Business Email Compromise (BEC) is a social engineering attack in which cybercriminals gain unauthorised access to a company’s email account to impersonate trusted partners, high-ranking executives, and employees. Attackers target businesses that rely heavily on email because it is an inexpensive, fast, easily replicated, and accessible method of communication; the same qualities make it an easy channel to abuse.
How Does Business Email Compromise Work?
BEC begins with cybercriminals conducting thorough research to identify key individuals, typically CEOs, finance personnel, and CFOs. Once cybercriminals pinpoint these targets, they employ phishing and social engineering techniques to compromise their email accounts.
Once cybercriminals gain access, they study the organisation’s communication patterns. They then use the compromised email accounts to send fraudulent requests to partners and employees. These requests, which are usually financial, are carefully crafted to create a sense of urgency, deceiving recipients into opening them and taking immediate action as per the message’s instructions.
An illustrative incident occurred in 2019, when cybercriminals contacted the finance and accounting department of a Toyota Boshoku subsidiary, posing as one of its business partners. They created urgency by falsely claiming that immediate payment was necessary to avoid disrupting Toyota’s production. The auto parts supplier fell victim to the ruse and sent $37 million before realising that it had been scammed.
Common Types Of Business Email Compromise
According to the fourth edition of Cyber Signals by Microsoft, there has been a notable surge in cybercriminal activity related to BEC. Microsoft Threat Intelligence detected and investigated a staggering 35 million BEC attempts, with an average of 156,000 daily attempts. Additionally, there was a 38% increase in Cybercrime-as-a-Service specifically targeting business emails between 2019 and 2022.
Common types of business email compromise are:
Data Theft
In a data theft attack, cybercriminals target HR and finance team members to steal sensitive information regarding the business’ customers and employees. This information can be used for future attacks or sold on the dark web to allow other criminals to utilise the data.
False Invoice Scheme
Also known as Invoice Fraud, this type of financial fraud targets businesses that regularly process a high volume of invoices and payments. Cybercriminals create legitimate-looking invoices that appear to come from the victim’s existing service providers or suppliers. These fake invoices may include accurate company logos, contact information and payment details to make them appear authentic. The fraudulent invoices, which often contain urgent payment requests, are then sent to the targeted business.
CEO Fraud
Cybercriminals impersonate business leaders and high-ranking executives to deceive employees into taking specific actions, including sharing sensitive information or transferring funds. This is usually effective because it leverages the credibility and authority of top-level executives to pressure employees into carrying out the cybercriminals’ fraudulent requests.
Account Compromise
In account compromise attacks, the cybercriminal gains unauthorised access to an employee’s email account and uses it to request invoice payments to vendors listed in their email contacts.
Lawyer Impersonation
Cybercriminals pose as the victim’s lawyer or legal team member to pressure or manipulate employees into taking action. This attack primarily targets junior or newly hired employees who may lack the authority or knowledge to question the validity of the communication or requests.
How To Prevent BEC Attacks
While there is no one-size-fits-all approach, certain best practices can mitigate email security risks and prevent cyberattacks. These include:
Employee Education and Training
Conduct regular cybersecurity training for all employees, at least twice a year, to educate them about the tactics cybercriminals deploy in BEC attacks. Teach employees to identify suspicious emails and promptly report potential threats. During training, define and communicate what constitutes an unusual, inappropriate, or atypical executive request. Emphasise proper processes and procedures for financial transactions, including who is authorised to approve financial requests. Lastly, communicate the correct procedures for managing vendor invoices, even in urgent situations.
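As an added example that is not part of the original article, the following Python heuristic flags the two patterns described above so that suspicious messages can be surfaced for review: an executive’s name on an address that is not theirs (CEO fraud) and urgency paired with a payment request (false invoices). The domain, executive list and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed for the example: the executives whose names a CEO-fraud
# message would borrow, mapped to the address they really send from.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "end of day")
PAYMENT_TERMS = ("wire", "transfer", "invoice", "payment", "bank details")


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(msg.get("From", ""))
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()

    findings = []
    # CEO fraud: a known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(display_name.strip().lower())
    if expected and address.lower() != expected:
        findings.append(f"executive name '{display_name}' on unexpected address {address}")
    # False invoice / payment fraud: urgency combined with a request to move money.
    if any(t in text for t in URGENCY_TERMS) and any(t in text for t in PAYMENT_TERMS):
        findings.append("urgent payment request in subject or body")
    return findings


# Constructed sample messages: one impersonation attempt, one routine internal mail.
CEO_FRAUD = """\
From: Jane Doe <jane.doe@mail-example.net>
To: finance@example.com
Subject: Urgent wire transfer today

Please process the attached invoice immediately; I am in a meeting.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 board pack

Attached is the draft agenda for the next board meeting.
"""

if __name__ == "__main__":
    for name, sample in (("CEO_FRAUD", CEO_FRAUD), ("LEGIT", LEGIT)):
        print(name, bec_indicators(sample) or "no indicators")
```

A hit from either check is a prompt for the verification step the article recommends (confirming the request out of band), not a verdict on its own.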
Adopt a Zero Trust Architecture and Strategy
A Zero Trust Architecture eliminates implicit trust and continually validates every digital interaction. Trust no entity inherently, whether inside or outside the network or organisation. Verify and validate all users and devices before granting access to resources. Similarly, scrutinise and authenticate all requests before granting approval.
Implement An Incident Response Plan
An incident response plan is crucial for a well-coordinated and structured response to security incidents. Regardless of the safety measures in place, it is essential to have a comprehensive plan that covers all possible scenarios, including responding to a data breach.
Implement Multi-Factor Authentication
Enforce the use of MFA for all email accounts and critical systems. MFA adds an extra layer of security by requiring users to provide multiple forms of identification before accessing accounts.
Protecting Your Business from Cyber Threats
We take the pain out of cybersecurity, so you don’t have to worry about it. Our dedicated cybersecurity experts provide direction and guidance on securing your organisation. Modalit uses a variety of technologies, including multi-factor authentication, email security, encryption, vulnerability assessment, and mobile device management.
We provide employee awareness training to educate employees to recognise suspicious emails and report potential threats immediately. We also offer pre-written policy and procedure templates to ensure your documentation is complete and in line with best practices.
Contact us today for a no-obligation review of your cybersecurity infrastructure.