Lepide Blog: A Guide to IT Security, Compliance and IT Operations

What is Business Email Compromise and How Do You Detect it

Business Email Compromise

What is Business Email Compromise

Business Email Compromise (BEC) is an email-based phishing attack where financially motivated attackers trick unsuspecting executives and employees into making payments or sending sensitive data to fraudulent accounts. Business Email Compromise can be difficult to prevent as the attackers may utilize social engineering techniques such as impersonation and intimidation to manipulate users.

So, how do you detect business email compromise, and what do you do to prevent it?

Types of Business Email Compromise Scams

According to FBI’s 2020 Internet Crime Report, the FBI Internet Crime Complaint Center (IC3) received about 20,000 complaints about Business Email Compromise. The reported losses due to the Business Email Compromise increased to $1.86 billion in 2020, from $1.29 billion in 2018. This shows a worrying trend in these attacks. Some of the common Business Email Compromise scams include;

Account compromise

An employee’s company email account may be compromised and is used to send Business Email Compromise scams to other organizations and contacts from the compromised account.

Attorney or tax accountants impersonation

The attackers may impersonate an attorney, a tax accountant, or a representative from organizations like the IRS to scam the employees. These attacks usually attempt to pressure employees into acting quickly to avoid some kind of repercussions.

Data theft

The attackers may target employees who have access to employee data, such as HR, to obtain sensitive or private data regarding other employees and executives. They then use this data to plan future attacks.

CEO Fraud

In this type of attack, the attackers pose as a Company’s CEO or top executive and send emails to employees. They direct them to send money or expose private company data.

False invoicing schemes

Here, attackers spoof emails from different organizations or vendors that the victim works with. This email includes an invoice requesting payment to a specific account that the attackers control, thus stealing funds.

How do you detect Business Email Compromise

There are no foolproof ways for detecting Business Email Compromise attacks. However, there are common signs that your company and employees can watch out for to keep away from these attacks or reduce the impact of these attacks in case they happen. These attackers usually rely on access to corporate information to create a sense of authenticity. Employees should, therefore, always be on the look when reading internal emails from senior management. Some of the common signs of Business Email Compromise attacks include;

Spelling mistakes

You must have seen some emails filled with spelling mistakes or grammar errors. These should always raise a red flag. Employees should be suspicious of spelling mistakes and poorly worded emails, especially when dealing with requests for financial transactions. Business Email Compromise scams are likely to be more sophisticated than typical phishing attacks, but their messages may still contain spelling and grammatical mistakes that would help reveal a scam.

Suspicious emails from senior executives

Attackers may send emails pretending to be senior executives to ensure they gain a psychological advantage over their victims. Therefore, when receiving instructions from senior management, especially those that seem to be urgent in nature, employees should reflect whether it’s out of the character of the senior executive to send such requests, more so if the requests concern requests for sensitive information or financial transactions.

Requests to bypass set procedures

Many organizations, especially those that deal with large and time-sensitive financial transactions, have strict procedures in place for purposes of security. Employees should beware of requests that demand them to bypass routine procedures for whatsoever reason, regardless of the sender. The requests that ask you to skip protocol are usually the first and clearest indication of an impending attack. Employees should always confirm the source of the email containing the requests or instructions before carrying out similar requests. In case an employee is in doubt, it’s best to reach out to the sender in person to confirm.

How to Protect Against Business Email Compromise Attacks

A Business Email Compromise attack, when successful, can be extremely costly and damaging to an organization. These attacks, however, can be detected and defeated by taking some email security precautions, such as;

Anti-phishing protection

Business Email Compromise emails are a type of phishing attack. Deploying anti-phishing solutions is essential to protect against them. Any credible anti-phishing solution should be capable of identifying the attacks or any red flags of Business Email Compromise emails. These solutions will use machine learning to analyze the email language for any indications of an attack.

Employee education

Business Email Compromise attacks usually target an organization’s employees, hence making email security awareness training critical for cybersecurity reasons. Therefore, it is essential to train employees on how to identify and act on Business Email Compromise attacks to minimize the threat of this form of phishing.

Segregation of duties

Business Email Compromise attacks try to trick employees into taking high-risk actions such as sending money or sensitive information to persons seemingly known to them without verifying the request. Therefore, an organization should implement policies and rules for these actions that require independent verification from a different employee to decrease the probability of a successful attack.

Differentiating external from internal emails

Business Email Compromise attacks usually try to impersonate internal email addresses using domain spoofing or using lookalike domains. Therefore, an organization should configure its email programs to label emails coming from outside of the organization as external to help defeat this scheme.

Two-factor authentication

Most BECs usually require access to a senior executive’s email account. One way to help prevent them is to ensure that the executive accounts have the best protection. The two-factor authentication method increases protection against scammers since it requires access to the account holder’s device, in addition to login credentials. Using a unique dynamic passcode or PIN when accessing the account from new devices also makes it less likely that scammers obtain access to the executive accounts.

Anti-spam software

Anti-spam software solutions are capable of guarding against more sophisticated forms of phishing. They also offer ransomware attack protection. Traditional anti-spam solutions are configured to recognize falsified emails containing suspicious attachments and may have difficulties detecting emails sent directly from a compromised corporate email account. Nonetheless, they’re essential solutions that will protect an organization’s assets and information.

Closing thoughts

Business Email Compromise attacks can be catastrophic. In a typical Business Email Compromise scam, an attacker poses as someone the victim should trust, such as a colleague, a senior executive in the organization, or a vendor. The attacker may ask the victim to make a financial transfer, divert a payroll, or even change banking details.

The attacks are oftentimes difficult to detect because they don’t typically use malware or malicious URLs that can be easily analyzed using standard cyberattacks defenses. Business Email Compromise attacks usually rely on impersonation and other social engineering schemes to trick people into acting on behalf of the attacker. Because of this targeted nature and the use of social engineering, investigating to detect and remediate these attacks manually is difficult and time-consuming. Luckily, there are solutions that help detect Business Email Compromise attacks and warn you.

If you’d like to see how the Lepide Data Security Platform can help you detect and react to security threats within your infrastructure, schedule a demo with one of our engineers.