We stand with Ukraine to help keep people safe. Join us

Topic Secure Inbox

What Is a Business Email Compromise?

By Andriy Slynchuk

Jun 08, 2021
14 min read
Jun 08, 2021
14 min read

Table of contents

Business email compromise (or BEC, CEO fraud, or the man-in-the-email attack) is a type of phishing attack where scammers target — you guessed it — your business email. They do this in order to trick you into wiring them money or perform other actions that will negatively impact your organization.  

 

The difference between business email compromise vs. phishing is that the attacker already has the credentials or a believable way to pretend to be another company representative, contractor, vendor, or client. This way, they can persuade legitimate employees to perform actions that would benefit the hacker. The usual outcome of a business email attack is the loss of money or confidential information. According to Verizon's 2021 Data Breach Investigations Report, financially motivated attacks continue to be the most common ones, so business email compromise is also gaining popularity.

 

A BEC can be carried out in multiple ways, including via malicious software infiltrating your business network. With Clario's real-time anti-malware protection, you can discover all the viruses that might be hiding in your computer. Clario combines the capabilities of an antivirus, VPN, and live 24/7 support from security professionals. Download Clario and start your free trial now.

Anatomy of BEC

An attempt at business email compromise usually consists of a message sent from a hacked or a falsified account of a person in a powerful position within a company. The transfer of money or data then takes place, and the attacker vanishes. Lately, BEC has become such a serious and widespread problem that even the Australian Cyber Police provided recommendations on how to avoid and protect yourself against BEC.

 

One of the most typical signs of business email compromise, which it shares with most other phishing scams, is the urgency and non-typical nature of the request. Without the time factor, the recipient of the treacherous email is most likely to question what's required of them. However, the attackers usually exploit human psychology, using fear, threats, or pleading to get what they need. The victims are put under such circumstances that the presumed consequences of not complying with the request outweigh the possible consequences of fulfilling it.

bec example
This is what a typical BEC fraud email might look like — pressing your emotional buttons, trying to cause panic, and bully you into doing what the email sender requires.

How BEC works  

To compromise the initial gateway email or to trick the receivers of the BEC email, the attackers will use one of the following methods:

  • Spoofing of websites, email, or even instant messenger accounts
  • Spear phishing to target select employees or
  • Malware running within the organization's infrastructure

At first, the attacker gets access to a business email account belonging to a top manager (hence the "CEO attack" nickname). Next, they reach their goals by manipulating the employees. Phishing plays a big role in this. Including business email compromise cases, the number of phishing cases has increased to 36% of security/data breaches in business compared to 25% in the last year (2020).   

Types of BEC

A business email compromise scam where the attacker gains access to an email within the business infrastructure (hence causing email system compromise) is also called email account compromise. Most often, during the BEC, the attacker only impersonates somebody and pretends to be sending the messages through a legitimate gateway — using tactics like domain spoofing or display name spoofing.  

The most common types of BEC are:  

  • Fake CEO (Fake boss) — the money, property, or sensitive info/permissions are stolen by somebody pretending to be a C-level manager of the attacked company.
  • Fake invoice scam — money is lost to a fake legitimate-looking invoice.
  • Wire transfer fraud — similar to a fake invoice scam, but the wire transfer is requested to a 'drop' account from which it is immediately transferred further until the money is untraceable.
  • Fake lawyer — attackers impersonate a legal representative of the company or its business partner to lay their hands on sensitive legal information.
  • Fake HR — an attacker that impersonates HR staff gets access to personal employee information.
fake invoice
Even if such an email arrives from an unknown address, it's enough to intimidate a fearful employee into processing this invoice.

In BEC, a hacked business email may be used for targeting other employees, suppliers, or clients. This will usually be a manager or a business partner (for example, a supplier) asking for a specific action.  

Who does BEC target?

The most likely targets of a BEC are:

  • Companies with a large number of employees and complicated business processes.
  • Research and development companies whose trade secrets, discoveries, or inventions are of great interest to their competitors.
  • Companies that deal with large sums of money regularly so a "lost" invoice for several hundred thousand dollars won't seem out of place.
  • Companies whose top management is away on a business trip, so out-of-place after-hours requests made from unknown phone numbers or email accounts won't seem unusual.

The one common denominator here is that the companies have something of interest for hackers, and the fraud won't be easily recognized.  

Why is protection from BEC so important now?  

Unfortunately, the transition to remote working during the global pandemic helped increase the numbers in business email compromise statistics. Many of us have switched to the working-from-home model, and we're using our personal devices for working purposes (and the other way around, too). This, plus the absence of the physical office's security infrastructure, obviously puts us at much greater risk.

 

In December 2020, Keeper reported that uncertainty caused by COVID-19, Brexit, and the move to remote-working and BYOD policies led to 70% of UK finance companies experiencing BEC attacks over the preceding year.

 

The average monetary amount requested by attackers in a fake wire transfer or invoice BEC/AEC attacks increased almost by 100% by the end of 2020 (from $48,000 to $75,000). The losses from such crimes crossed over $1.77 billion in 2019 — and topped this in 2020. And according to the FBI's Internet Crime Report, BEC cases were the top cybersecurity claims in 2020.  

The most famous BEC scams

Due to the nature of the scam — as it deals with hacking humans as opposed to systems — business email compromise examples include companies of all sizes and from all industries. In 2020, 80% of firms experienced an increase in cyberattacks.

 

Google and Facebook

The early days of BEC also saw one of the biggest and the most ambitious attacks — the one against Facebook and Google, which led to $121 million in losses between 2013 and 2015. The person behind these attacks, Evaldas Rimasauskas, got a 5-year prison sentence for this fraud in 2019.

 

Scoular

This has been one of the most significant BEC cases ever. An employee of the Scoular company transferred $17.2 million to a Shanghai bank account following the request in a fake email that pretended to come from the company's CEO.

 

Ubiquiti

$46.7 million was lost by a company called Ubiquiti due to business fraud. The attackers used BEC and pretended to be an external company that successfully demanded and received money from Ubiquiti's financial department.  

How to prevent BEC

These are the steps you should take to prevent business email compromise:

  1. Realize that your company is just as vulnerable to such an attack as any other.
  2. Set workplace rules on using two-step verification for suspicious correspondence.
  3. Set email rules for flagging external emails.
  4. Require two-factor authentication in your IT infrastructure.
  5. Normalize confirmation requests and double-checks for unusual orders.
  6. Set at least a basic business email compromise policy and provide training for all new hires.

Unless the breach has been really deep and ongoing for a long time, a business email compromise attack alone won't bypass such security measures. Remember, the cost of business email compromise is always higher than the time and effort spent providing preventive training.  

 

If BEC prevention seems complicated but you would like to make your infrastructure more secure and your employees or colleagues more cautious, you should consider asking trusted security experts for help.

 

If you have doubts about the authenticity of any new email and you’d like to avoid BEC, you can consult Clario digital experts 24/7. Don't put your device and information at risk — get help when you need it. Download Clario now and enjoy your free trial.

 

When it comes to your company's security, it's better to err on the side of caution than regret your carelessness later. Keep your guards up and question anything suspicious that ends up in your email.

 

Read more:

Keep reading

Is Discord Safe for Kids?

Digital Wellness

Is Discord Safe for Kids?
11 Illegal Things You Unknowingly Do on the Internet

Digital Wellness

11 Illegal Things You Unknowingly Do on the Internet
Tapped on a Phishing Link on Your Phone? Here’s What to Do

Secure Inbox

Tapped on a Phishing Link on Your Phone? Here’s What to Do

Clario anti-malware protects users from sketchy websites.

Try Clario free
Click here to start installing