What is Business Email Compromise?
Business Email Compromise (BEC) is a scam where a cybercriminal uses a falsified business email to trick the recipient into disclosing sensitive information, sending funds to the criminal by wire transfer, or diverting payroll.
There are at least four types of BEC scams that cybercriminals are actively using to defraud major organizations and their employees around the world:
- CEO/Executive Impersonation – The cybercriminal uses email spoofing and other techniques to impersonate the CEO or another executive in the company. They then send emails to the finance and accounts payable (AP) departments with instructions to send funds or divert payroll to the criminal’s bank account.
- Vendor Fraud – The cybercriminal uses email spoofing to impersonate one of the target organization’s vendor partners. They may then send emails containing false invoices and requesting payment to the criminal’s bank account.
- Attorney Impersonation – The cybercriminal creates a spoofed email address to impersonate a legal representative of the targeted business. They may then use that email to contact lower-level employees, win their trust, and trick them into disclosing sensitive data or sending money.
- Email Account Takeover – The cybercriminal gains access to a business email account, often one belonging to an executive or an HR employee. They may then use this access to steal organizational data, including the personal information of employees, or to send fraudulent emails to other employees in an attempt to steal money.
BEC scams are among the most damaging cybercrimes, with over $4.1 billion in financial losses reported to the Internet Crime Complaint Center (IC3) in 2020 alone (Internet Crime Report 2020).
How Does Business Email Compromise Work?
BEC scams come in many different varieties, but most of these attacks follow a fairly consistent pattern of methods and techniques. Here’s how cybercriminals go about executing a BEC attack:
Step One: Targeting + Intelligence Gathering
Cybercriminals start the BEC attack process by selecting a target. They work diligently to discover the names and email addresses of the executive leadership, vendors, legal team, and employees of the business they wish to attack. They may search business email databases and social media profiles and visit company websites to gather the information they need to launch a BEC attack.
Step Two: Email Spoofing + Attack Initiation
Next, the cybercriminal will use email spoofing techniques to impersonate a business executive, legal representative, or vendor. This could involve forging email message headers, creating a look-alike domain name, or using a falsified display name. When the email spoofing is complete, the cybercriminal can start sending fraudulent emails to employees of the target business.
Step Three: Social Engineering
Cybercriminals use social engineering techniques in their emails to convince the recipient to disclose sensitive data or send money.
Impersonating a high-ranking executive or legal representative of the targeted business allows scammers to leverage tactics that include:
- Invoking Authority – When an employee receives a special request from a high-ranking member of the business, they’re more likely to follow it without questioning its contents.
- Creating Urgency – A scammer posing as an executive leader to steal from a business will target employees with emails marked urgent. Emphasizing the urgency of a request encourages the recipient to act quickly and decisively on the request without properly verifying its authenticity.
- Feigned Secrecy – A cybercriminal posing as a business leader might contact an employee with a “secret” or “special” request. This creates a pretense for requesting confidentiality when the real goal is to prevent the employee from discussing the request with colleagues and uncovering the scam.
- Scare Tactics – Scammers may also use scare tactics, threatening employees with consequences if they don’t quickly follow the instructions in the email.
Step Four: Fraud or Data Theft
BEC scam emails end with a call to action that results in the recipient disclosing their private information or sending money to the scammers. This call to action usually comes at the end of a made-up story that creates a false pretense for the recipient to follow the instructions in the email.
Some common calls to action ask:
- An employee to send a wire payment to a vendor.
- An employee to purchase gift cards that will be distributed as prizes to other employees.
- An HR representative to change someone’s payroll details to deposit funds into the criminal’s bank account.
- An employee to share their Intranet access credentials.
When email spoofing and social engineering techniques are successful, it becomes increasingly likely that the recipient of a scam email will believe the story and follow the call to action. When this happens, cybercriminals can get away with sensitive company data and thousands or even millions of dollars in cash. In one famous incident, an employee at a major auto parts supplier was persuaded by scammers to make a wire transfer of over $37 million.
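An added example, not from the original article, of how a defender can check an inbound message for the spoofing indicators described in Steps Two and Three: a display name that embeds a trusted address, a look-alike sender domain, a Reply-To that diverts replies, and urgency or secrecy wording. The trusted domain, keyword list and the sample message are constructed assumptions.

```python
# Added example, not part of the original article. The trusted domain, the
# keyword list and the sample message below are constructed for illustration.
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # assumption: the organisation's own domain
URGENCY_WORDS = ("urgent", "immediately", "asap", "confidential", "do not discuss")


def bec_indicators(raw_msg: str) -> list[str]:
    """Return human-readable findings for one RFC 5322 message (empty = clean)."""
    msg = message_from_string(raw_msg)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    # 1. Falsified display name: it carries a trusted address while the
    #    real sender address sits on some other domain.
    claimed = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if claimed and claimed.group(1).lower() in TRUSTED_DOMAINS and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name shows a trusted address but sender is @{from_domain}")
    # 2. Look-alike domain: close to, but not equal to, a trusted domain.
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and difflib.SequenceMatcher(None, from_domain, trusted).ratio() > 0.8:
            findings.append(f"look-alike domain {from_domain} resembles {trusted}")
    # 3. Forged headers: Reply-To steers answers to a domain other than From.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.rpartition("@")[2].lower() != from_domain:
        findings.append(f"Reply-To {reply_addr} differs from the From domain")
    # 4. Social-engineering cues: urgency and secrecy wording in subject/body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency/secrecy language: " + ", ".join(hits))
    return findings


# Constructed sample: display name embeds the real CEO address, the sender is a
# one-character look-alike domain, and replies are diverted elsewhere.
SAMPLE = """From: "Jane Doe <ceo@example.com>" <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-relay.invalid
Subject: URGENT wire needed today
Content-Type: text/plain

Please process the attached vendor invoice immediately and keep this confidential.
"""

if __name__ == "__main__":
    print(*bec_indicators(SAMPLE), sep="\n")
```

Run against the sample it reports all four indicators; a plain internal message from the trusted domain with no urgency wording produces no findings.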
Who is at Risk of Business Email Compromise?
Organizations of all sizes have been targeted by BEC scammers, including corporations, government agencies, and non-profit NGOs. While CEOs, attorneys, and other high-ranking roles may be most likely to be impersonated by scammers, all organizational employees are potential targets for scam emails.
Employees in HR and accounting departments with access to personal employee information and financial resources should be especially diligent in verifying the sender of an email before actioning any ad-hoc requests to disclose data or send money.
Why is Business Email Compromise Such a Problem?
Business email compromise is a massive source of vulnerability for organizations in 2021. It’s also difficult to protect against, as the majority of BEC attacks rely on social engineering techniques rather than technical exploits. This means these scammers exploit human nature – our willingness to trust, desire to please others, and our tendency to be caught off guard by the unexpected.
This makes it difficult to counteract BEC attacks with purely technical solutions and creates a need for organizations to educate and train their employees on how to recognize and report scam emails.