Most skilled cyber attackers don’t need exploits to access an enterprise network. In many examples of Business Email Compromise (BEC) attacks, all it takes is a simple phishing scam to trick the user into handing over their login credentials.
In these attacks, a hacker will send an employee a phishing email posing as a trusted individual to trick the victim into handing over sensitive information about the company, sending money, or sharing intellectual property.
Research shows that BEC attacks increased by more than 81% over the past year and 175% over the last two years. They began targeting smaller companies, with a 145% increase in malicious emails targeting SMBs.
This article will examine how this scam works, the five examples of BEC attacks, and how to protect your organization against it.
How Most BEC Attacks Work
Source: Infosec Institute
Generally, a BEC attack begins when a cyber criminal gathers intelligence on a target company. During this phase, the criminal will collect publicly available information about company personnel (such as names and titles) from press releases, social media accounts, and website content.
Using this information, the cyber criminal will then attempt to gain access to the company email system with a phishing email or spoof the email account of a key employee.
After gaining email access, the attacker will send targeted, high-pressure emails to employees to trick them into handing over protected information.
This tactic often works because the employee sees the email is from a trusted individual like a colleague or lawyer and doesn’t think twice about handing over information or funds.
Part of the challenge with mitigating these threats is that most employees don’t know how to spot phishing scams. According to the 2022 Gone Phishing Tournament Report, 44% of employees click email phishing links.
5 Examples of Business Email Compromise
Example of a bogus invoice. Source: PhishLabs
Most attackers use some variation of 5 examples of business email compromise. These include:
1. Bogus Invoice Schemes
In these scams, a cyber criminal will take over or spoof an employee’s email account authorized to process invoice payments and fund transfers. The attacker will then use this account to ask another employee to transfer the funds or pay an invoice to the fraudster’s account.
2. CEO fraud
A cyber criminal steals or spoofs an executive’s email account and uses this to trick other users into giving up sensitive information or money. The hacker will email the victim requesting a money transfer.
3. Account Compromise
One of the most common BEC attacks is where the hacker obtains access before mining the employee’s contact list for company vendors, partners, and suppliers. The attacker will then message these contacts requesting payments be sent to a fake account controlled by the cyber criminal.
4. Attorney Impersonation
Sometimes cyber criminals will even go as far as impersonating an organization’s attorney to contact company employees or the CEO and request funds.
Skilled attackers usually do this on Friday afternoons or before the holidays when workers rush to get things done and don’t think to question the details.
5. Data Theft
Intruders often take over the company email of one or more Human Resources staff so they can send requests for confidential information about employees, partners, and investors. The cyber criminal later uses this data as part of a wider BEC or cyber attack against the company.
How to Recognize Business Email Compromise Attacks
A BEC attack can come in many forms, but they can easily be identified because most of them follow the following format:
- Spoofed sender domain
- Contains typos and grammatical errors
- Urgency in the e-mail subject and body
- Requests for a fund transfer
- The sender is an influential person in the company
How to Prevent BEC Attacks
Security leaders can take some simple steps to prevent BEC from taking place. These include:
1. Raising awareness of examples of BEC attacks
Educate your employees about the five types of BEC attacks. Use phishing simulations to teach employees how to identify BEC and phishing attempts.
2. Issue regular security awareness training
Provide employees with regular security awareness training and phishing simulations to keep BEC and social engineering risks in mind. You can support this further by creating internal cyber security heroes committed to keeping your organization cyber secure.
3. Monitor employee awareness
Encourage security leaders and cyber security heroes to monitor employees’ BEC and phishing awareness with regular phishing simulations. Use microlearning modules to educate, train, and change employees’ behavior towards cyber security best practices.
4. Send ongoing communications about threats
Provide employees with constant communication and campaigns about cyber security, BEC, and social engineering. This includes establishing strong password policies and reminding employees about the risks of emails, URLs, and attachments.
5. Set network access rules
Establish network access rules to limit personal device use and prevent information sharing outside the network’s perimeter.
6. Update all infrastructure
Ensure all applications, operating systems, network tools, and internal software are up-to-date and secure. Install malware and anti-spam software.
BEC Prevention Starts With Your Employees
Like all cyber threats that rely on manipulation, it only takes a single employee to make a misguided decision to click on a malicious link or hand over personal information before dealing with a data breach that impacts your entire organization.
By giving employees a heads-up on some common examples of business email compromise attacks, you provide them with the tools to spot manipulative phishing emails. You also reduce the chance of an attacker being able to trick your users into giving up sensitive information.
Protect Your Company from BEC Attacks
Protect yourself from BEC attacks by training your employees to identify and prevent them. Conduct a regular phishing simulation to determine your company’s cyber security resilience.