Email has been a popular delivery vehicle for malware and fraud for decades. Since the first phishing schemes of the 1990s, phishing techniques have only become more sophisticated. It’s particularly popular among criminals now; since 2019, the use of phishing scams has increased by 300%.
The reason for the increase? Despite the proliferation of easy-to-spot scams (Nigerian princes, for example) phishing works.
One of the most lucrative forms of phishing is business email compromise (BEC). According to the FBI, businesses worldwide lost more than $43 billion to BEC scams between July 2019 and December 2021. In fact, BEC scams made more money for threat actors than ransomware: in 2021, BEC attacks caused total losses of $2.4 billion in the US, while ransomware was the cause of just $49.2 million in losses the same year.
This article explores business email compromise, including what it is, why it’s used, and how you can reduce its impact on your organization.
What is Business Email Compromise?
Business email compromise, also called email account compromise (EAC), is a type of spear phishing. During a BEC attack, a threat actor impersonates someone within the victim’s trusted network, such as the CEO, an executive assistant, or a vendor.
The criminal engages in grooming behavior to set the target at ease, and then makes an urgent request, usually for business or financial information. The scammer will insist that the information is sent immediately, or there will be consequences such as a lost opportunity, or a legal impact to the company.
Criminals use BEC scams to steal personal information, funds, and credentials. They’re often after cryptocurrency, thanks to the anonymity and speed of crypto transactions.
What tactics do BEC scammers use?
- Spear phishing: Spear phishing attacks are highly targeted. A criminal researches a company, its leadership, its employees, and the vendors the company does business with. They then create messages that look like they’re from a trusted person to trick victims into revealing confidential information.
- Malware: By using malware to spy on legitimate conversations and email threads, attackers can slip into a conversation, posing as one of the legitimate participants. They can also learn valuable information about the inner workings of a company, such as when and how invoices are submitted or paid.
- Spoofing: By using an email address that’s just one or two letters off from a real address, spoofers hope they can start a conversation with a target without the target noticing that the email address isn’t quite right.
- Using legitimate emails: Compromising a legitimate email account allows an attacker to use that account to send messages without fear of being discovered.
What are some examples of business email compromise?
The aim of all BEC scams is to trick a mark into divulging sensitive information, but because each scam is tailored to its target, they may look different:
- A contractor with your department sends an updated invoice from a slightly different email address.
- A CEO emails employees in the company’s financial department, asking them to transfer payments to a new account number.
- A CEO asks her executive assistant to purchase several gift cards to send out as employee rewards and asks for the serial numbers so she can email them out.
- During the COVID lockdown, a company executive emails employees requesting urgent, confidential wire transfers to cover costs due to unexpected issues arising from COVID-19.
Why/How BEC Has Increased Over the Years
BEC has become a go-to attack for cybercriminals in recent years, with attacks rising by 175% in the last two years. There are a few key reasons for this.
Information is easily accessible
Thanks to social media and platforms like LinkedIn, researching your employees and company is easier than ever. Social engineers combine that information with what they find on your website and on the sites of your vendors to build scams targeting specific employees.
BEC scammers are excellent at using current events to their advantage, because they look for the opportunities in a crisis. The events of the last few years have presented several opportunities for fraud. During the pandemic, fraudsters posed as companies seeking funds from government agencies to order personal protective equipment. When Ukraine was invaded, scammers sent emails soliciting donations to help refugees. When supply chains were disrupted, BEC attacks targeted food shipments.
When remote work became the norm during lockdown, BEC scammers took advantage of the situation. Employees were no longer on site with co-workers and relied on email for communications, so it was easier to trick them into disclosing sensitive information in an email. Criminals even used virtual meeting platforms as part of their scams, sitting in on virtual meetings to collect information on organizations.
If BEC scams didn’t make money, criminals wouldn’t bother with them. BEC scams, however, have been responsible for billions of dollars in losses.
3 Steps to Reduce Business Email Compromise Risk
Nobody is immune to receiving a business-related spear phishing email, and plenty of people are tricked by convincing messages. However, there are some preventative measures that can greatly strengthen your organization’s defenses.
Train your employees
BEC scammers are con artists, and while some of their messages are very realistic, there are a few things BEC scams have in common, such as requests for sensitive information sent outside of normal channels, and a sense of urgency. Teach your team to pause whenever someone asks for money or information to be sent immediately. They should then double-check the request using a different form of communication, such as a phone call to a number they already have on file. Go beyond education by testing your staff periodically to see if they are putting this information into practice. It’s also important for your staff to know how much information criminals can get from social media, so they can be mindful about what they’re sharing online.
Secure your inboxes
Training is important, but it’s not enough. All the education in the world may not stop an unwary employee from falling for a scam. An employee cannot be scammed, however, if they don’t see the message at all. Machine-learning and other advanced solutions can help identify suspicious emails before your team even sees them, filtering or flagging suspicious messages. To keep intruders out of legitimate email accounts in the first place, use multi-factor authentication (MFA). Even if a criminal guesses or steals a password, MFA means that password alone is not enough to get into the account.
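The spoofing tactic described earlier (a sender address one or two letters off from a real one) and the flagging of suspicious messages described here can both be illustrated with a small triage script. The following is an added example written for this article, not Flare’s code or any product’s filter; the trusted domains, executive names and sample messages are all constructed. It scores a message on four signals that the examples in this article share: a sender domain that is a near-miss of a trusted domain (measured by edit distance), a Reply-To that diverges from the From address, a display name matching a known executive but sent from an outside domain, and urgency or payment language in the text.

```python
import re
from email.utils import parseaddr

# Constructed data for this example: the domains this organization trusts and
# the display names of executives whose names scammers might borrow.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}
KNOWN_EXECUTIVES = {"jane smith", "raj patel"}

# Phrases that recur in the BEC examples above: urgency plus an out-of-channel
# request for money, gift cards, or a change of payment details.
URGENCY_PATTERNS = [
    r"\burgent(ly)?\b", r"\bimmediately\b", r"\bright away\b",
    r"\bwire transfer\b", r"\bgift cards?\b", r"\bnew (bank )?account\b",
    r"\bconfidential\b",
]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_sender(header: str):
    """Split 'Display Name <user@domain>' into (lowercased name, lowercased domain)."""
    name, addr = parseaddr(header)
    return name.strip().lower(), addr.rpartition("@")[2].lower()


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates, or None.

    A domain that is exactly trusted is not a lookalike; one within a couple of
    edits of a trusted domain (acme-supp1ies vs acme-supplies) is.
    """
    if domain in trusted:
        return None
    best = None
    for t in trusted:
        d = levenshtein(domain, t)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, t)
    return best[1] if best else None


def triage(msg: dict) -> list:
    """Return (code, detail) findings for one message dict."""
    findings = []
    name, from_domain = parse_sender(msg["from"])

    target = lookalike_domain(from_domain)
    if target:
        findings.append(("lookalike-domain", f"{from_domain} resembles trusted {target}"))

    if msg.get("reply_to"):
        _, reply_domain = parse_sender(msg["reply_to"])
        if reply_domain != from_domain:
            findings.append(("reply-to-mismatch", f"replies go to {reply_domain}, not {from_domain}"))

    if name in KNOWN_EXECUTIVES and from_domain not in TRUSTED_DOMAINS:
        findings.append(("executive-name-external", f"'{name}' sent from external domain {from_domain}"))

    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}"
    hits = [p for p in URGENCY_PATTERNS if re.search(p, text, re.IGNORECASE)]
    if hits:
        findings.append(("urgency-language", f"{len(hits)} urgency/payment phrases matched"))
    return findings


def finding_codes(msg: dict) -> list:
    return [code for code, _ in triage(msg)]


# Constructed sample messages mirroring the article's examples.
SAMPLE_MESSAGES = [
    {"from": "Accounts Payable <billing@acme-supp1ies.com>", "subject": "Updated invoice",
     "body": "Please find the updated invoice attached. Our bank details changed; "
             "use the new account number below and pay immediately."},
    {"from": "Jane Smith <jane.smith.ceo@gmail.com>", "reply_to": "jane.smith.ceo@gmail.com",
     "subject": "Quick favour",
     "body": "I'm in a meeting and need you to buy gift cards for employee rewards "
             "right away. Send me the serial numbers and keep this confidential."},
    {"from": "Raj Patel <raj.patel@example-corp.com>", "subject": "Thursday",
     "body": "Are we still on for the vendor review on Thursday?"},
    {"from": "vendor@acme-supplies.com", "reply_to": "acme.billing@mail-example.net",
     "subject": "Urgent: payment",
     "body": "Please send the wire transfer today to avoid a late fee."},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["from"], "->", finding_codes(msg) or "no findings")
```

The edit-distance check is a heuristic, and in a real mail pipeline it sits alongside SPF, DKIM and DMARC results rather than replacing them; it will not catch homoglyph domains or a genuinely compromised trusted account, which is exactly why the article pairs filtering with MFA and out-of-band verification. Flagged messages should be held for review rather than silently dropped, so that legitimate vendor changes are still handled.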
Know the recent attack trends
When you know which BEC attacks are likely to be used against your company, you can prepare to avoid them. Proactively search out information about business email compromise in your industry and in general, and use the information generated by security researchers and government agencies to inform your cybersecurity strategy.
Data Leak Monitoring with Flare
Although there is plenty of open source threat intelligence available to you, there’s one source of information that can be tough to access: the information criminals share with one another. How can you know if your credentials have already been stolen?
Flare’s threat intelligence platform scans the dark and clear web, as well as Telegram channels, for leaked or stolen account credentials that you may not be aware of, as well as other data that employees may have unknowingly disclosed during a BEC attack.
Flare’s automated platform provides Telegram monitoring across hundreds of Telegram channels, giving you the ability to track search terms for stolen information.
To start monitoring your digital footprint and protecting your organization, sign up for your free trial today.