Business Email Compromise (BEC): Types & How To Prevent

Many of us think we’re too smart to get scammed by fake company emails. We also believe our biggest cybersecurity threats will be more complex than they have been in the past, and that today’s scammers and phishers will only target government and financial institutions with cutting-edge hacking and infiltration techniques.

Regrettably, the threat of seemingly simple business email compromise (BEC) attacks is as prevalent as ever. According to the FBI’s Internet Crime Complaint Center (IC3), BEC complaints and financial losses have surged by almost 58% since 2020. This type of cybercrime could potentially inflict millions in economic losses, recovery, and reputational damage on your company, as it has on other companies in recent years. 

To help prevent your company and employees from falling victim to BECs, we’ll explore what makes them so insidious and share our best practices for prevention. 

What is Business Email Compromise (BEC)?

In a business email compromise (BEC), a scammer uses email to target and manipulate employees into sharing sensitive information or committing unknowing fraud or theft. Phishing scams and social engineering attacks are common types of BECs. In a typical scenario, a scammer might pose as someone the employee knows, asking the employee to share protected information or initiate a fund transfer. 

BEC attackers typically target companies that handle valuable financial, health, or government data. However, it’s crucial to understand that any business, irrespective of the industry, can fall prey to a BEC. This underscores the importance for all company leaders to educate themselves and their employees about the potential risks and prevention strategies.

Types of Business Email Compromise

A well-orchestrated BEC scam might incorporate one or more of these components to gain access to your data or initiate fraudulent money transfers that could cost your company, your employees, and even your partner organizations millions.

Data Theft

A scammer might send a phishing email posing as a colleague or supervisor, asking the employee to share passwords, email addresses, or any other sensitive information to which the team member has access. They may also leverage social engineering techniques, such as creating a false sense of urgency, to put extra pressure on the employee to leak the data.

Once they have the data they need, scammers may try to infiltrate your company’s network and accounts to steal data or intellectual property.

False Invoices

It’s also common for BEC attackers to pose as third-party vendors and send an email with a fake invoice. In a fake invoice scam, bad actors can hijack a legitimate email conversation about a fund transfer and make a request for a bank account change. They’ll typically include a false invoice and a claim that they still haven’t received payments from the victim.     

CEO Impersonation

In a CEO impersonation scam, also called CEO fraud, the BEC attacker will pretend to be a company executive. In these instances, the scammer might use an email domain similar to the authentic company domain. They might also use a display name spoofing technique in which the attackers’s email is clearly wrong. Still, the receiver can only see the seemingly legitimate name and even the profile picture of the CEO displayed at the top of the email.  

Compromised Accounts

Not all email scams involve fraudulent email addresses. Threat actors may start using fake accounts until they access an employee’s genuine email account. They’ll then use these credentials to infiltrate your network or move on to more ambitious email attacks.    

How Does a BEC Work?

Email scammers rely on a wide range of techniques to steal data or initiate fraudulent wire transfers, but here are some of the most common elements that BECs share: 

• Impersonating a business entity or individual — An attacker will often pose as an executive, supervisor, or colleague as well as an external business partner or vendor. 
• Impersonation tactics — Scammers may use domain spoofing or display name impersonation to mimic employees or vendors. They can also hijack a legitimate email account.
• Common BEC goals — In most BEC schemes, attackers are trying to:
  • Commit invoice fraud by posing as a third-party vendor sending an urgent invoice reminder or by pretending they need to update their banking details.
  • Commit payroll fraud by asking to update their direct deposit information and direct all future transactions to a fraudulent account.
  • Initiate a gift cards scam in which the attacker poses as a CEO or a manager requesting that the employee purchase a number of gift cards for team members and then sending the scammer the numbers on the back of the cards.
  • Gain access to privileged email accounts so they can access protected areas of your company network and steal and sell valuable client data or intellectual property.      

2 Real Examples of BEC

Let’s delve into a couple of real-world examples of BEC to make it easier to grasp the impact of these schemes. These will serve as stark reminders of the significant threat these types of scams pose to all companies, regardless of their size or industry.

The $121m Facebook and Google BEC Scam

In one of the biggest BEC scams in recent history, a man named Evaldas Rimasauskas and his associates set up a fake company called Quanta Computer, mimicking a real-life hardware supplier that Facebook and Google employees had dealt with before.

Between 2013 and 2015, Rimasauskas tricked team members into paying their convincing-looking invoices. They even reassured them with counterfeit letters from lawyers and contracts to make it look like the bank accepted their transactions. Rimasauskas was eventually caught and sentenced to five years in prison in 2019.

The Snapchat Payroll Leak

In 2016, a group of scammers impersonated Snapchat’s CEO and gained access to payroll information belonging to current and former employees. This meant the attackers obtained team members’ Social Security numbers, tax information, and information about their healthcare plans. To help employees recover, Snapchat offered every affected person two years of free credit monitoring and up to $1 million as reimbursement.

This highlights that your company isn’t only putting your IP and financial information at risk without the right cybercrime prevention measures. You’re also putting your entire organization — including your team members’ private lives — in a vulnerable position.

How To Prevent Business Email Compromise

A solid BEC prevention solution requires a multi-pronged approach, including shoring up your email security tech stack and making sure team members are savvy about the way that cybercriminals operate. Here are a few of the most effective options.

Use Email Monitoring Software

It’s too time-consuming and complicated to ask employees to share their email accounts with your security team and comb through every email for signs of suspicious activity. That’s why companies of all sizes use email monitoring software, which automatically indexes all received and sent emails and scans them for anomalous behavior. 

