A business email compromise (“BEC”) attack is a type of spear-phishing attack, in which a malicious actor specifically targets an employee with purchasing power, or authority, over email. The threat actor will impersonate a trusted contact, such as an executive or corporate client, and ask the recipient to share sensitive, confidential information or initiate a wire transfer.
BEC attacks have become commonplace across the globe – and their success rate is high when compared to other forms of social engineering, such as phishing or smishing. According to the FBI, in the last three years, global corporate losses to BEC scams have eclipsed $26 billion. Similarly, according to cyber insurance broker AIG, BEC attacks were the top cause of insurance claims in 2019, even before ransomware.
Why are BEC attacks effective?
While the threat of ransomware is ubiquitous in media headlines, BEC should be acknowledged as presenting a similar level of risk. Unlike generic spam or phishing campaigns – which cast the net far and wide in an attempt to deceive multiple recipients into sharing sensitive information with a malicious actor – BEC attacks target specific recipients.
Prior to sending the spoofed email, the malicious actor will likely research the target organisation using online tools like Google, LinkedIn and Facebook. They will mine for open-source information that will help them to build an accurate picture of the hierarchy within the organisation – such as who has purchasing power and the company’s executives.
They may also look for details that would indicate recent changes within the organisation – for example, the onboarding of a new client or the introduction of a new software tool. Armed with this knowledge, the actor can then create a spoofed email that is disguised as a realistic communication.
To further enhance the legitimacy of their request, the threat actor may also use a spoofed email address – one that is only slightly different from the company’s legitimate email addresses. Taking Evalian as an example, look at the slight variations between these email addresses: firstname.lastname@example.org vs email@example.com. Without close inspection and in the day-to-day rush of work, an employee may not notice that the email they’ve received is inauthentic.
Moreover, BEC attacks often have a sense of urgency to them. The threat actor will use the authority of the source they are impersonating to put pressure on the victim to act quickly. As an example, a common BEC attack that circulated over the pandemic featured a threat actor impersonating companies’ CEOs or managing directors, asking employees to purchase and share gift card serial numbers within the next hour.
Given the move to a work-from-home environment over the last year and a half, BEC scams have been further allowed to blossom. Prior to the pandemic, many people worked in the same office. If an employee received a request which seemed odd or off, they could walk over to their colleague to verify the request. However, with many of us now working from home, it is more difficult to authenticate such requests.
Email Account Compromise: A step further from BEC
In the same vein as BEC, organisations should also be aware of Email Account Compromise (“EAC”). These attacks are a sophisticated evolution of BEC.
- BEC: Impersonates an employee or trusted source but does not compromise the email account. These attacks rely on deception tactics such as email spoofing and domain spoofing.
- EAC: Compromises an employee or trusted source’s email systems, impersonating them from their actual email account.
EAC threats are highly targeted and consist of multiple steps. In the same way that threat actors impersonate senior managers during a BEC attack, they will seek to compromise the email accounts of executives or clients who have purchasing power, with the authority to perform electronic transactions. Namely, they target CEOs, managing directors and finance leaders.
To compromise the account, threat actors can use different tactics, such as malware, social engineering or, more rarely, brute-force attacks.
Most commonly, these attacks start with credential phishing, where the malicious entity will send a fraudulent email to a recipient, with the aim of deceiving them into their email login credentials. It’s likely that the email will impersonate an authoritative, legitimate source – such as a government body, banking institution, IT / cloud service provider or the target organisation’s own IT function. By impersonating a reputable source, and often adding a sense of urgency to the email request (e.g., ‘your password is expiring, and you’ll lose access’), malicious actors hope that the recipient will act quickly – without questioning its authenticity.
The content of the email will usually contain a malicious link, which the recipient is instructed to click. This loads up a fraudulent web application, where they are instructed to enter login credentials. Once these credentials are entered, they are then forwarded straight to the inbox of the malicious actor.
