How To Prevent Business Email Compromise (BEC) Scams

FACT: Business email compromise attacks led to global losses of over $50 billion last year, according to the IC3.

This reflects a 58% increase in financial losses since 2020.

According to Microsoft, there are over 156,000 BEC attempts every day.

Clearly, BEC scams post a serious threat to organizations of all sizes.

In this post, you’ll learn the common tactics threat actors use and how to defend against them.

Table of contents:

What are business email compromise scams?

Business email compromise (BEC) scams are a subset of phishing attacks where criminals attempt to defraud organizations by impersonating executives, employees, or trusted third parties via email. The attackers send emails with urgent requests for wire transfers, fake invoice payments, or updating vendor payment details. These emails often contain an element of secrecy to deter the recipient from verifying the request through other communication channels. The goal is to trick the recipient into transferring money or providing sensitive information to the scammer.

Types of business email compromise scams

BEC attacks can be categorized into several distinct types, each leveraging different tactics to trick victims and exploit businesses. Here are the primary types of BEC attacks:

• CEO Fraud: In this type of scam, attackers impersonate a high-level executive, such as the CEO or CFO, and send emails to employees within the finance department requesting urgent wire transfers to a fraudulent account.
• Invoice Fraud: Attackers pose as a vendor or supplier known to the company. They send a fraudulent invoice that appears legitimate, often with updated payment details that direct funds to an account controlled by the scammer.
• Attorney Impersonation: Scammers pretend to be a lawyer or someone from a law firm supposedly handling confidential and time-sensitive matters. This type is typically aimed at manipulating employees into transferring funds or revealing sensitive information during what is portrayed as a critical time.
• Email Account Compromise: An employee’s email account is hacked and is used to request payments to vendors listed in their email contacts, but the payment details are altered to divert funds to the scammer’s bank account.
• Data Theft: Scammers target employees who have access to sensitive personal information, such as HR staff, and request details about other employees or company executives. This data can be used for future attacks or sold on the dark web.
• Change of Bank Account Details: This is a common tactic where scammers posing as regular vendors or partners of the company send a phony request to update banking information, ensuring that payments will be redirected to an account they control.

How do BEC scams work?

Most BEC scams use a series of steps that leverage deception, impersonation, and manipulation. Here’s a breakdown of how BEC attacks typically works:

1. Targeting and Research: Attackers start by choosing a target organization and gathering intelligence. They research and identify key individuals within the organization, especially those with the authority to make payments or access sensitive financial information. This phase may involve studying the company’s structure, the roles and responsibilities of employees, and their communication patterns.
2. Impersonation: Once they have the necessary information, attackers craft emails that appear to come from a trusted source, such as a senior executive, a trusted vendor, or a partner company. This involves either spoofing an email address (making the email appear to come from a legitimate source) or hacking into actual email accounts (EAC).
3. Crafting the Attack: The email message typically involves an urgent request for a wire transfer, payment of an invoice, or the provision of confidential data. The message often stresses the need for secrecy or immediate action, exploiting the victim’s trust and bypassing normal verification processes.
4. Execution: If the attack is successful, the victim follows the instructions in the email, leading to unauthorized financial transactions or data leaks. Funds are transferred to accounts controlled by the attackers, or sensitive information is leaked, which can be used for further attacks.
5. Discovery and Reporting: The fraud is often only discovered after the transaction has been completed, at which point it’s often too late to recover the funds or leaked information. Reporting the incident to authorities and initiating your incident response plan then becomes crucial.

Business email compromise examples

BEC scams can affect any organization regardless of their size or industry. Here are some high-profile known examples:

• Ubiquiti Networks: In 2015, attackers impersonated the company’s executives to trick staff into initiating unauthorized international wire transfers totaling USD 46.7 million to third-party accounts.
• Mattel: In 2018, toy maker Mattel lost $3 million in a business email compromise attack manipulating an executive into wiring funds to a bank account in Wenzhou, China.
• FACC (Aerospace Manufacturer): In 2016, FACC, an Austrian manufacturer of aerospace components, lost €50 million ($54 million) due to a spear-phishing attack that impersonated the CEO, tricking an employee into transferring the funds to Slovakia and Asia.

What should I do if I’ve been targeted by a business email compromise scam?

BEC scams are more challenging to defend against because they exploit human psychology rather than technical vulnerabilities. Even so, there are a number of steps you can take both during an attack as well as before hand to help mitigate the impact.

1. Notify Your Financial Institution: Immediately contact your bank to request that they stop or reverse any transactions that are fraudulent. This step is critical if the funds have not yet been completely transferred out.
2. Contact Law Enforcement: Report the incident to local law enforcement and possibly to national authorities who handle financial fraud, such as the FBI in the United States. In the U.S., you can also report to the Internet Crime Complaint Center (IC3).
3. Secure Your Email Systems: Change passwords and enhance security measures for your email accounts. If not already enabled, turn on two-factor authentication and review account settings for any unauthorized changes.
4. Internal Review: Conduct an internal review to determine how the breach occurred. Check for any signs of malware or persistent threats within your network that might have been part of the attack.
5. Communicate with Your Team: Inform relevant staff and departments about the compromise, especially those in finance, IT, and security roles. Provide them with information about what happened and how to avoid similar scams in the future.
6. Seek Legal and Professional Advice: Consult with legal counsel regarding the incident, especially if sensitive data was compromised. Consider engaging an external cybersecurity firm to conduct a pen test for a thorough audit of your systems.
7. Employee Training: Use this incident as a learning opportunity to train employees on the importance of cybersecurity, emphasizing the need to verify suspicious emails and requests for transfers or confidential information carefully.
8. Review and Strengthen Policies: Review your existing policies related to wire transfers and sensitive requests. Implement stricter verification processes to ensure that similar attempts are stopped in the future.
9. Implement Advanced Email Security Solutions: Use email clients that include features like anti-phishing and anti-spoofing. Ensure that your DNS has DMARC (Domain-based Message Authentication, Reporting & Conformance), SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail) configured.
10. Multi-Factor Authentication (MFA): Enforce MFA for accessing email accounts and other sensitive systems. This adds an extra layer of security, making it harder for attackers to gain unauthorized access even if they have the password.
11. Verify Changes in Payment Instructions: Always verify changes in payment details or unusual financial requests directly through known and previously established communication channels, not via email.
12. Create an Incident Response Plan: Have a clear plan in place for responding to detected security incidents, including who to contact, steps to contain the breach, and how to recover lost data.
13. Dark Web Monitoring: Implement dark web monitoring to detect if your organization’s sensitive information, such as login credentials or other session data, have been exposed or are being sold on the dark web. This allows you to respond quickly to potential threats by resetting compromised credentials before attackers can use them in BEC or other types of cyber attacks. It’s particularly useful in spotting breaches early, often before the data is used for fraudulent purposes.

If your team needs visibility into your organization’s leaked credentials, book a demo to learn how Breachsense can help.