Analyzing the Types of Email Services Used in BEC (Business Email Compromise)

In 2020, the FBI’s IC3 (Internet Crime Complaint Center) got 19,369 BEC (Business Email Compromise complaints, for an adjusted loss of $1.8 billion.

BEC scams are not a new thing and they’ve been around for a while, but they are getting more sophisticated as scammers invent new ways to fraud people via email.

We can see this, for example, in how BEC attacks differ depending on the type of email service used. Cyber security software company Trend Micro analyzed 5 types of email services used in BEC, so let’s take a look at how BEC attackers use email to gain access to sensitive information about an individual or their company.

What is a Business Email Compromise (BEC) Attack?

A Business Email Compromise (BEC) attack is a type of email scam in which an attacker targets a company using social engineering and publicly available information.

Typically, the scammer will impersonate someone like the company CEO to trick another employee into transferring money to the attacker’s bank account, or give him other sensitive information.

According to the FBI, there are 5 types of Business Email Compromise (BEC) attacks:

1. CEO Fraud, where the hacker impersonates the company CEO and sends an email to an employee for an “urgent” money transfer. Usually, such requests are made to someone in the finance;
2. Attorney Impersonation. In this case, the attacker impersonates an attorney or a legal representative and threatens a lawsuit unless the victim sends them money;
3. False Invoice Scheme. Here, the scammers pretends to be foreign suppliers for the company and requests the victim to transfer extra funds into their fake account;
4. Data Theft. This BEC attack is typically used to complement the CEO fraud. Here, the attacker is looking to gain information about the CEO from the HR department, such as their email address, and use that information to scam the exec;
5. Account Compromise. In this type of BEC attack, the attacker gains access to an employee’s email account and uses it to request payments which are then sent to fraudulent bank accounts that the scammer owns.

5 Types of Email Services Used in BEC Attacks

As you can see, the goals that a fraudster using a Business Email Compromise (BEC) scam will vary. This also means that their technique will be different as well.

Here is how BEC actors use different types of email services in BEC scams:

1. Free Email Services

According to the Trend Micro report, BEC scammers predominantly employ free email services such as Gmail, Microsoft Outlook, or Yahoo Mail for two reasons:

• They’re free;
• Customers already trust them.

This makes free email services a low-cost, high reward solution for scammers, as financially they don’t lose anything (being that the service is already free).

Such services, the report says, allow the BEC actor to create a fake or fake email account, using for example the CEO’s name to request money transfers into their bank accounts, or use a more indirect approach and ask for a “small favor”.

2. Local Email Services

The report also analyzed local email services in 15 different countries and their BEC footprint.

The countries in question were: United States, United Kingdom, Australia, Germany, Russia, France, Canada, Italy, New Zealand, Poland, Portugal, Ukraine, the Czech Republic and South Korea.

What Trend Micro found here is that BEC scammers were most interested in data such as aging reports and contact information from the victims themselves.

3. Encrypted Email Services

Using an encrypted email service, the report continues, BEC attackers can hide their actual email address using a forged From header, while the real email address is hidden in the Reply-to header.

When the victim clicks the Reply button, the message will go to the hidden Reply-to address and not the one they see in the From field.

4. Self-Registered Domains and Direct-to Featured Email Service

Using self-registered and custom domains, BEC attackers can create lookalike domains by just replacing certain letters or adding easy-to-miss characters like dots (.) and dashes (-) to the fake email address.

For example,

• l with I;
• d with cl;
• o with 0;
• w with vv;
• u with v.

In addition, BEC scammers also use SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to fool victims into believing that they are legitimate and trustworthy.

5. Stolen Email Credentials and Email Conversations

Finally, BEC attackers also use compromised email accounts to launch BEC campaigns. One technique they commonly use here is to send phishing emails with malicious attachments in them. If the victim clicks on the attachment it automatically installs a key logger that can then steal credentials or other sensitive information from the victim’s computer

How to Recognize BEC Scams?

As you can see from the report, Business Email Compromise (BEC) attacks come in different forms so knowing how to recognize them and protect your organization from them is important so it doesn’t fall victim to them.

The biggest problem with BEC emails is that they can be very believable. This is you need to be very careful with who you reply to and avoid giving up any confidential information such as banking details.

What kind of information is considered as “confidential information”?

Confidential information is any business information that is legally binding between two parties and protected with non-disclosure agreement (NDA).

Still, there are some signs that you are dealing with a BEC email that can raise user awareness, such as:

1. The sender’s email address and the “Reply-to” address are different;
2. It uses unusual date formats. For example, if the company regularly uses a DMY (Day/Month/Year) format, a MDY (Month/Day/Year) format used in an email might be suspect;
3. Another common sign of Business Email Compromise (BEC) is poor grammar since English is often not English speakers;
4. The scammer’s request is unusual. For example, the scammer impersonating as the CEO might ask that the employee only communicate with them and to “keep this between us”;
5. The request comes from a different channel than it usually does. For instance, if the finance department usually deals with payments, getting a request from the CEO for an urgent money transfer should raise the alarm.

How to Prevent and Protect From BEC Attacks?

When it comes to preventing and protecting from such attacks, once you understand how BEC attacks work it’s much easier to prevent them.

A typical BEC campaign is a well-planned scheme and it can be in motion for years without the target organization realizing it. It usually starts with scammers gathering information about their target using social engineering, creating spoofed email accounts, before finally sending a phishing email requesting sensitive information.

Luckily, recognizing Business Email Compromise is possible if you look for the signs we just explained.

Here are some tips to prevent a BEC email scam:

• Confirm the request with the person that “sent” it using a different channel like another email account, phone, or with them in person. If they are not available, ask someone else in the company, if this is standard procedure;
• Check the email address and see if it matches 100% with the real one. The difference might be subtle like CTemplar vs CTempIar or Omicron vs Omicr0n;
• Use a custom domain (yourbusiness.com) instead of a free domain like gmail.com;
• Be careful not to put any personal information on social media for scammers to easily see;
• If you find that a transfer is already made, contact the bank immediately to stop it and return the money. If the fraudster already has your bank info ask the bank to change banking details.

Conclusion

Business Email Compromise is on the rise and in its Data Breach Investigations Report 2021, Verizon put BEC as the 2nd most common social engineering attack.

Hopefully, however, this article will help you recognize and prevent BEC scams.

The best way to protect yourself and your organization against scams, phishing attacks, malware and account compromise is to use an encrypted email service like CTemplar. Sign up today to get your free and secure CTemplar email account.