Business Email Compromise (BEC), sometimes also referred to as “CEO Fraud”, is nothing but a modern twist on the financial scams of old. Cybercriminals engaging in BEC attacks rely on social engineering techniques such as phishing and spear-phishing, sometimes combined with credential harvesting and other attack patterns, to masquerade as an important company figure requesting information or the completion of an action by a lower-level employee.
At its heart, Business Email Compromise (BEC) is a deception game. The attacker pretends to be someone of authority and influence, such as a CEO or another executive. The attacker would send an urgent request to a lower-level employee, instructing them to disclose sensitive information such as trade secrets or private financial information, or to urgently transfer money to a foreign bank account.
Cybercriminals engaging in Business Email Compromise (BEC) attacks need to be convincing in order to pull off the heist. For this reason, a BEC attack needs preparation – which starts with in-depth reconnaissance.
Apart from gaining as much information as possible from external sources, attackers will also typically attempt to compromise one or more employee email accounts to gather as much insider information as possible.
In general, attackers would be after information such as:
- Where and with whom the organization does business
- Who’s who, and who reports to whom within the organizational structure
- Upcoming funding rounds, products, services and ventures
- Travel plans and vacation leave of key individuals
Once the attackers know who to impersonate, who to target and what message to send, it’s a matter of being patient enough to wait for the right moment to launch a swift attack.
The following are just a few examples of a Business Email Compromise (BEC) attack.
- Spoofed email to a financial controller from a company executive such as the CEO or CFO
- Spoofed invoice from a supplier or business partner
- Spoofed email from an attorney regarding a confidential business acquisition
- Spoofed email from the CFO asking for confidential financial information
Business Email Compromise (BEC) gains less attention in the media than data breaches and ransomware. However, BEC is one of the cyberattacks that continues to inflict serious monetary and intellectual property losses.
The FBI has been tracking Business Email Compromise since 2013. They estimate that since 2015 BEC attacks have affected every state in the US, as well as 100 countries and triggered losses totaling over $5 billion.
While technical security controls such as DMARC, DKIM, and SPF play an important role in preventing domain name spoofing, attackers typically bypass these by registering similar-looking, typosquatted domain names, or by compromising legitimate user email accounts.
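Because a typosquatted or lookalike domain passes DMARC, DKIM and SPF for the attacker's own domain, mail-flow defenses need a second check that compares the sender against domains the organization actually trusts. The following is an added example, not code from the original article: it classifies a `From:` header as trusted, a homoglyph lookalike (`examp1e-corp.com`), a typosquat within a small edit distance (`acme-suplier.com`), a trusted domain embedded in a longer one, or an external address that reuses an executive's display name. The trusted domains, the executive roster and the sample headers are all constructed for this illustration.

```python
from email.utils import parseaddr

# Constructed for this example (hypothetical organisation): domains the company
# trusts and the executives most likely to be impersonated in a BEC message.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplier.com"}
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}

# Substitutions attackers use to make a registered domain look like the real one.
# Multi-character pairs go first so "rn" folds to "m" before single characters.
HOMOGLYPH_FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed From: headers standing in for a day's inbound mail.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example-corp.com>",
    "Jane Doe <jane.doe@examp1e-corp.com>",
    "Accounts Payable <ap@acme-suplier.com>",
    "billing@example-corp.com.attacker-domain.test",
    "Jane Doe <ceo.janedoe@gmail.com>",
    "Newsletter <news@vendor-news.org>",
]


def fold_homoglyphs(domain: str) -> str:
    """Lower-case a domain and fold look-alike characters to the letters they mimic."""
    folded = domain.lower().rstrip(".")
    for lookalike, real in HOMOGLYPH_FOLDS:
        folded = folded.replace(lookalike, real)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch dropped, doubled or swapped letters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str):
    """Return (verdict, matched_trusted_domain) for an RFC 5322 From: header value."""
    display_name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[1].lower() if "@" in addr else ""
    name_key = " ".join(display_name.lower().split())

    if domain in TRUSTED_DOMAINS:
        return "trusted-domain", domain

    for trusted in sorted(TRUSTED_DOMAINS):
        if fold_homoglyphs(domain) == fold_homoglyphs(trusted):
            return "homoglyph-lookalike", trusted
        if trusted in domain:  # e.g. trusted-domain.com.attacker-domain.test
            return "embedded-lookalike", trusted
        if edit_distance(domain, trusted) <= 2:
            return "typosquat-lookalike", trusted

    # Right name, wrong mailbox: the classic "CEO writing from a personal account".
    if name_key in EXECUTIVES and addr.lower() != EXECUTIVES[name_key]:
        return "display-name-impersonation", None

    return "external", None


def triage(headers):
    """Classify a batch of From: headers; returns (header, verdict, match) tuples."""
    return [(h, *classify_sender(h)) for h in headers]


if __name__ == "__main__":
    for header, verdict, match in triage(SAMPLE_FROM_HEADERS):
        note = f"  (looks like {match})" if match else ""
        print(f"{verdict:28} {header}{note}")
```

The edit-distance threshold is deliberately small; on a real mail stream it still produces false positives for short, unrelated domains, so the verdicts are meant to route a message to a warning banner or a finance-team review queue rather than to block it outright. The check complements DMARC, DKIM and SPF, which remain the right answer for exact-domain spoofing, and it does nothing for the other bypass the paragraph names, a compromised legitimate account, which is why the policy and verification steps below still matter.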
While all this paints a bleak picture, the best defense against Business Email Compromise (BEC) attacks is rooted in having clear and enforced policies, and awareness campaigns that encourage employees not to blindly trust email. This is especially true when dealing with financial transactions and sensitive information.
In other words, pick up the phone; or take the opportunity to stretch your legs and walk to the sender’s desk before wiring money down a deep, dark rabbit hole.