What you need to know about business email compromise attacks, implications, prevention, and defense mechanisms.
BEC Attack Definition
Business email compromise (BEC) is a targeted form of email fraud. Attackers use compromised or convincingly spoofed email accounts to pose as a trusted person or organization and lure recipients into either sharing sensitive information, such as payment card details, trade secrets, and product plans, or executing payments to accounts the attackers control. BEC scams are a growing concern for organizations worldwide, bringing data theft, direct financial loss, and reputational damage.
How does business email compromise work?
BEC scams are hard to catch because they typically carry no malware or malicious URLs for standard security tools to detect (when malware does appear, it is used for reconnaissance rather than as the payload). Instead, they rely on spear phishing, social engineering, impersonation, and the recipient's trust in a familiar sender. A BEC attack usually unfolds in these steps:
- Researching and Targeting: Attackers start with detailed research on the target organization and its employees. They harvest employee contact details, reporting lines, and company information from websites, social media, and other public sources. Most BEC attacks target senior executives, legal counsel, or finance staff authorized to make payments on the company's behalf.
- Setting Up the Attack: With a target list in hand, attackers spoof email addresses, register look-alike domains, or phish credentials to take over a real mailbox. The decisive factor is impersonating someone the recipient trusts, or sending from the genuine account of a senior executive or colleague.
- Sending Emails: Attackers posing as colleagues, company lawyers, or partners send familiar, persuasive, and urgent emails to unsuspecting employees, directing them to hand over confidential information or initiate fraudulent payments. Depending on the level of research, the attack may be a single email or a patient thread that builds rapport first.
- Business Impact: Once the attacker has the recipient's trust, the victim shares the requested data or executes the payment. For instance, attackers impersonating a supplier may ask that this month's invoice be paid to a "new" bank account; finance staff who recognize the supplier and the invoice amount may process it without a second check.
Why is business email compromise such a problem?
Backed by social engineering, BEC attacks are cheap to execute, need minimal tooling, and are correspondingly popular with attackers. The following factors make BEC a persistent challenge for organizations across industries.
- Traditional Defenses Focus on Technical Threats: BEC scams work by earning the victim's trust rather than by exploiting software, so controls built around malware signatures and malicious URLs have little to inspect. Moreover, there are several types of BEC attack, each aimed at different users across the company, which widens the defensive problem.
According to the FBI, the following are five major types of BEC scams businesses need to defend against:
- False Invoice Scheme: Attackers, often sending from a compromised supplier mailbox, impersonate a vendor and request that invoice payments be sent to a bank account they control.
- CEO Fraud: Attackers spoof the CEO’s or other high-level executive’s email account to leverage their identity for sending an email to employees in the finance department, requesting an urgent money transfer to a fraudulent account.
- Account Compromise: Attackers hack an employee’s email account to mine the targeted employee’s contact list of partners, suppliers, and vendors. Next, the attackers send emails requesting invoice payments to a fake account owned by cybercriminals.
- Attorney Impersonation: Attackers send emails to company executives while impersonating a lawyer working for the company’s clients and requesting urgent fund transfers.
- Data Theft: Attackers target the HR or administrative employees’ email accounts to send emails to other employees to obtain personal data, which is further utilized to launch a more sophisticated attack against the organization.
- Highly Effective Techniques Are Used: Attackers combine several techniques to launch BEC attacks, including:
- Spear Phishing: Tailored emails posing as legitimate requests from a trusted sender persuade recipients to reveal confidential information to the attackers.
- Spoofing Email Accounts and URLs: With minor variations in real email addresses or domain names (a swapped letter, an extra token, a different top-level domain), attackers trick victims into accepting fraudulent accounts as authentic.
- Malware: Attackers use malware to break into networks and gain access to internal data and mailboxes. Information retrieved this way, such as invoice cycles and who approves payments, lets them craft familiar-looking emails that raise no suspicion when requesting money transfers.
- BEC Has Severe Business Consequences: Beyond data theft, BEC is a direct economic threat: attackers who have studied the company's payment flows request payments and transfers to accounts they control. If the attack exposes data about suppliers, customers, or partners, the company also suffers reputational and brand damage.
How to prevent a business email compromise attack
Business email compromise and email account compromise attacks target people rather than technical vulnerabilities, so the defense has to be user-centric as well as technical, and it has to be in place before an attack causes a loss. Some essential practices to help prevent a BEC scam:
- Educate employees about the different types of BEC attack. Run phishing simulations (open-source tools are available) so staff practice spotting BEC lures before a real one arrives.
- Form a dedicated cybersecurity team, or assign clear ownership, for keeping the business secure.
- Measure employees' BEC awareness regularly to target further training and drive a lasting change in security behavior, and keep reminding users of BEC-related risks.
- Define network access rules to control the use of personal devices and information sharing beyond the corporate network.
- Deploy malware protection and anti-spam filtering; they do not catch pure social-engineering mail, but they block the malware-assisted variants and much of the commodity phishing that precedes account takeover.
- Keep operating systems, networks, applications, and other internal software systems up-to-date and secure.
- Set up two-factor or multi-factor authentication for email accounts to strengthen the defense mechanism.
- Make cybersecurity awareness training, education, and support a part of the overall corporate culture.
- Be cautious about what you share online or on social media; attackers use such details to guess passwords and security-question answers and to make their impersonation convincing.
- Avoid clicking links in unsolicited emails asking you to update or verify account information, and never open or download an attachment from an unknown or suspicious sender.
- Check sender addresses character by character, not just the display name, so that look-alike domains do not slip past.
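To make the last point concrete, and the look-alike domains and spoofed accounts described earlier under "Spoofing Email Accounts and URLs", here is an added example of the sender-address check an email gateway rule or SOC script could run. It is not code from the original article: the trusted-domain allow-list, the executive name list, the homoglyph table and the sample headers are all constructed for illustration, and the registrable-domain helper is a deliberate simplification that assumes two-label domains.

```python
"""Flag inbound From: addresses that look like, but are not, a trusted domain.

Added example, not from the original article. TRUSTED_DOMAINS, EXECUTIVES and the
sample headers are constructed; the homoglyph table is a small illustrative subset.
"""
import re
import unicodedata
from email.utils import parseaddr

# Constructed allow-list of domains the organisation actually corresponds with.
TRUSTED_DOMAINS = {"example.com", "example-partner.com"}
# Constructed list of people whose names attackers would borrow as a display name.
EXECUTIVES = {"jane doe"}
# Character sequences commonly swapped to build look-alike domains (illustrative subset).
HOMOGLYPH_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"))


def fold(domain):
    """Normalise a domain so visually similar spellings compare equal."""
    d = unicodedata.normalize("NFKC", domain).strip().lower()
    for src, dst in HOMOGLYPH_PAIRS:
        d = d.replace(src, dst)
    return d


def registrable(domain):
    """Naive registrable part: the last two labels. Fine for .com/.net here;
    a real deployment would consult the public suffix list (assumption)."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a, b):
    """Classic edit distance; 'examples.com' is one edit from 'example.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain_of(addr):
    return addr.rsplit("@", 1)[1].strip().lower() if "@" in addr else ""


def classify_sender(from_header, reply_to=""):
    """Return a single verdict string for a From: header and optional Reply-To: value."""
    name, addr = parseaddr(from_header)
    domain = _domain_of(addr)
    if not domain:
        return "malformed"

    # 1. Genuinely trusted domain. A compromised account still lands here, which is
    #    why payment changes need out-of-band verification, not just header checks.
    if domain in TRUSTED_DOMAINS:
        if reply_to and _domain_of(parseaddr(reply_to)[1]) not in TRUSTED_DOMAINS:
            return "reply-to-mismatch"  # replies would silently go to the attacker
        return "trusted"

    # 2. Punycode label: an internationalised name that may render like a trusted one.
    if any(label.startswith("xn--") for label in domain.split(".")):
        return "lookalike-idn"

    folded = fold(domain)
    folded_trusted = [fold(t) for t in TRUSTED_DOMAINS]

    # 3. Homoglyph swap: exarnple.com, examp1e.com
    if folded in folded_trusted:
        return "lookalike-homoglyph"

    # 4. Typo-squat: within two edits of a trusted registrable domain (tuning knob).
    if any(levenshtein(registrable(folded), registrable(ft)) <= 2 for ft in folded_trusted):
        return "lookalike-typo"

    # 5. Brand label reused inside a hyphenated token or extra label: example-com.net
    tokens = set(re.split(r"[^a-z0-9]+", folded))
    if any(registrable(ft).split(".")[0] in tokens for ft in folded_trusted):
        return "lookalike-brand"

    # 6. External address whose display name claims a known executive.
    if unicodedata.normalize("NFKC", name).strip().lower() in EXECUTIVES:
        return "display-name-impersonation"

    return "external"


if __name__ == "__main__":
    # Constructed sample headers covering each verdict.
    for hdr in ["Jane Doe <jane.doe@example.com>",
                "Jane Doe <jane.doe@exarnple.com>",
                "AP <ap@examples.com>",
                "Jane Doe <jane@example-com.net>",
                "Jane Doe <jane.doe.ceo@gmail.com>",
                "Bob <bob@unrelated.org>"]:
        print(f"{hdr:40} -> {classify_sender(hdr)}")
```

The order of checks matters: a trusted domain is accepted before any similarity test runs, so the script never flags the real partner as a look-alike, while a Reply-To pointing outside the trusted set is caught even when the From: is genuine. The edit-distance threshold and the homoglyph table are the two knobs to tune against your own domain list; very short brand names need a tighter threshold.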
How to stop a business email compromise attack
Stopping BEC attacks is hard, but a multi-layered security approach paired with a thorough employee education and training plan substantially reduces the risk. Businesses should implement the following measures.
- Get Attack Visibility: To mitigate BEC risk, organizations first need to see the attacks. That means knowing which employees are being targeted, with which BEC variants, and which look-alike domains are in use against them. Email security tooling that exposes this information lets defenders prioritize the most-targeted users and domains. Organizations should also have visibility into mail sent to their own stakeholders using the company's domain, so that abuse of the brand is detected rather than discovered after a breach.
- Email Protection Controls: It’s crucial to keep reviewing existing organizational procedures and policies and adding required controls to improve protection. Various controls businesses implement include:
- Multi-Factor Authentication: Requiring a second factor for mailbox login blocks the straightforward credential-phishing route to email account compromise; phishing-resistant factors (FIDO2 security keys or passkeys) close the gap left by one-time codes, which can themselves be phished.
- Strict Accounting Controls: The FBI recommends stricter, formalized accounting controls to verify the legitimacy of payment requests and approvals: in particular, confirm any change of bank details by calling the supplier on a number already on file, never on one supplied in the email.
- Identity-Based Anti-Phishing Controls: Because attackers impersonate specific people rather than send generic spam, defenses that model who normally emails whom and from which domains, and that flag display-name and domain impersonation, catch the BEC variants that content filters miss.
- DMARC-Based Protection: Businesses must stop their own domains being used to attack employees, partners, and customers by deploying Domain-based Message Authentication, Reporting, and Conformance (DMARC) on top of SPF and DKIM, and by moving from a monitoring policy (p=none) to quarantine or reject once the aggregate reports show that legitimate mail is authenticating correctly.
- User Awareness and Training: Organizations must train employees to recognize malicious emails and phishing attempts and to know how to report them, because unaware users tend to trust the mail they receive. Comprehensive training and awareness campaigns strengthen the defense by giving users the knowledge to stay vigilant and to report suspected BEC to the IT or security team, and regular campaigns help those teams keep security policies current against evolving BEC techniques.
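As an added example for the DMARC control above (not code from the original article), the following parser grades a DMARC TXT record and the SPF record it depends on, using the tag syntax of RFC 7489 and RFC 7208. The records are constructed strings and nothing is looked up in DNS. Two caveats the code encodes: DMARC only passes a message when SPF or DKIM passes and the authenticated domain aligns with the visible From: domain, so a record with p=none merely reports spoofing without blocking it; and DMARC says nothing about look-alike domains the attacker registers and authenticates himself, which is why the sender-address check and out-of-band payment verification remain necessary.

```python
"""Grade a DMARC record (and the SPF record it relies on) for whether it would
actually stop someone spoofing the organisation's own domain.

Added example, not from the original article. The records below are constructed
strings; no DNS query is made. Tags follow RFC 7489 (DMARC) and RFC 7208 (SPF).
"""

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; rua=mailto:x' into {'v': 'DMARC1', 'p': 'reject', ...}."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return findings explaining why the record is weak; an empty list means enforcing."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return ["record must begin with v=DMARC1 or receivers ignore it"]
    tags = parse_dmarc(txt)
    findings = []
    p = tags.get("p")
    if p is None:
        findings.append("p= tag is required; without it the record is invalid")
    elif p == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    elif p != "reject":
        findings.append(f"unknown policy p={p}")
    pct = tags.get("pct", "100")
    if pct != "100":
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    sp = tags.get("sp")  # subdomains inherit p unless sp overrides it
    if sp is not None and POLICY_RANK.get(sp, -1) < POLICY_RANK.get(p, -1):
        findings.append(f"sp={sp} leaves subdomains weaker than the organisational domain")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports of who is spoofing you")
    return findings


def assess_spf(txt):
    """Check the 'all' qualifier, which decides what happens to unlisted senders."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (must start with v=spf1)"]
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted senders get neutral; add an explicit -all"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    if qualifier == "+":
        return ["+all: SPF passes for any host, so an aligned MAIL FROM spoof passes DMARC"]
    if qualifier == "?":
        return ["?all: neutral result; receivers relying on SPF alone will not reject spoofs"]
    # '~all' (softfail) and '-all' (fail) are both non-pass results for DMARC alignment.
    return []


def records_are_hardened(dmarc_txt, spf_txt):
    """True when neither record has a finding, i.e. spoofing the domain fails DMARC."""
    return not assess_dmarc(dmarc_txt) and not assess_spf(spf_txt)


if __name__ == "__main__":
    # Constructed records: a monitoring-only setup next to an enforcing one.
    weak = ("v=DMARC1; p=none; rua=mailto:dmarc@example.com",
            "v=spf1 include:_spf.example.com +all")
    strong = ("v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
              "v=spf1 include:_spf.example.com -all")
    for label, (d, s) in (("weak", weak), ("strong", strong)):
        state = "hardened" if records_are_hardened(d, s) else "NOT hardened"
        print(label, state, assess_dmarc(d) + assess_spf(s))
```

Run it against the TXT records for `_dmarc.<yourdomain>` and `<yourdomain>` once you have pulled them with your DNS client of choice; the findings list is the to-do list for moving the domain to enforcement. Keep the rua= address even after reaching p=reject, since the aggregate reports are how you learn that a new spoofing campaign or a forgotten legitimate sender has appeared.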