Introduction

Enterprise employees are inundated with dozens of emails each day. This endless stream of inbound information is full of intra-team messaging, external sales & partnership outreach, and other legitimate communications. Of course, it’s also accompanied by a high volume of fraud.

Threat actors typically play a numbers game when targeting enterprises with email fraud campaigns. They’ll send thousands of emails to thousands of recipients, hoping that just ONE will click a compromised link or take some other socially engineered action.

These emails have a very low success rate; they’re either quickly identified and sorted into designated spam folders by enterprise network security policies, or they’re identified and deleted by employees themselves thanks to tell-tale signs of fraudulent communication (misspelled email addresses, malformed links, attachments with suspicious names, etc.).

In some cases, however, email fraud isn’t just a numbers game. Much unlike mass spam attacks, Business Email Compromise (BEC) attacks are well-researched, targeted ventures carried out by threat actors with intimate knowledge of specific internal or external relationships and hierarchies within an enterprise. Enterprise employees subjected to BEC attacks will typically receive emails from a “higher up” entity within their organization or an external “trusted vendor” entity they’re familiar with, and the email will request that they send money or information to the “trusted” entity both urgently and quietly.

BEC attacks continually catch enterprises off guard, and as a result, they’re one of the most financially damaging cybercrimes in the world today. In this article, we’ll cover everything you need to know about BEC attacks, and we’ll discuss how they can be mitigated with better awareness, verification procedures, and AI-powered fraud detection security policies.

Defining BEC in Plain Terms

Business Email Compromise (BEC) is a scam where criminals pretend to be someone you trust, such as your boss, your coworker, or a vendor you work closely with. Criminals carrying out BEC attacks use carefully crafted emails to trick you into sending them money or sharing sensitive information with them.

It’s critical to understand that BEC attacks are most often NOT about hacking into or gaining control of your enterprise network. Their goal is to exploit a trust relationship for a specific gain as quickly and cleanly as possible.

How BEC Works

BEC attacks are engineered with careful research, and they don’t necessarily contain suspicious links or attachments. This is what chiefly separates BEC attacks from mass spam email attacks.

Criminals will identify a vulnerable enterprise and begin investigating potential targets within it. Once a viable target is selected (i.e., someone who is likely to have access to sensitive information or enterprise financial accounts), they’ll gather as much information as they can about the environment their target works in, such as who their target reports to internally and/or which external vendors or partners their target works with.

From there, criminals will decide which trusted entity to impersonate, and they’ll use information about that entity to craft an email that establishes trust solicits urgency.

Common Examples

One of the most common cases of BEC is Chief Executive Office impersonation. In most enterprises, CEOs are powerful individuals; their title inherently commands attention, and nobody wants to disappoint them. A direct email request from a CEO comes with a baked-in sense of urgency, and criminals exploit this urgency to goad employees into making hasty wire transfers or releasing sensitive data.

Another common case of BEC is vendor impersonation. Many vendors bill their clients on steady, predictable schedules, and this presents criminals with an opportunity to hijack the vendor payment process. A criminal might research and impersonate a marketing agency that their target enterprise works with, emailing the enterprise an invoice of their own with near-identical copy and adjusted payment details.

Similarly, it’s also common for criminals to exploit compromised employee accounts used to regularly request sensitive data or redirect payments. Matching the typical tone and urgency of these emails is a straightforward way for criminals to make their targets take normal, cyclical actions with seemingly only a few minor adjustments to the usual routine.

Preventing BEC Attacks

Preventing BEC attacks requires extra diligence from enterprise employees. Most importantly, it’s critical that employees rely on multiple forms of communication and verification before acting upon unusual or high-value requests. For example, if an employee receives a high-priority email from their CEO requesting the transfer of a large sum of money, they should not carry out the request until they receive vocal verification (in person or on the phone) from the executive confirming the request is valid.

In some cases, it’s prudent to remove a single point of failure in large financial transfers altogether. Requiring multiple executives to be involved in the approval of large financial transfers or changes to vendor payment details reduces the likelihood of a successful scam.

Perhaps most importantly, it’s critical for enterprises to remove some of the onus placed upon employees to identify scams. AI-driven email threat detection can play a critical role in mitigating BEC attacks for any enterprise by indicating the likelihood that a given email from an executive or vendor is illegitimate. AI-driven security solutions can investigate components of email files in a way regular employees cannot at first glance, noting inconsistencies in where (geographically) the email originated from or which account the email address actually points to. It can also compare phrasing, writing styles, and other social engineering characteristics against databases of known scams.

Conclusion

BEC attacks continue to be a significant threat for enterprises of all shapes and sizes. Falling victim to a single targeted BEC attack can lead to devastating financial loss and an erosion of trust both inside and outside of an organization. It’s critical that enterprises stay up to date on BEC trends to secure their networks against BEC scams.

For expert advice on handling BEC attacks against your organization & to discuss mitigation with AI-security, please feel free to contact a member of our team.