What Is Business Email Compromise (BEC) and How to Prevent It?

What Is Business Email Compromise (BEC)

The Internet has become the driving engine of interaction between companies and customers, with email remaining the most popular tool for formal business communication. Unfortunately, it’s also the most fragile way to exchange messages and sensitive data. Email is prone to phishing, and spam attacks, with Business Email Compromise (BEC) causing heavy financial losses and reputational damages.

We’re amid a digital and technological transition that disrupts economies and changes the very fabric of society. The latest developments in Artificial Intelligence and the post-pandemic challenges push businesses to enhance their online presence and seek new opportunities in unchartered areas. At the same time, cybercriminals are plotting new schemes to perpetrate devastating scams and slow down progress.

This article tackles BEC fraud and provides tips on protecting your business against cyber attacks. Let’s dive straight into the matter!

Table of Contents

  1. What Is a Business Email Compromise?
  2. How Do BEC Attacks Work?
  3. Business Email Compromise Examples
  4. Who Is Most Often Targeted in BEC Attack-Style Emails?
  5. What Types of Business Email Compromise Scams There Are?
  6. What Makes a BEC Attack Different Than a Typical Phishing Email?
  7. Why Is It Important to Prevent Business Email Compromise?
  8. How to Prevent Business Email Compromise?
  9. What to Do if You Fell for a BEC Scam?
  10. Business Email Compromise Statistics

What Is a Business Email Compromise?

A Business Email Compromise is a type of cyberattack where fraudsters impersonate a company executive or employee to trick individuals within an organization into taking actions that benefit the attacker. BEC attacks typically involve email communications and can lead to significant financial losses for businesses.

How Do BEC Attacks Work?

The attacker begins by gathering information about the target organization, such as employee names, job titles, and email addresses, through various means, including social engineering, public websites, or data theft.

Next, the attacker spoofs or impersonates a legitimate email account within the organization, such as a high-level executive or CEO. They often create an email address similar to the genuine one, using slight variations or misspellings that recipients might overlook.

On top of that, attackers use social engineering techniques to manipulate the victim into taking a desired action. They might exploit the recipient’s trust, authority, or urgency to increase the chances of success. For example, the attacker could claim to be the CEO requesting an urgent wire transfer to a specific fraudulent bank account for a time-sensitive business deal.

One of the oldest but most efficient tricks in the fraudsters’ book is to seed deception and urgency into their target’s mind. They may use phrases like “confidential,” “urgent,” or “strictly confidential” to add credibility to pressure the recipient into bypassing standard security procedures.

Employees with access to financial information or the authority to initiate transactions are especially prone to business email compromise scams. These could be individuals in the finance or accounting departments or employees responsible for managing vendor relationships. The goal is to convince them to transfer funds, disclose sensitive information, or change payment instructions.

Business Email Compromise Examples

Business Email Compromise attacks are relentless. Whether you’re a local business or a large international corporation, no one is safe from the next big attack unless all preventive measures and cybersecurity awareness are in check. However, it’s in humans’ nature to trust one another, and the examples below illustrate this perfectly:

Facebook and Google Fiasco

In arguably the most resounding social engineering attack of all time, Evaldas Rimasauskas and his associates persuaded Google and Facebook employees to pay invoices for goods and services that the manufacturer genuinely provided to a fake account defrauding the Big Tech companies of over $100 million.

If BEC scams can happen at this level, imagine how susceptible is the rest of the business landscape where employees lack cyber security awareness and vigilance. The costs and damages resulting from BEC attacks rise to billions over a calendar year.

Toyota Joins the BEC Victim’s Club

In 2019, Toyota, a well-known name in the automotive industry, fell victim to a staggering $37 million Business Email Compromise attack. This incident highlighted the vulnerability even large companies face when it comes to cyber threats.

Despite the substantial sum involved, the perpetrators managed to deceive an employee within Toyota’s European subsidiary, successfully transferring the funds undetected. Critics argue that Toyota, given its size and influence, should have been more vigilant in recognizing the signs of this pervasive scam.

Government of Puerto Rico Transfers Millions to Scammers

In the wake of a powerful 6.4-magnitude earthquake that struck Puerto Rico in early 2020, the Puerto Rican government fell prey to a cunning BEC scam, leaving them reeling from the consequences.

The protagonist of this unfortunate incident was Rubén Rivera, the finance director of Puerto Rico’s Industrial Development Company. He inadvertently transferred over $2.6 million to a fraudulent bank account.

The scheme unraveled through an email that landed in Rivera’s inbox, purportedly informing him of a change in the bank account associated with remittance payments. What made this email particularly insidious was its origin—an employee’s compromised email account from the Puerto Rico Employment Retirement System. Unbeknownst to Rivera, this seemingly innocuous message was nothing more than a cleverly crafted ruse expertly devised by the scammers.

