What is a Business Email Compromise and How to Protect Against it?
Email fraud can take different forms. Email security mistakes cost businesses billions of dollars per year. One particularly effective and dangerous type of email scam is the business email compromise attack, or BEC attack.
What is a BEC attack?
A BEC attack is a type of email scam in which the attacker targets an organization’s email account and impersonates an employee with access to company funds in order to transfer money to the account controlled by the hacker.
This type of email attack is also known as the “Man-in-the-email” attack.
Types of BEC Attack
According to the FBI’s Internet Crime Complaint Center, business email compromise attacks and email account compromise attacks were responsible for $1.7 billion in reporting losses due to fraud out of $3.5 billion in 2019.
At the same time, credit card frauds amounted to a little over $110 million in losses.
The FBI specifies 5 different types of BEC attacks:
- CEO Fraud is probably the most common type of this attack. In it, the hacker impersonates himself as the executive (CEO or different) of the company and sends an email to an employee with access to funds (usually in the finance department) to send the money to a bank account controlled by the hacker;
- Attorney Impersonation usually targets someone lower in the corporate hierarchy, where the attacker impersonates a legal representative or lawyer. Typically, the attacker will send an email threatening with a lawsuit unless the victim sends the money;
- False Invoice typically goes after foreign suppliers. In it, the fraudster acts as a supplier and will request funds to be transferred to their fake account. Vendor Email Compromise (VEC) came up as the favorite BEC scam for criminals (you can read more about email security trends here);
- Data Theft is often used to leverage CEO fraud. In this attack, the scammer targets the HR department to procure information about a particular individual in the company, such as the CEO, which he (attacker) can then use to scam that executive;
- Account Compromise is a type of BEC where the attacker hacks an employee’s email account and then uses it to request payments to vendors, which are sent to a bank account owned by the attacker.
How Does the BEC Attack Work (BEC Attack Example Email)?
In its most basic form, a BEC attack example email looks something like this:
However, it’s usually much more sophisticated and complicated than that and typically goes on in several phases.
In the first phase, the attacker will mine various sources like the company website, LinkedIn profiles, or business email databases for contact information.
Next, the hacker will launch their attack. They’ll usually send a mass email using fake email names and domains. For instance, the attacker might use typosquatting to send the victim to a fake email or domain that looks like the real one. One example of this is the fake PayPal.com domain PayPa1.com.
From here, the scammer will impersonate a CEO or someone within the financial department of the company and send an email with an urgent request, usually for money transfer.
If the scam was believable enough, the victim will transfer the money to the scammer’s fraud bank account.
Here are some BEC attack examples:
- Mattel
The famous U.S. toymaker was a victim of a phishing email attack that could have cost it more than $3 million. The scammer, who was impersonating the new CEO of Mattel, Christopher Sinclair, requested from a finance executive in the company to transfer large amounts of cash from Mattel’s account to the Bank of Wenzhou in China.
Luckily for Mattel, they were quickly made aware of the fraud and contacted the bank and the FBI to return the funds.
- Scott County School Kentucky
Where Mattel was lucky enough to notice the scam on time to have their funds returned, the Scott County School in Kentucky wasn’t so much, as, by the time they noticed and contacted the FBI, two weeks had already passed.
What happened here was that the school got notified that they have an outstanding invoice. Upon investigation, it was revealed that the payment was not made to the vendor but to the scammer’s fake account.
How to Protect Against a Business Compromise Attack?
A BEC attack can be difficult to notice until it’s too late (see the Scott County School example above) because it’s not doesn’t rely on malware or other software.
Instead, the attacker typically takes great effort to research the company for the best email accounts to target and social engineer everything.
As a result, these attacks can be very believable.
For example, if a new employee receives an urgent wire transfer request from the CEO, who they maybe haven’t even met or talked to yet, they’ll often do it, thinking that’s how things are run in that company.
So what are some of the ways to protect against a BEC attack?
First, there are a couple of tell-tale signs of a BEC email:
- The “Reply To” and the sender’s email addresses do not match;
- The request doesn’t come from a usual channel, like the finance department or the accounting system;
- The email asks the recipient to “keep it confidential” and communicate only with the sender;
- It requests some unusual information, like individual tax information for an employee;
- The date format is wrong. The U.S. date format is: “month, day, year”, whereas most of the world use “day, month, year” format. The scammer might also be writing the date as “8, 18, 2020”, but the company uses the “Aug. 18th. 2020” format;
- Poor grammar and broken English. Finally, an email riddled with grammar mistakes and broken English could also alert you to a possible BEC scam attack, although that’s not 100% sure way of detecting one, especially if the CEO is already a non-native speaker.
As for some of the ways to protect against a BEC attack, here are a few tips:
- Always confirm the request with the person or vendor who made the request outside of that email, whether on phone or in person;
- Double-check the sender’s email address (and if it matches the “Reply To” as well in the email. For example, if the real email is [email protected] and the sender’s email is [email protected], that might be difficult to notice at first glance. If the person receiving this is already busy with something else, they might do it without much thinking;
- If you discover that a fraudulent transfer has been made, contact your bank or the bank to which the transfer was made to stop it or return the money. That’s how Mattel was able to return its $3 million;
- Use company domains for email instead of free Gmail or Yahoo ones. If the company uses @company.mail for its emails, and you get one from @gmail.com, that’s a good sign that something is wrong and that you should be suspicious of that email;
- Authenticate emails using DMARC, SPF, or DKIM to verify that the email came from the person it claims to have come from;
- Be careful of what you put online. If you’re an executive and you post on Facebook that you’re going on holiday, you are essentially telling scammers that you’re out of the office and that’ now is the time for them to strike. Keep such announcements private;
- Save all suspicious emails as evidence of a BEC attack that you can give the authorities;
- You should also know how to securely send bank account information via email.
Finally, don’t forget to use a secure and encrypted email like CTemplar to protect yourself and your organization against email scams, phishing attacks, but also malicious software, Man-in-the-Middle attacks and similar. Sign up today for your free and secure CTemplar account.