Email scams have existed for almost as long as email addresses have.

As organizations and security vendors work to protect against common types of phishing scams, cybercriminals always seem to stay one step ahead by adapting their tactics to get around established security controls.

The latest variant of email attacks afflicting organizations often operates by hiding in plain sight. Let’s talk about the many moving parts of Business Email Compromise (BEC).

This article will break down how a typical BEC attack works, highlight common strategies used by cybercriminals, and provide email security hygiene tips that organizations and individuals can take to protect against these attacks.

BEC (also known as the man-in-the-email scam) is a scam in which financially motivated adversaries trick unsuspecting executives and employees into making payments or sending sensitive data to fraudulent accounts. Attackers accomplish this by using a variety of techniques that manipulate users into sending money or data.

These recent statistics from the FBI’s 2020 Internet Crime Report show the gravity of BEC:

• In 2020, the FBI Internet Crime Complaint Center (IC3) received nearly 20,000 complaints about Business Email Compromise.

• Reported losses due to BEC increased from $1.29 billion in 2018 to $1.86 billion in 2020.

• The IC3 received more than 241,000 complaints on phishing and related attacks in 2020, a 110% increase from 2019.*

Business Email Compromise attacks are notoriously difficult to prevent. Rather than employ malware, perpetrators rely instead on social engineering techniques and impersonation to trick people into acting on the attacker’s behalf. Traditional threat detection solutions that analyze email headers, links, and metadata often miss these attack strategies.

BEC attacks don’t need any advanced tools or tradecraft to execute. Therefore, they are present in many forms, with the level of sophistication depending on the attacker’s motivation and ability. Here’s how a typical BEC attack runs its course:

Fig: How a typical BEC attack works

Phase 1: Research and Identify Targets

BEC attacks are usually focused on executives or employees authorized to make payments on behalf of their organizations.

Attackers perform reconnaissance over days or weeks, mining contact data from websites, social media, and the dark web. They build a profile of their target organization and then zero in on their victims. Common BEC targets include CEOs, lawyers, and accounts payable personnel.

Phase 2: Set Up the Attack

Unlike mass phishing emails that follow a “spray and pray” approach, BEC attacks come across as believable and legitimate.

Scammers prepare for the attack by performing activities such as spoofing email addresses or creating lookalike domains, impersonating trusted vendors, or taking over a legitimate email account of the victim’s manager or colleague.

Phase 3: Execute the Attack

The actual BEC attack can take place in one email or an entire thread, depending on the adversary’s thoroughness. This communication often uses persuasion, urgency, and authority to gain the victim’s trust. The perpetrator then provides wire instructions to the victim to facilitate making payments to a fraudulent account.

Phase 4: Disperse Payments

Once the money is wired to the attacker, it is quickly collected and disseminated across multiple accounts to reduce traceability and retrieval chances.

Rapid response times are critical for most cybersecurity incidents, and the same holds true for BEC attacks. If organizations are slow to identify a BEC attack that has been executed successfully, it’s unlikely that the money will be recovered.

According to the FBI, there are five common types of BEC scams:

1. CEO Fraud

Attackers impersonate the CEO or executive of a company. As the CEO, they request that an employee within the accounting or finance department transfer funds to an attacker-controlled account.

2. Lawyer Impersonation

Attackers pose as a lawyer or legal representative, often over the phone or email. These attacks’ common targets are lower-level employees who may not have the knowledge or experience to question the validity of an urgent legal request.

3. Data Theft

Data theft attacks typically target HR personnel to obtain personal information about a company’s CEO or other high-ranking executives. The attackers can then use the data in future attacks like CEO fraud.

4. Email Account Compromise

In an email account compromise attack, an employee’s email account is hacked and used to request payments from vendors. The money is then sent to attacker-controlled bank accounts.

5. Vendor Email Compromise

Companies with foreign suppliers are common targets of vendor email compromise. Attackers pose as suppliers, request payment for a fake invoice, then transfer the money to a fraudulent account.

Fig: New types of targeted email attacks utilize techniques that get past legacy email security controls

Since BEC relies heavily on social engineering, they are easy to execute with minimal tools and tradecraft. The accessible and repeatable nature of these techniques only serves to make BEC more popular among attackers. Here are five common types of BEC attack techniques to be aware of:

1. Exploiting Trusted Relationships

To urge victims to take quick action on email requests, attackers make a concerted effort to exploit an existing trusted relationship. Exploitation can take many forms, such as a vendor requesting invoice payments, an executive requesting iTunes gift cards, or an employee sharing new payroll direct deposit details.

