Every year, companies lose billions of dollars to business email compromise (BEC) or email account compromise (EAC) scams.
Cybercriminals have become increasingly adept at hacking or spoofing accounts and posing as executives or business partners to trick businesses into transferring enormous sums of money or sharing sensitive data. Scammers depend on social engineering techniques to manipulate victims and orchestrate these malicious schemes.
It can be incredibly difficult to prevent BEC scams, but there are ways to mitigate the risks to your organization:
- Educate your employees about BEC scams.
- Use 2FA email authentication.
- Control your domain.
- Practice good security hygiene.
- Frequently check your systems for irregularities.
- Double-check requests for payment or information.
- Use BEC prevention tools.
While it may not have the notoriety of phishing or ransomware attacks, business email compromise (BEC) or email account compromise (EAC) is one of the primary threats to organizations today.
According to the Federal Bureau of Investigation (FBI), between June 2016 and December 2021, organizations lost over $43 billion to BEC scams. A study published earlier this year by Proofpoint revealed that 83 percent of organizations fell victim to email-based phishing attacks in 2021. Threat actors successfully tricked employees in these organizations into clicking on malicious links, transferring money, and sharing credentials.
BEC/EAC scams are successful because it can be challenging to differentiate a scam message from legitimate correspondence. This article will tell you about some common BEC/EAC scams, how to spot them, and how to protect your organization from these “sophisticated” attacks.
Man-In-The-Email: What Is Business Email Compromise?
BEC is a type of phishing attack that usually involves an attacker hacking or spoofing an executive, employee, or vendor and requesting payment from an organization. According to the FBI, BEC “is one of the most financially damaging online crimes.” While hackers may use different techniques, the goal is to defraud a business.
Cybercriminals take advantage of the central role of emails in business communication to launch BEC scams. They know employees are unlikely to question official emails, and they exploit this trust.
Note: It’s important to note that BEC/EAC scams are not limited to emails. Since the COVID-19 pandemic, the FBI’s Crime Complaint Center (IC3) has received complaints about criminals using virtual meeting platforms to carry out BEC attacks.
Social engineering: The power of manipulation
In a BEC/EAC attack, cybercriminals falsify a company email account or hack into official accounts to request financial transfers. Their targets comply with the demands under the impression they are responding to a legitimate request from an executive, colleague, or vendor. They usually only realize they’re being scammed when it’s too late.
BEC/EAC scams, also known as man-in-the-email attacks, are often tailored to each organization. This makes it very difficult to prevent. Criminals rely on manipulation and social engineering techniques to trick employees into making payments or sending over sensitive data.
Perpetrators exploit the relationship between colleagues and business partners — such as a CEO and finance director or a vendor and supplier. By tracking or examining the communication history between two parties, scammers can craft convincing messages to their targets.
BEC/EAC messages often have a false sense of urgency. Fully aware of the chances that their schemes will crumble, scammers push employees to act quickly. And operating under fear or stress makes it more difficult for an employee to pick up on any clues that they’re being scammed.
Types of Business Email Compromise Scams
Business email compromise scams evolve quickly and often overlap or lead into one another. These are some of the most common types of BEC/EAC scams:
CEO fraud is possibly the most popular type of BEC/EAC scam. Posing as the CEO of a company, criminals will instruct accountants and other individuals in a company to transfer money to fraudulent bank accounts.
Cybercriminals will hack into an employee’s business email account and use it to request payments. The attack may start with a phishing email containing malicious links and other attachments. Once the targets click the link or attachment, the hacker can hijack their accounts.
Scammers leverage compromised accounts to steal confidential information or get an inside view of a company’s operations.
False invoice scheme
Scammers will pose a company’s supplier or partner to request invoice payments. This scam often involves intercepting or manipulating a legitimate invoice request and sending out a fake one.
Cybercriminals will impersonate a legal representative and request confidential information from employees in a company.
Hackers will steal sensitive information from a company and use it for future attacks, like CEO fraud or doxing.
