What is business email compromise (BEC)?
Email is a necessary part of doing business today, and criminal organizations use email as an effective way to hold companies for ransom. A business email compromise (BEC) attack is when a cybercriminal targets your employees with convincing emails designed to trick users into clicking and downloading malicious files. Once the attacker is in, they can learn more about your business or even block access, holding confidential information for ransom.
What Happens During a BEC Email Attack?
Business email compromise, also referred to as email attack compromise (EAC), is where a cybercriminal uses an email scam to exploit your business and employees. A cybercriminal creates an email account that looks similar to one used on your business' corporate network. In most cases, the criminal sends the email to an employee requesting an action such as downloading a file, resetting a password, or completing an ecommerce transaction in which credit card or bank account information is entered.
Types of Business Email Compromise Attacks
CEO Fraud
A cybercriminal impersonates a CEO or another business executive, sends an email to your company's finance department, and requests money be transferred to an external account.
Account Compromise
This type of attack begins after a cybercriminal has already compromised an employee's email account. In this instance, the hacker sends emails from the employee's account to business vendors and requests payments from them.
False Invoice Scheme
A cybercriminal impersonates a supplier, submits an invoice to your business, and requests the invoice payment be submitted via a fund transfer.
Impersonating an Attorney
A cybercriminal pretends to be an attorney or legal representative, sends an email to one of your employees, and requests money or other information about your business.
Data Theft
A cybercriminal targets your company's HR employees, sends emails to them, and requests information about the CEO or other executives.
Steps in a Business Email Compromise Attack
1. Target Identification
A cybercriminal gathers information about your company and its employees. The hacker looks online for information from websites and your employees' social media accounts and develops an attack profile for your business. Then, the criminal creates an email account and message to use during their attack.
2. Grooming
A cybercriminal uses spear-phishing emails to "groom" your employees. The criminal sends emails to try to persuade or pressure your employees to send money or share information about your business. This criminal may send multiple spear-phishing emails to the same employees over the course of several days or weeks.
3. Exchange of Information
A spear-phishing email is successful when your employees cannot tell it is fake. At this point, any of your employees can inadvertently comply with the cybercriminal's request.
4. Wire Transfer
If a cybercriminal asks for money in a BEC attack and any of your employees follows through on the request, the criminal will immediately transfer the funds to an external account. This ensures the criminal gets the money into their account before you discover the attack.
Common Business Email Compromise Techniques
Spear-Phishing
A hacker sends an email claiming to be from a trusted source and requests your employees provide money or information about your company.
Spoofing Email Accounts and Websites
A cybercriminal creates a slight variation of an email account that appears legitimate (for example: instead of bobsmith@sophos.com, the criminal can use bobsmith@sopphos.com). Or, a hacker sets up a fraudulent website to trick your employees into submitting payments or sharing information about your business.
Malware
A hacker emails your employees and encourages them to download a malicious attachment.
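The spoofing and CEO-fraud techniques above both hinge on a From: header that is almost, but not quite, right. The following is an added example (not code from Sophos or from this page) that scores an inbound From: header against an assumed allow-list of trusted domains and an assumed list of executive names; it flags near-miss domains such as sopphos.com versus sophos.com, and display names that match an executive while the address is external. Domain lists, names, and sample headers are all constructed.

```python
# Added example, not part of the original page. Flags BEC-style sender
# impersonation: lookalike domains (sopphos.com for sophos.com) and
# display-name impersonation of executives from external addresses.
from email.utils import parseaddr

TRUSTED_DOMAINS = {"sophos.com", "example-vendor.com"}   # constructed allow-list
EXECUTIVE_NAMES = {"jane doe"}                           # constructed, lowercased


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, max_dist: int = 2):
    """Return the trusted domain that `domain` imitates, or None.
    An exact match is legitimate, not a lookalike."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= max_dist:
            return trusted
    return None


def classify(from_header: str) -> str:
    """Classify a raw From: header for BEC impersonation indicators."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    hit = lookalike_of(domain)
    if hit:
        return f"lookalike of {hit}"
    if name.strip().lower() in EXECUTIVE_NAMES:
        return "display-name impersonation"
    return "external"


if __name__ == "__main__":
    for hdr in ("Bob Smith <bobsmith@sophos.com>",
                "Bob Smith <bobsmith@sopphos.com>",
                "Jane Doe <jane.doe.ceo@freemail-example.net>"):
        print(f"{hdr:50} -> {classify(hdr)}")
```

A real deployment would compare against the organization's own verified domains and supplement this with SPF, DKIM and DMARC results rather than relying on header string checks alone.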
Business Email Compromise Attack Examples
1. Facebook and Google
Between 2013 and 2015, cybercriminal Evaldas Rimasauskas set up a fraudulent company called "Quanta Computer." He reached out to Facebook and Google and requested the companies pay invoices to accounts that he controlled.
Initially, the BEC attack was successful, as Facebook and Google paid $120 million to Rimasauskas. However, in December 2019, the U.S. Department of Justice sentenced Rimasauskas to five years in prison for participating in the BEC scheme against Facebook and Google.
2. Ubiquiti
Networking company Ubiquiti reportedly lost $46.7 million in a vendor email compromise (VEC) attack.
Ubiquiti discovered the VEC attack on June 5, 2015. During the attack, cybercriminals impersonated employees from a third party and targeted Ubiquiti's finance department. They were successful, and Ubiquiti's finance department transferred $46.7 million to overseas accounts held by unknown third parties.
Following the attack, Ubiquiti recovered $8.1 million of the amounts transferred. Beyond that, few details are known about the attack, and the cybercriminals behind it remain unknown.
3. Toyota
In 2019, a Toyota subsidiary recorded nearly $37 million in financial losses from a BEC scam.
To launch the attack, a hacker posed as a business partner of the Toyota subsidiary. The hacker sent emails to the business' finance and accounting teams. In the emails, the cybercriminal requested funds be sent for payment to a third-party bank account.
Toyota officials found out about the BEC scam after the funds were transferred to the hacker's account. To date, they have not been able to find the hacker or get the funds returned.
Are Business Email Compromise Attacks Common?
The FBI issued an alert in May 2022 about business email compromise attacks and their impact on businesses. Key takeaways from the alert include:
- Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses due to BEC attacks; these losses include actual and attempted losses in U.S. dollars.
- Domestic and international exposed dollar losses from BEC scams exceeded $43 billion.
- Over 241,000 domestic and international BEC scams were reported, with scams reported in all 50 states and 177 countries and over 140 countries receiving fraudulent transfers.
What to Do After a Business Email Compromise Attack
1. Report the Attack to the FBI
Reach out to a local FBI field office to report the attack and file a complaint with the FBI's Internet Crime Complaint Center (IC3).
2. Contact Your Financial Institution
Notify your financial institution about the BEC attack. If a transfer has been initiated, your financial institution may be able to stop it or get information about who received it.
3. Learn from the Attack
Don't act as if the BEC attack never happened. Analyze the incident and find out why it happened.
How to Protect Against Email Attack Compromise
1. Establish a Cybersecurity Awareness Program
Create a program to teach your employees about business email compromise attacks and the dangers associated with them. Your program should focus on the following areas:
- How BEC attacks impact global organizations
- How cybercriminals launch BEC attacks
- Social engineering and its relationship to BEC attacks and other types of cyberattacks
- How to respond to a BEC attack and report it to a manager or IT team
- BEC attack prevention best practices
Your cybersecurity awareness program can include quizzes, exercises, games, and other tools to teach your employees about BEC attacks.
In addition, make sure your workers receive cybersecurity awareness training at least a few times a year. You can update your cybersecurity awareness training program periodically so your workers always know the best ways to combat BEC attacks and other current and emerging cyberthreats.
2. Layer Your Cyber Defense
Account for BEC attacks in your cybersecurity strategy. To do so, revamp your existing cybersecurity strategy or create a new one.
Perform a cybersecurity audit to learn about your security strengths and weaknesses. It helps to hire a third-party cybersecurity company to complete the audit. Following the audit, you'll know what to do to improve your security posture.
Look for cybersecurity technologies that complement your everyday operations. For example, you can use artificial intelligence to fight BEC attacks. AI can help you quickly identify BEC scams before they can damage your business.
Make sure any BEC detection, analysis, and prevention technologies are implemented properly. It often helps to gradually integrate these technologies into your business operations. Track the results of your security technologies as you deploy them. If your deployments are successful, you can continue to integrate these technologies into all aspects of your business.
3. Remain Diligent
Establish processes and protocols to track information-sharing across your company. That way, if funds are transferred outside your business, you can identify who is sending them and who is receiving them.
Require multi-factor authentication (MFA) for employees to access your business systems. With MFA in place, your employees will need to complete at least two authentication steps before they can access your systems.
Make sure you're operating in accordance with your industry's data security compliance requirements. Stay up to date about these requirements and follow them closely.
Keep looking for ways to level up your security posture. Cybercriminals are constantly launching BEC attacks. You need to keep pace — or risk falling victim to BEC attacks.
Get Help with BEC Attacks from Sophos
Sophos provides a cybersecurity as a service offering to protect your business, its employees, and its customers against BEC attacks and other cyberthreats. To learn more, please contact us today.