Business Email Compromise (BEC) is a type of cyber crime that involves misusing or impersonating a corporate email address to manipulate a company’s employees or contractors. The goal of BEC is normally to trick an employee into transferring funds or sharing sensitive information. BEC attacks are often sophisticated, and exploit email communication systems to impersonate high-level executives or trusted parties.
Email-based cyberattacks are nothing new. Long-standing phishing techniques such as the “wealthy prince” scam used social engineering methods to manipulate victims. Crude “spray and pray” email attacks aimed to spread malware or obtain sensitive information from as many recipients as possible.
These early forms of email-based scams laid the foundation for the more sophisticated and targeted BEC attacks we see today. Over time, cyber criminals have refined their tactics, exploiting human psychology, social engineering techniques, and technology to craft convincing emails that appear legitimate.
How a BEC attack is cooked up
BEC attackers typically start by gathering information about the target company, its employees, and its business relationships. This information might be obtained from publicly available sources, social media, or previous data breaches.
Next, the attackers impersonate someone—normally someone in a position of authority within the company, such as a CEO, CFO, or other high-ranking executive, or a representative from one of the company’s trusted vendors.
BEC attacks rely on impersonation via email. This impersonation can occur via a compromised corporate email account—attackers might hack the email account themselves, or obtain credentials on the dark web—or via “spoofing”, which involves creating an email address that looks like the legitimate sender’s address.
Using the compromised or spoofed email address, the attackers send emails to their target employees. The emails typically concern financial matters, such as invoices, payments, wire transfers, or changes in account information, and are designed to create a sense of urgency, pressure, or confusion.
If the BEC attack succeeds, the recipient is convinced by the fraudulent email. The victim might click malicious links within the email, leading to malware infection, transfer funds to a fraudulent account, reveal sensitive information, or make changes to existing vendor or partner relationships.
By the time the target organisation realises it has been scammed, the damage is often done. Transferred funds might be irretrievable, security systems might be compromised, or ransomware could already have taken hold of the company’s sensitive data.
Battening the hatches against BEC attacks
To defend against BEC attacks, organisations should implement strong cybersecurity practices such as multi-factor authentication, secure email gateways, employee training on recognising phishing and BEC attempts, and verification protocols for fund transfers or significant changes in financial processes. Employees should be encouraged to maintain a healthy scepticism when receiving unexpected requests, especially those involving financial matters, even if they seem to come from familiar sources.
While cybersecurity regulations are evolving, the legal framework for addressing BEC attacks is still developing in many jurisdictions. This makes it challenging to recover stolen funds or hold perpetrators accountable.
Cybercriminals continuously adapt their tactics to bypass security measures and exploit new vulnerabilities. This agility allows them to stay ahead of defences and maximise their success rates.
Here are some of the ways businesses can prevent BEC attacks:
- Training your team on phishing and BEC attacks is essential. Such training could occur via tabletop exercises, phishing simulations, or guidance on how to spot rogue or spoofed email addresses and malicious URLs.
Secure cyber protocols
- Enforce Multi-Factor Authentication (MFA) for email accounts. MFA adds an extra layer of security that can prevent unauthorised access, even if login credentials are compromised.
- Implement email authentication protocols such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). Together they let receiving mail servers check whether a message genuinely came from your domain and reject or quarantine it when it did not, which helps prevent email spoofing and phishing attacks.
- Enforce strong password policies, regular password changes, and secure password management practices to prevent unauthorised access to email accounts.
- Advanced email filtering solutions can detect and quarantine suspicious emails before they reach the recipients.
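As an added illustration (not code from the original article), the Python check below shows the kind of rule an inbound mail filter can apply to the spoofing described earlier: it reads the SPF/DKIM/DMARC results that the receiving gateway stamps into the Authentication-Results header, flags sender domains that look like but are not the organisation's own, and flags a Reply-To that diverts replies elsewhere. The organisation domain `example.com`, the 0.8 similarity threshold and the sample message are assumptions.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string

ORG_DOMAIN = "example.com"  # assumed: the organisation's own mail domain

def _domain(addr_header):
    """Bare domain from a header such as 'Jane Doe <jane@example.com>'."""
    m = re.search(r"@([\w.-]+)", addr_header or "")
    return m.group(1).lower() if m else ""

def bec_warnings(raw_message):
    """Return reasons this message looks like a BEC/spoofing attempt
    (SPF/DKIM/DMARC not passing, lookalike sender, diverted Reply-To)."""
    msg = message_from_string(raw_message)
    warnings = []
    # 1. Authentication-Results is stamped by our own receiving gateway; only
    #    trust the copy it added. A missing or failed result means the sender
    #    domain was not vouched for by SPF, DKIM or DMARC.
    auth = (msg.get("Authentication-Results") or "").lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=pass" not in auth:
            warnings.append(f"{check} did not pass")
    # 2. Lookalike domain: close to, but not equal to, our own domain.
    from_dom = _domain(msg.get("From"))
    if from_dom != ORG_DOMAIN:
        if SequenceMatcher(None, from_dom, ORG_DOMAIN).ratio() > 0.8:
            warnings.append(f"lookalike sender domain {from_dom}")
    # 3. Reply-To sends replies to a different domain than the visible sender.
    reply_dom = _domain(msg.get("Reply-To"))
    if reply_dom and reply_dom != from_dom:
        warnings.append(f"reply-to domain {reply_dom} differs from sender")
    return warnings

# Constructed sample: a spoofed "CEO" payment request, not a real message.
SAMPLE_SPOOF = """\
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail
From: "Alice Chief (CEO)" <alice@examp1e.com>
Reply-To: alice.chief@freemail.invalid
To: accounts@example.com
Subject: Urgent wire transfer needed today

Please process the attached invoice before close of business.
"""

if __name__ == "__main__":
    for w in bec_warnings(SAMPLE_SPOOF):
        print("WARNING:", w)
```

In production the filter should only honour the Authentication-Results header whose authserv-id matches your own gateway, since anything earlier in the chain can be forged by the sender.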
Robust incident response
- Develop a comprehensive incident response plan that outlines steps to take in the event of a suspected BEC attack. The plan should include communication protocols, steps to attempt recovery of compromised funds, and a process for reporting the incident to law enforcement.
Vendor due diligence
- Regularly audit financial transactions and vendor relationships to detect anomalies or unauthorised changes. Conduct due diligence on vendors and partners to ensure their cybersecurity practices are up to par.
- Avoid sharing sensitive information through email where possible.
By combining these preventive measures, ongoing employee training, and a vigilant attitude towards email communications, organisations can significantly reduce their vulnerability to Business Email Compromise attacks. It’s important to foster a culture of cybersecurity awareness and proactive defence throughout the organisation.
As a B Corp Data Protection Office, HewardMills is dedicated to assisting clients to address internal data privacy concerns and business practices. If you have any concerns on your organisation’s cyber security measures, or any other global data privacy issues, we can support your team.