2. Replicating Common Workflows

An organization and its employees execute an endless number of business workflows each day, many of which rely on automation, and many of which are conducted over email. The more times employees are exposed to these workflows, the quicker they execute tasks from muscle memory. BEC attacks try to replicate these day-to-day workflows to get victims to act before they think.

Compromised workflows include:

• Emails requesting a password reset

• Emails pretending to share files and spreadsheets

• Emails from commonly used apps asking users to grant them access

3. Suspicious Attachments

Suspicious attachments in email attacks are often associated with malware. However, attachments used in BEC attacks forego malware in exchange for fake invoices and other social engineering tactics that add to the conversation’s legitimacy. These attachments are lures designed to ensnare targets further.

4. Socially Engineered Content and Subject Lines

BEC emails often rely on subject lines that convey urgency or familiarity and aim to induce quick action.

Common terms used in subject lines include:

• Request

• Overdue

• Hello FirstName

• Payments

• Immediate Action

Email content often follows along the same vein of trickery, with manipulative language that pulls strings to make specific, seemingly innocent requests. Instead of using phishing links, BEC attackers use language as the payload.

5. Leveraging Free Software

Attackers make use of freely available software to lend BEC scams an air of legitimacy and help emails sneak past security technologies that block known bad links and domains.

For example, attackers use SendGrid to create spoofed email addresses and Google Sites to stand up phishing pages.

Google Forms and Docs are also used to extract sensitive data from victims, and attackers can host 0-day phishing links and fake invoices in Box and Google Drive.

Follow these tips and best practices to minimize BEC attacks’ frequency and impact.

Enable MFA on Your Accounts and Workflows

Enabling multi-factor authentication (MFA) will significantly reduce the likelihood of accounts being compromised and used to carry out BEC attacks. At the very least, businesses should ensure that these high-risk employees have MFA enabled:

• C-Level executives

• Employees with authority to initiate payments

• Administrator accounts

• Human resources

With the growing popularity of remote work, it’s also essential to create your own authentication means when none exists. If you receive a suspicious email from a familiar vendor asking for an invoice to be urgently fulfilled, call the vendor to confirm that they sent the email. A few extra seconds of caution can help prevent lots of strife later on.

Don’t Rely Solely on Native Email Security

Moving to a remote business model has accelerated cloud email adoption, enabling organizations to simplify email delivery and reduce the need for Secure Email Gateways (SEG).

G Suite and Office 365 have improved their native security offerings in recent years, providing better anti-spam and anti-malware protection. However, built-in security from cloud email providers should form the base — not the entirety — of your email security stack.

Thoroughly audit your existing email security capabilities to find out what you’ve already invested in. Microsoft recently launched a free Office 365 Configuration Analyzer, which will recommend the proper configurations for native O365 email security procedures, helping override rules and guidelines that give organizations lower protection.

Once you clearly understand what your native email security can and cannot do, make a plan to augment these baseline capabilities with security layers that are purpose-built to stop BEC attacks.

Fig: Improvements in native email security are causing organizations to move away from Secure Email Gateways (SEG).

When Reading Emails, Always Be Skeptical

BEC attackers do whatever they can to get victims to act before they think, relying on them being too busy to engage with emails rationally. While reading every email with a critical eye is much easier said than done, being aware of email risk is a good starting point.

Train employees to look for signs that a Business Email Compromise scheme may have targeted them:

• Be skeptical of deadlines emailed at short notice that involve sending money or sensitive data.

• Be wary of unusual purchase requests, even when they come from high-level employees and entities you trust.

• Keep a careful eye on emails from employees sharing new direct deposit details.

• Have additional authentication steps in place whenever vendors share new banking details for invoice fulfillment.

• Question requests to keep information confidential and be skeptical of warnings to limit or bypass normal communication channels.

• Pay close attention to requests for wire transfers that must be completed hastily or without proper authorization.

• Listen to your gut: if something doesn’t look or feel right, don’t be afraid to investigate. Emails with obvious misspellings or grammar that are unusual for the sender should be paid attention to. If a reply message looks “off,” you may have received a spoofed message. When in doubt, send a separate email to the sender rather than replying to the one sent.

The surface-level nature of BEC attacks means they are here to stay. Organizations and employees need to transform their mindset, processes, and security tools to keep abreast of the growing Business Email Compromise threat.