Last updated on February 24, 2023
Business Email Compromise (BEC) is an attack in which the victim believes they have received an email message from a genuine sender, while the message was in fact sent by attackers. The message attempts to defraud the company by impersonating a finance executive, sending a fake invoice, or asking for a wire payment to a bank account the attackers control. BEC scams cost companies thousands or even millions of dollars per incident. In 2021 alone, BEC schemes resulted in a total reported loss of nearly $2.4 billion. The $49.2 million in ransomware losses reported in the same FBI 2021 Internet Crime Report seems minuscule in comparison.
BEC attacks combine social engineering with computer intrusion techniques to target both individuals and businesses that transfer funds. BEC attacks that target individuals rather than organizations are sometimes also called Email Account Compromise (EAC) attacks. Both BEC and EAC attacks aim to compromise or impersonate email accounts in order to trigger unauthorized transfers of funds. If your company regularly pays invoices or performs wire transfers, you are a potential BEC target.
What are the Types of Business Email Compromise (BEC)?
Business Email Compromise (BEC) scams come in many forms. In the past few years, attackers have moved on from simple attempts at spoofing a business address and developed sophisticated BEC schemes that involve cryptocurrency cash-outs and the takeover of business leaders’ email accounts. Here are the most common types of Business Email Compromise scams.
1. Bogus Invoice
In this scheme, fraudsters pretend to be one of the company’s suppliers and ask for an outstanding bill to be paid to a new, fraudulent account. The Bogus Invoice Scheme often targets companies with foreign suppliers, where a change of bank or currency is less likely to raise questions.
2. CEO Fraud
Cybercriminals impersonate the CEO or a financial executive of the company and email employees, requesting a money transfer to a fraudulent account. Once the transfer has been made, the attackers rapidly move the money on, frequently into cryptocurrency wallets, which makes it harder to trace and recover.
3. Account Compromise
Attackers compromise the email account of an employee and review the employee’s contacts and past correspondence to find vendors and customers. They then send payment requests to those contacts from the genuine mailbox, so the messages pass every sender check and look entirely normal to the recipient. Naturally, the money sent by unsuspecting vendors goes to bank accounts controlled by the scammers.
4. Lawyer Scam
Attackers pretend to be a lawyer, attorney, or somebody from a law firm handling an urgent and confidential legal matter. Targets are urged to act quickly and discreetly and to transfer funds so that the legal case can proceed.
5. Data Theft
In this scam, attackers spoof or hijack the email account of an employee and send requests to other employees, typically in HR or payroll, asking for personally identifiable information about other people in the company. This type of Business Email Compromise can be an attack in and of itself or a prelude to a more targeted BEC attack that uses the stolen details.
How Do Hackers Gain Access to Email Accounts?
Many Business Email Compromise (BEC) scams involve attackers gaining access to an email account and sending messages from it. But how do attackers get into an employee’s email account in the first place?
1. Breaking the Password
Sometimes attackers reuse credentials leaked in an earlier breach (credential stuffing), try a few common passwords against many accounts (password spraying), brute-force the password outright, or employ a more sophisticated password-cracking technique to gain access to the victim’s email account.
2. Keyloggers
Another popular way of accessing an email account is installing keylogger malware on the victim’s computer. The malware records every key pressed on the victim’s keyboard, so the attackers can extract the password the victim typed when logging in to their account.
3. Social Engineering
Phishing, spear phishing, and other forms of social engineering are popular ways of tricking the victim into disclosing their login credentials or other information that helps fraudsters compromise the victim’s account. Spear phishing messages are especially dangerous because they usually contain a lot of specific, accurate detail about the target, which makes them seem legitimate.
4. Spoofing
Sometimes attackers do not need access to somebody’s account to send malicious email messages that look like they came from it. Instead, cybercriminals send messages from an email address that closely resembles the original one, with a slight difference that is hard to notice at first glance. For example, an attacker who wants to impersonate bob.smith@example.com can register a lookalike domain and send from bob.smith@exampl.com instead. Some people will not notice the difference until it is too late. Two related tricks require no lookalike domain at all: setting the display name to the impersonated person while using an unrelated address, or forging the From header outright when the impersonated domain does not publish and enforce SPF, DKIM, and DMARC records.
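The lookalike-domain trick above can be caught mechanically at the mail gateway or in a mailbox rule. The script below is an added example, not code from the original article or from Rublon: it parses raw message headers, compares the From domain against a list of domains the organization trusts (the list, the confusable-character table, and the three sample messages are all constructed for illustration), flags domains within a small edit distance of a trusted one or equal to it after folding common confusables such as rn/m, and also flags a Reply-To that points somewhere other than the From domain.

```python
"""Lookalike-domain and Reply-To checks on raw e-mail headers.

Added example, not code from the original article or from Rublon.
The trusted-domain list, the confusable table and the sample messages
below are constructed for illustration."""
import email
from email.utils import parseaddr

# Constructed: domains this organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"example.com", "acme-supplier.com"}

# Illustrative subset of character sequences that look alike in many fonts.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]


def levenshtein(a, b):
    """Edit distance between a and b (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain):
    """Fold confusable sequences so 'exarnple.com' compares equal to 'example.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def domain_of(header_value):
    """Domain part of the address in a From/Reply-To header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def lookalike_of(domain):
    """Trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def check_message(raw):
    """Return a list of findings for one RFC 5322 message (empty = nothing suspicious)."""
    msg = email.message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    target = lookalike_of(from_dom)
    if target:
        findings.append("From domain %r imitates trusted domain %r" % (from_dom, target))
    reply_dom = domain_of(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        findings.append("Reply-To domain %r differs from From domain %r" % (reply_dom, from_dom))
    return findings


# Constructed sample messages (headers only matter for these checks).
SAMPLE_LOOKALIKE = """From: Bob Smith <bob.smith@exampl.com>
To: accounts@example.com
Subject: Updated bank details for invoice 1042

Please use the new account on the attached invoice."""

SAMPLE_REPLY_TO = """From: CEO <ceo@example.com>
Reply-To: ceo.private@gmail.example
To: accounts@example.com
Subject: Urgent wire

Reply to this address only, I am in a meeting."""

SAMPLE_CLEAN = """From: Alice <alice@acme-supplier.com>
To: accounts@example.com
Subject: Invoice 1042

Attached as agreed."""

if __name__ == "__main__":
    for name, raw in [("lookalike", SAMPLE_LOOKALIKE), ("reply-to", SAMPLE_REPLY_TO), ("clean", SAMPLE_CLEAN)]:
        print(name, check_message(raw) or "OK")
```

The edit-distance threshold of 2 is deliberately loose; in production you would tune it against your real trusted list (short domains produce false positives) and treat a Reply-To mismatch as a signal to combine with others, since mailing lists and ticketing systems set Reply-To legitimately. Neither check helps when the attacker sends from a genuinely compromised mailbox, which is why the verification steps later in this article still matter.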
How to Protect Against Business Email Compromise Attacks?
Thankfully, companies and individuals can do multiple things to prevent or significantly mitigate Business Email Compromise (BEC) attacks.
1. Be Careful About the Information You Share Online
Attackers can use information you have shared publicly on social media to guess your password or the answer to a security question. Further, they can gather detailed information about you, your colleagues, and your suppliers and use it in a spear phishing message to make it look legitimate.
2. Do Not Click on Unknown Links
Do not click on links in unexpected messages. They may lead to a fake login page that captures your password, or to a download that installs keylogger or other malware on your device and lets attackers capture your password and everything else you type.
3. Do Not Download Unknown Files
Likewise, never open unsolicited attachments or downloads. These files may contain malicious software that infects your computer and steals your data, bringing the attackers one step closer to compromising your account.
4. Carefully Examine the Email Sender’s Information
When you receive an email message, carefully examine the sender’s name, the full email address behind it (not just the display name), and the Reply-To address. Attackers hope that you will not notice a small difference in the address and take the bait. Be smarter than that.
5. Be Wary of Requestors Who Push You to Act Quickly
If you receive a request for a wire transfer or another action that is unusually pushy or insistent, take extra care to verify its authenticity. Attackers rely on urgency to make victims act quickly and without thinking. Take your time and never let yourself be rushed into performing an action.
6. Verify The Authenticity of Each Payment and Purchase
If you receive a request for payment, think about how you can confirm it is legitimate through a channel other than email. For example, if your CEO or a financial executive emails you asking for a wire transfer, call them on a number you already have on file, never one given in the message, to confirm the request. Be especially wary of changes to account numbers or to the usual procedure for sending money, and verify those with the supplier through a known contact before paying.
7. Spread Cybersecurity Awareness
Every organization should train its employees in cybersecurity. Security awareness training is known to decrease the number of successful social engineering attacks and is therefore one of the most essential controls against BEC.
8. Enable Multi-Factor Authentication (MFA) On All Accounts
Enabling Multi-Factor Authentication (MFA) on all accounts for all users is a key technique for preventing Business Email Compromise (BEC) attacks. Accounts protected with just a password are easy to compromise and take over. In contrast, once you enable MFA on an account, you drastically increase its security and make it much harder for an attacker to log in with a stolen or guessed password. Keep in mind that MFA protects the login; it does not stop spoofed or lookalike messages that never touch your account, so the verification steps above still apply.
How Multi-Factor Authentication (MFA) Prevents Business Email Compromise (BEC) Attacks?
Companies should enable Multi-Factor Authentication (MFA) for all users without exception to decrease the likelihood of attackers gaining access to corporate accounts. Besides enabling MFA on all email accounts, organizations should require Multi-Factor Authentication on all VPN and RDP connections and on logins to cloud and on-premises applications and services. A comprehensive, multi-layered approach to authentication thwarts attempts at compromising business email, stealing data, and gaining unauthorized access to corporate networks and applications.
Enable Modern Multi-Factor Authentication (MFA) For $1
Rublon Multi-Factor Authentication (MFA) allows you to enable sophisticated multi-layered protection for your RDP, VPN, Active Directory, RADIUS, and cloud app logins for just $2 per user per month.
You can try Rublon for free by starting the Free 30-Day Rublon Trial.