Three employees found themselves suspended pending further investigation into their potential involvement. Thankfully the FBI promptly froze the ill-gotten gains, including public pension funds.

Who Is Most Often Targeted in BEC Attack-Style Emails?

BEC attacks typically target individuals or organizations involved in financial transactions. The primary targets are often accountants, financial officers, or payroll personnel.

BEC attackers often impersonate CEOs, CFOs, or high-ranking executives to exploit their authority and influence. They target these individuals because they usually have access to company funds and can authorize significant transactions.

Employees involved in procurement or purchasing activities, such as procurement officers or buyers, are also easy and frequent victims as scammers often pretend to be suppliers requesting fund transfers. HR personnel are also vulnerable to BEC scams as they store sensitive employee information, including social security numbers, bank account details, or personal data.

Finally, a Business Email Compromise scam may target IT administrators to gain unauthorized access to email accounts or jeopardize internal systems. By compromising these accounts, they can monitor communications, intercept sensitive information, or send fraudulent emails from trusted sources.

BEC attacks are highly adaptable, and attackers continuously evolve their tactics. Anyone with access to financial resources or valuable data within an organization can become a target. As a result, Business Email Compromise protection should be a top priority for every organization, regardless of its size and niche.

What Types of Business Email Compromise Scams There Are?

BEC scams encompass various tactics that attackers use to deceive individuals and organizations. Here are some common types of BEC scams:

  • CEO Fraud: In this scam, the attacker impersonates a high-level executive, typically the CEO or another executive with authority, and sends an email to an employee instructing them to make an urgent payment or transfer funds to a specified account. The email appears legitimate, often including the executive’s name, signature, and personal information obtained through social engineering.
  • False Invoice Scheme: Fraudsters target businesses engaged in regular transactions with suppliers or vendors. They intercept legitimate invoices and modify the bank account information, redirecting payments to their fraudulent bank accounts. The altered invoices often appear identical to the original ones, making detection difficult.
  • Attorney Impersonation: Here, tricksters pose as lawyers or legal representatives. They email individuals involved in business transactions, lawsuits, mergers, and acquisitions. The emails typically claim that a confidential matter requires urgent attention, such as a fund transfer to a designated account controlled for settlement or legal fees.
  • Employee Impersonation: Attackers pretend to be an employee within an organization and send emails requesting sensitive information, such as employee records, W-2 forms, or financial data. They may impersonate HR personnel, payroll officers, or colleagues.
  • Account Compromise: In this scenario, attackers gain unauthorized access to an employee’s email account. They monitor it to gather information, identify ongoing financial transactions, and then send fraudulent emails to redirect funds or change payment instructions.

What Makes a BEC Attack Different Than a Typical Phishing Email?

Business Email Compromise vs phishing has many similarities. Both phishing emails and BEC attacks involve deceptive emails. A typical phishing attack aims to trick individuals into revealing personal information, while a BEC attack targets businesses and tries to deceive employees into taking actions that benefit the cybercriminals.

BEC attacks are more sophisticated. In a BEC attack, cybercriminals try to impersonate someone within the organization, such as a CEO, manager, or a trusted vendor, to deceive employees into making wire transfers to fraudulent accounts, sharing sensitive company information, or even changing account details.

Why Is It Important to Prevent Business Email Compromise?

BEC attacks can result in substantial financial losses for organizations. Attackers often impersonate high-level executives or trusted business partners, tricking employees into initiating wire transfers or disclosing sensitive financial information.

Moreover, BEC scams can harm a company’s reputation. If customers, partners, or stakeholders learn that an organization lacks proper security measures and awareness, it can erode trust and confidence in the company’s ability to protect sensitive information. This loss of reputation can lead to decreased customer loyalty, reduced business opportunities, and difficulty attracting new clients.

BEC attacks can also expose sensitive data and personal information, leading to severe legal and regulatory consequences. Breaches of personally identifiable information (PII) can lead to legal action, financial penalties, and damage to individuals affected by the breach. Business Email Compromise prevention helps organizations minimize the risk of data theft and uphold their commitment to protecting customer privacy.

How to Prevent Business Email Compromise?

As you can see, BEC attacks are sweeping the world with increased frequency, so it’s imperative to spot them from the get-go. Here are five efficient Business Email Compromise solutions that will prevent future attacks.

1. Know Your Enemy and Their Schemes

Criminals seem like geniuses if they pull off a massive scam, but careless employees should take all the credit instead. Most BECs rely on the same underlying tactics and manipulations, so detecting them should come as second nature after learning the common BEC strategies.