An email monitoring solution allows you to investigate individual emails independently for auditing purposes. It will even let you configure your email rules so that you get alerts for suspicious activities, or block them instantly if they come from an unknown organization or contain malicious links.

Still, to operate your business ethically, make sure you notify employees that you will be monitoring their emails for your protection as well as theirs.

Implement Data Loss Prevention Tools

Data loss prevention (DLP) tools stop employees within your organization (aka insider threats) from knowingly or unknowingly sharing sensitive information or valuable IP. DLP software accomplishes this by allowing you to track how data moves in, out, and through your email gateway, network, and cloud services and set up automatic blocks to stop users from sharing data with the wrong people. 

Account administrators can also set up alerts and warnings to notify them when someone with unauthorized access is about to access valuable information. 

Use Secure Email Clients

BEC attackers leverage email to run their scams by intercepting emails and tampering with them while they’re in transit. That’s why secure email providers like ProtonMail and Office365 offer end-to-end encryption, which means only the email sender and intended recipient can read the message.

Secure email providers also offer tools like multi-factor authentication and metadata email header stripping, which prevents bad actors from being able to pull identifying information from the email address.

Teach Employees How To Identify Scams

Team members need to know how real the threat of an email account compromise is as well as measures they can take to prevent themselves. This means you should offer training during employee onboarding and throughout their tenure as an ongoing prevention strategy. Train employees to be extra vigilant about:

• Unknown email addresses and domain names, particularly from senders claiming to belong to a third-party vendor or partner organization. 
• Unexpected typos, errors, or slight language variations that a colleague or manager doesn’t typically use in an email. 
• Verifying any emails making urgent requests for funds or wire transfers with someone from your company’s finance department so they can confirm or deny if it’s legitimate.   

Setup Regular Email Password Resets

Resetting your email passwords every six months or more makes it harder for scammers to compromise employee emails for future attacks. This also limits the time a threat actor can spend infiltrating your system if they’ve already gained access. Just ensure employees know to use a complex combination of letters, numbers, and symbols and that they don’t use the same password for multiple accounts.   

Implement Two-Factor Authentication (2FA)

Two-factor authentication (2FA) is a powerful way to prevent most malicious emails and phishing attacks. In fact, according to Google research, 2FA can stop 100% of automated bot hacks, 99% of bulk phishing attacks, and 66% of targeted attacks. 

By requiring employees to verify their authorized status with both their email password and a one-time verification code they receive on their mobile devices, you’ll make it much more difficult for scammers to hijack legitimate email addresses and get access to sensitive data.

FAQs

What is the difference between BEC and EAC?

BEC stands for Business Email Compromise, which involves scammers posing as trusted employees or business partners to deceive individuals into making wire transfers or revealing sensitive information. EAC stands for Email Account Compromise, which refers to unauthorized access to an individual’s email account to carry out fraudulent activities.

How much does a business email compromise cost?

A business email compromise can cost organizations millions of dollars. According to the FBI, the total losses from BEC scams exceeded $1.8 billion in 2020 alone. It is crucial for businesses to stay vigilant and implement strong security measures to protect themselves against this growing threat.

Can work emails be compromised?

Yes, work emails can be compromised through tactics such as phishing, social engineering, and email spoofing. It is essential for businesses to implement proper security measures, such as two-factor authentication and regular password resets, to protect against business email compromise.

What is the difference between BEC and spear phishing?

BEC and spear phishing are both forms of email-based scams, but they differ in their approach. BEC involves impersonating trusted individuals to deceive targets into making wire transfers or sharing sensitive information, while spear phishing is a targeted attack where scammers craft personalized emails to trick recipients into clicking on malicious links or divulging confidential data.

What is an example of what a BEC phishing attempt might look like?

A BEC phishing attempt might look like an email from a trusted CEO or executive, requesting an urgent wire transfer to a seemingly legitimate account. The email may appear convincing, with accurate company logos and email signatures, but it is crucial for recipients to verify such requests through alternative channels to prevent falling victim to this scam.

What is an example of BEC phishing?

An example of BEC phishing can be an email from a CEO requesting an urgent wire transfer to a seemingly legitimate account. The recipient may receive an email that appears authentic, complete with accurate company logos and email signatures, but it is crucial to verify such requests through alternative channels to avoid falling victim to this scam.

What are the red flags for BEC phishing?

Red flags for BEC phishing include urgent requests for wire transfers, email addresses that are slightly different from those of trusted individuals, and requests for sensitive information. Additionally, poor grammar and spelling errors can indicate a potential scam.

What is an indicator of a BEC email?

An indicator of a BEC email can be an urgent request for a wire transfer, especially if it comes from a high-ranking executive or CEO. Other indicators may include slight variations in email addresses or requests for sensitive information. It is crucial to exercise caution and verify such requests through alternative channels to avoid falling victim to this scam.

Who are the victims of BEC?

BEC victims can be anyone in a business or organization who receives targeted fraudulent emails. However, high-level executives and finance departments are often the primary targets due to their authority and access to financial information.

Conclusion

With the increasing digitization that remote work has brought to the working world, employee attention gets pulled in every direction as they bounce between work emails, messages, meetings, and tasks. That’s why it’s so important to create a security culture and ensure your team members aren’t so distracted that they don’t notice the hallmark signs of a BEC. 

Thankfully, a platform like Teramind allows you to monitor, detect, and block suspicious email activity before it spins out of control and causes irreparable financial damage to your business.