Virtual meeting scams
Hackers will organize or join virtual meetings to steal information and request bogus payments. They usually do this while pretending to be the CEO or employee in a company. According to the FBI, virtual meeting scam complaints have increased with the rise in remote working since the COVID-19 pandemic.
The Cost of Business Email Compromise Scams: Examples
In 2021, the reported losses due to BEC/EAC scams increased from $1.9 billion in 2020 to $2.4 billion, according to the FBI’s Internet Crime Report. The agency received 19,954 BEC/EAC-related complaints last year. The top destinations for stolen funds in 2021 include Thailand, Hong Kong, China, Mexico, and Singapore.
The spike in BEC/EAC scams correlates with restrictions on in-person meetings and the rise of online meetings.
Here are a few popular BEC/EAC scams:
|Affected organization||Description of Attack|
|FACC Operations GMBH||In 2016, airline parts maker FACC Operations GMBH lost €50 million in a BEC/EAC attack. A hacker impersonated the company’s CEO, Walter Stephan, in emails to request a transfer into their bank account.|
|Xoom Corporation||In 2015, money transfer company Xoom lost $30.8 million after a scammer, posing as an employee, ordered a bank transfer to overseas accounts.|
|Mattel||In 2016, toy maker Mattel nearly lost $3 million after Chinese scammers pretending to be the company’s CEO, ordered a transfer of the sum to an account. Thankfully, the company realized the scam and stopped the transfer.|
|Leoni AG||In 2016, wire and cable manufacturer Leoni AG lost €40 million in a BEC attack. A scammer, posing as one of the company’s German executives, requested a transfer to a foreign bank account.|
How Business Email Compromise Scams Work (And How to Spot It)
BEC and EAC scams follow a similar pattern. The process can take weeks or sometimes even months as the threat actor tries to build trust. These are the four phases of BEC/EAC scams:
1. Identifying a target
When cybercriminals identify a potential target for a BEC/EAC scam, they usually build a profile of its executives and compile a list of employee emails. Scammers can gather a lot of information about a company and its employees by sifting through LinkedIn and scanning online databases.
2. Launch attack
Scammers usually rely on hijacking, spoofing, or spear phishing to launch BEC/EAC attacks.
Hackers steal employees’ login credentials and hijack their emails using malware, brute-force attack, and other nefarious schemes. Once in control of their victims’ accounts, they can launch BEC/EAC scams.
Scammers also spoof an employee’s email account to orchestrate BEC/EAC scams. Over 70 percent of the BEC scams surveyed for the 2021 Cybersecurity Insiders’ Business Email Compromise Report involved spoofed email accounts.
Spoofed email addresses are very similar to the actual addresses that they might be mistaken for them. If a company uses a standard email structure for their employees (like [email protected]), it is easy for a hacker to create something slightly different (like [email protected]s.com).
After gathering information about a company through phishing attacks and identity theft, hackers can launch spear phishing attacks, targeting particular individuals in a company. At this stage, they usually know how to make their messages appear legitimate.
3. Social engineering and grooming
Social engineering is central to BEC/EAC scams. For a BEC scam to work, scammers must convince employees that a request for money or information is legitimate. This involves grooming. Scammers try to persuade and manipulate their targets into doing their bidding.
4. Financial gain or data breach
After establishing trust, hackers request funds or sensitive data. Criminals usually learn how a company works and pore over their transactions. They exploit this to make their request seem legitimate.
How to Protect Your Organization From BEC/EAC Scams
While preventing your employees from falling for BEC/EAC attacks is difficult, there are ways to reduce the chances of this happening.
1. Educate your employees about BEC/EAC scams
The most effective way to prevent business email compromise scams is to ensure that everyone in your company is aware of this threat. Employees in finance departments particularly must be familiar with the ways scammers try to manipulate their targets.
2. Use robust email authentication
Use two-factor authentication (2FA) across all business email accounts. Email systems like Gmail offer 2FA through the mobile app or via SMS.
Note: SMS 2FA has some known security issues. Thus, a mobile app code may be more secure.
3. Control your domain
Spoof email addresses used by hackers often have similar domains to legitimate ones. To avoid this, buy up all domains that are similar to your main domain.
