What is Business Email Compromise (BEC)?
Updated June 23, 2022 to reflect current data.
Because of the accessibility of email, we’ve seen increased abuse that has become more sophisticated over the years. Business email compromise (BEC) attacks cost organizations an estimated $2.4 billion in losses in 2021 in the US alone, reports the FBI, which received a total of 847,376 complaints; that’s a 7% increase from 2020. This domain abuse has caused a loss of over $26 billion across the globe and is expected to rise steadily as people are increasingly working remotely.
What is Business Email Compromise?
BEC is a form of cybercrime that uses email fraud to deceive organizations. While the name suggests it targets only businesses, every domain owner can be affected.
In a BEC exploit, cybercriminals send socially engineered email that appears to come from someone you know. It might seem to be from an executive or manager at your company or from a business partner or supply chain vendor. These emails will ask you to reveal business information, request a payment, or ask for gift card purchases that seem legitimate but send the money directly to a criminal.
Many times, a BEC attack will attempt to compromise your email account. Once bad actors have access to your account, they can obtain private information, gain access to your company’s computer network and install ransomware and other malware.
In a BEC attack, attackers might:
- Spoof email accounts and websites using slight variations on legitimate addresses ([email protected] vs. [email protected]). Unsecured email domains can also be spoofed to trick victims into thinking fake accounts are authentic.
- Send spear-phishing emails. These fake emails are believed to be from a trusted sender and prompt victims to reveal confidential information or make a payment.
- Install malware. This malicious software can infiltrate a company’s networks and access email threads about billing and invoices, which gives criminals the information they need to time payment requests so they don’t trigger suspicion. Malware also lets criminals gain access to personal data, including passwords and financial account information.
Here are five main types of BEC scams identified by the FBI:
- False Invoice Scheme: Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.
- CEO Fraud: Attackers pose as a company’s CEO or other executive and send an email to employees in finance requesting a financial transfer to an illegitimate account.
- Account Compromise: An employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are actually sent to fraudulent bank accounts.
- Attorney Impersonation: An attacker will impersonate a lawyer or other representative of a law firm responsible for sensitive matters. These attacks often arrive by email at the end of the business day, when the victims are low-level employees without the knowledge or authority to question the validity of the communication.
- Data Theft: HR and bookkeeping employees will be targeted in order to obtain personal or otherwise sensitive information about the employees or executives. This data can be very helpful for future attacks.
Why Is Business Email Compromise Such a Problem?
As more and more business goes online, there is an increased opportunity for cybercriminals to target people in BEC attacks and other cybercrime. The world is seeing an increase in the frequency, the complexity and the amount of loss associated with this crime. According to a 2022 Q1 report from APWG, there were a total of 1,025,968 phishing attacks—the highest number ever recorded for a quarter.
Criminals are constantly looking for new ways to victimize people. They have gotten more sophisticated since the days when phishing attacks were bulk-delivered and random. These actors engage in significant research and will exploit emotions and current events such as elections, natural disasters, terrorist attacks and global events like the COVID-19 pandemic.
What Are BEC Attack Warning Signs?
Cybercriminals are sly and use proven tactics to exploit their victims. Be on alert for these warning signs:
- Unexplained urgency
- Last minute changes in wire instructions or recipient account information
- Last minute changes in established communication platforms or email account addresses
- Communications only in email and refusal to communicate via telephone or online voice or video platforms
- Requests for advanced payment of services when not previously required
- Unexpected requests from employees or employers to change direct deposit information
Cybercriminals adapt very quickly when they find a new ploy or current event that they can exploit. Staying aware of the way tactics are evolving will help organizations take the proper precautions to defend against these highly targeted attacks and avoid falling victim to the latest tricks.
How to Prevent Business Email Compromise
As a domain owner, the first risk to consider is the abuse of your domain(s), the public-facing asset used to communicate within the organization and to external stakeholders like prospective customers, current customers and vendors. The risk of the abuse of the organizational domain is extraordinarily high, but it is also an easy problem to solve.
Domain-based Message Authentication Reporting and Conformance (DMARC), an open internet standard and industry best practice, combats domain spoofing and allows organizations to take control of their online presence and prevent brand erosion caused by a data breach. As DMARC adoption across the email ecosystem continues to accelerate, the vital email communication channel and the internet as a whole will become safer.
As an end user, here are some ways to protect yourself from BEC and phishing exploits:
- Never give login credentials, account numbers or personally identifiable information in response to any emails.
- Be careful with what information you share on social media. You can inadvertently provide criminals with information they need to guess your password, answer your security questions or create a socially engineered hoax.
- Don’t click on links or open attachments in an unsolicited email or text message asking you to update or verify account information. Instead, look up the company’s phone number (don’t use the one in the questionable email) and call the company to ask if the request is legitimate.
- Closely examine the email address, URL, spelling and grammar. Scammers use slight differences to trick your eye and gain your trust.
- Set up two-factor or multi-factor authentication.
- Verify payment and purchase requests in real time to ensure they are legitimate. You should also verify any change in account number or payment procedures with the person making the request.
- Be especially aware if the request is urgent, time sensitive or plays to your emotions. Those are age-old deception techniques.
Educating yourself and your employees on the dangers of BEC is extremely important as a compromised email system can cause lasting damage to your organization’s reputation and finances. Being aware of the risks and putting safe measures in place will help to keep the problems at bay.
How dmarcian Can Help
For most organizations, the process of implementing DMARC is a rare chance to focus on their internet security posture. As a first step, you can use our domain checker to analyze the status of your domain(s).
Our experts are happy to share how your organization’s security posture can be radically improved. Contact us to learn more or register for a free trial and get some help along the way.
Want to continue the conversation? Head over to the dmarcian Forum.