Business email compromise: The ABCs of BEC

BEC poses a significant risk to companies. As a form of social engineering, it’s undetectable with most cybersecurity tools. Explore best practices you can implement to remain vigilant against this scam.

Business email compromise (BEC) – also known as email account compromise (EAC) – takes advantage of the fact that so many of us use email to conduct business. In a BEC scam, criminals send an email message that appears to come from a known, trusted source making a legitimate request.

This type of scam remains one of the costliest cybercrimes for businesses of all sizes, especially common in investment banking, as fraudsters become more sophisticated and able to circumvent established preventative measures. In 2022, the FBI’s Internet Crime Complaint Center received 21,832 BEC complaints with adjusted losses over $2.7 billion. The FBI also saw a slight increase in the targeting of victims’ investment accounts instead of traditional bank accounts.¹

So, why is BEC becoming such a large and looming threat? According to the FBI’s Internet Crime Report, BEC is difficult to detect as it doesn’t use malware or malicious URLs that can be analyzed with standard cyber defenses. It relies on impersonation and social engineering techniques (phishing is often a pre-cursor to a BEC attack) to trick people into interacting with the attacker.

BEC scams are popular because they are: (1) simple to execute, (2) don’t require advanced coding skills or complex malware and are (3) hard to detect with software protections.

Types of BEC

According to the FBI, there are five major types of BEC:

1. CEO Fraud: Attackers position themselves as the CEO or executive of a company and typically email an individual within the finance department, requesting funds to be transferred to an account controlled by the attacker. Cybercriminals can combine their knowledge of an executive’s communication style with details gathered from social media and other public sources of information to create targeted, realistic BEC attacks.
   
   
2. Account Compromise: An employee’s email account is hacked and modified payment information is sent to vendors, redirecting payments to bank accounts owned by the attacker.
   
   
3. False Invoice Scheme: The attackers commonly target foreign suppliers and the scammer acts as if they are the supplier and requests fund transfers to fraudulent accounts.
   
   
4. Attorney Impersonation: The attacker impersonates a lawyer or legal representative. Lower-level employees are commonly targeted through these types of attacks where one wouldn’t have the knowledge to question the validity of the request.
   
   
5. Data Theft: This type of BEC typically targets HR employees to obtain personal or sensitive information about individuals within the company such as CEOs and executives. This data can then be leveraged for future attacks such as CEO fraud.

Examples of how criminals carry out BEC scams

A bad actor might leverage some of these tactics to carry out BEC:

• Spoofing an email address
  • Slight variations on legitimate addresses ([email protected] vs. [email protected]), or forgery to fool victims into thinking fake accounts are authentic.
     
• Sending spear-phishing emails (Spear phishing is an email or electronic communications scam targeted towards a specific individual, organization or business)
  • These messages look like they’re from a trusted sender but are designed to trick victims into revealing confidential information. This information lets criminals access company accounts, calendars and data to carry out BEC schemes.
     
• Using malware
  • Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. This information may be used for example, to send messages or time requests so accountants or financial officers don’t question payment requests.
  • Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.

Best practices to help mitigate BEC fraud

While BEC scams are hard to detect, here are some examples of best practices/tips that might help avert an incident:

• Educate and train employees to understand the signs of BEC and how to report it. The primary defense against many types of cyberattacks is employee training and education.
  
  
• Don’t react hastily because there’s a sense of urgency in an email; rushing to action is one of the hallmarks of business email compromise incidents.
  
  
• Avoid supplying login credentials or Personally Identifiable Information (PII) of any sort via email. Be aware that many emails requesting your personal information may seem to be legitimate, but they aren’t.
  
  
• Verify the email address you are using to respond to an email, especially when using a mobile or handheld device, by ensuring the sender's address appears to match who it is coming from.
  
  
• If a request comes from a company you have never done business with before, independently confirm that this is a real supplier/vendor (find a phone number for it on a known/valid website; don’t use the number from the email).
  
  
• Employ strict procedures around wiring money, and consider…
  • Always have a “maker” and “checker” in the payment process and ensure there is a segregation of duties. Risk is significantly higher when the same user can create and send their own payments
    • Requiring a second form of verification before wiring funds
    • Confirming wire instructions verbally; make a phone call to the vendor or requestor (from a phone number already on file) to validate the legitimacy of the request
    • Establishing limits on the accounts and users (daily or transactional)
    • Being prudent about who is entitled to execute money movements; periodically review user roles and entitlements within your company, paying special attention to ACH and wires 

Raise awareness throughout your organization

Technological controls, like firewalls and antivirus software, cannot defend against BEC scams. Of course, these are good basic controls to help prevent cyberattacks. However, you can limit the damage of BEC attacks by following some of the above tips and training employees how to spot BEC red flags (e.g., high level executives asking for unusual information, urgent requests, requests that bypass normal approval channels, and requests that ask individuals not communicate with others).

If you believe you/your company may have been a victim of a BEC crime, contact your financial institution and your local FBI office.

At U.S. Bank, your privacy and security are our priority. We’re constantly enhancing our systems to keep your data secure and provide seamless technology experiences. Learn more about protecting your organization with our fraud prevention checklist or contact U.S. Bank for help with your fraud prevention plan.