Table of contents

    How to Protect against Business Email Compromise (BEC) Attacks

    Business Email Compromise (BEC) attacks can be devastating for any company, and they’re becoming increasingly common with every passing year. Cybercriminals are quick learners, and they’re always developing new ways to make their attacks more difficult to detect and stop.

    The term BEC refers to any cybercrime that uses fraudulent emails to target an organization. While the malicious practice has existed for years, it’s recently become an even bigger threat for companies in the United States and around the world. The FBI received 19,369 complaints in 2020 alone, with the total losses adding up to more than $1.8 billion.

    Bad actors are always updating their tactics, and security leaders can expect the threat to grow in the months and years ahead. Without the proper protection, organizations will remain at risk. Some attackers extract money from their victims, hampering business operations or holding networks hostage for a ransom that can escalate in the millions of dollars, while others pursue sensitive data. Whatever the criminals’ motives, organizations have a lot at stake.


    How BEC Attacks Work

    The FBI recognizes five different categories of BEC crimes. While each category involves different tactics and distinct objectives, they all share a reliance on social engineering.

    In CEO fraud, criminals pretend to be the chief executive of a company in order to extract funds or information. The psychology behind these methods is simple. Employees are inclined to trust the biggest boss at the company, and they sometimes obey the request for money or data before stopping to question the legitimacy of the message. Individuals in the finance department are especially likely to encounter these types of schemes, and they should be prepared to identify suspicious correspondence.

    In account compromise attacks, the bad actors manage to take over an employee’s email account. From there, the attackers can use the compromised account to request money from outside vendors. This money is then sent to an outside bank account of the attackers' choosing.

    With false invoice schemes, a criminal impersonates a supplier and asks for money from an organization. These attacks are often very sophisticated, with bad actors going to great lengths to duplicate the style and substance of a typical invoice. The criminals usually do their research, and fraudulent requests are likely to match standard payments from the past.

    In attorney impersonation scams, criminals pretend to be a lawyer who is working with an organization. The supposed lawyer may ask for money or data, and lower-level employees are often the targets. Convinced by the apparent authority of the sender, recipients sometimes fulfil the request before double-checking the message’s authenticity.

    With data theft, an attacker infiltrates an organization’s system to steal key information. In many cases, the criminals extract personal data relating to a company’s top executives. They can then use this information to commit CEO fraud within the company.

    Each of these categories requires breaking through the barriers to a company’s internal systems or tricking an unwitting employee. Regardless of the type of BEC attack, there are four core stages, part of a large chain of events, that can lead to a successful attempt.

    Stage 1: Picking the Right Target

    The first phase of the attack is choosing the right target. During this process, an essential aspect is how feasible it is to obtain the money by impersonating someone and convincing employees of the business to wire money into an account. That is why BEC attacks usually target CEOs, lawyers, and accounts payable personnel.

    Selecting the right target requires attackers performing reconnaissance over days or weeks. Today’s fraudulent messages are often extremely realistic, with legitimate information included. Personalization, detailed specifications, and time sensitivity are needed to make the malicious email seem more genuine.

    Cybercriminals take the time to study, analyze, and understand the business they are attempting to attack. One way to achieve this is through the internet footprint of a person, including personal information on social media, internet presence in general, geolocation information, and any sensitive data which may provide too much personal information about activities performed by the employee. The larger this footprint is, the easier it becomes for the malicious actors to use this information and, in turn, attempt a successful BEC attack.

    Stage 2: Setting Up the Attack

    In contrast to the more common phishing campaigns, which are created in mass to reach as many targets as possible without a particular business or person in mind, everything used for a BEC campaign is tailored as closely as possible to real versions. When setting up these attacks, bad actors spoof email addresses, create lookalike domains, impersonate trusted vendors so that their emails come across as believable and legitimate.

    Another important part of setting up the attack may involve compromising email accounts, either from the target business, or a vendor or third party which works directly with the business being targeted. While this email address may belong to someone that is not directly involved with the target, it is a steppingstone into what becomes a very believable, trusted source. If not identified and stopped in time, the compromised email can be effectively used to perform the BEC attack.

    When a third-party account is identified as being compromised, it is a crucial step to report this to the affected party, so they can put their own plan in motion to identify, assess, and mitigate the affected account and the source of the attack. Failure to do so may allow for the malicious actors to continue their attacks on the business or other parties.      

    Stage 3: Executing the Attack

    The execution of the attack can involve a single email enticing the receiving party to click or engage with the sender. Sometimes, no direct interaction is needed. For instance, the receiving party opens a document that contains an infected file, which in turn is used to open a remote access tunnel, also known as a RAT, or download files from the internet from servers controlled by the malicious actors.

