A BEC scam is a form of cyberattack in which financially motivated bad actors trick unsuspecting executives and employees into sending money or sensitive data to fraudulent accounts. Attackers accomplish this with phishing techniques that manipulate users into making the transfer of money or data themselves.
The following examples will help you understand what business email compromise is and how it works.
A criminal sends an email that appears to come from a legitimate source, such as:
Business email compromise, formerly called man-in-the-email attacks, is notoriously difficult to prevent. Rather than employ malware, perpetrators rely on social engineering techniques and impersonation to trick victims into acting on the attacker's behalf. Because such a message usually carries no malicious payload, traditional threat detection solutions that analyze email headers, links, and metadata often miss these attack strategies. That's why advanced email security solutions with integrated threat defense features are needed.
Phishing is a broader category of cyberattacks in which cybercriminals use deceptive emails, messages, or websites to trick individuals into revealing sensitive information, such as login credentials or credit card numbers.
BEC is a targeted and specialized form of phishing. In BEC attacks, attackers often use spear phishing techniques to target specific individuals, impersonating a company’s high-level executives, partners, or suppliers to manipulate employees into making financial transactions, like wire transfers or sharing sensitive company data.
Both phishing and BEC attacks deceive their targets in order to steal money or data, but BEC attacks specifically exploit trust and authority within an organization, often causing significant financial loss for the company.
BEC attackers carefully select their targets based on their roles and access within the organization to maximize their chances of success. They typically target employees within organizations who have access to financial resources or sensitive data. This includes:
Business email compromise is on the rise. Deceptively simple, these low-tech scams are carried out through one of today's most relied-upon forms of business communication: email, your top threat vector. These attacks require minimal resources and technical skills but can lead to significant losses, making this a favored strategy among cybercriminals. According to the Cisco Secure Email Buyer's Guide, in 2021 wire-transfer BEC scams demanded average sums of a staggering US$75,000. Read our guide to better understand the risk that everyday email poses to your organization, and what you need from email security to protect what matters.
BEC attacks are highly effective because they exploit our weaknesses as humans, such as our tendency to trust authority, act impulsively, and respond emotionally to urgent requests. Moreover, BEC attacks are becoming increasingly easy to perpetrate, with information, tools, and resources necessary to launch a successful attack readily available on the dark web. For attackers, BEC represents a relatively low-risk, high-reward endeavor, as bulk email addresses are inexpensive to obtain and virtually free to send.
Below is an outline of the typical progression of how a BEC attack works:
BEC scams typically target high-level executives or employees entrusted with the organization's payment authorizations. Over weeks, or sometimes just days, attackers perform deep reconnaissance, meticulously gathering contact information from online platforms, social networks, and the dark web. They construct a detailed profile of their target corporation, then narrow their focus to specific individuals within the organization. Often, these targets are CEOs, legal professionals, or accounts payable employees.
Unlike the spray-and-pray strategy typical of mass phishing campaigns, BEC scams target specific individuals with messages crafted to look highly credible and authentic. To prepare for the attack, scammers forge email addresses, create domains that mimic genuine ones, or even take over the legitimate email account of a victim's superior.
The execution of a BEC attack may involve a single email or a series of emails, depending on the technique's efficiency. These interactions typically leverage elements of influence, insistence, and legitimacy to convince the victim. Indicators of a BEC attack often include:
Once the attacker has the victim's trust or agreement, the attacker either receives the requested data or issues wiring directions that guide the victim to transfer funds into a fraudulent account.
After the funds arrive in the attacker's account, they are swiftly distributed among several other accounts to make tracing and recovery harder.
Quick reaction times are essential in numerous cybersecurity events, BEC attacks included. The longer it takes to recognize a successful BEC attack, the less likely it is that the stolen funds can be recovered.
Ten common types of threats are associated with BEC attacks:
Email account compromise: This is a common type of BEC scam in which an employee's email account is hacked and used to request payments from vendors. The money is then sent to attacker-controlled bank accounts.
Employee impersonation: This type of BEC takes the form of an email scam, in which a bad actor impersonates a trusted internal employee or vendor to steal money or sensitive information through email.
VIP impersonation: This type of attack occurs when a malicious actor sends an email to an unsuspecting victim, using a compromised email of a legitimate company, individual or VIP, asking for payment or funds transfer.
External payment fraud: An attacker emails an unsuspecting victim while impersonating a trusted vendor and requests payment of an invoice. It is also known as Vendor Email Compromise (VEC).
Internal payment fraud: Using stolen credentials, an attacker gains access to internal payment systems such as payment platforms and sets up fraudulent vendors, changes payment recipients, or redirects payments to their own accounts.
Payroll diversion fraud: Using stolen email credentials, an attacker emails an organization's payroll or finance department requesting a change to direct-deposit information.
Social engineering: Persuasion through psychology is used to gain a target's trust, causing them to lower their guard and take unsafe action such as divulging personal information.
Extortion: Threatening or intimidating action is used to obtain monetary or other financial gain, commonly used in vishing scams.
Malicious recon emails: These look like legitimate email communication but are actually sent by an attacker to elicit a response before extracting sensitive user or organizational data.
Credential phishing: A bad actor steals login credentials by posing as a legitimate entity using emails and fake login pages. The bad actor then uses the victim's stolen credentials to carry out a secondary attack or extract data.
BEC attacks rely on social engineering tactics and require minimal tools, making them straightforward yet effective. This simplicity and reproducibility make BEC appealing to cybercriminals. Below are five prevalent BEC scam methods that your team needs to recognize and guard against:
Attackers tactically use pre-existing trust to push victims towards immediate action on email directives. Social manipulations may appear normal or urgent, and highly convincing, such as vendors requesting payment, employees changing direct deposit accounts, or executives seeking Amazon gift cards for clients.
Employees receive countless automated business emails every day, prompting them to execute routine processes. Accustomed to these patterns, employees often respond to them as if on autopilot. BEC scams cunningly mimic these routines, prompting staff to act reflexively without suspicion.
While typical email threats often involve malicious attachments, BEC scams opt for a subtler approach. They avoid malware to create an illusion of authenticity. Any attachments they do include are non-malicious documents, such as forged invoices, financial statements, contracts, or other fraudulent paperwork, meant to convince the recipient that the request is legitimate.
BEC strategies frequently use subject lines showing urgency or a personal touch to prompt immediate action. Examples of these terms are:
The email body mirrors this deceptive approach, using calculated phrasing to convince the victim to act. Rather than embedding malicious links, BEC attackers weaponize persuasive language to enhance the credibility of their scams. Emerging trends in BEC schemes leverage artificial intelligence (AI) to craft highly convincing messages that closely mimic legitimate communication styles, making the scam harder to detect.
Scammers often turn to free online tools and services to make their BEC attacks seem real and to avoid security filters. For example, they often:
BEC phishing scams are becoming increasingly difficult to detect, but a multifaceted approach using best practices and security technologies can help minimize the frequency and impact of BEC attacks. Here's how you can fortify your defenses:
Securing sensitive company data in today's threat landscape requires more than just a strong password. Multi-Factor Authentication (MFA) is no longer optional: it's a necessity. This secure access control requires two or more verification factors, such as a fingerprint or a token, before granting access to resources. That extra layer of verification helps keep out attackers who hold only a stolen password.
To defend against BEC scams targeting critical employees, enforce MFA across your entire organization, especially for roles like senior executives, financial approvers, system administrators, and human resources personnel.
The growing prevalence of hybrid work means organizations rely more on digital communication, making email security more vital than ever. While email platforms offer fundamental, built-in protections, these measures aren't foolproof.
To defend against BEC, phishing, and malware attacks, look for a comprehensive email security solution like Cisco Secure Email Threat Defense that delivers:
BEC attackers exploit busy routines, counting on employees overlooking deceptive emails during a hectic workday. Though challenging, it's crucial to cultivate a culture of security mindfulness across all levels of your organization.
Train employees to look for these signs of a business email compromise scheme:
Employees should trust their instincts and not be afraid to investigate. When in doubt, they should call the sender or send a separate email rather than replying to the one sent.
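The signs described above (forged and lookalike sender domains, executive impersonation, urgency-laden subject lines, and a reply address that quietly differs from the visible sender) can also be checked by a mail gateway or SOC triage script before a message ever reaches an employee. The following Python script is an added example written for this article; it is not Cisco's product code and it does not implement any named vendor's detection logic. It assumes a small, constructed configuration (the trusted domains, the list of protected executive names, and the urgency keyword list are all made up for the example) and assumes the upstream gateway stamps an Authentication-Results header carrying SPF/DKIM/DMARC verdicts. The sample messages are constructed, not real phishing samples.

```python
"""Heuristic BEC triage for a single RFC 5322 message (added example, not vendor code)."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed organisation-specific configuration (assumption for this example).
TRUSTED_DOMAINS = {"example.com", "example-partner.com"}
# Executives whose display names attackers impersonate (constructed).
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}
# Constructed keyword list; the article names urgency and payment language as an indicator.
URGENCY_TERMS = ("urgent", "immediately", "asap", "wire", "gift card",
                 "direct deposit", "confidential", "quick request")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Collapse common homoglyph substitutions before comparing with trusted domains."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("0", "o"), ("1", "l"), ("vv", "w")):
        d = d.replace(src, dst)
    return d


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def auth_results(msg) -> dict:
    """Extract spf/dkim/dmarc verdicts from Authentication-Results (assumed gateway header)."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def analyze(raw: str) -> dict:
    """Return a score, a verdict and the list of BEC indicators found in one message."""
    msg = message_from_string(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")

    # 1. A protected executive's display name on a sender domain we do not trust.
    if display.strip().lower() in PROTECTED_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append("display-name impersonation of a protected executive")

    # 2. Lookalike domain: visually close to a trusted domain but not identical.
    if from_domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize_domain(from_domain) == trusted or 0 < levenshtein(from_domain, trusted) <= 2:
                findings.append(f"lookalike domain {from_domain} resembles {trusted}")
                break

    # 3. Reply-To steers the conversation to a domain other than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"reply-to domain {domain_of(reply_addr)} differs from sender domain")

    # 4. A trusted domain whose DMARC check did not pass is a forged-address candidate.
    auth = auth_results(msg)
    if from_domain in TRUSTED_DOMAINS and auth.get("dmarc", "missing") != "pass":
        findings.append(f"dmarc={auth.get('dmarc', 'missing')} for trusted domain {from_domain}")

    # 5. Urgency or payment language in the subject or body.
    text = f"{subject}\n{body}".lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("urgency or payment language: " + ", ".join(hits))

    score = len(findings)
    verdict = "hold for review" if score >= 2 else ("flag" if score == 1 else "clean")
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample messages for demonstration (not real phishing samples).
SAMPLE_BEC = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@freemail.example
To: accounts-payable@example.com
Subject: Urgent wire request - confidential
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none
Content-Type: text/plain

I am in a meeting and need you to process a wire immediately. Keep this confidential.
"""

SAMPLE_SPOOFED = """\
From: Jane Doe <jane.doe@example.com>
To: payroll@example.com
Subject: Quick request
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Content-Type: text/plain

Please update my direct deposit to the account below before payroll runs.
"""

SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: accounts-payable@example.com
Subject: Q3 budget review notes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain

Attached are my notes from the budget review. No action needed.
"""

if __name__ == "__main__":
    for name, raw in (("BEC", SAMPLE_BEC), ("SPOOFED", SAMPLE_SPOOFED), ("BENIGN", SAMPLE_BENIGN)):
        print(name, analyze(raw))
```

A message that trips two or more indicators is held for a human to verify through a separate channel, which mirrors the advice above to call the sender or start a fresh email rather than reply. The keyword check is the noisiest of the five and is only a tiebreaker; the domain, display-name, Reply-To and DMARC checks carry the real signal, which is exactly why the article stresses that BEC detection cannot rest on link and attachment scanning alone.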
BEC fraud thrives on superficiality and haste. To stay ahead, foster a thoughtful, security-conscious culture and arm your staff with up-to-date knowledge and resources.
In the fight against BEC, quick, organized responses to threats are vital. Set clear escalation protocols so employees can immediately report unusual activities, helping to stop BEC attempts in their tracks. This structured approach is essential but works best when paired with an open company culture.
Encourage a workspace where everyone feels responsible for security and is comfortable raising suspicions, even if they're unsure. This open dialogue often catches inconsistencies that formal procedures might miss.
To reinforce this approach, encourage team members to:
Business email compromise attacks exploit human trust to steal data and millions of dollars from organizations. Though strong email protection is the first line of defense against BEC phishing, an educated, empowered, and confident workforce is crucial to identifying and stopping these attacks.