Business email compromise (BEC) is a scam in which cybercriminals impersonate or take over a trusted email account to trick an organization into transferring money or disclosing sensitive data. According to the FBI's Internet Crime Complaint Center (IC3), BEC is currently the most costly form of digital crime: in 2021 it accounted for roughly US$2.4 billion in reported victim losses, far surpassing the US$49.2 million reported for ransomware. BEC is also known as email account compromise (EAC) or 'man-in-the-email' scamming.
How Does Business Email Compromise Work?
Cybercriminals use several techniques to carry out BEC scams, ranging from directly compromising an email account to pure social engineering that never touches the victim's systems.
Two common methods of BEC are keylogging and email spoofing.
Keylogging
Cybercriminals use keyloggers to gain unauthorized access to legitimate email accounts. This type of spyware captures a user's password by logging keystrokes, reading clipboard data, or taking screenshots on the user's device.
- A cybercriminal sends a phishing email carrying the keylogger to an unsuspecting employee.
- The employee mistakes the phishing email for a legitimate download and unknowingly installs the keylogger on their device.
- The keylogger records the employee's email password and sends it to the cybercriminal.
- The cybercriminal logs in to the employee's email account and carries out the attack directly from the compromised, and therefore fully trusted, account.
Email Spoofing
A cybercriminal uses a spoofed or lookalike email address to obtain confidential information from an employee or organization. Cybercriminals often undertake spear phishing attacks of this kind to harvest personally identifiable information (PII) and protected health information (PHI).
- A cybercriminal impersonates a business email address by registering a lookalike domain, e.g., John Smith's real address at piedpiper.com (John Smith being a legitimate employee at Pied Piper) → the same address at peidpiper.com (the cybercriminal's spoofed domain).
- The cybercriminal uses the spoofed email address or hacked account to send an email to another employee of the same organization requesting confidential information.
- The employee mistakes the misspelled email address for John Smith's and unknowingly reveals sensitive company data in response.
- The cybercriminal uses this breached data to carry out a further cyber attack.
The exact information the cybercriminal attempts to obtain using these techniques depends on the type of BEC scam they are conducting.
Types of Business Email Compromise
There are 5 main types of BEC scams, as listed below.
1. The Bogus Invoice Scheme: A cybercriminal impersonates an organization's vendor or supplier, usually through a spoofed email account. The scammer sends a fraudulent invoice to the organization requesting payment to an unfamiliar bank account.
2. CEO Fraud: More generally known as 'Executive Fraud,' this scam occurs when a cybercriminal compromises or convincingly spoofs the email account of a CEO or other executive. Posing as the executive, the scammer then requests an urgent payment from the finance department to an unfamiliar bank account.
3. Account Compromise: A cybercriminal hacks an employee's email account and sends fraudulent invoices to vendors from its address book, requesting payments to an unfamiliar bank account.
4. Attorney Impersonation: A cybercriminal poses as a lawyer or other legal professional and contacts an employee under the guise of an urgent, confidential matter. The cybercriminal instructs the employee to act quickly and discreetly, pressuring the victim to transfer funds to an unfamiliar bank account to resolve the issue immediately.
5. Data Theft: A cybercriminal hacks an employee's email account in a relevant department (such as HR) to request the personally identifiable information (PII) of other staff members, providing intelligence for a more damaging attack.
BEC scammers rely predominantly on human error rather than on technical vulnerabilities to achieve their objectives, which is why technical controls alone are not enough. Organizations should pair employee education with the additional security measures below to defend against BEC effectively.
How to Defend Against Business Email Compromise Attacks
The following defense strategies can help reduce the occurrence of BEC attacks in your organization.
Security awareness training programs are crucial to ensuring employees can identify BEC attempts before a data breach occurs.
Organizations must train employees to scrutinize all emails requesting sensitive data, whether internal or external. When in doubt, employees should always seek advice before responding to suspicious emails.
Below are common signs of a potential BEC attempt that employees should consider when receiving email requests for sensitive data.
- Unusual email requests from colleagues, including CEOs and high-level executives. When scammers use spear phishing tactics, they will often make requests that don't make sense, e.g., a CEO asking for an employee's individual payroll details.
- Incorrect use of language. E.g., use of broken English, spelling and grammatical issues, inconsistent tone in language, such as lapsing between casual and formal language.
- Inconsistencies in font type, font size, or email format. E.g., the email body text uses two different font sizes.
- Typos or unusual formatting in the sender's email address. E.g., a transposed or substituted character in the domain (piedpiper.com → peidpiper.com or p1edpiper.com), a swapped top-level domain (.com → .co), or a display name that matches a colleague while the underlying address is external (such as a free webmail account). Expanding the display name to reveal the actual address, and comparing the Reply-To address with the From address, exposes most of these.
- Requests that don't follow usual protocol. Organizations follow specific processes for payments, regardless of their urgency. An email requesting an immediate wire transfer that doesn't follow these processes is likely cause for concern.
- Requests to keep communication private. Scammers often ask recipients to keep their email interactions between the two parties to minimize outside scrutiny and suspicion.
Implement Multi-factor Authentication (MFA)
Multi-factor authentication (MFA) adds a layer of protection to employees' accounts and devices by requiring users to prove their identity with more than a password before accessing email and other apps that store sensitive information.
MFA typically combines a password or PIN with a second factor such as a hardware security key, an authenticator app, or biometrics. A cybercriminal who captures the password, for example with a keylogger, is then still blocked at the second factor. Prefer phishing-resistant factors (FIDO2/WebAuthn security keys or platform authenticators) for mail accounts: one-time codes delivered by SMS or an app can be relayed in real time through an adversary-in-the-middle phishing page, and BEC crews use exactly that technique to take over accounts.
Prevent Email Typosquatting
Typosquatting is the registration of domain names that differ from a legitimate domain by a typo or a visually similar character. A scammer who controls such a domain can send mail from it that appears, at a glance, to come from the victim organization, and because the scammer owns the domain, that mail can even pass SPF, DKIM, and DMARC checks.
Organizations can close this entry point by registering the domains most likely to be mistaken for their own. For example, piedpiper.com could register peidpiper.com, p1edpiper.com, pied-piper.com, etc. Defensively registered domains should publish an SPF record of v=spf1 -all and a DMARC policy of p=reject so they can never be used to send mail, and because not every variant can be registered, the remainder should be watched in certificate transparency logs and new-domain registration feeds.
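The variant generation and the sender-address checks described above (the spoofed-domain walkthrough, the "typos in the sender's address" warning sign, and the defensive registration list) can be automated with a short screening script. The following is an added example and not code from the original page: it enumerates the typo and homoglyph variants of an organization's domain that are worth registering or monitoring, then flags inbound From: headers whose domain is one of those variants, sits within a small edit distance of the real domain, reuses an employee's display name on an outside address, or carries a Reply-To pointing elsewhere. piedpiper.com and John Smith are the page's own examples; the homoglyph table, the staff list and every header below are constructed for this example.

```python
"""Lookalike-domain screening: an added example, not code from the original
page. Generates typo and homoglyph variants of an organization's domain (the
candidates worth registering defensively) and flags inbound sender addresses
that match one, sit within a small edit distance of the real domain, or reuse
an employee's display name on an outside address. piedpiper.com and John Smith
are the page's own examples; all other data here is constructed."""
from __future__ import annotations

from email.utils import parseaddr

# Visual substitutions commonly seen in lookalike registrations (assumed list).
HOMOGLYPHS = {
    "i": ("1", "l"), "l": ("1", "i"), "o": ("0",), "e": ("3",),
    "a": ("4",), "s": ("5",), "d": ("cl",), "m": ("rn",), "w": ("vv",),
}
SWAPPED_TLDS = ("com", "co", "net", "org")  # TLDs attackers swap for .com


def lookalike_variants(domain: str) -> set[str]:
    """Return typo-squat candidates for a registrable domain like piedpiper.com."""
    name, tld = domain.lower().rsplit(".", 1)
    names: set[str] = set()
    for i in range(len(name)):
        names.add(name[:i] + name[i + 1:])            # omission:      pedpiper
        names.add(name[:i] + name[i] + name[i:])      # repetition:    piedpipper
        for sub in HOMOGLYPHS.get(name[i], ()):       # homoglyph:     p1edpiper
            names.add(name[:i] + sub + name[i + 1:])
        if i + 1 < len(name):                         # transposition: peidpiper
            names.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
        if i > 0:                                     # hyphenation:   pied-piper
            names.add(name[:i] + "-" + name[i:])
    names.discard(name)
    tlds = set(SWAPPED_TLDS) | {tld}
    variants = {f"{n}.{t}" for n in names for t in tlds}
    variants |= {f"{name}.{t}" for t in tlds if t != tld}  # piedpiper.co
    return variants


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a transposition counts as two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, legit_domain: str, reply_to: str | None = None,
                  known_names: frozenset[str] = frozenset(), max_distance: int = 2) -> list[str]:
    """Return the reasons an inbound From: header looks like BEC impersonation.

    An empty list means 'no lookalike indicators', not 'genuine': mail from the
    real domain still needs SPF/DKIM/DMARC to vouch for it, and a compromised
    account passes every check here."""
    display, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    reasons: list[str] = []
    if domain == legit_domain:
        return reasons
    if domain in lookalike_variants(legit_domain):
        reasons.append(f"sender domain {domain} is a known lookalike of {legit_domain}")
    elif 0 < edit_distance(domain, legit_domain) <= max_distance:
        reasons.append(f"sender domain {domain} is within {max_distance} edits of {legit_domain}")
    if display.lower() in known_names:
        reasons.append(f"display name {display!r} matches an employee but the address is external")
    org_stem = legit_domain.split(".")[0]
    if org_stem in display.lower().replace(" ", ""):
        reasons.append(f"display name {display!r} invokes the organization from an outside domain")
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].rsplit("@", 1)[-1].lower()
        if reply_domain != domain:
            reasons.append(f"Reply-To domain {reply_domain} differs from From domain {domain}")
    return reasons


LEGIT_DOMAIN = "piedpiper.com"
STAFF = frozenset({"john smith"})   # display names from the directory (constructed)
SAMPLE_HEADERS = [                  # constructed (From, Reply-To) pairs
    ('"John Smith" <john.smith@piedpiper.com>', None),
    ('"John Smith" <john.smith@peidpiper.com>', None),
    ('"John Smith" <john.smith@p1edpiper.com>', None),
    ('"John Smith" <jsmith.piedpiper@gmail.com>', None),
    ('"Pied Piper Finance" <ap@piedpiper-billing.com>', "ap@piedpiper.co"),
]

if __name__ == "__main__":
    print(f"{len(lookalike_variants(LEGIT_DOMAIN))} variants of {LEGIT_DOMAIN} to register or watch")
    for from_header, reply_to in SAMPLE_HEADERS:
        reasons = assess_sender(from_header, LEGIT_DOMAIN, reply_to, STAFF)
        print(from_header, "->", "; ".join(reasons) or "no lookalike indicators")
```

The variant set is deliberately generous (several hundred names for a nine-letter domain) because it is cheaper to compare an inbound domain against a set than to register every entry; in practice an organization registers the handful that are most confusable and feeds the rest to its mail gateway and domain-monitoring service. The `org_domain`-style public-suffix handling that a production gateway needs is left out here.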
Implement Email Verification
Email authentication methods let receiving mail servers verify that a message really came from the domain it claims to, so that direct spoofing of your domain can be filtered, quarantined, or rejected before it reaches an employee's inbox. Common methods include:
- Sender Policy Framework (SPF): The domain owner publishes a DNS record listing the servers allowed to send mail for that domain; a receiving server checks the connecting server's IP address against the record for the envelope sender (MAIL FROM) domain.
- DomainKeys Identified Mail (DKIM): The sending server adds a digital signature (a cryptographic signature, not encryption) over selected headers and the body; receivers verify it against a public key published in the signing domain's DNS, which also detects tampering in transit.
- Domain-based Message Authentication, Reporting & Conformance (DMARC): Builds on SPF and DKIM by requiring that the domain they authenticate aligns with the visible From: address, publishes a policy telling receivers what to do with mail that fails (monitor only, quarantine to the spam folder, or reject outright), and returns aggregate reports to the domain owner.
Note the limits of these controls: they protect only the domains that publish them, and only against spoofing. Mail from a lookalike domain the attacker registered, or from a genuinely compromised account, authenticates correctly and passes all three checks, which is why they must be combined with the other measures on this page.
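The interplay of the three methods, in particular the alignment step that DMARC adds on top of SPF and DKIM, is easiest to see in code. The following is an added example and not code from the original page: it parses the Authentication-Results header a receiving mail server writes after its own SPF and DKIM checks, tests whether each authenticated domain aligns (strictly or relaxed) with the visible From: domain, and applies the p= policy from the domain owner's DMARC record. The DMARC record, the headers and both messages are constructed; the organizational-domain helper is a simplification that assumes two-label domains, where real receivers consult the Public Suffix List.

```python
"""DMARC evaluation on inbound mail: an added example, not code from the
original page. Parses the Authentication-Results header written by the
receiving MTA, checks SPF/DKIM identifier alignment against the From: domain,
and applies the published DMARC policy. All records and messages are
constructed for this example; piedpiper.com is the page's example domain."""
from __future__ import annotations

import re
from email import message_from_string
from email.utils import parseaddr


def parse_dmarc_record(txt: str) -> dict[str, str]:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; aspf=s' into its tags."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")
    tags.setdefault("aspf", "r")    # relaxed alignment is the default for both
    tags.setdefault("adkim", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels (assumption:
    production code consults the Public Suffix List instead)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') needs an exact match; relaxed ('r') accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


# One clause per method: 'spf=pass smtp.mailfrom=...' / 'dkim=pass header.d=...'
_CLAUSE = re.compile(r"\b(spf|dkim)=(pass|fail|softfail|neutral|none|temperror|permerror)\b([^;]*)")
_IDENT = re.compile(r"(?:smtp\.mailfrom|header\.d|header\.i)=([^\s;]+)")


def parse_auth_results(header: str) -> list[tuple[str, str, str]]:
    """Return (method, result, authenticated_domain) for each SPF/DKIM clause."""
    results = []
    for method, result, rest in _CLAUSE.findall(header):
        match = _IDENT.search(rest)
        domain = match.group(1).rsplit("@", 1)[-1].lower() if match else ""
        results.append((method, result, domain))
    return results


def dmarc_disposition(raw_message: str, dmarc_txt: str) -> tuple[str, str]:
    """Return ('pass' | 'fail', action) for a raw message under the given DMARC record."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rsplit("@", 1)[-1].lower()
    policy = parse_dmarc_record(dmarc_txt)
    for method, result, domain in parse_auth_results(msg.get("Authentication-Results", "")):
        if result != "pass" or not domain:
            continue
        mode = policy["aspf"] if method == "spf" else policy["adkim"]
        if aligned(domain, from_domain, mode):
            return "pass", "deliver"   # one aligned pass is enough for DMARC
    actions = {"reject": "reject", "quarantine": "quarantine", "none": "deliver (monitor only)"}
    return "fail", actions.get(policy["p"], "deliver (monitor only)")


DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@piedpiper.com; aspf=s; adkim=s"

GENUINE = """\
Authentication-Results: mx.piedpiper.com; spf=pass smtp.mailfrom=bounces@piedpiper.com; dkim=pass header.d=piedpiper.com header.s=sel1
From: "John Smith" <john.smith@piedpiper.com>
To: finance@piedpiper.com
Subject: Q3 vendor invoices

Attached as discussed.
"""

# The attacker's own server passes SPF and DKIM for its own domain, but neither
# authenticated identifier aligns with the spoofed From: domain.
SPOOFED = """\
Authentication-Results: mx.piedpiper.com; spf=pass smtp.mailfrom=bulk@mailer-example.net; dkim=pass header.d=mailer-example.net header.s=k1
From: "John Smith" <john.smith@piedpiper.com>
To: finance@piedpiper.com
Subject: Urgent wire transfer, keep confidential

Please pay the attached invoice today and do not discuss it with anyone.
"""

if __name__ == "__main__":
    for label, raw in (("genuine", GENUINE), ("spoofed", SPOOFED)):
        print(label, dmarc_disposition(raw, DMARC_RECORD))
```

The spoofed message is the instructive case: SPF and DKIM both report pass, because the attacker's server is perfectly entitled to send mail for mailer-example.net, yet DMARC fails because neither authenticated domain is piedpiper.com. That alignment check is what stops direct spoofing of a domain with p=reject; it is also why a lookalike domain the attacker registered, with its own valid SPF, DKIM and DMARC records, sails straight through, and why a domain left at p=none is merely being monitored rather than protected.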
Develop Effective Security Controls
Robust cybersecurity controls make it more difficult for cybercriminals to compromise an organization's systems. Organizations must fulfill their regulatory requirements, such as PCI DSS, HIPAA, and FISMA. Complying with recognized security frameworks, including the NIST Cybersecurity Framework, NIST 800-53, and ISO 27000 series, also helps organizations ensure their cybersecurity is up to international standards.
Limit Public Display of Personal Information
Cybercriminals leverage open source intelligence (OSINT) techniques to uncover the details that make a social engineering pretext convincing, such as who reports to whom, who approves payments, and who is currently travelling. For example, employee names, job titles, and contact details are easily found on social media sites like LinkedIn.
Employees should be mindful of their social media privacy settings and avoid sharing excessive personally identifiable information (PII) online; organizations should likewise limit the staff contact and organizational-chart detail they publish on their own websites.
How to Recover From a BEC Scam
If your organization has fallen victim to BEC, time is of the essence: a fraudulent wire transfer can sometimes be recalled or frozen if the banks are notified within hours. The FBI outlines the following steps:
Step 1. Contact your financial institution immediately, ask it to recall the transfer, and ask it to contact the beneficiary financial institution provided by the scammer.
Step 2. Report the crime at your local FBI field office.
Step 3. Lodge a complaint with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov, including the transaction details and the fraudulent emails with their full headers; for qualifying domestic wire transfers, IC3's Recovery Asset Team works with the banks to freeze the funds.
In parallel, treat the affected mailbox as compromised: reset its credentials, revoke active sessions and MFA registrations, and check for attacker-created inbox rules that auto-forward mail or delete replies, since these are how BEC actors keep control of a hijacked account.
Organizations outside the US should follow Step 1 as above, then contact their local authorities for details on next steps.