments to a new bank account controlled by the attacker.

Example: A company receives an email that appears to be from a long-time supplier, notifying them of a change in bank account details for future payments. The company updates its records and sends the next payment to the attacker’s account.

Attorney Impersonation

Attackers impersonate lawyers or legal representatives, often citing confidential or time-sensitive matters. These emails typically target senior executives or finance personnel and use legal jargon to create a sense of urgency and importance.

Example: An attacker posing as an attorney might email the CFO, claiming to handle a confidential acquisition and requesting immediate payment to secure the deal.

Data Theft

While many BEC attacks aim to steal money, some focus on obtaining sensitive information such as employee data, financial records, or intellectual property. This information can be used for further attacks or sold on the black market.

Example: An attacker compromises the HR director’s email account and sends emails requesting employees’ tax forms and personal information, which are then used for identity theft or sold to other criminals.

How Business Email Compromise Works

Business Email Compromise attacks work in a succession of steps that build a well-crafted social engineering attack.

Most BEC attacks follow the steps below: 

  1. Research: attackers gather information about the target organization and its employees, often using publicly available sources like LinkedIn, company websites, and social media. This helps them craft convincing and targeted emails.

  2. Initial Contact: Using phishing, spoofing, or other techniques, attackers make initial contact, aiming to compromise an email account or establish communication lines that seem legitimate.

  3. Account Compromise: If successful, attackers gain access to a legitimate email account, allowing them to send emails that bypass security filters and raise less suspicion among recipients.

  4. Execution: Attackers send fraudulent emails from the compromised account or spoofed addresses, requesting wire transfers, sensitive information, or changes to payment details. These emails often leverage urgency and authority to prompt swift action without thorough verification.

  5. Monetization: Once the victim complies with the fraudulent request, the attackers quickly move the stolen funds through various accounts, making recovery difficult. If sensitive information is stolen, it may be sold on the black market or used in further attacks.

  6. Cover-up: Attackers may delete sent emails or set up forwarding rules to conceal their activity and prolong the time before the compromise is detected.
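The cover-up step is the one a defender can hunt for directly: mailbox rules that forward finance-related mail outside the organization, delete it, or hide it in a folder nobody opens are a classic post-compromise footprint. The following is an added example, not Arsen's code or part of the original article; it scores a constructed list of inbox rules (the field names `mailbox`, `conditions`, `actions`, `forward_to`, `move_to` and so on are assumptions for this example, not the export schema of any particular mail platform) and reports the ones worth a human look.

```python
from typing import Dict, List, Tuple

# Assumption: the organization's own mail domain (constructed for this example).
INTERNAL_DOMAIN = "example-corp.com"

FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance", "iban", "swift"}
# Folders a user rarely opens; mail moved here is effectively hidden from them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}

# Constructed inbox-rule listing. The field names are assumptions for this example,
# not the export schema of any particular mail platform.
SAMPLE_RULES = [
    {"mailbox": "cfo@example-corp.com", "name": "Team updates",
     "conditions": {"from": ["hr@example-corp.com"]},
     "actions": {"move_to": "HR"}},
    {"mailbox": "ap-clerk@example-corp.com", "name": ".",
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"forward_to": ["collector@freemail.invalid"], "delete": True, "mark_read": True}},
    {"mailbox": "ap-clerk@example-corp.com", "name": "Filter",
     "conditions": {"body_contains": ["wire", "bank details"]},
     "actions": {"move_to": "RSS Feeds", "mark_read": True}},
]


def score_rule(rule: Dict) -> Tuple[int, List[str]]:
    """Score one rule; each suspicious trait adds points and a human-readable reason."""
    score, reasons = 0, []
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    # Forwarding or redirecting to an address outside the organization
    for target in actions.get("forward_to", []) + actions.get("redirect_to", []):
        domain = target.rsplit("@", 1)[-1].lower()
        if domain != INTERNAL_DOMAIN and not domain.endswith("." + INTERNAL_DOMAIN):
            score += 3
            reasons.append(f"forwards mail to external address {target}")
    if actions.get("delete"):
        score += 2
        reasons.append("deletes matching mail")
    if actions.get("move_to", "").lower() in HIDING_FOLDERS:
        score += 2
        reasons.append(f"moves mail to rarely-checked folder '{actions['move_to']}'")
    if actions.get("mark_read"):
        score += 1
        reasons.append("marks mail as read so nothing shows as unread")
    # Conditions that single out payment-related conversations
    terms = [t.lower() for key in ("subject_contains", "body_contains")
             for t in conditions.get(key, [])]
    hits = sorted({t for t in terms if any(k in t for k in FINANCE_KEYWORDS)})
    if hits:
        score += 2
        reasons.append("filters on finance keywords: " + ", ".join(hits))
    # Attackers often name rules "." or "," so they are easy to overlook
    name = rule.get("name", "").strip()
    if len(name) <= 1 or not any(c.isalnum() for c in name):
        score += 1
        reasons.append(f"non-descriptive rule name {name!r}")
    return score, reasons


def audit_rules(rules: List[Dict], threshold: int = 4) -> List[Dict]:
    """Return the rules scoring at or above the threshold, highest score first."""
    findings = []
    for rule in rules:
        score, reasons = score_rule(rule)
        if score >= threshold:
            findings.append({"mailbox": rule["mailbox"], "name": rule["name"],
                             "score": score, "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for finding in audit_rules(SAMPLE_RULES):
        print(finding["mailbox"], finding["name"], finding["score"], finding["reasons"])
```

Run against the constructed rules, the two rules on the accounts-payable mailbox are reported (external forwarding plus deletion scores highest) while the CFO's ordinary filing rule scores zero. The scoring weights are arbitrary starting points; the useful property is that a single external forward of invoice mail is enough to cross the threshold on its own, so the review list stays short and actionable.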

 

Business Email Compromise Techniques

Business Email Compromise relies on different, combinable techniques to either take over accounts or impersonate existing people — usually of authority.

Credential Harvesting Phishing Attacks

Phishing is a common tactic used to gain initial access to an employee's email account. 

Attackers send deceptive emails that appear to come from legitimate sources, tricking recipients into clicking on malicious links or attachments. 

These links lead to fake login pages where victims unknowingly provide their email credentials.

Spoofing

Email spoofing involves forging the sender’s email address to make it appear as though the email is coming from a trusted source within or associated with the target organization. 

This technique can deceive recipients into thinking the email is legitimate, prompting them to follow the instructions without suspicion.

From changing the extension of a domain name (a domain doppelganger) to using lookalike domains and typosquatting, many techniques allow attackers to convince their victim that the email comes from the legitimate address.

Malware

Malware, such as keyloggers, remote access trojans (RATs) or infostealers, is another method attackers use to compromise email accounts. 

These malicious programs can be delivered via email attachments or links. Once installed on a victim’s computer, malware can capture keystrokes, steal login credentials, and provide attackers with remote access to the system.

Social Engineering

Generally speaking, social engineering can be used in ways different than phishing — which is an email-based application of social engineering. 

It involves manipulating individuals into performing actions or divulging confidential information. 

BEC attackers often research their targets extensively to craft convincing emails that exploit trust, authority, and urgency.

Warning Signs of BEC

Business Email Compromise attacks, especially those that rely on a true account takeover, can be very hard to spot. However, a few warning signs can help detect them.

Unusual Requests

BEC emails often contain requests that deviate from normal business operations. 

These may include sudden and unexpected demands for money transfers, requests for confidential information, or instructions to change payment details.

Email Anomalies

Emails involved in BEC attacks frequently exhibit subtle anomalies that can alert vigilant recipients to their fraudulent nature. 

These anomalies might include slight misspellings in the sender's address, unusual language or tone, and unexpected attachments or links.
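The "slight misspellings in the sender's address" above and the doppelganger, lookalike and typosquat domains described under Spoofing are the same problem seen from two sides, and it can be checked mechanically at the mail gateway. The following is an added example, not Arsen's code or part of the original article: it compares the sender's domain against a constructed list of protected domains (`PROTECTED_DOMAINS`, the organization's own and a supplier's, both invented here) and reports which imitation technique it looks like. The confusable-character table is a small constructed subset; a production check would use the full Unicode confusables data and a public-suffix list.

```python
import unicodedata
from typing import List, Optional

# Assumption: the organization's own domain and one supplier domain, both constructed
# for this example and not tied to any real company.
PROTECTED_DOMAINS: List[str] = ["example-corp.com", "trusted-supplier.com"]

# A small, constructed set of ASCII character pairs that look alike in common fonts.
# A production check would use the full Unicode confusables table (UTS #39).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def skeleton(label: str) -> str:
    """Fold a domain label so visually similar spellings compare equal."""
    label = unicodedata.normalize("NFKD", label)          # split accented letters
    label = "".join(c for c in label if not unicodedata.combining(c)).lower()
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain: str) -> Optional[str]:
    """Return a reason if the domain imitates a protected domain, or None if it does not.

    An exact match returns None as well: whether mail from your own domain is genuine
    is a job for SPF/DKIM/DMARC, not for lookalike detection.
    """
    domain = sender_domain.strip().lower().rstrip(".")
    if domain.startswith("xn--") or ".xn--" in domain:
        try:  # decode internationalized (punycode) labels so homoglyphs are compared as text
            domain = domain.encode("ascii").decode("idna")
        except UnicodeError:
            return f"undecodable internationalized domain {sender_domain}"
    labels = domain.split(".")
    if len(labels) < 2:
        return f"malformed domain {sender_domain}"
    # Simplification: treat the last two labels as the registrable name and TLD
    # (multi-part suffixes such as co.uk would need a public-suffix list).
    name, tld = labels[-2], labels[-1]
    for protected in PROTECTED_DOMAINS:
        p_name, p_tld = protected.split(".")[-2], protected.split(".")[-1]
        if domain == protected or domain.endswith("." + protected):
            return None  # the domain itself or a genuine subdomain of it
        if domain.startswith(protected + "."):
            return f"protected domain {protected} embedded as a subdomain of {domain}"
        if name == p_name and tld != p_tld:
            return f"doppelganger TLD: {domain} reuses {p_name} with .{tld} instead of .{p_tld}"
        if name != p_name and skeleton(name) == skeleton(p_name):
            return f"homoglyph lookalike of {protected}: {domain}"
        if name != p_name and edit_distance(name, p_name) <= 1:
            return f"typosquat of {protected}: {domain}"
        if name != p_name and p_name in name:
            return f"protected name {p_name} embedded in {domain}"
    return None


if __name__ == "__main__":
    for candidate in ["example-corp.com", "example-corp.co", "examp1e-corp.com",
                      "examplecorp.com", "example-corp.com.attacker.net", "acme-widgets.com"]:
        print(candidate, "->", classify_sender_domain(candidate))
```

The checks are ordered from most to least specific, so each domain gets one explanation. Note the two deliberate gaps: an exact match of your own domain is handed to SPF/DKIM/DMARC, and a genuinely compromised account (the Account Compromise type above) produces no anomaly at all at this layer, which is why the page treats verification processes as a separate defense.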

Unexpected Urgency

Attackers often create a sense of urgency to pressure recipients into acting quickly without verifying the legitimacy of the request. 

These emails may emphasize the need for immediate action, claim time-sensitive opportunities, or warn of dire consequences if the request is not fulfilled promptly.

Verification Failures

BEC emails may bypass standard verification processes that the organization typically follows for sensitive transactions. 

This includes requests to ignore established protocols or to communicate outside of normal channels.

Abnormal Communication Patterns

If an email deviates from the sender's usual communication style or comes at an unusual time, it could be a sign of BEC. 

This includes emails sent at odd hours, uncharacteristic urgency, or a tone that doesn't match the sender's typical behavior.

Real-World Examples

Toyota Boshoku Corporation (2019)

Toyota Boshoku Corporation, a subsidiary of Toyota Group, fell victim to a BEC scam where attackers impersonated a company executive and instructed an employee to transfer a significant sum of money to a fraudulent account.

The company lost approximately $37 million in the scam.

The attackers used social engineering techniques to gather information about the company's financial operations and executive team, enabling them to craft a convincing email that bypassed standard verification procedures.

Facebook and Google (2013-2015)

A Lithuanian hacker impersonated a hardware vendor and sent fraudulent invoices to Facebook and Google over a period of two years. The invoices appeared legitimate, leading both companies to transfer funds to the attacker.

The scam resulted in combined losses of over $100 million.

The attacker exploited the established business relationship between the companies and their vendor, using carefully crafted emails and fake invoices that matched the format and details of legitimate transactions.

Ubiquiti Networks (2015)

Ubiquiti Networks, a technology company, was targeted by attackers who gained access to an employee's email account and used it to initiate unauthorized international wire transfers.

The company reported a loss of $39 million due to the attack.

The attackers compromised an employee's email account through phishing, allowing them to send fraudulent wire transfer requests that appeared to come from within the company. The lack of two-factor authentication and insufficient verification processes contributed to the success of the attack.

Impact of Business Email Compromise

As with any cyberattack, a successful business email compromise has several levels of impact.

Financial Losses

The most immediate and quantifiable impact of Business Email Compromise (BEC) is financial loss. 

Victims often experience significant monetary damage due to fraudulent wire transfers, fake invoices, and unauthorized account changes. 

The costs can extend beyond the initial theft to include fees for recovery efforts, legal expenses, and increased insurance premiums.

Reputational Damage

BEC incidents can severely damage an organization's reputation. 

When customers, partners, and stakeholders learn about a security breach, they may lose trust in the company's ability to protect sensitive information.

This loss of trust can lead to decreased business opportunities, customer attrition, and a tarnished brand image.

Operational Disruption

BEC attacks can disrupt business operations in various ways. 

The time and resources required to respond to an incident, investigate the breach, and implement remedial measures can divert attention from core business activities. 

Additionally, compromised systems may need to be taken offline for repairs, further interrupting normal operations.

Legal and Regulatory Consequences

Organizations that fall victim to BEC may face legal and regulatory repercussions. 

Depending on the nature of the breach and the data compromised, companies might be subject to fines, penalties, and lawsuits. Compliance with data protection regulations such as GDPR, CCPA, or industry-specific guidelines can lead to additional scrutiny and mandatory reporting requirements.

Psychological and Emotional Impact

Employees involved in a BEC incident, particularly those who were manipulated by social engineering tactics, may experience significant stress and anxiety. 

The fear of repercussions, guilt, and embarrassment can affect their morale and productivity.

Prevention and Protection Strategies

In these attacks, defense in depth is key. You need several strategies and layers of defense systems to better protect yourself from BEC.

Employee Training

Employees are often the first line of defense against BEC attacks. 

Training programs should focus on educating staff about the common tactics used in BEC scams, how to recognize suspicious emails, and the importance of verifying requests for sensitive information or financial transactions.

  • Regular Training Sessions: Conduct regular training sessions to keep employees informed about the latest BEC tactics and prevention strategies.

  • Phishing Simulations: Implement phishing simulation exercises to test and reinforce employees' ability to identify phishing emails, including BEC simulations.

  • Awareness Campaigns: Use posters, newsletters, and emails to remind employees of best practices and warning signs.

Email Security Measures

Technical defenses can significantly reduce the risk of BEC attacks by identifying and blocking suspicious emails before they reach employees' inboxes.

Key Tools and Technologies:

  • Email Filtering: Use advanced email filtering solutions to detect and block phishing emails, spoofed addresses, and malicious attachments.

  • Multi-Factor Authentication (MFA): Require MFA for email accounts to add an extra layer of security, making it more difficult for attackers to gain access even if they obtain login credentials.

  • Domain-Based Message Authentication, Reporting, and Conformance (DMARC): Implement DMARC policies to protect against email spoofing by verifying the authenticity of incoming emails.
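A DMARC record only protects against spoofing when it is actually enforcing. The following is an added example, not Arsen's code or part of the original article: it parses a DMARC TXT record and flags the settings that commonly leave a domain spoofable, shown against a constructed weak record and a constructed hardened one (the report addresses use the reserved `.invalid` suffix and are placeholders). Two caveats a practitioner will want: moving to `p=reject` assumes SPF and DKIM are already in place for every legitimate sending service, or your own mail gets rejected; and DMARC covers only exact spoofing of your domain, so lookalike domains and compromised accounts pass it untouched.

```python
from typing import Dict, List

# Constructed records: the addresses use a reserved .invalid domain and are placeholders.
WEAK_RECORD = "v=DMARC1; p=none; pct=100"
HARDENED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
    "rua=mailto:dmarc-agg@example-corp.invalid; ruf=mailto:dmarc-fail@example-corp.invalid; fo=1"
)

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into lower-cased tag -> value pairs (RFC 7489 tag-list syntax)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return findings, each prefixed HIGH/MEDIUM/LOW; an empty list means nothing to fix."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["HIGH: not a DMARC record: v=DMARC1 is missing"]
    policy = tags.get("p")
    if policy not in POLICY_RANK:
        return ["HIGH: p= tag missing or invalid; receivers ignore the whole record"]
    findings: List[str] = []
    if policy == "none":
        findings.append("HIGH: p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("MEDIUM: p=quarantine sends spoofed mail to spam instead of rejecting it")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"MEDIUM: pct={tags.get('pct')} applies the policy to only part of failing mail")
    # Subdomain policy defaults to p= when absent; an explicit weaker sp= is a common gap
    sub_policy = tags.get("sp", policy)
    if POLICY_RANK.get(sub_policy, 0) < POLICY_RANK[policy]:
        findings.append(f"MEDIUM: sp={sub_policy} leaves subdomains weaker than the organizational domain")
    if tags.get("adkim", "r") == "r" or tags.get("aspf", "r") == "r":
        findings.append("LOW: relaxed alignment (adkim/aspf=r); strict (s) narrows what counts as aligned")
    if "rua" not in tags:
        findings.append("MEDIUM: no rua= address, so you get no aggregate reports showing who sends as you")
    return findings


if __name__ == "__main__":
    for label, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(label, assess_dmarc(record) or ["OK"])
```

In practice the record is fetched with a TXT lookup of `_dmarc.<your-domain>`; the aggregate reports that `rua=` delivers are what tell you which legitimate services still fail alignment before you tighten `p=`.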

Verification Processes

Establishing and enforcing robust verification processes for financial transactions and sensitive information requests can prevent BEC attacks from succeeding.

Key Procedures:

  • Dual Authorization: Require dual authorization for significant financial transactions, ensuring that at least two individuals review and approve the request.

  • Out-of-Band Verification: Verify requests for sensitive information or financial transfers using a separate communication channel, such as a phone call, to confirm the request's legitimacy.

  • Vendor Management: Regularly verify and update vendor contact information, and establish procedures for confirming changes to payment details with trusted contacts.
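These three procedures are easier to enforce when they are encoded in the system that applies a vendor bank-detail change rather than left to memory. The following is an added example, not Arsen's code or part of the original article: a small control check over a constructed vendor master record (`VENDOR_MASTER`, the `DUAL_AUTH_THRESHOLD` amount and all names and numbers are invented). It rejects a change unless someone other than the requester confirmed it by calling the number already on file, and unless enough distinct approvers signed off for the amount at stake.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: amount above which two approvers are required (constructed threshold).
DUAL_AUTH_THRESHOLD = 10_000

# Constructed vendor master record. The callback number was captured at onboarding and
# is the only number the verification call may use; numbers quoted in email are ignored.
VENDOR_MASTER: Dict[str, Dict[str, str]] = {
    "V-1001": {"name": "Trusted Supplier Ltd", "iban": "XX00EXAMPLE0001",
               "callback_phone": "+00 000 000 0001"},
}


@dataclass
class ChangeRequest:
    vendor_id: str
    new_iban: str
    requested_by: str                               # employee who logged the emailed request
    amount_at_risk: float                           # value of upcoming payments to this vendor
    phone_in_email: Optional[str] = None            # callback number quoted in the email, if any
    verified_by: Optional[str] = None               # employee who made the out-of-band call
    verified_via_phone: Optional[str] = None        # number actually dialled for that call
    approvals: List[str] = field(default_factory=list)


def validate_change(req: ChangeRequest) -> List[str]:
    """Return control failures; an empty list means the bank-detail change may be applied."""
    failures: List[str] = []
    vendor = VENDOR_MASTER.get(req.vendor_id)
    if vendor is None:
        return ["unknown vendor id"]
    if req.new_iban == vendor["iban"]:
        return []  # nothing changes, nothing to verify
    # A "new phone number" in the same email is the classic way to hijack the callback
    if req.phone_in_email and req.phone_in_email != vendor["callback_phone"]:
        failures.append("email supplies a different callback number: treat as a red flag, use the number on file")
    # Out-of-band verification: separate channel, number on file, second person
    if req.verified_by is None:
        failures.append("no out-of-band verification recorded")
    else:
        if req.verified_via_phone != vendor["callback_phone"]:
            failures.append("verification call did not use the callback number on file")
        if req.verified_by == req.requested_by:
            failures.append("requester verified their own request; a second person must make the call")
    # Dual authorization above the threshold; the requester never counts as an approver
    required = 2 if req.amount_at_risk >= DUAL_AUTH_THRESHOLD else 1
    approvers = set(req.approvals) - {req.requested_by}
    if len(approvers) < required:
        failures.append(f"needs {required} approver(s) other than the requester, has {len(approvers)}")
    return failures


if __name__ == "__main__":
    rushed = ChangeRequest("V-1001", "XX00NEW0002", "alice", 50_000,
                           phone_in_email="+00 999 999 9999")
    print(validate_change(rushed))
```

The point of the `phone_in_email` check is that the verification channel must come from your own records: a callback to a number supplied in the suspicious email just reaches the attacker. The separation-of-duties check mirrors the page's dual-authorization bullet, with the requester excluded from the approver count so that one compromised or pressured employee cannot satisfy it alone.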

Incident Response Plans

Having a well-defined incident response plan enables organizations to quickly and effectively respond to a BEC attack, minimizing damage and recovery time.

Key Components:

  • Detection and Reporting: Establish clear procedures for detecting and reporting suspected BEC incidents. Encourage employees to report any suspicious emails or activities immediately.

  • Containment and Eradication: Define steps to contain the incident, such as isolating compromised accounts and systems, and eradicating any malware or unauthorized access.

  • Investigation and Recovery: Conduct a thorough investigation to understand the scope of the attack, identify affected systems and data, and implement measures to recover from the incident.

  • Communication: Develop a communication plan to inform stakeholders, including employees, customers, partners, and regulatory bodies, about the incident and the steps being taken to address it.


Frequently Asked Questions

BEC attacks typically occur through phishing emails, email spoofing, or malware that compromise an employee's email account. Attackers then use this access to send fraudulent emails that appear legitimate, requesting financial transactions or sensitive information.

Common targets of BEC attacks include executives, finance department employees, and other personnel with access to company finances or sensitive information. However, any employee can be targeted if they are believed to have the ability to execute financial transactions or access valuable data.

Common types of BEC scams include:

  • CEO fraud: Impersonating executives to request urgent wire transfers.
  • Account compromise: Using a compromised email account to request payments or data.
  • Invoice scams: Sending fake invoices that appear to come from legitimate vendors.
  • Attorney impersonation: Posing as legal representatives to request confidential information or payments.
  • Data theft: Seeking sensitive information such as employee data or financial records.

Warning signs of a BEC attack include:

  • Unusual or urgent requests for money transfers or sensitive information.
  • Emails with slight variations in the sender's address or domain.
  • Requests to bypass standard verification processes.
  • Uncharacteristic language or tone in emails from known contacts.
  • Emails sent at unusual times or from unknown locations.

Organizations can protect themselves against BEC attacks by:

  • Conducting regular employee training on recognizing and reporting phishing and BEC attempts.
  • Implementing advanced email security measures, such as email filtering and multi-factor authentication.
  • Establishing robust verification processes for financial transactions and sensitive information requests.
  • Developing and maintaining an incident response plan for dealing with BEC attacks.

If employees suspect a BEC attack, they should:

  1. Immediately report the suspicious email to their IT or security team. Avoid clicking on any links or opening attachments in the suspicious email.
  2. Verify the request through a secondary communication channel, such as a phone call to the purported sender.

BEC attacks can have several impacts on organizations, including:

  • Financial losses from fraudulent transactions.
  • Reputational damage and loss of customer trust.
  • Operational disruptions due to compromised systems and investigation efforts.
  • Legal and regulatory consequences, including fines and lawsuits.
  • Psychological and emotional stress on affected employees.

After a BEC attack, an organization should:

  • Contain and eradicate the threat by isolating compromised accounts and systems.
  • Conduct a thorough investigation to determine the scope of the attack.
  • Implement measures to recover from the incident, including financial recovery efforts and system restoration.
  • Communicate with stakeholders, including employees, customers, and regulatory bodies, about the incident and mitigation efforts.
  • Review and strengthen security measures to prevent future attacks.
