What is Business Email Compromise (BEC)? | EasyDMARC


Business email compromise (or BEC for short) is a category of cyberattack that involves targeting, impersonating, or taking over business email accounts. This type of attack has surged in popularity as more businesses have moved to cloud-based infrastructure in recent years.

Such cloud-based networks are great for businesses but have notoriously weak security, especially considering how much access they give to a company’s inner workings. Overall, they’ve become major targets for hackers.

Business email compromise is a worldwide issue for small and large businesses alike. In total, BEC attacks have cost companies billions of dollars over the years. But they’re not impossible to prepare for and prevent. Read on to learn how you can defend yourself and your business against business email compromise attacks.

What is BEC?

Before we go over prevention measures, let’s explore the business email compromise definition in depth. So, what is BEC?

It’s a social engineering attack that targets a victim in a company and sends a legitimate-seeming email that claims to be from a trusted source. The email typically requests money or information of some kind for a supposedly genuine reason. Upon closer inspection, it’s usually apparent that the sender is not who they claim to be.

How Does Business Email Compromise Work?

With the amount of damage that this type of scam has caused, the FBI has investigated the matter extensively. They define five major categories for BEC attacks:

  • Bogus Invoice Scheme: The attacker pretends to be one of the company’s goods or services providers and sends an invoice requesting that funds be sent to a false account.
  • CEO Fraud: The attacker impersonates an executive in the company and emails an individual employee requesting either information or funds.
  • Account Compromise: The attacker gets hold of an employee’s email account and uses it to request that payments for various services be made into the attacker’s false bank accounts.
  • Attorney Impersonation: The attacker appears to be a legal representative and targets members of a company with low knowledge of the business’s legal affairs. Once they’ve established a false sense of authority, they make requests for funds or information.
  • Data Theft: Attackers target HR and other employees to attain sensitive data about the company or even personal information about higher-ups and executives. This information can be used against the company in the future.

The above methods require some way for the attacker to take advantage of human error and acquire data. There are three common ways to do this:

  • Official Domain Spoofing: The attacker creates a false site or email account where the domain mirrors the official domain. This is then used to trick individuals into trusting them and following any demands.
  • Lookalike Domain Spoofing: The attacker creates a domain with a typo or slight alteration of the official domain’s name. Usually, this involves a fake website or email account that purposefully replicates the official version. The goal is to exploit employees who miss the small alteration to the domain. 
  • Compromised Accounts: The attacker gets hold of an official account and uses it to take advantage of any connections the individual has. Anyone who trusts that account is at risk, and the attacker exploits this to spread their scams.

Business Email Compromise Examples

Now that we know the “how” of BEC attacks, let’s discuss a few real cases. Here are some known business email compromise examples from the last several years:

  • Toyota, 2019: An attack that targeted Japan’s Boshoku Corporation’s CEO ended up costing the company $37 million due to a false wire transfer scam.
  • COVID-19 Health Organizations, 2020: When the public’s desire for information on the pandemic rapidly began to soar, so too did scam opportunities. Using fake domains intended to resemble various trusted organizations like the World Health Organization, scammers spread malware and misinformation as efficiently as the disease itself.
  • Treasure Island Homeless Charity, 2021: Attackers always look for weak links to exploit, and most charities lack cybercrime insurance. This San Francisco-based charity was no exception. Hackers got into the system via a bookkeeper’s email and initiated a month-long attack, resulting in losses of $625,000.

Why is BEC Effective?

While malware and viruses can be prevented and defended against, human error is a factor that all systems suffer from. Business email compromise (BEC) attacks take advantage of this component as much as possible. 

Whether they target someone on the bottom of the corporate ladder or the very top, attackers are bound to find a mistake or slip somewhere. They exploit this to gain a foothold, acquire information, and even siphon funds from the company. The process is similar, whether it’s a small five-person team or a several thousand-employee mega-corporation.

How to Avoid BEC Attacks

Since BEC attacks prey on simple mistakes, there are steps you can take to avoid them. Here are a few tips to help you and your team prevent business email compromise:

Don’t Overshare on Social Media

Always be mindful of what information you’re sharing on social media. If an attacker is determined enough, they’ll go digging. And they’ll find details to use as hooks to further the attack.

Don’t Rush into Taking Action, Especially if Pushed

A sense of urgency in emails and messages (especially from sources you don’t trust/recognize) should always be taken with a grain of salt. What’s the hurry? If their reason for rushing you into action is vague or sounds suspicious, don’t fall for any demands. Take your time, and don’t make rash decisions just because an email sounds frantic.

Verify the Sender, the Address, the URL, etc.

This one requires a careful eye. Take extreme caution in ensuring and double-checking the validity of any URLs, domains, senders, etc. You can talk to the sender over the phone, check the links for any typos and make sure the email address is on your contact list.
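The typo check described here, and the lookalike-domain trick covered earlier in the article, can be automated on the receiving side. The following Python is an added example, not EasyDMARC code; the trusted domains, the small confusables table and the distance threshold of 2 are assumptions chosen for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list; both domains are placeholders, not from the article.
TRUSTED_DOMAINS = {"example.com", "supplier-example.net"}

# Tiny confusables table (an assumption for illustration; production checks
# should use the full Unicode confusables data).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, e, o
})

def skeleton(domain):
    """Fold look-alike characters so visually similar domains compare equal."""
    folded = domain.lower().translate(CONFUSABLES)
    return folded.replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_trusted_domain) for a From: header value."""
    _, addr = parseaddr(from_header)
    local, at, domain = addr.rpartition("@")
    domain = domain.lower()
    if not at or not local or not domain:
        return ("invalid", None)
    if domain in trusted:
        return ("trusted", domain)
    for good in sorted(trusted):
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 2:
            return ("lookalike", good)   # near miss of a domain we trust
    return ("external", None)            # unknown sender: label, then verify

if __name__ == "__main__":
    # Constructed From: headers.
    for hdr in ["Alice <alice@example.com>", "CEO <ceo@examp1e.com>",
                "Billing <ap@exarnple.com>", "News <n@unrelated.org>"]:
        print(hdr, "->", classify_sender(hdr))
```

A "lookalike" verdict is the case worth quarantining or escalating; "external" is the case for a warning banner and out-of-band verification.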

Set Up Two or Multifactor Authentication

While most people groan and roll their eyes at any prompt to upgrade their account’s security with multi-step verification, it really is a good idea. Simply put, it’s another added layer of protection that’ll keep attackers from preying on your account.

Label External Emails

Be cautious of any emails that aren’t in your contacts or business’ directories. Always scrutinize first-time emailers before opening or interacting with anything they send.

Verify Requests in Person Even if They’re from the Bosses

Requests and demands (especially those dealing in information or transactions) should be verified person-to-person. Don’t take a friendly message from the “boss” at face value. Confirm that they are the official sender.

Implement DMARC and Anti-Phishing Protection

DMARC (Domain-based Message Authentication, Reporting, and Conformance) and other anti-phishing protocols have become vital for reducing the number of BEC attempts that reach employees in the workplace. Such security measures greatly reduce the chance of human error that creates cracks in a system’s security. That’s why businesses massively benefit from implementing protocols like DMARC.
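How much protection a published DMARC record actually gives depends on its tags. The Python below is an added example (not EasyDMARC's tooling) that audits a record string offline using the standard RFC 7489 tags; the sample records, the finding codes and example.com are constructed for illustration.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}

def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a dict; tag names are lowercased."""
    tags = {}
    for part in txt.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags

def audit_dmarc(txt):
    """Return a list of finding codes; an empty list means an enforcing record."""
    tags = parse_dmarc(txt)
    # v=DMARC1 must be the first tag, otherwise receivers ignore the record.
    if next(iter(tags), None) != "v" or tags["v"] != "DMARC1":
        return ["NOT_DMARC"]
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return ["BAD_POLICY"]                    # p= is required
    findings = []
    if policy == "none":
        findings.append("MONITOR_ONLY")          # failing mail is still delivered
    # sp= sets the subdomain policy and defaults to p= when absent.
    if policy != "none" and tags.get("sp", policy).lower() == "none":
        findings.append("SUBDOMAINS_UNPROTECTED")
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append("PARTIAL_ENFORCEMENT")   # policy applied to only pct% of failures
    if "rua" not in tags:
        findings.append("NO_AGGREGATE_REPORTS")  # no address receives aggregate reports
    return findings

# Constructed sample records (example.com is a placeholder domain).
SAMPLES = {
    "weak": "v=DMARC1; p=none",
    "partial": "v=DMARC1; p=quarantine; sp=none; pct=25; rua=mailto:dmarc@example.com",
    "strong": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for name, record in SAMPLES.items():
        print(name, audit_dmarc(record) or "OK")
```

DMARC enforcement stops mail that forges your exact domain; lookalike domains and compromised accounts still need the other checks in this list.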

Final Thoughts

While systems can be compromised from common human mistakes that anyone can make, there are plenty of ways to prevent and defend against BEC scams. Be cautious and make sure that all team members keep their wits about them online. 

Always verify email accounts, first-time emailers, and URLs, and don’t rush into rash decisions. Confirm important requests in person and set up two- or multi-factor verification. Lastly, implement security measures like DMARC to reduce BEC attacks and help keep your organization and employees safe.

Content Team Lead | EasyDMARC
Hasmik talks about DMARC, email security, and cyberawareness. She finds joy in turning tough technical concepts into approachable and fun articles in plain language.

