What is business email compromise and how is it evolving?

January 21, 2020

Business email compromise (BEC) scams have been growing in prevalence and creativity over the past couple of years. Today, it is recognized as a major financial cyberthreat, impacting businesses across the globe.

In January 2015, the Internet Crime Complaint Center (IC3) and the FBI released a public service announcement warning of a sophisticated scam targeting businesses that work with foreign suppliers. According to authorities, there had been an increase in computer intrusions linked to BEC scams. By 2018, the FBI had received more than 351,000 reports of such scams, with losses exceeding $2.7 billion. In 2019, it was reported that cybercriminals were stealing a total of $301 million per month through BEC scams — a substantial spike from the $110 million monthly average in 2016.

So what is BEC anyway and why should you care?

What is business email compromise?

BEC, also known as “CEO fraud” and “whaling,” is a sophisticated scam that targets unwitting employees who are authorized to make wire transfer payments. Formerly known as the man-in-the-email scam, a BEC attack involves cybercriminals compromising official business email accounts to conduct unauthorized fund transfers.

How does it work?

BEC scams begin with an attacker infiltrating a business executive’s email account or any publicly listed email address, typically by means of a keylogger or a phishing scam. By monitoring the compromised account, the scammer works out who can make payments and who requests them.

Attackers often perform a fair amount of research, looking for companies that have had a recent change in leadership in the C-suite or finance function or businesses with executives who are traveling. They use these as a window to execute the scheme.

Moving targets, changing methods

As awareness of BEC scams grows, the techniques and tactics used by fraudsters have changed accordingly. The formerly most common method, in which attackers impersonate the president or CEO of a company, declined from 33% of cases in 2017 to 12% in 2018.

Nowadays, BEC scammers have started impersonating individuals outside the organization. According to one report, the scam now typically involves scammers masquerading as realtors to trick targets into making fraudulent “real estate transactions.”

Manufacturing and construction are also highly targeted industries, while retail and restaurant businesses have been steadily seeing more BEC scams since 2018.

How can you defend your business from BEC scams?

BEC remains popular because it doesn’t require complex tools — all it takes is a convincing ruse to trick a potential target. To prevent your business from falling for BEC attacks, you must practice prudence and raise security awareness within your organization.

Here are some best practices to apply:

  • Always verify fund transfers and payment requests. All transactions, especially those that involve large amounts should always be verified by contacting the supplier via a phone call. If possible, a secondary sign-off by someone higher up in your company should also be in place.
  • Be on the lookout for red flags when it comes to business transactions. A change in bank account information with no prior notice is a red flag and a possible BEC attempt. BEC scammers try to masquerade as a member or individual connected with the organization. Your employees must be trained to scrutinize every email they receive for any suspicious signs. Some signs to look out for include unusual domains, unsolicited links, or changes in email signatures.
  • Commit to training employees. While your employees are your biggest asset, they’re also usually your weakest link when it comes to security. Training them regularly so they develop and apply good security habits can go a long way in protecting your company.
  • Stay updated on your customers’ habits, including the details of and reasons behind their payments. Where phone verification is used as part of multifactor authentication (MFA), use it to confirm fund transfer requests.
  • Report suspicious activity immediately. If you suspect that you have been targeted, report the incident to law enforcement or file a complaint with the IC3.
  • Invest in email security. Since BEC scams continue to multiply and evolve, you should set up a multilayered email defense system to mitigate the risks that email threats pose.
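The red flags listed above (an executive’s name on an unexpected address, an unusual lookalike domain, a reply address that points elsewhere, and a bank account change that does not match the details verified by phone) can be checked mechanically before a payment request reaches a human reviewer. The following is an added example, not code from the original article; the company domain, executive list, verified supplier accounts and the three sample emails are all constructed.

```python
"""Score an inbound email for BEC red flags (added example; all data constructed)."""
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # constructed
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}   # constructed: display name -> address on record
VERIFIED_BANK_ACCOUNTS = {"acme-supplier.test": "GB29NWBK60161331926819"}  # constructed, confirmed by phone
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_red_flags(raw_email):
    """Return the list of red flags found; an empty list means nothing suspicious was seen."""
    msg = message_from_string(raw_email)
    name, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    flags = []
    # CEO-fraud pattern: an executive's display name, but not the address on record.
    if name in EXECUTIVES and sender.lower() != EXECUTIVES[name].lower():
        flags.append("executive display name with unexpected address")
    # Unusual domain: close to the company domain but not equal to it (e.g. a digit swapped for a letter).
    if sender_domain != COMPANY_DOMAIN and SequenceMatcher(None, sender_domain, COMPANY_DOMAIN).ratio() >= 0.8:
        flags.append("lookalike sender domain")
    # Replies silently routed to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        flags.append("reply-to domain differs from sender domain")
    # Bank account in the body differs from the account verified out of band for this supplier.
    verified = VERIFIED_BANK_ACCOUNTS.get(sender_domain)
    for iban in IBAN_RE.findall(msg.get_payload()):
        if verified and iban != verified:
            flags.append("bank account differs from verified record")
    return flags

# Constructed samples: an impersonated executive, a supplier "bank change", and a genuine invoice.
CEO_LOOKALIKE = """From: Jane Doe <jane.doe@examp1e.com>
Subject: Urgent wire today

Please process the wire before 3pm. I am traveling and cannot take calls.
"""
BANK_CHANGE = """From: Accounts <ar@acme-supplier.test>
Reply-To: Accounts <ar.acme@mail.test>
Subject: Updated banking details

Please pay all future invoices to our new account GB82WEST12345698765432.
"""
LEGIT_INVOICE = """From: Accounts <ar@acme-supplier.test>
Subject: Invoice 1042

Invoice 1042 is payable to our usual account GB29NWBK60161331926819.
"""
```

Any non-empty result is a cue to hold the payment and call the supplier or executive on a number already on file, which is the verification step the first bullet describes.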