Business email compromise (BEC) is a major and rapidly growing cybersecurity threat that has caused billions of dollars in losses globally.
According to a recent report by Arctic Wolf, in a survey of over 1,000 senior IT and cybersecurity decision-makers from 15 countries, 70% reported that they were targeted by attackers with the goal of business email compromise.
The FBI’s 2022 Internet Crime Report tallied 21,832 BEC complaints resulting in over $2.7 billion in adjusted losses, a significant increase from previous years. BEC attacks are lucrative for cybercriminals as they require relatively low effort compared to other cyber threats like ransomware.
Common Business Email Compromise Tactics
Business email compromise (BEC) attacks employ various tactics to deceive victims and appear legitimate. Some common tactics used by cybercriminals include:
- Display Name Spoofing: This involves using the name of an executive or trusted individual in the “From” field of the email, while the actual email address belongs to the attacker, often from a free email service like Gmail. This exploits the tendency to focus on the displayed name rather than scrutinizing the email address.
- Domain Spoofing: Attackers forge a company’s trusted domain in the sender address of fraudulent emails, exploiting the trust people place in that brand.[1] Without proper email authentication controls, anyone can spoof a domain to send messages impersonating that organization.
- Lookalike Domains: Cybercriminals register domains that are very similar to a legitimate company’s domain, differing by just a few characters. These lookalike domains can easily deceive recipients into thinking the email is from the real organization.
- Email Account Compromise: Attackers gain unauthorized access to an employee’s legitimate email account, often through phishing or malware. They can then send emails from this trusted account to other employees or partners, making the requests appear genuine.
- Social Engineering: BEC attacks heavily rely on social engineering tactics like urgency, authority, and specificity to pressure victims into acting quickly without verifying the request. Attackers may research their targets to make their emails more convincing.
- Conversation Hijacking: Cybercriminals compromise email accounts and hijack existing conversations or threads where trust has already been established between parties. This allows them to seamlessly insert fraudulent requests into an ongoing legitimate exchange.
By understanding these common BEC tactics, organizations can better train employees, implement technical controls like email authentication, and have robust incident response plans to mitigate these insidious attacks.
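As an added illustration that is not part of the original article, the following Python script shows how a mail-filtering step could flag three of the tactics above from nothing more than the From: header: an executive's display name on an address that is not theirs, that address sitting on a free-mail domain, and a sending domain within a couple of character edits of one of the organization's own domains. The executive list, trusted domains, free-mail list and sample headers are constructed for the example and stand in for whatever directory data a real deployment would use.

```python
from email.utils import parseaddr

# Constructed reference data for a hypothetical organisation (not real values).
TRUSTED_DOMAINS = {"example.com", "mail.example.com"}
EXECUTIVES = {                      # display name -> the only address allowed to carry it
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
FREE_MAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}
LOOKALIKE_MAX_EDITS = 2             # how many character edits still count as "lookalike"


def edit_distance(a, b):
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                  # delete ca
                           cur[j - 1] + 1,               # insert cb
                           prev[j - 1] + (ca != cb)))    # substitute
        prev = cur
    return prev[-1]


def analyze_from_header(raw_from):
    """Return the list of BEC indicators found in a raw From: header value."""
    name, addr = parseaddr(raw_from)
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    display = " ".join(name.split()).lower()
    findings = []

    # Display-name spoofing: a known executive's name on a different address.
    if display in EXECUTIVES and addr != EXECUTIVES[display]:
        findings.append("display-name-spoof")
        if domain in FREE_MAIL_DOMAINS:
            findings.append("free-mail-sender")

    # Lookalike domain: not one of ours, but within a few edits of one of ours.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if edit_distance(domain, trusted) <= LOOKALIKE_MAX_EDITS:
                findings.append(f"lookalike-domain:{trusted}")
    return findings


# Constructed sample headers: one genuine, three that should be flagged.
SAMPLE_FROM_HEADERS = [
    '"Jane Doe" <jane.doe@example.com>',
    '"Jane Doe" <ceo.janedoe@gmail.com>',
    'John Smith <john.smith@exarnple.com>',
    '"Accounts Payable" <ap@examp1e.com>',
]


def scan_headers(headers=SAMPLE_FROM_HEADERS):
    """Map each header to its indicators; an empty list means nothing suspicious."""
    return {h: analyze_from_header(h) for h in headers}


if __name__ == "__main__":
    for header, findings in scan_headers().items():
        print(f"{header:45} -> {findings or 'clean'}")
```

The edit-distance threshold is deliberately small: at two edits it catches the classic `rn` for `m` and `1` for `l` substitutions without flagging every unrelated short domain, and a production filter would apply it to the registrable domain rather than the full host name so that legitimate sub-domains are not compared against each other.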
How To Protect Against BEC
Insurers and cybersecurity firms recommend the following best practices to protect against BEC attacks:
- Use Secure Email and Multi-Factor Authentication: Implement a secure email solution like Office 365 that can automatically detect and block suspicious emails. Enable multi-factor authentication (MFA) which requires additional verification beyond just a password to access email accounts, making them much harder to compromise.
- Train Employees: Conduct regular training to teach employees how to identify BEC red flags like spoofed domains, urgency demands, requests for secrecy, and other warning signs. Simulate phishing attempts to keep employees vigilant. Ultimately, employees should function as a “human firewall” for your organization, the most important line of defense.
- Implement Security Best Practices: Use email authentication protocols like SPF, DKIM, and DMARC to prevent spoofing. Restrict email forwarding rules that attackers exploit. Consider using a secure payment platform instead of emailed invoices.
- Have an Incident Response Plan: If a BEC attack occurs, act quickly – contact your bank to reverse any fraudulent wire transfers and file reports with law enforcement and the FBI’s IC3 center. Conduct a full cybersecurity analysis, reset credentials, and review email systems for unauthorized access.
By utilizing robust email security, training personnel, adhering to best practices, and having an effective incident response plan, organizations can significantly reduce their risk of falling victim to costly BEC scams.
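The SPF and DMARC recommendation above is only as good as the records actually published, and a monitor-only DMARC policy or a soft-failing SPF record leaves the domain spoofable. As an added example that is not part of the original article, the following Python checks a domain's SPF and DMARC TXT records for the settings that commonly undermine them, and shows a weak record pair beside a hardened one. The records for `example.com` are constructed for the example (DKIM is not covered, since it is verified per message rather than read from a single policy record).

```python
import re

# SPF terms that consume a DNS lookup; RFC 7208 caps these at 10 per evaluation.
LOOKUP_TERM = re.compile(
    r"[+\-~?]?(include:.+|a(?:[:/].*)?|mx(?:[:/].*)?|ptr(?::.*)?|exists:.+|redirect=.+)"
)


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; rua=...' into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return the weaknesses in a DMARC TXT record; an empty list means enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["missing-or-invalid-dmarc"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("policy-none-monitor-only")   # spoofed mail is still delivered
    elif policy not in ("quarantine", "reject"):
        findings.append("policy-missing")
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append("subdomain-policy-none")      # sub-domains remain spoofable
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"partial-enforcement-pct={pct}")
    if "rua" not in tags:
        findings.append("no-aggregate-reporting")      # nobody learns who is spoofing you
    return findings


def assess_spf(record):
    """Return the weaknesses in an SPF TXT record; an empty list means strict."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["missing-or-invalid-spf"]
    findings = []
    last = terms[-1].lower()
    if last in ("all", "+all"):
        findings.append("all-permitted")      # every host on the Internet passes SPF
    elif last == "?all":
        findings.append("neutral-all")
    elif last == "~all":
        findings.append("softfail-all")       # forged mail is usually still delivered
    elif last != "-all" and not last.startswith("redirect="):
        findings.append("no-all-mechanism")
    lookups = sum(1 for t in terms[1:] if LOOKUP_TERM.fullmatch(t.lower()))
    if lookups > 10:
        findings.append(f"exceeds-10-dns-lookups:{lookups}")  # receivers return permerror
    return findings


# Constructed records for a hypothetical example.com: a weak pair and a hardened pair.
WEAK_RECORDS = {
    "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net ~all",
    "dmarc": "v=DMARC1; p=none; pct=50",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com",
}


def assess_records(records):
    """Assess a {'spf': ..., 'dmarc': ...} pair and return the findings per record."""
    return {"spf": assess_spf(records["spf"]), "dmarc": assess_dmarc(records["dmarc"])}


if __name__ == "__main__":
    for label, recs in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, assess_records(recs))
```

Run against live DNS, the same functions would take the TXT strings returned for the domain and for `_dmarc.<domain>`; the usual path to the hardened pair is to publish `p=none` with a `rua` address first, fix the legitimate senders the reports reveal, then move to `quarantine` and finally `reject` at `pct=100`.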