Business Email Compromise
What is BEC
Business email compromise (BEC), also known as email account compromise (EAC), is a form of cybercrime in which scammers use email to trick their victims into sending money or disclosing confidential company information. It is one of the most financially damaging forms of cybercrime, and it exploits the fact that so many people and businesses rely on email to do business.
The emails used in a BEC scam are crafted to appear to come from a known source with a legitimate request, as in these examples from the FBI website:
- A vendor your business regularly deals with emails an invoice with an updated mailing address.
- A company CEO asks her assistant to buy gift cards to give employees as rewards. The CEO asks for the serial numbers so she can email them out to everyone.
- A homebuyer is sent an email from his title company with instructions on how to wire the down payment.
These and many similar scenarios have happened, and still happen, to real victims all over the world. In most cases, thousands or even hundreds of thousands of dollars were transferred to the scammers instead.
BEC scams come in many forms, but they all work in similar ways. These are standard practices within BEC scams:
- Email or website impersonation.
The scammers use slight variations on legitimate addresses. For example, [email protected] is turned into [email protected]. This small variation fools victims into thinking fake accounts are authentic.
- Spearphishing emails.
These emails are crafted to look like they come from a trusted sender in order to trick victims into sharing confidential information. The scammers seek information that gives them access to company accounts, calendars, and data, from which they gather the details they need to carry out the BEC scheme.
Many BEC scam emails carry malicious software that infiltrates company networks and gives the scammers access to legitimate emails about billing and invoices. They use that information to send invoices and payment reminders at the right time, so accountants or financial officers don’t question the payment requests. Malware also gives criminals undetected access to a victim’s data, such as passwords and financial account information.
The Losses of Business Email Compromise (BEC)
Business Email Compromise (BEC) is a form of phishing attack. Phishing attacks are still one of the most prevalent forms of cybercrime targeting businesses and organizations today, but BEC has been especially lucrative for cybercriminals. According to the FBI’s Internet Crime Complaint Center (IC3), BEC attacks resulted in over $43 billion in losses between June 2016 and December 2021.
As technology evolves and businesses adjust to working from home and remote collaboration, these losses are only expected to grow, with BEC attacks increasing in frequency and sophistication.
Recognizing Business Email Compromise
As described above, there are multiple ways scammers convince victims that their email is genuine, including email spoofing, email impersonation, and email account takeover. If you and your employees can identify these tactics, you can protect your business against business email compromise.
Email impersonation is a simple tactic in which the scammer uses an email account that looks very similar to a real business email account. The email address or display name looks nearly identical to the actual sender’s account, but you can recognize these altered accounts: they rely on spelling tricks or special characters to make the address look similar.
For example, [email protected] vs. [email protected], or a change in the company name, as in the example from Varonis below.
Email Impersonation is a commonly used and simple strategy where the attacker will set up an email account that looks very similar to an actual business email account. The attacker’s email address or display name will look almost the same as the actual sender or account but may utilize spelling tricks or special characters from different languages to make the email look convincing.
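The spelling tricks and foreign-script characters described above can be caught at the mail gateway or in a mailbox rule. The following Python function is an added example, not code from this page or from Varonis: it maps common digit, Cyrillic and two-letter confusables onto the Latin letters they imitate, then compares the sender's domain with a constructed list of trusted domains (the `TRUSTED_DOMAINS` set and the confusable table are assumptions for the example).

```python
import unicodedata
from email.utils import parseaddr

# Constructed sample: domains the organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"example.com", "vendor-example.net"}

# Characters and pairs commonly swapped into lookalike domains: digits that resemble
# letters, Cyrillic homoglyphs, and two-letter combinations that read as one letter.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0455": "s"}
PAIR_CONFUSABLES = {"rn": "m", "vv": "w"}

def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison form: NFKC-fold, lowercase, map confusables."""
    d = unicodedata.normalize("NFKC", domain).lower()
    d = "".join(CONFUSABLES.get(ch, ch) for ch in d)
    for pair, single in PAIR_CONFUSABLES.items():
        d = d.replace(pair, single)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches typosquats such as a dropped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(header_from: str) -> str:
    """Classify a From: header value as 'trusted', 'lookalike' or 'unrelated'."""
    _, addr = parseaddr(header_from)
    if "@" not in addr:
        return "unrelated"            # no parsable address: let other controls decide
    domain = addr.rpartition("@")[2].rstrip(".").lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        # Equal after confusable mapping, or one edit away, is a lookalike worth flagging.
        if sk == skeleton(trusted) or edit_distance(sk, skeleton(trusted)) <= 1:
            return "lookalike"
    return "unrelated"
```

A "lookalike" verdict is a reason to hold the message for review, not proof of fraud, since legitimate new partners can also have similar names.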
Email spoofing is when scammers forge the sender domain of their fake emails to match the domain of the targeted organization. By getting past email authentication standards such as SPF, DKIM, and DMARC, typically because they are missing or misconfigured, attackers can spoof their emails so they look like they come from the legitimate domain instead of the scammer’s mail server, as in the example from Varonis below.
A misconfiguration of SPF and DMARC can allow attackers to spoof sender domains.
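Whether a domain's SPF and DMARC records actually block spoofing can be checked from the published TXT records. The following Python checker is an added example, not code from this page or from Varonis: it takes the record strings as input (no DNS lookup, so it runs offline on the constructed `WEAK` and `HARDENED` pairs) and reports the settings that leave a domain spoofable, such as a permissive `?all`/`+all` SPF terminator or a DMARC policy of `p=none`.

```python
import re

def parse_tags(record):
    """Split a 'k=v; k=v' record such as DMARC into a dict with lowercase keys."""
    pairs = (part.split("=", 1) for part in record.split(";") if "=" in part)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def spf_findings(spf):
    """Weaknesses in an SPF TXT record that let arbitrary servers send as the domain."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return ["no SPF record: any server can claim to send for this domain"]
    all_terms = [t for t in spf.split()[1:] if re.fullmatch(r"[+\-~?]?all", t, re.I)]
    if not all_terms:
        return ["SPF has no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"  # bare 'all' is '+all'
    if qualifier == "+":
        return ["SPF ends with '+all': every sender passes"]
    if qualifier == "?":
        return ["SPF ends with '?all': unlisted senders are neutral, not rejected"]
    return []

def dmarc_findings(dmarc):
    """Weaknesses in a DMARC TXT record that stop SPF/DKIM failures from being enforced."""
    tags = parse_tags(dmarc or "")
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record: authentication failures are never enforced"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append("DMARC p= tag missing or invalid")
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports to reveal spoofing")
    return findings

def assess(spf, dmarc):
    """All findings for one domain's published records (no DNS lookup; records passed in)."""
    return spf_findings(spf) + dmarc_findings(dmarc)

# Constructed examples: a weak pair beside a hardened pair for the same domain.
WEAK = ("v=spf1 include:_spf.example.net ?all", "v=DMARC1; p=none; pct=50")
HARDENED = ("v=spf1 include:_spf.example.net -all",
            "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com")
```

DKIM is not checked here because its signing keys live under per-selector names that cannot be enumerated from a single record; a DMARC policy of `reject` only helps once DKIM or SPF is aligned for every legitimate sending service.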
Email Account Takeover
Email account takeover is a more advanced form of business email compromise in which the criminal obtains access to someone’s corporate email account. The criminal can obtain credentials via phishing or by using usernames and passwords exposed in previous breaches.
With access to a compromised business email account, the criminal can analyze the account’s contacts, emails, and other information. In most cases the criminal will also create forwarding rules to an external email address they control, so that information keeps flowing to them outside the victim’s mailbox.
The criminal will search for emails containing sensitive information or financial transactions. Once something of interest is discovered, they embed themselves in an ongoing email thread, or use email impersonation and spoofing to manipulate the trusting account holder into carrying out a specific action, such as transferring money.
A common wire fraud tactic used with BEC scams is to steal a copy of a real invoice and only change the banking and routing information.
Additionally, a compromised email account may show some of the following indicators in Microsoft Exchange:
- Unintended profile changes such as changes to the name and contact information
- Inbox rules that the email account holder did not create, like automatically forwarding emails to folders like Notes or RSS
- Other people receive emails from the compromised account without those emails being present in the Sent folder
- The mailbox has been blocked from sending email
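The forwarding rules described above and the inbox-rule indicator in this list can be checked mechanically from the audit trail. The following Python script is an added example, not code from this page or from Microsoft: it scans a constructed JSON-lines sample in the general shape of exported Exchange admin audit records (an `Operation` plus a `Parameters` list; field names in a real export may differ) and flags rules that forward to external addresses, hide matching mail in rarely read folders such as Notes or RSS, delete messages, or carry a near-empty name. The `INTERNAL_DOMAINS` set is an assumption for the example.

```python
import json

INTERNAL_DOMAINS = {"example.com"}   # constructed: the organisation's own mail domains
RARELY_READ_FOLDERS = {"rss feeds", "rss subscriptions", "notes", "junk email", "deleted items"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"}

# Constructed sample in the general shape of exported Exchange admin audit entries
# (one JSON object per line with Operation and a Parameters list); real exports differ.
SAMPLE_LOG = """
{"CreationTime":"2024-03-01T08:02:11","UserId":"alice@example.com","ClientIP":"203.0.113.9","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;payment;wire"},{"Name":"MoveToFolder","Value":"RSS Feeds"},{"Name":"MarkAsRead","Value":"True"}]}
{"CreationTime":"2024-03-01T08:03:40","UserId":"alice@example.com","ClientIP":"203.0.113.9","Operation":"Set-Mailbox","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:collector@mail-example.net"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
{"CreationTime":"2024-03-01T09:15:02","UserId":"bob@example.com","ClientIP":"198.51.100.4","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Team updates"},{"Name":"From","Value":"updates@example.com"},{"Name":"MoveToFolder","Value":"Team"}]}
{"CreationTime":"2024-03-01T09:20:30","UserId":"carol@example.com","ClientIP":"198.51.100.7","Operation":"New-InboxRule","Parameters":[{"Name":"Name","Value":"Backup copy"},{"Name":"ForwardTo","Value":"carol.backup@example.com"}]}
"""

def _params(record):
    """Flatten the Parameters list into a {name: value} dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

def _is_external(address):
    addr = address.strip().lower().removeprefix("smtp:")
    return "@" in addr and addr.rpartition("@")[2] not in INTERNAL_DOMAINS

def rule_findings(record):
    """Reasons one rule or mailbox change looks like account-takeover tradecraft."""
    params = _params(record)
    reasons = []
    for name in sorted(params.keys() & FORWARD_PARAMS):
        for addr in params[name].split(";"):
            if _is_external(addr):
                reasons.append(f"{name} sends mail to external address {addr.strip()}")
    if params.get("MoveToFolder", "").lstrip("\\").lower() in RARELY_READ_FOLDERS:
        reasons.append(f"hides matching mail in folder '{params['MoveToFolder']}'")
    if params.get("DeleteMessage") == "True":
        reasons.append("deletes matching messages")
    if record.get("Operation", "").endswith("InboxRule") and len(params.get("Name", "")) <= 2:
        reasons.append("rule has a near-empty name")
    return reasons

def scan_audit_log(text):
    """Return (user, operation, client IP, reasons) for each suspicious JSON-lines entry."""
    hits = []
    for line in text.strip().splitlines():
        record = json.loads(line)
        reasons = rule_findings(record)
        if reasons:
            hits.append((record["UserId"], record["Operation"], record.get("ClientIP"), reasons))
    return hits
```

Because these rules are usually created minutes after the first login from the attacker's address, the client IP carried with each hit is the natural pivot for the rest of the investigation.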
Business Email Compromise Investigation
Businesses that have fallen victim to a BEC scam should report it and submit a complaint form to the FBI’s IC3, and contact their financial institution immediately.
IC3 REPORTING EXPECTATION MANAGEMENT: In the USA, fewer than one in ten thousand cybercrimes are prosecuted, and other Western countries are not doing much better, so don’t get your hopes up for justice. If you have suffered significant losses and can justify the cost of engaging a cyber investigator to add value to, or even solve, your case for the Department of Justice, the chances of justice and recovery increase greatly. This is why Rexxfield has retired DOJ Special Agents on its team to find the best venues for our clients’ cases.