BEC stands for business email compromise. This type of security concern occurs when a threat agent gains unauthorized access to a company's email account or impersonates a trusted individual to execute fraudulent activities, such as acquiring sensitive information or transferring funds. The attacker often uses social engineering tactics to achieve their goals.

According to the 2021 IC3 report. "BEC is responsible for $2.4 billion in adjusted losses in 2021, and a 556% increase since 2016."

BEC is expected to continue growing given the increase in remote workers, openly available generative AI tools, and the multitude of business-related accounts organizations have. These affordances increase the potential attack paths for threat actors. Thus, keeping email accounts secure is becoming increasingly challenging.

Business Email Compromise (BEC) is a type of cyber-attack in which an attacker impersonates a trusted individual, such as a senior executive or a vendor, to trick an organization or individual into divulging sensitive information or transferring funds. This attack vector has become increasingly prevalent in recent years, resulting in significant financial losses for businesses of all sizes.

In a typical BEC attack, the attacker conducts extensive research to learn about their target organization, including its key personnel, vendors, and business processes. They will then use this information to craft convincing emails that appear to come from a trusted source, often with a sense of urgency or importance, in order to prompt the recipient to take immediate action.

Now, with advancements in generative AI technology, BEC is becoming more common. Threat actors can generate believable textual messages and impersonate individuals, increasing their likelihood of tricking victims.

To understand the various methods cybercriminals use to exploit businesses through email, let's explore some common business email compromise examples:

CEO Fraud

CEO fraud occurs when attackers impersonate a CEO to trick other members of an organization into revealing sensitive information.

Data Theft

Threat actors attempt to obtain valuable personal information about an individual at a company. They could then use this information to launch future attacks. 

Email Account Takeover

This attack occurs when a threat actor obtains an employee's email and uses legitimate credentials to request valuable information from others within the organization.

Lawyer/Attorney Fraud

Impersonating as the lawyer for an organization, a threat actor will contact low-ranking individuals attempting to retrieve sensitive information. 

Account Compromise

In an account compromise BEC attack, attackers gain access to an organization's email account through phishing or malware. They then send fraudulent invoice requests, altering payment details to redirect funds to their own accounts. For example, they might use a finance employee's email to send fake invoices, directing payments to a deceptive bank account.

What are some identifiers of a BEC attack?

Spotting a BEC attempt involves being aware of specific characteristics often found in these fraudulent emails. BEC emails typically include a sense of urgency, employing words like "quick," "urgent," or "important" to prompt swift action. They often impersonate authoritative figures such as CEOs or CFOs, using tactics like mimicking the person’s writing style or spoofing their email address with minor modifications to trick recipients.

Attackers provide detailed instructions to create an illusion of legitimacy. If they request a fund transfer, they will specify an exact amount and provide a reason for the request to enhance its credibility. Additionally, BEC emails may instruct recipients not to contact the sender or verify the request with others to avoid detection. By being vigilant about these red flags, recipients can better protect themselves from falling victim to BEC attacks.

Learn how modern threat actors use AI to turbo-charge their BEC attacks in the white paper "Beyond the Inbox: A Guide to Preventing Business Email Compromise."

In both cases, threat actors seek to disrupt or damage systems in order to carry out malicious activity. However, a business email compromise involves impersonating an important figure in an organization to trick an employee. This is considered a social engineering tactic.

Email Account Compromise (EAC), on the other hand, is the act of stealing legitimate login credentials. Sometimes, phishing or social engineering is used to do so, but EAC is not overtly a social engineering tactic like BEC is. Instead, EAC is more closely aligned with the access to login credentials.

Business Email Compromise (BEC) attacks are sophisticated forms of social engineering that can bypass standard security tools, as they often do not contain malicious links or malware. To effectively protect against BEC attacks, both organizations and individuals must adopt comprehensive security measures and remain vigilant.

Organizational Strategies

• Enhance Visibility of Account Activity and User Behavior: Implement systems that monitor and analyze account activities to detect unusual patterns indicative of a BEC attempt. ‍
• AI-Powered Security Solutions: Utilize advanced AI-driven security solutions to assist in identifying and responding to AI-powered attacks more effectively. ‍
• Automated Detection and Response: Deploy automated systems that can promptly detect and respond to potential BEC threats. ‍
• Employee Training and Awareness: Conduct regular training sessions to ensure employees, especially those in vulnerable positions, can recognize and respond to BEC attempts. ‍
• Regular Software Updates: Keep all software and security systems up to date to protect against known vulnerabilities.

Individual Precautions

• Scrutinize Unusual Communications: Be cautious of emails from high-ranking officials that seem out of the ordinary. Verify any unexpected requests directly through known communication channels.
• Carefully Assess Emails: Pay close attention to the details in emails, especially those requesting sensitive actions. Look for signs such as unusual language, poor grammar, or a sense of urgency that might indicate a scam.
• Verify Requests for Money: Adhere to your organization's established procedures for money transfers and information sharing. Be suspicious of any attempt to bypass these protocols via email.

A successful BEC attack can be extremely costly and damaging, but taking proactive measures can significantly reduce the risk. Here are some essential tips:

• Use Multi-factor Authentication (MFA): Enhance email security by enabling MFA, which requires a second form of verification, such as a code, PIN, or fingerprint, in addition to a password.
• Implement Anti-Phishing Protections: Deploy advanced anti-phishing solutions capable of identifying BEC red flags, such as mismatched reply-to and sender addresses. These solutions should also use machine learning to analyze email language for indications of an attack.
• Employee Training: Regularly educate employees on identifying and responding to BEC attacks. Conduct simulations of BEC scams to ensure they recognize warning signs like phishing links and domain mismatches.
• Set Security Defaults: Administrators should enforce stringent security measures, such as mandatory MFA, challenging new or risky access attempts, and enforcing password resets if credentials are compromised.
• Email Authentication Tools: Protect against email spoofing by using authentication protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
• Adopt a Secure Payment Platform: Shift from emailed invoices to secure payment systems designed to authenticate transactions and prevent fraudulent activities.
• Use Secure Email Solutions: Utilize email platforms that automatically flag and delete suspicious emails or alert users to unverified senders.
• Label External Emails: Configure email systems to mark emails coming from outside the organization as external, helping to identify potential impersonation attempts.

Darktrace has developed a fundamentally different approach to email security, one that doesn’t learn what’s dangerous from historical data but forms an in-depth understanding of each organization and its users.

Darktrace / EMAIL focuses on individuals - how each person uses their inbox and what constitutes “normal” for each user - in order to detect what’s not normal. Our AI technology builds profiles for every email user, including their relationships, tone and sentiment, content and link sharing patterns, and thousands of other signals.

Because Darktrace understands the human behind email communications rather than knowledge of past attacks, it can stop the most sophisticated and evolving email security risks like generative AI attacks, BEC, account takeover, supply chain attacks, data loss, and ransomware.  

To learn more about Darktrace / EMAIL read our Solution Brief.