An example of this could be an email claiming to be from a member of the security team, asking the recipient to urgently login to their Microsoft Office 365 account through a specific link in the email, to update their system, fix a security risk or change their password. By harvesting these details, the attacker can then login to the victim’s webmail account.
Once the attackers have compromised the chosen account, the threat actor usually performs one of the following actions:
- Automatic inbox forwarding: The actor sets up emails containing specific key words relating to payments – such as “transaction”, “finance” or “banking” – to forward to their own email account.
- RSS Folder: They will create an RSS folder where messages with these keywords are automatically filed.
The owner of the account is none the wiser to this forwarding mechanism, enabling the threat actor to go undetected. Then, once the actor spots an email chain that gives them an opportunity to effectuate a fraudulent transfer, they will remove the legitimate account owner of the email chain and spoof their email address, similarly to a BEC attack. However, with EAC, the attack is more likely to go undetected, as the fraudulent email will incorporate an entirely legitimate and authentic email chain. The actor will then reply to the other recipients on the chain, using the authority of the fraudulent email chain to request a fund transfer to their desired account.
As an example, let’s say you are a managing director at a company, and you are discussing receiving payment from a client over email. If your email account has been compromised, then a threat actor could intercept your email chain. From there, they could take your email address off the chain and add a deceptive one that impersonates you. They will then reply to your client and say your company banking details have recently been updated and ask them to send the funds to the new account. The client has no reason to suspect this request is counterfeit, as it comes off the back of a trusted, legitimate email chain between you and them.
How to protect against BEC and EAC
There are several ways to reduce the likelihood of a successful BEC or EAC attack within your organisation.
Use multi-factor authentication: The growth of EAC attacks has been facilitated by the increased use of Software-as-a-Service (“SaaS”) solutions – like Office365 and Gmail. These solutions offer superb flexibility, allowing employees to log on from any device, anywhere. But, at the same time, if a threat actor intercepts these details, they can do the same. Therefore, multi-factor authentication (“MFA”) is extremely important to protect against EAC. MFA provides an additional layer of security when logging in to SaaS applications, preventing perpetrators from accessing them with simply a password. You can consider additional measures like single sign-on or a conditional access policy. The NCSC has further advice on multi-factor authentication.
Protect against phishing: Social engineering attacks begin with a successful phishing lure. By reducing the number of phishing emails your employees receive, you can reduce the likelihood of a successful BEC or EAC. Consider using anti-spoofing measures and filtering controls as part of your defence. For detailed guidance on these, read the NCSC’s guide on preventing phishing attacks in the enterprise.
Awareness and training: While you cannot rely on employees alone to catch BEC, you should nevertheless incorporate social engineering training into your learning and development programmes. Arming employees with the knowledge they need to detect these attacks is crucial and you should conduct regular security training. To reinforce this training, you can also consider performing employee phishing tests. This form of training simulates a phishing attack on your employees. It can help you to understand the effectiveness of your training programme while also improving your workforce’s detection capabilities. Read our guide on employee phishing tests.
Detection and flagging: Administrators should introduce measures to detect and flag BEC scams. Popular methods for doing this include:
- Create intrusion detection system rules, which mark email addresses with extensions that are similar – but slightly different to – the company email.
- Create an email rule to flag email communications where the “reply” email address is different from the “from” email address shown.
- Add coding to email correspondence, so it’s easy for employees to see if an email is from an internal account or an external one.
- Put in place policies that mandate employees must verify any payments with an additional step – such as via text, over the phone or on a collaboration tool. As part of this, you should guide your employees to use previously known phone numbers – not the phone number listed in the email – to confirm any transactions.
Incident response: If a successful attack does occur, you need to have a plan in place to minimise the damage caused. To help you formulate your own incident response plan, we’ve written a detailed guide on incident response.
If you need help to improve security awareness and reduce the risks of phishing and BEC, please get in touch with our friendly team today.