Business Email Compromise 101: Definition, Techniques, Types, And Precautions Against It

by | October 26, 2021 | Cybersecurity, How to

Business email compromise (BEC) is a form of phishing in which the attacker impersonates someone on a corporate network to trick the target into sending money to the attacker’s account. BEC scammers usually pick on companies that use wire transfers to pay international clients.

In this article, we’re covering the BEC basics and giving you some tips on how to protect your company from this nasty fraud.

Business Email Compromise is a particular form of phishing.

What is Business Email Compromise?

BEC is an attack in which a scammer illicitly obtains access to a business email account and mimics the rightful owner’s identity in order to trick the company and its employees, customers or partners, into transferring money to the scammer’s account. Usually, the attacker spoofs an email address on a corporate network and relies on the trust between the recipient and the sender. Thus, BEC is sometimes referred to as a “man-in-the-middle” attack.

In most cases, scammers focus on employees with access to company finances and try to trick them into transferring money to an attacker-controlled bank account.

Business Email Compromise Techniques

  • Spoofing email accounts and websites – attackers modify legitimate addresses ever so slightly to make victims believe the bogus accounts are legitimate.
  • Spear-phishing – targeted, heavily-researched phishing attacks
  • Malware – programs or files designed to cause harm intentionally or to exploit devices, networks, or services. Attackers use it for crimes such as stealing sensitive data, monitoring users’ activity, compromising or deleting information from the device. 

Types Of Business Email Compromise

Usually, malicious massages used in BEC fit into a pattern. FBI defines the following five major types of BEC frauds:

  • Fake Invoice Scam – Scammers often use this strategy when targeting companies with foreign suppliers. They impersonate the suppliers and request fund transfers for payments.
  • Attorney Impersonation – Attackers pose as a lawyer or other representative from the law firm responsible for sensitive matters. This type of scam is carried out through email or phone, especially towards the end of the business day. The preferred targets are low-level employees with no knowledge or authority to doubt the legitimacy of the message.
  • CEO fraud – Cybercriminals impersonate the company CEO or other executives and require employees, usually in the HR or accounting departments, to send out a wire transfer, updating account data, or providing account information.
  • Account Compromise – Attackers hack into an executive or employee’s account and use it to solicit invoice payments to vendors in their email conatct list. The funds are transferred to illicit bank accounts.
  • Data Theft – Refers to whenever hackers steals the victim’s personal information, such as Social Security Number, and uses it to create accounts, apply for credit, get medical services, make a purchase or commit any other fraud that comes to mind in their name. HR and bookkeeping workers are targeted to obtain valuable data that can be used in future attacks.

Security Measures To Fight Business Email Compromise

To prevent attacks, you should consider implementing the following security practices in your company:

  • Email Rules – these flag emails where the ‘reply’ email address differs from the visible ‘from’ address.
  • Color Coding – use different colors for internal and internal accounts.
  • Intrusion Detection Systems – these flag emails with extensions that rsesmble company email. For instance, real email address emily_bates@business.com would flag fraudulent email emily-bates@business.com.
  • Payment Verification – at least two-factor authentication (MFA) is highly advisable.
  • Confirmation Requests – for transfers with phone verification as a part of a MFA scheme. Also, confirmations can solicit company directory numbers rather than numbers provided in an email.
  • Vigilance – your employees should be cautious of all email requests for fund transfers to make sure they are legitimate before they take any action.
  • Security Awareness Training – educating your employees on BEC through ongoing life-like phishing simulations will help you fight attacks. This is the most important and affordable measure you can take prevent all kinds of scams, especially phishing-based ones.

Why ATTACK Simulator?

We know there are plenty of choices out there. But look no further, as ATTACK Simulator offers an affordable and customizable security awareness training solution for every company, no matter the size.

Let us elaborate on that and explain why ATTACK Simulator is the way to go:

  • We offer security awareness training for companies of all sizes – the importance we place on improving the employee’s vigilange regarding cybersecurity is the same.
  • Our training method features an automated function, which requires little to no manual intervention. Time is, after all, money, and we wouldn’t want you to waste any of it.
  • We offer quick in-house support straight from our developers themselves. We like our customers happy and satisfied.
  • We provide affordable security awareness training.
  • Our software interface is user-friendly, so you’ll be able to learn it in no time.

Don’t waste another minute counting on luck, and invest now in a solid cybersecurity awareness program. Get your quote today here.

Attribution:

Web illustrations by Storyset

Internet illustrations by Storyset

Image by Tumisu from Pixabay

by Diana Panduru

Content writer for Attack Simulator. Passionate about all things writing and cybersecurity, and obsessed with driving. I sometimes indulge in pencil drawing, poetry, and cooking for fun.

There’s no reason to postpone training your employees

Get a quote based on your organization’s needs and start building a strong cyber security infrastructure today.