Business Email Compromise (BEC)

Business email compromise (BEC) is an exploit in which an attacker obtains access to a business email account and imitates the owner’s identity, in order to defraud the company and its employees, customers or partners. Often, an attacker will create an account with an email address almost identical to one on the corporate network, relying on the assumed trust between the victim and their email account. BEC is sometimes described as a “man-in-the-email attack.”

Carried out by transnational criminal organizations that employ lawyers, linguists, hackers, and social engineers, business email compromise can take a variety of forms. In most cases, scammers will focus their efforts on the employees with access to company finances, and attempt to trick them into performing wire transfers to bank accounts thought to be trusted, when in reality the money ends up in accounts owned by the criminals.

In a BEC exploit, the attacker typically uses the identity of someone on a corporate network to trick the target or targets into sending money to the attacker’s account. The most common victims of BEC are usually companies that utilize wire transfers to pay international clients.

Although the perpetrators of BEC use a combination of tactics to trick their victims, a common plan involves the attacker gaining access to a business network utilizing a spear-phishing attack in conjunction with some form of malware. If the attacker stays undetected, they can spend time studying all facets of the organization, from vendors, to billing systems, to the correspondence habits of executives and other employees.

At an appropriate time — usually when the employee being impersonated is out of the office — the attacker will send a bogus email to an employee in the finance department. A request is made for an immediate wire transfer, usually to any trusted vendor. The targeted employee thinks the money is being sent the expected account, but the account numbers have been altered slightly, and the transfer is actually deposited in the account controlled by the criminal group.

If the money fraud fails to be spotted in a timely manner, the funds can often be close to impossible to recover, due to any number of laundering techniques that transfer the funds into other accounts.

• Spoofing email accounts and websites: Slight variations on legitimate addresses (john.kelly@abccompany.com vs. john.kelley@abccompany.com) fool victims into thinking fake accounts are authentic.
• Spear-phishing: Bogus emails believed to be from a trusted sender prompt victims to reveal confidential information to the BEC perpetrators.
• Malware: Used to infiltrate networks in order to gain access to internal data and systems, especially to view legitimate email regarding the finances of the company. That information is then used to avoid raising the suspicions of an any financial officer when a falsified wire transfer is submitted. Malware also lets criminals gain access to their victim’s sensitive data.

Often, messages sent by perpetrators will follow a number of archetypes. As defined by the FBI, there are 5 major types of BEC scams:

• False Invoice Scheme: Companies with foreign suppliers are often targeted with this tactic, wherein attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.
• CEO Fraud: Attackers pose as the company CEO or any executive and send an email to employees in finance, requesting them to transfer money to the account they control.
• Account Compromise: An executive or employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts.
• Attorney Impersonation: An attacker will impersonate a lawyer or other representative from the law firm responsible for sensitive matters. These types of attack often occur through email or phone, during the end of the business day where the victims are low level employees without the knowledge or authority to question the validity of the communication.
• Data Theft: HR and bookkeeping employees will be targeted in order to obtain personal or otherwise sensitive information about the employees or executives. This data can be very helpful for future attacks.

There are many ways to defend against business email compromise. Common techniques that are employed include:

• Intrusion Detection System Rules: these flag emails with extensions that are similar to company email. For example, legitimate email of xyx_business.com would flag fraudulent email of xyz-business.com.
• Email Rules: these flag email communications where the “reply” e-mail address is different from the “from” email address shown.
• Color Coding: virtual correspondence so e-mails from employee/internal accounts are one color and e-mails from non-employee/external accounts are another.
• Payment Verification: ensures security by requiring additional two-factor authentication.
• Confirmation Requests: for fund transfers with something like phone verification as a part of a two-factor authentication scheme. Also, confirmations may require that company directory numbers are used, as opposed to numbers provided in an email.
• Careful Scrutiny: of all e-mail requests for transfer of funds to determine if the requests are out of the ordinary.