What is Business Email Compromise (BEC)?

BEC stands for Business Email Compromise. BEC involves attackers gaining unauthorized access to a company's email account or impersonating a trusted individual for the purpose of carrying out fraudulent actions such as transferring money or obtaining sensitive information through social engineering tactics.‍

According to the 2021 IC3 report "BEC is responsible for $2.4 billion in adjusted losses in 2021 and a 556% increase since 2016."

BEC is expected to continue growing given the increase in remote workers, openly available generative AI tools, and the multitude of business-related accounts organizations have. These affordances increase the potential attack paths for threat actors. Thus, keeping email accounts secure is becoming increasingly challenging.

‍

Business Email Compromise (BEC) is a type of cyber-attack in which an attacker impersonates a trusted individual, such as a senior executive or a vendor, in order to trick an organization or individual into divulging sensitive information or transferring funds. This attack vector has become increasingly prevalent in recent years and has resulted in significant financial losses for businesses of all sizes.

In a typical BEC attack, the attacker will conduct extensive research to learn about their target organization, including its key personnel, vendors, and business processes. They will then use this information to craft convincing emails that appear to come from a trusted source, often with a sense of urgency or importance, in order to prompt the recipient to take immediate action.

Now, with advancements in generative AI technology, BEC is becoming more common. Threat actors are able to generate textual messages that are believable and impersonate individuals, increasing their likelihood of tricking a victim.

To understand the various methods cybercriminals use to exploit businesses through email, let's explore some common business email compromise examples:

CEO Fraud

CEO fraud involves attackers’ impersonating high-ranking executives to solicit information from other members of the organization, whereas whaling involves attackers’ targeting high-ranking executives.

Data Theft

Threat actors attempt to obtain valuable personal information about an individual at a company. They could then use this information to launch future attacks. 

Email Account Takeover

This attack occurs when an employee's email is already obtained by a threat actor. The actor then uses these legitimate credentials to request valuable information from others within the organization.  

Lawyer/Attorney Fraud

Impersonating as the lawyer for an organization, a threat actor will contact low ranking individuals attempting to retrieve sensitive information. 

Account Compromise

In an account compromise BEC attack, attackers gain access to an organization's email account through phishing or malware. They then send fraudulent invoice requests, altering payment details to redirect funds to their own accounts. For example, they might use a finance employee's email to send fake invoices, directing payments to a deceptive bank account.

Identifying BEC Attempts

Spotting a Business Email Compromise (BEC) attempt involves being aware of specific characteristics often found in these fraudulent emails. BEC emails typically include a sense of urgency, employing words like "quick," "urgent," or "important" to prompt swift action. They often impersonate authoritative figures such as CEOs or CFOs, using tactics like mimicking the person’s writing style or spoofing their email address.

These emails usually contain justifications for unusual requests, making them seem legitimate. Specific instructions are provided, detailing the amount of money to send and the location. Additionally, BEC emails may instruct recipients not to contact the sender or verify the request with others, to avoid detection of the scam. By being vigilant about these red flags, recipients can better protect themselves from falling victim to BEC attacks.

In both cases threat actors seek to disrupt or damage systems in order to carry out malicious activity. However, a business email compromise involves the impersonation of an important figure in an organization in order to trick an employee. This is considered a social engineering tactic. 

Email Account Compromise (EAC) on the other hand, is the act of stealing legitimate login credentials. Sometimes phishing or social engineering is used to do so, but EAC is not overtly a social engineering tactic like BEC is. Instead EAC, is more closely aligned with the access to login credentials.

Any individual or company can be a victim or suspected target to a BEC attack. If you work at an organization that is small and does not have a robust security infrastructure, be particularly weary of the communication patterns between yourself and other high-ranking members at the organization.

Executives‍

Threat actors will likely do research on high-ranking individuals in an organization because they have public facing accounts with a lot of information readily available on them. These individuals are likely to be impersonated by threat actors for that reason and because the use of their name in an email might alarm or call for urgency from the recipient. 

New Employees

‍New employees are an easy target for threat actors because they don’t know yet what normal communication within the business might look like. Similarly, they are easier to get an emotional reaction out of. By engineering an email impersonating a CEO who is asking the new employee for login information, they might answer without reading into the situation. 

Employees with access to sensitive information

HR employees and those in the finance department are particularly vulnerable to BEC attacks because of the access they have to financial and personal information on other employees. 

Business Email Compromise (BEC) attacks are sophisticated forms of social engineering that can bypass standard security tools, as they often do not contain malicious links or malware. To effectively protect against BEC attacks, both organizations and individuals must adopt comprehensive security measures and remain vigilant.

Organizational Strategies

• Enhance Visibility of Account Activity and User Behavior: Implement systems that monitor and analyze account activities to detect unusual patterns indicative of a BEC attempt. ‍
• AI-Powered Security Solutions: Utilize advanced AI-driven security solutions to assist in identifying and responding to AI-powered attacks more effectively. ‍
• Automated Detection and Response: Deploy automated systems that can promptly detect and respond to potential BEC threats. ‍
• Employee Training and Awareness: Conduct regular training sessions to ensure employees, especially those in vulnerable positions, can recognize and respond to BEC attempts. ‍
• Regular Software Updates: Keep all software and security systems up to date to protect against known vulnerabilities.

