Most people are familiar with phishing and ransomware because these attacks receive frequent coverage in the media. However, business email compromise (BEC), which involves a criminal gaining access to a corporate email account and spoofing the account owner’s identity in order to steal money, is another very dangerous and surprisingly prevalent email attack that gets far less attention.
BEC attacks are widespread due to their simplicity and effectiveness. These attacks can have devastating consequences for companies of all sizes across all industries. BEC is becoming increasingly common and costly and has generated losses of $26 billion worldwide. Between May 2018 and July 2019, there was an astounding 100 percent increase in identified global exposed losses due to BEC. As of June 30, 2019, the average loss reported in a BEC complaint was $7,904.
Earlier this month, the FBI announced 281 BEC-related arrests worldwide, which can be attributed to Operation reWired, a coordinated multi-agency effort to disrupt and dismantle international BEC schemes. The initiative has resulted in the seizure of nearly $3.7 million and the disruption and recovery of approximately $118 million in fraudulent wire transfers.
What is BEC and how does it work?
BEC describes a scam in which an attacker obtains access to a corporate email account, or convincingly impersonates one, and sends fraudulent emails under the identity of the account owner in order to steal money from the company or its employees, partners or customers. The threat actor typically uses the borrowed identity to trick victims into wiring funds to an account the attacker controls. Business email compromise may rely on social engineering alone, on malware, or on a combination of the two.
Here is a step-by-step example of how a BEC attack could be carried out. By understanding attackers’ methods and strategies, you will be better equipped to recognize and stop an attack on your company.
Step 1: Infiltrating the ranks within a company
When planning a BEC attack, threat actors conduct extensive research on their victims. Using social engineering, malware, remote administration tools (software that lets an attacker control a system as if they were sitting at it), keyloggers or brute-force password attacks, criminals gain access to the email account of the target company’s CEO.
Step 2: Contacting junior employees
Once they have obtained access to the CEO’s email, attackers send a fraudulent email to a junior employee, pretending to be the CEO. These malicious emails can be very difficult to detect, as criminals include specific details which they have obtained using advanced social engineering tactics.
These emails often involve a confidential wire transfer, and convey a sense of urgency.
Step 3: Crafting fraudulent requests using social engineering
An attacker follows up with the victim regarding the fraudulent email he or she received, either via a phone call or another email. Sometimes, the threat actor may pose as someone other than the CEO. For example, if a criminal writes that an attorney will follow up with payment details, he or she will likely contact the victim, pretending to be the attorney calling with payment information.
Note: Phony emails used in BEC scams don’t always imitate the CEO or CFO of a company. Many instead impersonate a vendor or a client’s invoice. When a CEO is impersonated, the average transaction amount for these scams is $125,439, while scams impersonating a vendor average around $50,373.
Who Do BEC Attacks Target?
While any company is at risk of falling for a BEC scam, this threat is more prevalent in certain industries than in others. In the past, manufacturing and construction took the majority of the hits, accounting for one-quarter of all BEC scams in 2018.
However, attackers are broadening the scope of their preferred targets, and have recently been focusing on real estate and commercial services (shopping centers, entertainment facilities and lodging).
All organizations are vulnerable and the email threat landscape is constantly evolving. As one sector becomes more aware and increasingly difficult to deceive, criminals will find a new industry to home in on.
Common Variations of BEC
BEC encompasses various types of scams including CEO fraud, data theft, account compromise, attorney impersonation and bogus invoicing scams. Here is a brief explanation of common variations of BEC attacks:
- CEO fraud: In these scams, a threat actor pretends to be an executive and requests that a finance or HR employee make an urgent payment.
- Bogus invoicing scams: These attacks use a compromised employee account to request a change in payee information, transferring payments to the criminal’s account.
- Employee account compromise: An employee's email account is hacked and used to request invoice payments to vendors listed in their email contacts.
- Attorney impersonation: In this variation of BEC, an attorney’s email identity is used to request immediate payments, claiming to be handling time-sensitive, confidential matters.
- Data theft: Criminals use a compromised account to gain more PII, which can be used in defrauding the company or its customers.
BEC campaigns utilize a wide variety of techniques and preliminary attacks in order to deceive victims and steal money. Although campaigns are uniquely crafted and always evolving, the majority of BEC attacks use some combination of email spoofing, spear phishing and malware to trick their targets into sharing sensitive information.
- Spoofing email accounts and websites: Criminals use slight variations on legitimate email addresses to trick victims into thinking that fake accounts are authentic.
- Spear phishing: Fraudulent emails that appear to be from a trusted sender fool recipients into sharing sensitive information with attackers.
- Malware: Threat actors often utilize malware to infiltrate networks in order to gain access to internal data and systems. This data is then used to avoid raising suspicions when a falsified wire transfer is submitted.
How to Recognize a Fraudulent Email
Malicious emails involved in BEC scams can be very difficult to distinguish from authentic messages, making them especially dangerous and effective. That being said, there are some definite “red flags” that users should be aware of and look for in all emails, especially those asking for payment information. One fraudulent email, identified and quarantined by Guardian Digital EnGarde Email Security Gateway, contained several key indicators of fraud:
- The “Reply to” address is different than the “From” address.
- The domain of the “Reply to” address is Gmail. A free webmail domain on a message that claims to come from a corporate executive is a significant fraud indicator.
- The subject line reads “URGENT REQUEST”. The attacker wants the recipient to act before adequately thinking things through.
- The signature demonstrates that the threat actor has either taken the time to conduct extensive research using social engineering techniques or has previously received an email from the recipient. He or she may have sent an innocuous message to the recipient to gauge his or her response.
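The first three indicators above (a Reply-To that differs from the From address, a free webmail Reply-To domain, and an urgency-laden subject) are mechanical enough to check automatically. The script below is an added example written for this article, not EnGarde's detection logic; the sample message, names and domains in it are constructed for illustration. It also flags payment-related phrases in the body, since the article notes that these emails usually involve a wire transfer.

```python
"""Flag common BEC header and body indicators in a raw RFC 5322 message.

Added example for this article; not Guardian Digital's code. The sample
message, people and domains below are constructed and hypothetical.
"""
from email import message_from_string
from email.utils import parseaddr

# Free webmail providers: a corporate executive's mail would not route replies here.
FREEMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
URGENCY_WORDS = ("urgent", "immediately", "asap", "action required")
PAYMENT_PHRASES = ("wire transfer", "payment details", "bank account", "change of account")

# Constructed sample resembling the CEO-fraud message described in the article.
SAMPLE_EMAIL = """\
From: Jane Doe <jane.doe@example-corp.com>
Reply-To: Jane Doe <janedoe.ceo@gmail.com>
To: accounts@example-corp.com
Subject: URGENT REQUEST

Are you at your desk? I need a wire transfer processed today. Our attorney
will follow up with the payment details. Please keep this confidential.

Jane Doe
Chief Executive Officer, Example Corp
"""


def domain_of(header_value):
    """Return the lowercased domain of an address header, or '' if there is none."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def body_text(msg):
    """Collect the text/plain parts of a parsed message as one string."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return msg.get_payload() or ""


def bec_indicators(raw_message):
    """Return a list of (indicator, detail) pairs found in the raw message."""
    msg = message_from_string(raw_message)
    findings = []

    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))

    # Indicator 1: replies are diverted away from the apparent sender's domain.
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", f"From={from_domain} Reply-To={reply_domain}"))

    # Indicator 2: replies go to a free webmail account.
    if reply_domain in FREEMAIL_DOMAINS:
        findings.append(("freemail-reply-to", reply_domain))

    # Indicator 3: the subject pressures the recipient to act before thinking.
    subject = msg.get("Subject", "")
    if subject.isupper() or any(w in subject.lower() for w in URGENCY_WORDS):
        findings.append(("urgency-subject", subject))

    # Indicator 4: the body asks for a payment or a change to payment details.
    body = body_text(msg).lower()
    hits = [p for p in PAYMENT_PHRASES if p in body]
    if hits:
        findings.append(("payment-request", ", ".join(hits)))

    return findings


if __name__ == "__main__":
    for indicator, detail in bec_indicators(SAMPLE_EMAIL):
        print(f"{indicator:20s} {detail}")
```

Reply-To mismatch alone is not proof of fraud (mailing lists and ticketing systems set it legitimately), so in practice these indicators are scored together rather than used individually to block mail; the signature-quality indicator from the list above still needs a human eye.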
How to Protect Users from BEC: Email Security Best Practices
While the advanced social engineering techniques involved in planning and carrying out BEC scams can make attacks very difficult to identify, engaging in these email security best practices will significantly reduce the chances of your company suffering the consequences of a successful BEC attack:
- Invest in employee education on email threats and email security best practices.
- Carefully review the sender’s email address whenever you receive an email - criminals sometimes create an account with an email address that is very similar to one on your corporate network.
- Ensure that the URL in emails is associated with the business it claims to be from.
- Be on the lookout for hyperlinks that contain misspellings of the actual domain name.
- Use strong passwords and two-factor authentication (2FA), a security process which involves the use of two different authentication factors for verification purposes, to help secure email accounts.
- Ensure that employees’ computers are configured to display full file extensions, so that an attachment such as “invoice.pdf.exe” is not shown as “invoice.pdf”.
- Implement phone verification of payment changes.
- Use secondary sign-offs for payment changes.
- Monitor accounts on a regular basis for irregularities, such as missing deposits.
- Implement a comprehensive, fully-managed email security gateway. Investing in an email security solution that prevents malicious emails from reaching the inbox is the most effective way to mitigate the risk that BEC poses to your company.
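Two of the checks above, looking for sender addresses that closely resemble your own domain and for hyperlinks whose domain is a misspelling of the real one, can be automated with a small lookalike-domain checker. The script below is an added example for this article, not part of any Guardian Digital product; the trusted domains, sample sender and sample HTML are constructed and hypothetical, and the registrable-domain logic is deliberately naive (production code would consult the public suffix list).

```python
"""Detect lookalike sender domains and hyperlink domains in an email.

Added example for this article; not Guardian Digital's code. The trusted
domain list, sample sender and sample HTML below are constructed.
"""
import re
from urllib.parse import urlparse

# Hypothetical: the organisation's own domain and a known supplier.
TRUSTED_DOMAINS = ("example-corp.com", "vendor-example.com")

# Character sequences attackers substitute to fool a quick glance.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Constructed HTML body with one genuine link, one lookalike and one unrelated host.
SAMPLE_HTML = """
<p>Please review the attached invoice via our
<a href="https://www.example-corp.com/invoices">portal</a> or, if that fails,
<a href="https://portal.example-corp.co/login">this backup link</a>.</p>
<img src="https://cdn.tracker-example.net/pixel.gif">
<a href="https://www.tracker-example.net/unsubscribe">unsubscribe</a>
"""


def normalize(domain):
    """Collapse common confusable substitutions so 'exarnple' compares as 'example'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(host):
    """Naive registrable domain: the last two labels (assumption; no public suffix list)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_domain(host, max_distance=2):
    """Return 'trusted', 'lookalike:<target>' or 'unknown' for a host name."""
    reg = registrable(host)
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    for target in TRUSTED_DOMAINS:
        if normalize(reg) == normalize(target) or edit_distance(reg, target) <= max_distance:
            return f"lookalike:{target}"
    return "unknown"


def classify_sender(address):
    """Classify the domain of a sender address such as 'jane@exarnple-corp.com'."""
    return classify_domain(address.rpartition("@")[2])


def check_links(html):
    """Return (host, verdict) for every href in the HTML, in document order."""
    results = []
    for href in re.findall(r'href=["\']([^"\']+)["\']', html, re.IGNORECASE):
        host = urlparse(href).hostname
        if host:
            results.append((host, classify_domain(host)))
    return results


if __name__ == "__main__":
    print("sender:", classify_sender("jane.doe@exarnple-corp.com"))
    for host, verdict in check_links(SAMPLE_HTML):
        print(f"{host:32s} {verdict}")
```

The edit-distance threshold is a trade-off: a distance of 2 catches “example-corp.co” and “exampIe-corp.com” but will also flag legitimately similar short domains, so the threshold should be tuned per organisation and lookalike hits should be quarantined for review rather than silently dropped.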
How Guardian Digital Can Help
Guardian Digital EnGarde Email Security Gateway effectively protects against BEC attacks and other advanced email threats. EnGarde provides:
- Fully-managed end-to-end business email protection, accurately identifying and rapidly quarantining malicious email and preventing them from reaching the inbox
- A multi-layered, open-source approach to email security, where individual layers work harmoniously to provide comprehensive, resilient protection
- Centrally managed cloud-based administration
- Automatically adjusting detection algorithms that anticipate attacks
- Seamless implementation and unrivaled 24x7x365 customer support
Business email compromise is a more serious and common threat to businesses of all sizes across all industries than ever before. Attackers use social engineering together with techniques including email spoofing, spear phishing and malware to gain access to a corporate email account, then send fraudulent emails under the identity of the account owner in order to steal money from the target company.
This email attack is becoming increasingly popular because organizations have more money to lose than individuals do, and the scam preys on the willingness of employees to please the boss.
Engaging in basic email security best practices has the potential to mitigate companies’ risk of suffering the aftermath of BEC; however, investing in an advanced, comprehensive business email security gateway is the best way to prevent these dangerous and costly attacks.
Learn More about BEC
Do you have any questions about BEC that haven’t been addressed in this article? If so, please contact us and we would love to answer them!
Stay tuned for our next Email Threats Explained blog post: What is Malware?