4 minutes reading
Today’s digitally connected and dependent companies face not only traditional risks but also new-age cyber threats. BEC, short for business email compromise, exploits social engineering and attacks organizations, which costs them enormous losses.
FBI dubbed the Business Email Compromise as the 26$ Billion Sam
Threat actors take advantage of the trust factor and manipulate human behavior, such as trusting and helping someone, causing the organization to lose billions of dollars. In the guide, we’ll explore business email compromise and also look at business email compromise prevention.
What is Business Email Compromise?
BEC is a type of social engineering attack where a threat actor reaches out to the victim via email and tricks them into performing a particular action, like paying the invoice, sharing credentials, etc. Specifications of BEC are:
- Highly personalized and often carried out with advanced research of the victim.
- Calculated target selection of an individual within a specified organization.
- Absence of any malicious link.
The success of such BECs is based on three human behaviors:
- Urgency: People, in general, have low patience, and when it comes to a time-specific activity, they’re more prone to take action.
- Emotion: The trust factor in humans is both an asset and a liability in such scenarios. An opportunity for emotional manipulation makes the process easier for threat actors.
- Habit: BECs are performed after extensive research on the target. Scammers know about the activities that the victim performs without giving much thought, making scamming them easier.
Types of Business Email Compromise
Here are different types of business email compromise attacks
- CEO Fraud
Threat actors present themselves as CEOs or executive-level individuals and email authoritative employees with a request to transfer X amount to a specific bank account owned by cybercriminals.
- False Invoice Scam
Companies that deal with foreign suppliers are prone to falling for or encountering this scam. Attackers send emails to employees with fake invoices from their suppliers and request money be transferred to an account owned by the scammers.
- Account Compromise
In this type, attackers hack employees’ email accounts and request payments from the company’s vendor to their fraudulent bank accounts.
- Data Theft
The aim is to obtain employees’ information, such as job position, level of authority, etc., to establish a base for future fraudulent activities. In data theft, the most common victim is the organization’s HR department.
- Attorney Impersonation
In this scenario, an attorney pretends to be a lawyer or represents a legal matter over a phone call or email and requests to make a transaction for a law-related urgent matter.
No matter how impossible it might sound, for threat actors, these are possible types via which they can trick organizations into falling for such fraudulent activities.
Between 2013 and 2015, a BEC attack caused losses of 121$ million. A threat actor named Evaldas Rimasauskas sent fake invoices to Google & Facebook, which the companies eventually paid, causing the loss of millions of amounts.
Read more about the incident: Top Real-life Examples of BEC Attacks.
To protect an organization from losing millions or billions, more than just the business email compromise definition and its types must be provided. The key is to focus on how to prevent business email compromise.
Business Email Compromise Prevention
It’s difficult to prevent this BEC crime as spammy links or malicious attachments are not present in the email. These spams are majorly based on pretending to be a legitimate source.
However, organizations can incorporate the following measures to ensure employees don’t quickly become victims of these cybercrimes.
- Enable multi-factor authentication, where one requires a one-time password to access email accounts or login to bank accounts. This will make BEC attacks difficult for threat actors.
- Conduct cyber security awareness training for employees and run a simulation test to determine their vulnerability to these threats.
“When you get a questionable phone call or email, the key is to just slow down and verify. People make mistakes when they act too quickly, so it’s important to remind employees that they don’t have to react right away to these kinds of situations.”
Jack Mott – Microsoft Threat Intelligence
- Adopt TDMARC by Threatcop to keep spoofers away from your email domain. TDMARC tools help prevent suspicious or fraudulent emails from reaching your employees’ inboxes.
- Pay high attention to common targets of BEC and make sure they don’t fall for BEC attacks. The most common targets are new employees, executive-level individuals, and employees with high authority and access to confidential information like passwords.
Defense From BEC Attacks
Staying suspicious and confirming the email from a colleague or senior is always the best decision compared to doing what the email says. Slow down and think before you act on a busy day. Also, create a culture encouraging employees to raise doubts and report such incidents.
Lastly, strict protocols regarding financial transactions and the sharing of credentials set by CISOs can save employees from acting on emails.
Technical Content Writer at Threatcop
Ritu Yadav is a seasoned Technical Content Writer at Threatcop, leveraging her extensive experience as a former journalist with leading media organizations. Her expertise bridges the worlds of in-depth research on cybersecurity, delivering informative and engaging content.
