What is Business Email Compromise (BEC)?
BEC meaning and definition
BEC stands for business email compromise. This type of security concern occurs when a threat agent gains unauthorized access to a company's email account or impersonates a trusted individual to execute fraudulent activities, such as acquiring sensitive information or transferring funds. The attacker often uses social engineering tactics to achieve their goals.
According to the 2021 IC3 report, "BEC is responsible for $2.4 billion in adjusted losses in 2021, and a 556% increase since 2016."
BEC is expected to continue growing given the increase in remote workers, openly available generative AI tools, and the multitude of business-related accounts organizations maintain. Each of these factors adds potential attack paths for threat actors, so keeping email accounts secure is becoming increasingly challenging.
What is a BEC attack?
Business Email Compromise (BEC) is a type of cyber-attack in which an attacker impersonates a trusted individual, such as a senior executive or a vendor, to trick an organization or individual into divulging sensitive information or transferring funds. This attack vector has become increasingly prevalent in recent years, resulting in significant financial losses for businesses of all sizes.
In a typical BEC attack, the attacker conducts extensive research to learn about their target organization, including its key personnel, vendors, and business processes. They will then use this information to craft convincing emails that appear to come from a trusted source, often with a sense of urgency or importance, in order to prompt the recipient to take immediate action.
Now, with advancements in generative AI technology, BEC is becoming more common. Threat actors can generate believable textual messages and impersonate individuals, increasing their likelihood of tricking victims.
Types of BEC attacks
To understand the various methods cybercriminals use to exploit businesses through email, let's explore some common business email compromise examples:
CEO Fraud
CEO fraud occurs when attackers impersonate a CEO to trick other members of an organization into revealing sensitive information.
Data Theft
Threat actors attempt to obtain valuable personal information about an individual at a company. They could then use this information to launch future attacks.
Email Account Takeover
This attack occurs when a threat actor takes over an employee's email account and uses those legitimate credentials to request valuable information from others within the organization.
Lawyer/Attorney Fraud
Posing as the organization's lawyer, a threat actor contacts lower-ranking individuals in an attempt to obtain sensitive information.
Account Compromise
In an account compromise BEC attack, attackers gain access to an organization's email account through phishing or malware. They then send fraudulent invoice requests, altering payment details to redirect funds to their own accounts. For example, they might use a finance employee's email to send fake invoices, directing payments to a deceptive bank account.
What are some identifiers of a BEC attack?
Spotting a BEC attempt involves being aware of specific characteristics often found in these fraudulent emails. BEC emails typically include a sense of urgency, employing words like "quick," "urgent," or "important" to prompt swift action. They often impersonate authoritative figures such as CEOs or CFOs, using tactics like mimicking the person’s writing style or spoofing their email address with minor modifications to trick recipients.
Attackers provide detailed instructions to create an illusion of legitimacy. If they request a fund transfer, they will specify an exact amount and provide a reason for the request to enhance its credibility. Additionally, BEC emails may instruct recipients not to contact the sender or verify the request with others to avoid detection. By being vigilant about these red flags, recipients can better protect themselves from falling victim to BEC attacks.
Learn how modern threat actors use AI to turbo-charge their BEC attacks in the white paper "Beyond the Inbox: A Guide to Preventing Business Email Compromise."
Business Email Compromise (BEC) vs Email Account Compromise (EAC)
In both cases, threat actors seek to disrupt or damage systems in order to carry out malicious activity. However, a business email compromise involves impersonating an important figure in an organization to trick an employee. This is considered a social engineering tactic.
Email Account Compromise (EAC), on the other hand, is the act of stealing legitimate login credentials. Phishing or social engineering is sometimes used to do so, but EAC is not primarily a social engineering tactic the way BEC is. Instead, EAC is defined by the attacker gaining access to login credentials.
Who does BEC target?
Any individual or company can be targeted by a BEC attack. If you work at a small organization without a robust security infrastructure, be particularly mindful of the communication patterns between yourself and other high-ranking members.
Executives
Threat actors are likely to research high-ranking individuals in an organization because their public-facing accounts offer a lot of information. These individuals are likely to be impersonated for that reason, and because using their name in an email may alarm the recipient or convey urgency.
New Employees
Attackers often impersonate high-ranking officials in an organization to trick new employees into divulging sensitive information, since new hires are less familiar with who normally contacts them and how.
Employees with access to sensitive information
HR employees and those in the finance department are particularly vulnerable to BEC attacks because they have access to other employees' financial and personal information.
How to protect against a BEC attack
Business Email Compromise (BEC) attacks are sophisticated forms of social engineering that can bypass standard security tools, as they often do not contain malicious links or malware. To effectively protect against BEC attacks, both organizations and individuals must adopt comprehensive security measures and remain vigilant.
Organizational Strategies
- Enhance Visibility of Account Activity and User Behavior: Implement systems that monitor and analyze account activities to detect unusual patterns indicative of a BEC attempt.
- AI-Powered Security Solutions: Utilize advanced AI-driven security solutions to assist in identifying and responding to AI-powered attacks more effectively.
- Automated Detection and Response: Deploy automated systems that promptly detect and respond to potential BEC threats.
- Employee Training and Awareness: Conduct regular training sessions to ensure employees, especially those in vulnerable positions, can recognize and respond to BEC attempts.
- Regular Software Updates: Keep all software and security systems up to date to protect against known vulnerabilities.
Individual Precautions
- Scrutinize Unusual Communications: Be cautious of emails from high-ranking officials that seem out of the ordinary. Verify any unexpected requests directly through known communication channels.
- Carefully Assess Emails: Pay close attention to the details in emails, especially those requesting sensitive actions. Look for signs such as unusual language, poor grammar, or a sense of urgency that might indicate a scam.
- Verify Requests for Money: Adhere to your organization's established procedures for money transfers and information sharing. Be suspicious of any attempt to bypass these protocols via email.
A successful BEC attack can be extremely costly and damaging, but proactive measures can significantly reduce the risk. Here are some essential tips:
- Use Multi-factor Authentication (MFA): Enable MFA to enhance email security. This method requires a second form of verification, such as a code, PIN, or fingerprint, in addition to a password.
- Implement Anti-Phishing Protections: Deploy advanced anti-phishing solutions to identify BEC red flags, such as mismatched reply-to and sender addresses. These solutions should also use machine learning to analyze email language for indications of an attack.
- Employee Training: Regularly educate employees on identifying and responding to BEC attacks. Conduct simulations of BEC scams to ensure they recognize warning signs like phishing links and domain mismatches.
- Set Security Defaults: Administrators should enforce stringent security measures, such as mandatory MFA, challenging new or risky access attempts, and enforcing password resets if credentials are compromised.
- Email Authentication Tools: Protect against email spoofing by using authentication protocols like Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM).
- Adopt a Secure Payment Platform: Shift from emailed invoices to secure payment systems designed to authenticate transactions and prevent fraudulent activities.
- Use Secure Email Solutions: Utilize email platforms that automatically flag and delete suspicious emails or alert users to unverified senders.
- Label External Emails: Configure email systems to mark emails coming from outside the organization as external, helping to identify potential impersonation attempts.
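As an added example (not code from this page or from Darktrace), the following Python script checks a single email message for the red flags described in the identifiers section and in the list above: a Reply-To domain that differs from the sender's, a display name that matches an executive but not their real address, a lookalike domain, urgency wording, and instructions not to verify the request. The organization domain, the executive directory, and both sample messages (including the dollar amount) are constructed assumptions.

```python
import difflib
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed assumptions for this example: the organization's own domain and
# a tiny directory mapping an executive's display name to their real address.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY = re.compile(r"\b(urgent|quick|important|immediately|asap)\b", re.I)
NO_VERIFY = re.compile(r"\b(do not|don't|please don't) (call|contact|verify|check)\b", re.I)

# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-example.net
To: bob@example.com
Subject: Urgent wire transfer
Content-Type: text/plain

Bob, I need you to wire $48,200 to the vendor today for the acquisition.
Please do not call me, I am in meetings all day. Confirm once done.
"""
BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: bob@example.com
Subject: Quarterly review notes
Content-Type: text/plain

Attached are the notes from yesterday's review. Thanks.
"""

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_red_flags(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", from_addr))  # default: replies go to From
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    text = f"{msg.get('Subject', '')}\n{msg.get_content()}"
    flags = []
    if from_dom != ORG_DOMAIN:
        flags.append("external sender")  # what an "external" banner would mark
        # Lookalike domain: visually close to the org's domain but not equal to it
        if difflib.SequenceMatcher(None, from_dom, ORG_DOMAIN).ratio() >= 0.8:
            flags.append(f"lookalike domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    real = EXECUTIVES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        flags.append(f"display name '{from_name}' impersonates {real}")
    if URGENCY.search(text):
        flags.append("urgency language")
    if NO_VERIFY.search(text):
        flags.append("discourages verification")
    return flags

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, bec_red_flags(raw))
```

The constructed suspicious message trips all six checks while the benign one trips none; in practice such heuristics feed a triage score or a quarantine rule rather than replacing the out-of-band verification the list above recommends.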
Challenges organizations face preventing BEC attacks
Preventing Business Email Compromise (BEC) attacks presents several challenges. Attackers often use legitimate domains, low-volume tactics, and pass DMARC checks, making detection difficult. Employee education is crucial but challenging to maintain, as awareness levels can wane over time. Balancing effective security measures with uninterrupted business operations is another key challenge.
Delivery Tactics
- Legitimate Sources: Attackers often leverage compromised accounts, making emails appear to come from trusted sources.
- No Attachments: BEC emails typically lack attachments, bypassing traditional malware scans.
Social Engineering Tactics
- Spoofing Executives: Attackers frequently impersonate high-level executives to add legitimacy and urgency to their requests.
Can businesses detect BEC attacks with traditional antivirus software?
Because BEC attacks often do not involve malware, traditional antivirus software cannot identify them. BEC primarily uses social engineering tactics. For that reason, you need advanced software with AI capabilities to detect them.
How can individuals protect against BEC attacks?
While organizations can implement robust security systems and training for their employees, individuals can follow these tips in order to stay ahead of BEC attacks:
Unusual Communication
Attackers will often impersonate high-ranking officials in an organization to trick new employees into divulging sensitive information. If it is unusual for your CEO or other high-ranking officials to communicate with you, be wary of such messages.
Assess your emails
With the high volume of email communication in the business world, it can be challenging to read every email carefully. However, if you are about to click a link or download a file, verify the sender's account and read the email closely, looking for unusual language or poor grammar. Be on the lookout for emails labeled "urgent," as attackers try to push victims into rash, hasty decisions, which increases the chance that the victim falls for the scam.
Requests for money
Most businesses have distinct processes to transfer money and keep strict regulations around how money moves in the business. If there is an attempt to bypass these regulations and transfer money or information via email, it is likely a scam.
Email Security Vendors: Darktrace's Approach to Email Security
Darktrace has developed a fundamentally different approach to email security, one that doesn’t learn what’s dangerous from historical data but forms an in-depth understanding of each organization and its users.
Darktrace / EMAIL focuses on individuals - how each person uses their inbox and what constitutes “normal” for each user - in order to detect what’s not normal. Our AI technology builds profiles for every email user, including their relationships, tone and sentiment, content and link sharing patterns, and thousands of other signals.
Because Darktrace understands the human behind email communications rather than relying on knowledge of past attacks, it can stop the most sophisticated and evolving email security risks, including generative AI attacks, BEC, account takeover, supply chain attacks, data loss, and ransomware.
To learn more about Darktrace / EMAIL read our Solution Brief.