Business e-mail compromise (BEC) is an attack in which an attacker breaks into a corporate e-mail account and impersonates its real owner to defraud the company, its customers, partners, or employees into sending money or sensitive data to an account the attacker controls.
BEC is also known as a “man-in-the-email” attack. This is derived from the “man-in-the-middle” attack where two parties think that they are talking to each other directly, but in reality, an attacker is listening in and possibly altering the communication.
A BEC scam starts with research. An attacker will sift through publicly available information about your company from your website, press releases, and even social media posts. He/she might look for the names and official titles of company executives, your corporate hierarchy, and even travel plans from email auto-replies.
The attacker will then try to gain access to an executive’s e-mail account. To remain undetected, he/she might create inbox rules or change the reply-to address so that the executive is not alerted when the scam is executed.
Another trick is to send e-mail from a spoofed or look-alike domain. For example, the attacker might use email@example.com instead of firstname.lastname@example.org, or email@example.com instead of firstname.lastname@example.org. If you do not pay close attention, it is easy to be fooled by these slight differences. One of the most famous look-alike domain tricks ever was “PayPa1.com”, a scam site imitating the money transfer website Paypal.com.
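As an added example (not code from the original article), the following Python check looks for the two tricks just described: a Reply-To header that diverts answers away from the real sender, and a look-alike domain of the “PayPa1.com” kind. The trusted-domain list, the confusable-character table, and the sample message are constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string, policy
from email.utils import parseaddr

# Domains the (hypothetical) organisation and its partners legitimately use.
TRUSTED_DOMAINS = {"example.com", "paypal.com"}
# Digit-for-letter swaps seen in look-alike domains such as "PayPa1.com"; heuristic only.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e"})

def normalise(domain):
    """Fold common substitutions so a look-alike compares equal to its target."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m")

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        # Exact match after folding, or a near-miss spelling (a character or two off).
        if normalise(domain) == trusted or SequenceMatcher(None, domain, trusted).ratio() >= 0.85:
            return trusted
    return None

def domain_of(header_value):
    """Bare domain from a header such as 'CEO <ceo@example.com>' (empty if absent)."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()

def bec_indicators(raw_message):
    """Flag a Reply-To that diverts answers and any look-alike From/Reply-To domain."""
    msg = message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    findings = []
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for header, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        imitated = lookalike_of(dom)
        if imitated:
            findings.append(f"{header} domain {dom} imitates {imitated}")
    return findings

# Constructed sample: the sender looks legitimate, but replies are diverted to a look-alike.
SAMPLE = """From: "CEO" <ceo@example.com>
Reply-To: ceo@examp1e.com
Subject: Urgent wire transfer

Please process the attached supplier invoice today.
"""
```

Run `bec_indicators(SAMPLE)` to see both warnings; a message with no Reply-To and a trusted sender domain returns an empty list.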
After scouting corporate communications for some time, the attacker will probably have a good idea of scam scenarios that might work. For instance, if the company has a lot of suppliers, he/she can send invoices to accounting for the rush payment of materials. The attacker would know who is responsible for wire transfers and be able to craft a convincing scenario that would require the immediate transfer of funds.
While a BEC scam can target anyone in the company, high-level executives and people working in the finance department are the most likely targets. According to Krebs on Security, phishing attacks that spoofed the CEO or company director were among the most costly scams reported in 2016. “Whaling” and “CEO Fraud” are two emerging terms used to describe the phenomenon of targeting high-level executives, and are typically more difficult to detect than traditional phishing scams since they are so targeted.
Some of the most prevalent examples of BEC scams are:
However, business e-mail compromise attacks do not only involve money; sometimes, attackers seek PII or trade secrets.
One high-profile BEC case involved a Lithuanian cybercriminal who impersonated the e-mail addresses of suppliers. The targeted companies included Apple and Facebook. By posing as those suppliers, the attacker stole $100 million over two years. In another case, the CEO of FACC AG was fired after such an attack cost the company $54 million.
Business e-mail compromise attacks have already cost U.S. businesses at least $1.6 billion in losses from 2013 to the present. According to the Federal Bureau of Investigation, that number could easily be as high as $5.3 billion around the world.
In 2016, there were at least 40,000 incidents of business e-mail compromise or other e-mail-related incidents, an increase of around 2,370% since January 2015. In the second half of 2016 alone, the FBI reported more than 3,044 victims in the United States, with a combined loss of around $346 million.
Where does most of the money go? Most of the victims are told to send the money to an Asian bank, usually in Hong Kong or China, or a bank in the United Kingdom.
Business e-mail compromise attacks are successful for three main reasons:
Multi-factor authentication should be implemented as an IT security policy. It helps prevent unauthorized access to e-mail accounts, especially when an attacker attempts to log in from a new location. In addition to stronger security controls, employee education is also important: employees should be trained to recognize fraudulent e-mails. Always be skeptical of urgent, rush money transfer requests, especially from C-level executives, and verify those requests by phone or in person.