The biggest red flag is a false sense of urgency. Attackers, usually posing as executives, supervisors, or chief accountants request invoice payments by sending spoof emails to victims and urging them to wire money to close a business deal. Here’s a classic example:

Hi Ben,

I’m meeting right now with [Company Name]. It seems that our last invoice went to their old account. If you don’t have their new account details, I’ve provided them below. Please pay NOW, so I can tell them it’s done.

Account No: 94567868900

Sort Code: 45-20-30 Thanks!

Andrew, CAO of [Your Company Name].

Seems pretty convincing, right? But what gives them away is the wrong domain name. You should always check the sender’s address before replying and sending money. At first glance, the message comes from a credible domain, but it’s slightly altered to catch you off guard. So instead of @microsoft.com, the fake address could spell @micr0soft.com or @microsott.com.

Another common BEC tactic is vendor impersonation. It involves scammers spoofing one of the company’s vendors. This attack is trickier because the sender’s details are correct, and the transaction seems legit. The bad news is that scammers have hacked into the vendor’s email account. The good news is that you can prevent fraud by double-checking the vendor’s account number because it will differ from the usual one. If something feels off, contact the company by phone and ask them to confirm the transaction.

2. Educate Your Employees to Spot Bec Attacks

Without proper training on cybersecurity awareness and BEC scams, you will fall victim to them sooner or later. Employees must develop a strong grasp of phishing emails and be fully aware of these attacks’ enormous risks and implications. Run regular phishing drills and remind employees to verify the authenticity of emails, especially those that are suspicious. Here’s what they should pay attention to:

  • The tone of the message. If urgent, they should step back and carefully inspect the email address and contents.
  • The senders’ information doesn’t match the email address.
  • Spelling mistakes, typos, and poor grammar.
  • Unsolicited links and attachments.

3. Use Strong Passwords and Enable Two-Factor Authentication

A password policy ensures that all users use strong passwords (i.e., at least 12 characters with upper- and lower-case letters, numbers, and special characters). Two-factor authentication (2FA) is an additional layer of security to prevent unauthorized access to an email account if the password has been compromised.

4. Get Technical. Protect Your Emails With Anti-Fraud Measures

One of the most efficient ways to safeguard against email attacks is to install a secure email gateway (SEG). Such a device or software monitors email activity and stops spam, malware, and viruses from reaching your inbox. SEG can also detect and block phishing domains, and you can add common keywords used in BECs, and flag them as suspicious.

Another security measure is to use email authentication methods such as SPF, DKIM, and DMARC.

  • With Sender Policy Framework (SPF), you can add a DNS record to authorize the IP addresses that can send emails on behalf of your domain.
  • DKIM stands for DomainKeys Identified Mail and works with SPF to detect forged emails. DKIM signs your outbound emails so that recipients can verify their legitimacy.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC uses SPF and DKIM authentication protocols to verify emails sent from the organization’s domain.

5. Encrypt Emails and Documents With a S/MMIME Certificate

Email certificates follow the S/MIME (Secure/Multipurpose Internet Mail Extensions) standard and provide authentication and integrity.

S/MIME enables end-to-end encryption to all outgoing emails and blocks email spoofing attempts by confirming the sender’s identity and ensuring that the message content has not been altered.

With S/MIME the transmission is no longer in plain text and vulnerable to man-in-the-middle attacks. Best of all S/MIME certificates are compatible with modern e-mail clients and are FDA ESG compliant. You can get a S/MIME certificate from SSL Dragon. We have options for individuals and companies of all sizes.

What to Do if You Fell for a BEC Scam?

Oh no, you think you may have responded to a BEC email. Don’t panic just yet! Here’s what you should do:

  1. If your company has BEC security protocols, follow them as per your training guidelines.
  2. Notify your IT department immediately.
  3. Call your bank and ask them to suspend all transactions
  4. Review your account statements for any suspicious activity.
  5. Report the incident to the relevant authorities. In the United States, contact your local FBI field office to report the crime.

Business Email Compromise Statistics

Here are some stats to make you shiver:

Final Thoughts

Business Email Compromise scams will be around as long as the Internet exists. The main reason why they’re so successful is that human nature is prone to manipulations and covert tactics. BECs are more psychological than technical. They follow a proven blueprint that heavily relies on carelessness, submission to authority, and lack of cyber security awareness.

We’ve shown you how to spot and prevent BEC scams before it’s too late. Now it’s your turn to take action and implement them for general email security whenever you open a new message.

Save 10% on SSL Certificates when ordering today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

Written by

Experienced content writer specializing in SSL Certificates. Transforming intricate cybersecurity topics into clear, engaging content. Contribute to improving digital security through impactful narratives.