Business Email Compromise: What You Need to Know
It’s an all-too-common scenario: You receive an email from your CEO asking you to urgently transfer money, make a purchase, or share sensitive information. The message seems legitimate, and it implores you to take quick action. However, the urgent nature of the email is a big red flag — you may just be the target of a Business Email Compromise (BEC) attack.
Contents
What is a Business Email Compromise?
The Dangers of Business Email Compromise
Types of Business Email Compromise
High-Profile BEC Attacks that Made Headlines
Protect Yourself Against Business Email Compromise
What is a Business Email Compromise (BEC)?
Business Email Compromise is a type of sneaky cyberattack that is a growing threat worldwide. The perpetrators use social engineering tactics — the act of psychologically tricking the receiver into giving up sensitive information, authorizing fraudulent transactions, or taking other actions that could compromise the security of the targeted organization.
The attackers behind BEC frauds often spend time researching their targets, using social media and other online resources to gather information about employees’ job titles and email addresses.
Using this information, cybercriminals create spear phishing emails — highly targeted phishing attacks — in which they pose as high-level executives or trusted vendors. These carefully crafted emails appear to come from legitimate email addresses, convey a sense of urgency, and use persuasive language to manipulate the target into acting quickly and impulsively.
Business Email Compromise and Email Account Compromise (EAC) attacks are particularly successful at bypassing traditional email security measures. Unlike malware-based attacks, these cybercrimes are designed to exploit human weaknesses rather than software flaws, making them harder to detect and defend against.
The Dangers of Business Email Compromise
The consequences of a successful Business Email Compromise attack can be devastating. Organizations can suffer significant financial losses, reputational damage, and potential legal liabilities, depending on the nature of the data stolen.
Attacks related to BEC have resulted in over $43 billion in losses globally from June 2016 to December 2021, according to statistics collected by the FBI’s Internet Crime Complaint Center (IC3), law enforcement, and filings with financial institutions.
The recent rise in remote working culture has led to an increase in this form of cybercrime. Recorded BEC attacks increased by more than 81% during 2022 and by 175% over the past two years, with open rates on malicious emails also surging, according to Abnormal Security's latest report on business email compromise trends and statistics.
Types of Business Email Compromise
BEC attacks are ever-evolving, with the scope of the crimes getting wider. Here are some of the prevalent types of business email compromise and the strategies used by cybercriminals to carry them out.
Business Executive/CEO Scheme
The attacker poses as a high-level executive or the CEO of a company and emails employees who typically handle financial requests. The email usually has a pressing tone that pushes the employee to act quickly without checking whether the request is genuine. It could be a request for purchases, wire transfers, or other financial transactions to an external bank account.
Fake Invoice Fraud
In this type of attack, the cybercriminal poses as a legitimate supplier or vendor and sends a fraudulent invoice to the company for goods or services. The attacker replaces the vendor’s bank account details with their own. These frauds can be difficult to detect since the attackers often use the supplier or vendor’s legitimate information.
Lawyer Impersonation
An attacker poses as an attorney and contacts a company to request urgent payment for legal fees or settlements. The email is crafted to instill fear and often includes threats of legal action or other consequences if the payment is not made on time. These scams prey on lower-level employees who may fear the alleged legal consequences.
Data Theft
A cybercriminal targets HR and Finance personnel to steal sensitive information about an organization’s CEO, employees, invoices, or contracts. The attacker can then use the data in future attacks like CEO fraud.
Account Compromise
This attack combines aspects of both the fraudulent invoice scheme and CEO fraud. The attacker gains access to a company's email system and sends fraudulent emails to external vendors requesting payment, or changes the bank account information of a vendor in the company's database. An individual executive's or employee's email contact list could also be compromised.
Gift Card Scam
In this attack, the criminal poses as a supervisor or high-level executive with authority and sends an urgent email to an employee requesting help buying gift cards for staff or customers. The email asks for the card serial numbers so they can be emailed out right away.
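As an added example (not from the original article or from SSH Communications Security), the following Python heuristic flags an inbound message for the red flags the sections above describe: an executive's display name on an address outside the company domain, a lookalike sender domain, a Reply-To that points elsewhere, and urgent financial or gift-card language. The company domain, the executive directory and both sample messages are constructed for the example.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed directory for a hypothetical organisation (assumption, not real data).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> real mailbox
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|asap|today)\b", re.I)
FINANCIAL = re.compile(r"\b(wire transfer|gift cards?|bank account|invoice|payment)\b", re.I)

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC red flags found in one RFC 5322 message (heuristic, not proof)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(addr)
    flags = []
    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:
        flags.append("executive display name on a non-corporate address")
    # Similar-but-different domain, e.g. a digit swapped for a letter.
    if from_domain != INTERNAL_DOMAIN and \
            SequenceMatcher(None, from_domain, INTERNAL_DOMAIN).ratio() > 0.8:
        flags.append(f"lookalike sender domain {from_domain!r}")
    if reply_to and _domain(reply_to) != from_domain:
        flags.append("Reply-To points to a different domain than From")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if URGENCY.search(body):
        flags.append("urgency language in body")
    if FINANCIAL.search(body):
        flags.append("payment or gift-card request in body")
    return flags

# Constructed sample messages: one CEO-fraud attempt, one routine internal mail.
CEO_FRAUD = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-example.net
To: accounts@example.com
Subject: Quick favour

I need you to handle a wire transfer for a new vendor today. It is urgent,
I am in meetings all day so just reply here with confirmation.
"""
LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Board deck

Attached is the agenda for Thursday. No action needed.
"""
```

Scores like these belong in a mail-gateway rule or SIEM enrichment that routes flagged messages to a human for out-of-band verification, not in an automatic block decision.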
High-Profile Business Email Compromise Attacks that Made Headlines
- A BEC scammer posing as Mattel's CEO contacted the company's finance team in 2015 and convinced an employee to wire $3 million to a Chinese supplier.
- In a notorious data theft BEC in 2016, cybercriminals impersonated Snapchat’s CEO to obtain sensitive data from a company employee. The data included former employees’ Social Security Numbers, tax information, salaries, and healthcare plans.
- In 2017, a Lithuanian man pled guilty to tricking internet giants Google and Facebook into transferring over $100 million into a bank account under his control. He posed as a well-known company that provided the internet giants with hardware for their data centers and sent them forged invoices and fraudulent contracts.
- In February 2023, Europol busted a Franco-Israeli criminal network involved in large-scale CEO fraud that cost a total of €38 million.
Business Email Compromise is a growing threat to businesses of all sizes, with attackers employing increasingly sophisticated social engineering tactics to carry out wire fraud, invoice fraud, and other forms of cybercrime. Security awareness and education play a crucial role in protecting companies from such attacks.
Protect Yourself Against Business Email Compromise
There are ways for organizations to mitigate the risk of BEC. We at SSH Communications Security recommend sending emails containing sensitive or critical information only by using solutions tailor-made for such purposes.
One easy way is to use encrypted secure email, like our SalaX Secure Mail 2024. Its encryption protects the message from being read in transit, and its sender-recipient verification gives you confidence that the email was sent from a legitimate source.