What is business email compromise (BEC) and how to help prevent it?

For many organizations, the weakest link in the corporate cyber security chain is still their people—74% of data breaches involve the human element, according to Verizon's latest Data Breach Investigations Report (DBIR). This figure is not only about employees clicking on a malicious link or booby-trapped attachment. Business email compromise (BEC) is an example of growing sophistication by the cyber crime community as they aim to generate ever bigger profits. Unfortunately, they appear to be succeeding.

According to the FBI, in 2022, the IC3 received 21,832 BEC complaints with adjusted losses over $2.7 billion. With nefarious tactics, techniques and procedures (TTPs) evolving apace, it's time organizations got better at minimizing their risk exposure.

At its most basic level, business email compromise (also known as “email account compromise”) is a type of social engineering attack. Recipients are tricked into following the instructions of the sender, who masquerades as a member of their organization, a supplier or another "legitimate" source. They may request a money transfer to an account outside the company or even the purchase of gift cards.

The threat could perhaps be more accurately dubbed "BEC phishing." In fact, traditional phishing can also play a key part in the build-up to attacks.

Here are some of the most common variations:

• CEO fraud: The recipient, often a member of the finance team, is tricked into believing their CEO, CFO or other senior exec is emailing them with an urgent wire transfer request. In fact, the funds will head straight to an account under the control of the scammer.
• Supplier/invoice fraud: The recipient is tricked into believing that a regular supplier needs payment for a recent project.
• Account takeover: An employee account is phished/hijacked to request fake invoice payments from company vendors/partners.
• Generic spray-and-pay BEC: Sometimes threat actors use "as-a-service" offerings bought from the cyber crime underground to spam large numbers of recipients with vague requests for a fund transfer. They'll often not use a compromised account to do this but possibly a generic webmail one.

As Verizon explains in its DBIR, "BECs come in many forms: your organization may be targeted due to a breach in a partner, your partners may be targeted due to a breach of your emails, you may be breached and then targeted using your own breach, or … there may be no breach at all, just an attacker with a convincing story about why they need your money."

In the more targeted campaigns, threat actors typically follow a specific set of steps:

1. Reconnaissance: The scammer will research potential targets via social media, perhaps obtaining sensitive data from dark web breach sites to help. As the FBI notes, they will seek to build a profile of the company and its executives.
2. Preparation: Next, the attacker needs to ensure they have the right email infrastructure in place to facilitate stage three. This could mean hijacking a CEO's account via a phishing attack, compromising an employee account to monitor emails sent to and from suppliers, spoofing a partner's domain or buying log-ins on the dark web. According to Verizon, 41% of attacks in 2022 year involved phishing. Of the remaining 59%, over two-fifths (43%) involved the use of stolen credentials. According to the 2023 DBIR, BEC attacks (which are in essence pretexting attacks) have almost doubled across our entire incident dataset.
3. Execution: The threat actor uses their best powers of social engineering to send the money transfer request from a spoofed or hijacked domain.
4. Laundering: Once the money has been transferred, it will likely be distributed across multiple accounts and potentially laundered by money mules.

The bad news for network defenders is that the scammers are still innovating. It usually starts with a spear-phishing email. This is a type of phishing attack that targets specific individuals or organizations, typically through email, in an attempt to trick someone into divulging confidential information or clicking on a malicious link.

For instance, a threat actor or scammer who has gained access to log into a corporate user's inbox can then monitor the emails passing through it and enter into what appears to be a legitimate conversation with known and trusted contacts. This technique is often called conversation hijacking and is typically used by the hacker to gain additional information. These techniques are especially useful for launching supplier/invoice BEC attacks.

Some of the biggest victims in previous years have included tech giants. According to NPR.org, Google and Facebook were targets of an elaborate scheme involving a fake company, fake emails and fake invoices. These companies paid tens of millions of dollars in fraudulent bills from 2013 to 2015. In this case, the hacker was extradited back to the United States to face charges.

In 2022, the IC3’s Recovery Asset Team (RAT) initiated the Financial Fraud Kill Chain (FFKC) on 2,838 Business Email Compromise (BEC) complaints involving domestic-to-domestic transactions with potential losses of over $590 million.

The Verizon DBIR also illustrates the extent of the threat. Pretexting attacks, many of which are BECs, accounted for 50% of social engineering breaches studied in the report. That’s nearly double from the year prior.

Beyond losing potentially hundreds of millions of dollars, victim organizations can also see the departure of senior executives and suffer significant reputational damage in the process.

Another concerning trend is the convergence of business email compromise with deepfake technology, which is designed to spoof audio or video. The FBI has warned that deepfake audio is being used on video collaboration platforms to trick attendees into wiring money, among other scams. The typical progression of this type of attack starts with the compromise of the inbox of a C-level executive or upper management. The scammer then sends invitations to targeted employees to join a virtual meeting. During the meeting, the scammer inserts a still image of the CEO, using deepfake audio to mimic their voice. They'll use the meeting to instruct employees to make the wire transfer. AI-powered deepfake technology is already becoming both convincing and cheap enough to make scammers serious money.

The classic challenge with business email compromise scams is that there is no malware for traditional cyber defenses to detect. That said, AI-powered tools are getting better at spotting suspicious email patterns and even unusual writing styles that could indicate account takeover.

Once money is transferred, there's little chance of seeing it again unless the scammers are using domestic banks to receive the funds. That makes prevention essential. Consider some of the following best practices:

• Buy advanced tooling, which uses AI to baseline "normal" and then spot suspicious email patterns and sender writing styles.
• Update business processes so that large wire transfers must be double-checked by more than one employee.
• Tweak employee security awareness training to include BEC scenarios in phishing simulations.
• Update defensive posture dynamically according to the latest emerging BEC TTPs, such as use of deepfake audio on video conferencing.