    In other cases, executing the attack requires both parties to interact and potentially create a long thread to achieve the final result. The method can vary depending on the target but in most instances this will involve proceeding with a fraudulent transaction.

    Other attacks may entail impersonation of friends, family, coworkers, or management, including C-level members. This type of attack may involve exploiting business processes that are known to the malicious actors. The exploitation of these processes can be achieved by direct requests or documents which are as similar as possible to the originals, among others.

    Some other methods can also involve commonly available software, including free and/or open source, used legitimately but with malicious intent. When malware or ransomware is involved, there may be additional steps to undertake, such as recovering systems from their encrypted state and having to pay for the ransom to recover the information.


    Stage 4: Collecting the Payment

    Once the malicious actors have received the payment, it is, in most scenarios, quickly dispersed into different accounts, through smaller transactions, to prevent reverse retrievals or the money being frozen in the receiving account.

    When a business has identified that a malicious actor has managed to get the money into their accounts, it is imperative that the authorities are contacted, and the incident plan is quickly put into motion. Failure to do so may prevent the business from recovering the money.

    How the Most Significant BEC Attacks Unfolded

    As the COVID-19 pandemic progressed, BEC attacks became more frequent, far better tailored, and with a higher reward to malicious actors. A 2021 report found that 43% of businesses had suffered a serious cybersecurity incident just within the previous year. The same report found that 35% of these businesses accounted BEC attacks for over half of their security related incidents.

    The success of these attacks comes from social engineering tactics, tricking employees at all levels, including C-Suite members, into cooperating with malicious actors without realizing that they are being used as part of their attack vector. Since human interaction comes into play, and traditional email security solutions fail to identify these sophisticated threats, there is ample space for malicious actors to achieve their objectives without being caught until it is far too late. By looking at how some of the most significant BEC attacks unfolded and what made them successful, security leaders can identify and employ the right protection strategies for their organizations.

    How Most Significant BEC Attacks Unfolded

    $14.7 Million Attack on the State of North Rhine-Westphalia

    The healthcare industry faced unprecedented stress during the COVID-19 pandemic, with frauds becoming frequent and common from all sources. The State of North Rhine-Westphalia was no exception to this case. Malicious actors collected $14.7 million through an intricate BEC campaign.

    The method used by the cybercriminals consisted of cloning the website of a real company, a supplier of protective equipment, from Spain. They managed to compromise the supplier’s email and commence contact with the German health authority. Officials from the health authority went through with the process of buying what they had assumed, at this point, was equipment from a legitimate company, and wired the money to the requested accounts.

    This money was quickly moved from Europe to Nigeria, with the malicious actors managing to get away from immediate consequences. Through intervention of the Interpol and German authorities, the money was eventually refunded.

    40 Organizations Attacked by Cosmix Lynx in 2021

    Cosmix Lynx is a Russian criminal group. During 2021 alone, they launched 40 BEC attacks against organizations in 19 countries around the world. While this may be a lower number compared to their staggering 200 attacks from 2020, it is the amount they achieved to collect and their modus operandi which businesses should be aware of.

    Cosmix Lynx follows the standard method for BEC attacks. They manage to imitate partners and clients of major companies, with considerable success and payout from their targets. The group has a particular type of business in mind: companies that are looking to perform a buyout of another company. The cybercriminals can then impersonate the CEO of the company and email employees, asking them to consult with lawyers to complete the payment of the purchase.

    The group would also impersonate the lawyer and request the money from the employee who has been prompted to perform the wire. The average payout of Cosmix Lynx is $1.27 million, but higher payouts have also been achieved.

    BEC Attack on Non-profit Group One Treasure Island

    One Treasure Island is a non-profit group in the San Francisco Bay area, which provides assistance to homeless and low-income people in the city. In 2021, the group fell victim to a BEC attack through a third-party bookkeeper. The attackers broke into the email system of the bookkeeper and inserted themselves into existing email chains, posing as the non-profit executive director.

    Through this method, the cybercriminals managed to convince employees to wire $650,000 to their bank accounts. Only $37,000 was recovered after the FBI got involved.

    BEC Attack on Non-profit Food Bank Philabundance

    Philabundance is a hunger relief group in Philadelphia which fell victim to a BEC attack in early 2021. During the process of constructing a new building for the charity, one of the employees received an invoice from, what they assumed, a legitimate supplier. In reality, the criminals posed as a construction company working on the new building and asked for $923,533 to be wired to their account.