Also, train your employees to check the domain address of every message they receive. A difference in the address may indicate that the message is from a scammer.
4. Practice good security hygiene
It’s important to educate your employees about internet safety practices. They must refrain from sharing sensitive information online or clicking on unsolicited messages. It’s also advisable to keep your systems up-to-date.
We recommend using an antivirus to provide protection from malware, a password manager to create and store complex passwords, and a dark web monitoring tool to ensure sensitive information like employee login credentials isn’t leaked online.
5. Frequently check your systems for irregularities
Scan your email systems frequently for irregularities. Ensure there are no changes in the configuration of your employees’ accounts. Also, check your company’s transaction history for odd transfers, and conduct regular security audits.
6. Double-check requests for payment or information
To eliminate the chances of complying with the requests of scammers, double-check every email request with a phone call. This simple precaution can effectively prevent BEC/EAC attacks.
Also, put checks and balances in place to prevent BEC/EAC scams. For example, create a strict chain of command that employees must follow before sending money or sharing confidential information. Ideally, multiple parties should sign off beforehand.
7. Use BEC prevention tools
BEC prevention tools protect businesses from attacks. These tools usually monitor emails to detect phishing attacks or spoofed addresses and block them or send alerts. Today, BEC prevention tools — like Proofpoints‘ — are equipped with machine learning (ML), artificial intelligence (AI), and other advanced technologies to protect businesses effectively.
Key Takeaways: Business Email Compromise
Business email compromise scams capitalize on the trust between colleagues or between a company and its business partners. Preventing these scams requires diligence at every level of an organization. Educating your employees is one of the best defenses against BEC/EAC attacks.
If you believe your organization has been a victim of a BEC scam, you can lodge a complaint with the FBI at https://bec.ic3.gov/.
Optimizing your company’s cybersecurity minimizes the chances of falling victim to BEC/EAC and other scams. Check out the articles below to learn more about how to secure your company online.
- What is Ransomware as a Service?
- Man-in-the-Middle Attacks: Everything You Need to Know
- What is a DDoS Attack and How Do DDoS Attacks Work?
- What Is Security Awareness Training and Why Is It Needed?
- 10 Cyber Security Tips to Keep Your Small Business Safe
Do you have questions about business email compromise scams? Check out our FAQ section below.
BEC stands for business email compromise (BEC). This is a “sophisticated” scam where criminals hack or spoof emails to request money transfers or sensitive information from a company. They usually impersonate a CEO, financial director, or business partner to trick employees into complying with their demands.
BEC and EAC scams are the same. Both rely on social manipulation and are designed to steal information or solicit fraudulent payments from unsuspecting victims.
There are various types of BEC scams, including CEO fraud, false invoice scams, attorney impersonation, and virtual meeting scams. Check out our article on business email compromise to learn more.
These are some ways to protect your company from falling for BEC attacks:
- Educate everyone in your organization about BEC attacks and follow strict protocols for financial transfers or sharing confidential information.
- Use two-factor authentication for all your business accounts.
- Protect your email domain by buying up similar ones to prevent spoofing.
- Stay safe online by practicing basic cyber hygiene.
- Check your systems for irregular transfers or security breaches.
- Double-check every payment or information request.
- Use BEC prevention tools to monitor emails and detect scam messages.
In BEC attacks, cybercriminals hack or spoof email addresses to request money or confidential information from a company. They may pose as a high-ranking executive, vendor, or legal representative to trick employees into complying with their requests.
While it can be tricky to tell fraudulent emails apart from legitimate ones, there are some telltale signs that can help you identify a suspicious email. For example, is the domain address or email address different from the one you’re used to? Does the request seem odd? These are grounds to treat an email as suspicious.
Yes, BEC is a type of phishing attack. While BEC scams are usually orchestrated via emails, threat actors have shifted their tactics in the past few years and are also targeted victims on virtual meeting platforms.
A compromised email is an address that has been accessed by cybercriminals. This may be due to leaked credentials or hacking. If you suspect your email address has been compromised, we recommend you change your password immediately and also activate two-factor authentication (2FA).