Individual Precautions

• Scrutinize Unusual Communications: Be cautious of emails from high-ranking officials that seem out of the ordinary. Verify any unexpected requests directly through known communication channels.
• Carefully Assess Emails: Pay close attention to the details in emails, especially those requesting sensitive actions. Look for signs such as unusual language, poor grammar, or a sense of urgency that might indicate a scam.
• Verify Requests for Money: Adhere to your organization's established procedures for money transfers and information sharing. Be suspicious of any attempt to bypass these protocols via email.

A successful BEC attack can be extremely costly and damaging, but taking proactive measures can significantly reduce the risk. Here are some essential tips:

• Use Multi-factor Authentication (MFA): Enhance email security by enabling MFA, which requires a second form of verification, such as a code, PIN, or fingerprint, in addition to a password.
• Implement Anti-Phishing Protections: Deploy advanced anti-phishing solutions capable of identifying BEC red flags, such as mismatched reply-to and sender addresses. These solutions should also use machine learning to analyze email language for indications of an attack.
• Employee Training: Regularly educate employees on identifying and responding to BEC attacks. Conduct simulations of BEC scams to ensure they recognize warning signs like phishing links and domain mismatches.
• Set Security Defaults: Administrators should enforce stringent security measures, such as mandatory MFA, challenging new or risky access attempts, and enforcing password resets if credentials are compromised.
• Email Authentication Tools: Protect against email spoofing by using authentication protocols like Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).
• Adopt a Secure Payment Platform: Shift from emailed invoices to secure payment systems designed to authenticate transactions and prevent fraudulent activities.
• Use Secure Email Solutions: Utilize email platforms that automatically flag and delete suspicious emails or alert users to unverified senders.
• Label External Emails: Configure email systems to mark emails coming from outside the organization as external, helping to identify potential impersonation attempts.

Preventing Business Email Compromise (BEC) attacks presents several challenges. Attackers often use legitimate domains, low-volume tactics, and pass DMARC checks, making detection difficult. Employee education is crucial but challenging to maintain, as awareness levels can wane over time. Balancing effective security measures with uninterrupted business operations is another key challenge.

Delivery Tactics

• Legitimate Sources: Attackers often leverage compromised accounts, making emails appear to come from trusted sources.
• No Attachments: BEC emails typically lack attachments, bypassing traditional malware scans.

Social Engineering Tactics

• Spoofing Executives: Attackers frequently impersonate high-level executives to add legitimacy and urgency to their requests.

While organizations can implement robust security systems and training for their employees, individuals can follow these tips in order to stay ahead of BEC attacks:

Unusual Communication

Attackers will often impersonate high ranking officials in an organization as a way to trick new employees into divulging sensitive information. If it is unusual for your CEO or other high-ranking officials to communicate with you be weary of these messages.

Assess your emails

With the high magnitude of email communication that goes on in business it might be difficult to read through each email carefully. However, if you are about to click on a link or download a file, be sure to verify the sender’s account and read the email carefully looking for unusual language or poor grammar. Be on the lookout for emails that might be labeled as “urgent” as attackers often try to get victims to make rash and quick decisions, increasing the chance of them being caught.

Requests for money

Most businesses have distinct processes to transfer money and keep strict regulations around how money moves in the business. If there is an attempt to bypass these regulations and transfer money or information via email, it is likely that this is a scam.

Modern security teams are often overstretched dealing with an increased attack surface, enabling workforces for secure remote work, and managing multiple security tools to protect that workforce. Now, AI tools are being used by attackers to make their attempted cyber attacks even more difficult to spot. With a growing attack surface, security teams are doing more “hand-to-hand combat” with attacks than they should be.

AI-powered email solutions can level up security teams in numerous ways. Historically, email security is trained on historical attack data, only alerting to previously seen threats. With an AI based model, it is possible to better prepare and stop unknown threats.

With the access to readily available AI tools that can assist with social engineering tactics, attack sophistication has increased. AI-driven security will understand behaviors of end users and how each individual operates within their inbox. In doing so, be able to detect and respond to threats that deviate from normal activity.

Prevent human error

By understanding you and your organization, Darktrace/Email can detect when an email is likely being addressed to the wrong person, and at the perfect time intervene with a warning before the email is sent.

Detect account takeover

‍Darktrace uses AI to learn what normal communication looks like for every email user, in order to spot the subtle signs of anomalous emails sent with malicious intent, no matter who has sent them.

Employee Input Feeding Back into AI

‍Over time, Darktrace/Email gradually factors employee feedback into its decision-making, improving productivity and overall security.

Self-Learning AI

‍Instead of looking at previous attacks to predict those of the future, Darktrace AI learns the ‘pattern of life’ of an organization, including its users, devices, and servers. This allows it to identify the first signs of a ransomware attack, regardless of whether the method or type of attack has been seen before.

‍