    The group only becoming aware after the construction company they had hired requested the same payment. While the FBI participated in the process, the money was not recovered and Philabundance had to enhance their security processes and procedures to prevent future incidents.

    $2.3 Million Attack on the Town of Peterborough

    Another significant BEC attack targeted the town of Peterborough in New Hampshire, costing the municipal government $2.3 million.

    The attackers spear-phished government workers, impersonating the local school district and a construction company, requesting money to be sent to their accounts.

    The government employees proceeded to send the funds without the finance department becoming aware of the wires. When the department became aware of the incident, it was too late to reverse the transaction as the funds had been converted to cryptocurrency.

    Although the United States Secret Service and ATOM Group, a cybersecurity company, got involved, they were still unable to get the money back.

    Observing the Constants in BEC Attacks

    These businesses were all victim to the same type of attack, and there are constants that can be observed and investigated for better prevention.

    1. Failure to identify an evolving threat

    The businesses did not manage to proactively identify and stop the malicious actors and fell victim to the attack. BEC attacks are becoming more common and sophisticated across industries, and organizations need to stay informed about current threats and have the right security solutions in place to stop malicious emails before they reach their employees' inboxes.

    2. Failure to prepare for an incident

    One of the most critical factors in how a business falls victim to BEC attacks is the failure to prepare for such incidents. Without proper email security systems, employee training, and a team to assist in identifying or responding to such threats, cybercriminals can act without being noticed in a reasonable amount of time.

    3. Long-term effects on businesses

    A BEC attack can have a potential lasting effect on the business, both in operation and how clients, providers and vendors perceive the interaction with the business.

    Best Practices for Protecting against Business Email Compromise (BEC) Attacks

    There are standard methods for avoiding these pitfalls and in turn achieving the best practices to protect a business from BEC attacks. Both human and tech-related elements should factor into an organization’s security approach. The people within the organization have to understand the types of cyber attacks they’re likely to face, and advanced email security systems are necessary to help identify and stop potential threats.

    t Practices for Protecting against Business Email Compromise (BEC) Attacks

    Continuous Security Awareness Training

    To prevent BEC attacks, it is key for all employees, regardless of position or tasks, to be trained in identifying, assessing, and acting upon finding any type of malicious actor attempting contact, impersonation, or spoofing. This also requires the employees to reach out to the security team involved in managing any cybersecurity incidents or attempts at commencing one.

    There are different methods of achieving training, such as in person or through platforms which provide guidance to employees on what to do according to what the business has established as their standard procedures and processes.

    In instances where new types of attacks are becoming more frequent in the industry, or around the world, employees should be immediately put up to date to prevent them from being part of the trend. This method applies both ways. When employees become aware of something that could be a new type of attack, the respective security team should be made aware to take the necessary preventing actions.

    The Importance of Not Ignoring the Red Flags

    Things employees should observe when receiving a suspicious email, or something that may come from a trusted source but may seem suspicious, can be simplified into the following items:

    • If an email is requesting the employee to take immediate action or has a noticeably short expiration date or time for completion;
    • If the person emailing does not have direct contact with the employee or does not manage them, especially if this person belongs to the C-Suite;
    • If the email is asking for information that is not normally shared;
    • If the accounts involved for a wire are not the usual accounts used or authorized by the business;
    • If the domain, content, format, or information provided in the email is not consistent with what is commonly seen in an email from the sender;
    • If something feels out of place, sometimes it may not be the most obvious; if in doubt, the user should contact the right person or the sender to confirm this is valid.

    Advanced Email Security Solutions

    While the human factor continues to be the core of BEC attacks, it is through the assistance of new platforms and technologies that the gap can begin to close, improving the general security posture of the business. Traditional methods of assessing BEC attacks are no longer providing an effective defense for organizations. With malicious actors rapidly changing tactics, it is not possible to keep up and implement the necessary adjustments to make such methods effective in a reasonable amount of time.

    Through the implementation of technologies that use machine intelligence, organizations can identify attempts to compromise or phish, including credential phishing and luring of high-level targets for hostile account takeovers. At the same time, they are able to gain greater threat visibility and enable employees to work without having to scroll over every single email trying to figure out of the information they are reading is legitimate or not. Solutions like xorlab Active Threat Defense (ATD) can automatically tailor their threat detection engine to the behavior of any organization to stop BEC, ransomware, phishing, and other emerging cyber threats at first sight. These solutions understand human communication behavior and relationships to uncover even the most sophisticated attacks.

    To find out more about how you can protect your organization against BEC attacks, download for free The Clear & Complete Guide to Smarter Email Security: