What is BEC?
The goal of a business email compromise (BEC) attack is to trick an organization into making a fraudulent payment or giving up sensitive data such as personally identifiable information or intellectual property. According to the FBI, there were $43 billion worth of losses between 2016 and 2021 due to business email compromise.
How does business email compromise happen?
BEC attacks occur when a cybercriminal poses as a trusted source from within a business, such as a senior executive, or as an external source such as a vendor within an organization's supply chain or a government department. Attackers will either compromise a legitimate email account through account takeover or use a spoofed email address that closely resembles a real one.
From there, attackers usually rely on text-based social engineering rather than malicious links or attachments. They use their assumed authority to trick an employee into paying a fraudulent invoice or giving up sensitive data. By the time the mistake is realized, it's usually too late.
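Because a BEC message carries no malicious link or attachment, a defender has to look at the sender's identity and the pretext itself. The following pre-screen is an added example, not code from the original article or from any vendor product: it flags an executive's display name on an external address, a sender domain that is a near-miss of the company's own, a Reply-To that diverts replies elsewhere, and payment-pressure wording in the body. The company domain, the protected-name list and the phrase list are assumed values constructed for the example.

```python
import re
from email.utils import parseaddr

# Assumed values for the example: the defending organization's domain and a
# small directory of executive names worth protecting from impersonation.
COMPANY_DOMAIN = "example-corp.test"
PROTECTED_NAMES = {"christopher sinclair", "jane doe"}
# Phrases typical of payment-fraud pretexts; constructed list, not exhaustive.
PRESSURE_PHRASES = re.compile(
    r"\b(wire transfer|urgent|confidential|keep this between us|new bank details)\b",
    re.IGNORECASE)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike_domain(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True for a domain that is close to, but not the same as, the legitimate one."""
    if domain == legit:
        return False
    label, legit_label = domain.split(".")[0], legit.split(".")[0]
    return edit_distance(label, legit_label) <= 2 or legit_label in label

def screen_message(from_header: str, reply_to: str = "", body: str = "") -> list:
    """Return the BEC indicators found; an empty list means nothing suspicious."""
    findings = []
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain != COMPANY_DOMAIN and display_name.strip().lower() in PROTECTED_NAMES:
        findings.append("executive display name on an external sender address")
    if is_lookalike_domain(domain):
        findings.append(f"lookalike sender domain {domain}")
    if reply_to:  # replies silently redirected away from the claimed sender
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.rsplit("@", 1)[-1].lower() != domain:
            findings.append("Reply-To domain differs from From domain")
    if PRESSURE_PHRASES.search(body):
        findings.append("payment-pressure language in body")
    return findings
```

A message such as `"Christopher Sinclair" <ceo@example-c0rp.test>` asking to "process this wire transfer today" trips three of the four checks, which is the kind of context a signature-based gateway never sees.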
A real-life example of a BEC attack
The world-famous toy manufacturer, Mattel, fell victim to a business email compromise attack in 2015.
The hackers had conducted in-depth research on the company structure before committing the crime. As a result, they knew who to target and what the company's payment patterns were. Posing as the new CEO, Christopher Sinclair, the cybercriminals emailed a finance executive who had the authority to approve large cash transfers.
Having convinced the finance executive that their request was legitimate, the impostors managed to steal $3 million.
Why do cybercriminals carry out business email compromise attacks?
There are many motivations behind a business email compromise attack, which we'll explore below:
1. Financial gain
BEC attacks are one of the most lucrative forms of cybercrime, making them popular amongst cybercriminals. On average, hackers made $80,000 per successful attack in 2020.
Cybercriminals make money from BEC in two key ways:
- Wire transfer: Often, a hacker will impersonate a senior business leader to convince a member of staff to send a large sum of money to an account that they control.
- Selling data: If a cybercriminal gains access to company data, they can sell it on the dark web for a profit.
2. High success rate
Not only are BEC attacks financially rewarding, but they're also notoriously difficult to catch with email security that relies on signature-based detection.
Instead of using suspicious links or attachments, which will usually get flagged by secure email gateways (SEGs), cybercriminals employ social engineering techniques to trick victims into willingly handing over sensitive data or money.
Attackers will spend time up front to research the company structure, establish a strong email sender reputation and sometimes even build rapport with victims to gain their trust, flying under the radar until the damage has been done.
As a result, a BEC scam presents the perfect opportunity for a cybercriminal to pull off a high reward, high success crime with relatively low effort or risk.
3. Easily-scammed victims
Although businesses are becoming increasingly aware of the importance of cybersecurity training, employees are, surprisingly, getting worse at detecting email attacks. To make matters worse, a study from Lloyd's Bank revealed that 25% of staff who fell victim to BEC scams admitted to concealing their error.
Employee negligence, therefore, creates the perfect environment for a cybercriminal to strike. Not only can they catch out their victims easily, but hackers are aware that many employees will be too embarrassed to own up to the incident, leaving them free to continue conning other members of staff.
ICES solutions can protect you
The most powerful defense against business email compromise (BEC) is to bolster your existing email security with an integrated cloud email security (ICES) solution. ICES solutions such as Egress Defend analyze both the content and context of emails using a combination of machine learning, natural language processing, and social graphs.
This means every email is treated with zero trust and analyzed for the underlying signs of phishing, rather than relying on detecting previously identified malicious signatures.