Business Email Compromise (BEC) is a form of cyberattack where criminals deceive employees into sending them money or sensitive information. Typically, attackers impersonate senior executives, vendors, or partners in carefully crafted emails.
Now, picture yourself in charge of protecting your company’s critical assets. You receive an email that appears to be from the IT department, urging you to share confidential employee details for an “urgent security update.” The email looks legitimate, but when you look closely, you see a slightly altered email address and phrases that don’t seem right.
This moment of hesitation could be what stands between your company and a successful BEC attack.
With these attacks becoming more common, let’s consider what a business email compromise is, how it might affect you, and what you can do about it.
Business Email Compromise: A Definition
Business email compromise is a scam targeted toward businesses and enterprises through email. It’s a form of social engineering where the scammer pretends to be a high-ranking executive and lures the victim into performing an action.
While this action is usually transferring money, it can have a larger scope.
BEC falls under the larger category of spear-phishing attacks. It involves highly personal messages that raise minimal suspicion since they resemble usual professional correspondence.
Scammers closely monitor employees of all levels and identify the ones they can target, especially those with limited knowledge of email security best practices.
The attacker may ask the victim to send them sensitive or confidential company information by impersonating a position of authority within the organization.
Here’s what happens in simple terms:
- The attacker gains access to employees’ email accounts using various social engineering methods.
- They access the contacts in these compromised email accounts.
- They send fraudulent emails from the compromised email account or using a fake address.
The unsuspecting victim thinks they’re carrying out a routine task, like sending info to their superior or transferring funds to a contractor. But they’re falling for a trap.
Types of Business Email Compromise
Scammers perform business email compromise attacks in different ways.
Depending on their goal and the victim’s security hole, they can go about their schemes through these methods:
- CEO account compromise. The attacker hacks a CEO’s email and sends messages to unsuspecting accountants or other employees who deal with finances. They ask them to transfer money to a fraudulent account. In some cases, they ask employees to buy gift cards and send them the serial numbers.
- Fake invoices. The attacker gets into the employees’ emails and finds the email addresses of their suppliers. Then, they send messages from lookalike addresses and pretend to be the vendor, asking them to transfer money to a deceptive account.
- Impersonating lawyers. Scammers reach out to low-level employees who handle sensitive information and pretend to be legal representatives or attorneys. They create a sense of urgency and ask the victims to divulge sensitive data without checking with the higher-ups. In other cases, they pretend to be the company’s lawyer and ask for a money transfer after sending invoices for their services.
- Goods theft. This is a new form of BEC recently identified by the FBI. The fraudster uses fake or lookalike email addresses to buy commodities like computer hardware or agricultural supplies. They pose as a legitimate company’s purchasing manager and send the victims counterfeit financial information. The unsuspecting employee has the order shipped but never collects the payments.
How Do Business Email Compromise Attacks Work?
BEC attacks generally target small groups of people or even individuals within an organization.
They’re sophisticated, personalized, and difficult to identify. And while they may target anyone within an organization, they focus on CEOs, executives, accountants, HR managers, and low-level employees more frequently.
Attackers use meticulously designed schemes to look as legitimate as possible. They may monitor email activity for months before they make their move.
Here’s how they work.
- Identify the target organization. Theoretically, any organization can fall victim to BEC attacks. Larger organizations make better targets since smaller financial transactions can go unnoticed by the top executives.
- Find the individual victims. Mid-level employees with access to financial or sensitive corporate data are the best targets for BEC attacks. It’s easy to obtain the email addresses of these individuals through purchased email lists or online directories.
- Research business partners or suppliers. The attackers need partners and suppliers to convince the victims they’re doing legitimate business with someone. So, they find these partners and identify details about invoices, payment methods, bank accounts, etc.
- Craft emails. Now, it’s time to create a convincing message. Depending on the situation, they may create fake emails highly similar to the original ones or hack an existing email to send messages. They may even take things further and create fake websites or even register a company.
- Launch the attack. The attackers send the email and ask the victim to wire a sum of money or send them information. They speak from a position of authority or create a sense of urgency to prevent the victim from double-checking with others.
Business Email Compromise Examples
Business email compromise attacks are on the rise, especially due to the increasing popularity of remote work.
According to FBI statistics on business email compromise, more than 130,000 BEC scams were reported in the U.S. between 2013 and 2022. Many employees have never met their top executives or aren’t aware of security procedures, so they can easily fall prey to these scams.
Here are some famous examples:
Google and Facebook
One of the most famous instances of BEC exploits happened in the span of two years between 2013 and 2015 and targeted the tech giants Facebook and Google.
It’s one of the biggest Vendor Email Compromise (VEC) attacks in history, which led to a $121 million collective loss for these companies.
The fraudsters impersonated a hardware company that worked with Facebook and Google. In an elaborate scheme, they sent fake emails, invoices, lawyer letters, and contracts to deceive recipients.
They even registered a company in Latvia, with the same name as the legitimate business partner, which was registered in China.
Toyota
Another famous instance took place in 2019 and involved a supplier of Toyota, the giant automotive company.
The scammers posed as one of Toyota’s business partners and convinced finance employees at one of Toyota’s European subsidiaries to transfer money as payment for their services, stealing $37 million from the company.
They sent an email urgently telling the employee to transfer money to a new bank account. The email warned that if they didn’t transfer the money, the production of automotive parts would be disturbed.
Government of Puerto Rico
After the 2020 earthquake in Puerto Rico, the government fell victim to a scam, losing $2.6 million.
The fraudsters hacked an employee’s email account and sent a message to the officials handling remittance payments, telling them to send the funds to a new bank account, which was, unsurprisingly, fake.
The money was sent to a US bank account, so the FBI managed to freeze it and recover part of the funds.
Fischer Advanced Composite Components (FACC)
In an example of CEO fraud, scammers impersonated the CEO of Fischer Advanced Composite Components, an Austrian aeronautics company.
The fraudsters directed the financial employee to wire a whopping €50 million for an acquisition project.
The scammers managed to pull off this clever ruse by studying the said CEO’s writing habits. So, they were convincing enough to get the employee to transfer the sum.
The company recovered part of the lost money, but most of it was never returned.
Business Email Compromise vs Phishing
If you’re on the lookout for malicious attacks through email messages, you may wonder if BEC and phishing are the same thing.
The short answer is that BECs are a type of phishing, but phishing attacks come in all shapes and sizes.
In phishing, the attacker masquerades as a legitimate source to scam the victim out of money or gain access to their critical data. They contact victims through email, text messages, or phone calls and lure them into performing the desired actions. These are usually mass messages that target a large number of victims.
More often than not, the message contains a malicious link or attachment that leads the victim to a website or installs malware on their devices.
BECs are a type of phishing targeted toward a select group of victims. They include top financial managers, CEOs, accountants, or anyone with access to sensitive or financial data.
Let’s recap the difference between BEC and phishing:
| | BEC | Phishing |
|---|---|---|
| Goal | Steal information or money | Steal information or money |
| Targets | C-suite and financial professionals | Large numbers of victims through mass messages |
| Tactics | Mimics emails from positions of authority, suppliers, or attorneys | Includes suspicious links and attachments |
As you can see, BEC emails don’t contain any harmful attachments or links. They look 100 percent legitimate and rely on social engineering tactics to get the victim to do their desired actions.
What Makes BEC Challenging To Fight
Business email compromise attacks are so sophisticated that they may take the scammers months of preparation.
These factors help BEC exploits fly under the radar:
- They look realistic. Unlike phishing emails that can contain links or attachments, BEC messages are as authentic as they come. They don’t contain spam triggers, fishy links, or malware. So, they can go undetected by many security tools.
- They’re highly targeted. Phishing and spoofing emails are sent in large volumes, hoping to trick as many victims as possible. This triggers security tools, which block them quickly. But BEC attackers go through the trouble of studying and convincing their victims. So, they don’t need to mount blind attacks.
- They can be legitimate. Everything in a BEC campaign may be legitimate. Attackers send from real, reputable IP addresses. They may even send emails from legitimate accounts they take over through spoofing or hacking. This helps them escape any suspicion.
How To Protect Yourself Against BEC Attacks
Protecting a company against business email compromise campaigns can be challenging. But you’re not helpless. Here are a few measures you can take.
Since BEC attacks target individuals, you need to train employees on how to stay vigilant. They should be on the lookout for suspicious signs and never take anything lightly.
These are some of the things they should consider:
- Requests from higher-ups. Mid- or low-level employees are quick to respond to emails from top execs. But they should be trained to take things with a pinch of salt, especially if a message contains urgent requests to transfer money or send confidential data.
- Fishy content. Employees should always be cautious when dealing with correspondence. Any inconsistencies in email addresses, email headers, or email content should be investigated carefully. Changes in the tone and style, misspelled words, or different templates are the biggest red flags.
- Requests to bypass regular procedures. If a company has a centralized system to carry out financial transactions, any message that requests a different course of action should be flagged. In most cases, the scammers direct the target not to communicate with the purported authority, which is a huge red flag and should never be dismissed.
- Cyber hygiene. Training employees on basic and advanced cybersecurity measures can help prevent email compromise. This includes educating them on how to recognize phishing attempts, secure their passwords, ignore cold emails, and verify the authenticity of requests.
Double-checking emails requesting sensitive information never hurts.
You should train your employees to communicate with other departments like IT if they see any inconsistencies. That’s critical when large sums of money or corporate info are at stake.
Take Security Precautions
Secure email gateways often fail to detect BEC campaigns. These emails don’t contain malicious links, arrive in low volumes, and seem to originate from valid email addresses. So, there’s nothing that signals these gateways.
Still, security measures like anti-phishing protection, email encryption, and two-factor authentication add another layer of protection.
Another tactic is labeling emails that come from outside the company. That way, employees can easily identify messages that were not sent by their colleagues or superiors.
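The red flags listed above (lookalike addresses, authority impersonation, urgency and secrecy, requests to bypass procedure) and the external-sender labeling described here can be turned into a simple triage check. The following is an added example, not code from the article or from Campaign Refinery; the trusted domains, executive names, pressure phrases, and the sample message are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed reference data for this example (not taken from the article).
INTERNAL_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"example.com", "vendor-parts.com"}   # partners you actually deal with
EXEC_NAMES = {"jane doe"}                                # display names worth protecting
PRESSURE_PHRASES = ("urgent", "immediately", "wire", "new bank account", "do not contact")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 edits between domains suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is not close to any."""
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def bec_flags(headers: dict, body: str) -> list:
    """Collect red flags for one message; an empty list means nothing looked odd."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    external = from_domain != INTERNAL_DOMAIN
    if external:
        flags.append("external sender")       # what an [EXTERNAL] subject banner keys on
    if external and any(n in name.lower() for n in EXEC_NAMES):
        flags.append("display name impersonates an executive")
    trusted = lookalike_of(from_domain)
    if trusted:
        flags.append(f"lookalike domain of {trusted}")
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        flags.append("reply-to domain differs from sender domain")
    hits = [p for p in PRESSURE_PHRASES if p in body.lower()]
    if hits:
        flags.append("urgency or secrecy language: " + ", ".join(hits))
    return flags


# Constructed sample: a CEO-fraud style message sent from a lookalike domain.
SAMPLE_HEADERS = {"From": '"Jane Doe (CEO)" <jane.doe@examp1e.com>', "Reply-To": "jane.doe@secure-reply-mail.net"}
SAMPLE_BODY = "Urgent: wire the payment to the new bank account today. Do not contact anyone else."
print(bec_flags(SAMPLE_HEADERS, SAMPLE_BODY))
```

A message from a colleague inside the company with no pressure language produces no flags, so such a check can sit quietly in front of the mailbox and only raise a banner when one of the listed warning signs is present.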
Inform Your Recipients
If you’re a company that sends bulk messages, you may become the target of BEC campaigns. Scammers may use you as bait to scam your business partners or recipients.
One of the best things is to tell your customers, “We never ask you to…” and list fishy requests made by scammers.
Also, be careful about the kind of information you share on your website, email content, or social media pages. Tell your recipients to contact you through another channel if they feel something feels off about an email that seems to come from you.
How Your ESP Can Help Ward off BEC Attacks
If your company uses email marketing as a way to bring on new customers, your email list and user interaction histories are an invaluable resource.
Attackers can impersonate you and send fraudulent requests to your audience. Or they may target individual people on your list and use your data to make their scam more convincing.
A reputable email service provider can help protect against BEC and VEC attacks in the following ways.
Domain authentication is a critical security measure to show email servers that you’re the legitimate email domain owner. It also ensures the sender has the permission to send emails from the server.
It’s an important anti-phishing tool since it allows ISPs to identify legitimate email senders and treat unauthenticated ones as spam.
A reliable ESP understands and implements email security protocols. This way, you can maintain high-level security and prevent your recipients from getting scammed.
Your subscribers can ensure your messages only come from a reliable source and you can minimize the chances of scammers sending spam emails on your behalf.
Reputable email service providers also have dedicated security measures and firewalls, so you can be notified in cases of phishing or spear-phishing attacks.
They have phishing detection infrastructure that identifies fake websites and C&C servers to ward off phishing attacks. They can also use AI and machine learning to detect abnormal sending patterns or requests.
Safe Sends, Sure Wins with Campaign Refinery
At Campaign Refinery, we know the risks of BEC attacks and work hard to make sure our customers are protected.
Choosing Campaign Refinery for your email marketing means partnering with a team that prioritizes security as much as you do. Our approach to email marketing is grounded in a commitment to security and the highest standards in the market.
So, every email you send with Campaign Refinery isn’t just impactful but also clean and safe.
But why limit your ambitions? Let’s propel your emails to become the first thing recipients look for in their inbox.
Our Inbox Formula guide offers practical insights and actionable strategies to ensure your emails land in your recipients’ inboxes, not their spam folders. From crafting compelling subject lines to understanding the nuances of email list hygiene, this guide covers everything you need to improve your email performance.
Grab your copy today and start sending emails that slice through the clutter and land directly in the inbox.
And once you’re ready to propel your email marketing with secure, effective, and high-deliverability campaigns, apply to join Campaign Refinery. We’re excited to welcome you!