What is Business Email Compromise (BEC) and How Does It Work?


We often hear that email is dying because of social media but the truth is that its use continues to grow. Research from The Radicati Group shows that email usage will increase to a massive 319.6 billion emails sent and received, per day, by 2021. That’s an awful lot of emails. Whilst it is true that much of this is spam and unwanted, email remains a very convenient way to communicate with both internal staff and external business associates and customers.

Since email is such a useful part of business communications, it will always be the number one way for a cybercriminal to target an individual and an organization. We have seen this borne out with 76 percent of businesses experiencing a phishing attack.

As always, the cybercriminal is a cunning adversary and will find many new and innovative ways to pose a cyber threat. Another highly successful email-based attack method is Business Email Compromise, or BEC for short. In this article, I'll look at what BEC is and how we can try to protect our business against this most sinister of threats.


Business Email Compromise – Some Examples

Research carried out by the FBI, covering the three years leading up to 2016, found that BEC was behind $5.3 billion USD in business losses across the world. Some examples of those who fell victim to BEC scams include:

Austrian company FACC Operations GMBH: The company lost 50 million euros through a BEC scam when hackers impersonated the CEO, Walter Stephan, in emails. The spoof emails asked to have urgent money transfers made – of course, the money went straight into the hacker’s bank account.

Californian company Xoom Corporation: A similar scam to the FACC Operations BEC incident, this time involving around $30.8 million USD being transferred to a hacker's account. The company's share price dropped by 17% after the incident.

Toymaker, Mattel: The company handed over $3 million USD to scammers who used BEC techniques to trick the organization into thinking it was a legitimate financial transaction.

These examples show the gravity of the problem. A BEC scam can cost a company millions, which is reason enough to find out more about it.


What A BEC Scam Looks Like

Like many of the most successful methods used by cybercriminals, BEC is based on the common theme of manipulating human behavior and using technology in the process. The general term for this is "social engineering". It uses our human sociability and normal connectivity with other people to achieve the end goal of the criminal. Here are a few ways that BEC scammers go to work:


CEO Impersonation

The FACC Operations scam was based on spoofing the CEO's email. This can be done either by hijacking an actual account or by using a spoof email address to trick others into thinking the email is legitimate. Hijacking involves breaking into an actual email account (by stealing login credentials) and taking it over. Spoofing is a simpler technique but can be less successful. However, a spoofed email can be very difficult to detect, especially if the scammer has watched how the CEO behaves and the type of language they use. Spoof email addresses are very similar to the real address. For example, if they change [email protected] to [email protected], only vigilant people would spot the different domain.


Bad Invoice

Hackers use surveillance techniques to build up intelligence on how a company’s finance department operates. The cybercriminal will use spear phishing emails to target an individual in the department, stealing their email account login credentials. They then watch out for invoice patterns and eventually send a spoof invoice out for payment or adjust payment details on a legitimate invoice.


Business Email Compromise and Us

BEC is like an old-fashioned con. The scam is based on manipulating human behavior. The criminals use a combination of psychological tricks and know-how to get you to do their bidding. The following are some of the important elements they employ:


Surveillance

BEC hackers often take their time to understand how a company, and the individuals in it, work and communicate. They want to make their emails look as real as possible and mimic the employee they are impersonating. For this reason, they use similar wording to make their victim believe them.


Trust

The scam is built around trusted relationships. Often the trickster will use known trusted relationships, like that between a CEO and a Finance Director, to initiate a money transfer. If we trust the person who is asking us to transfer money, we are more likely to do so, especially if the language and words they use are the same as the ones normally used.


Good Employees

BEC scams are often most successful when they use a sense of urgency. This can manipulate an employee's need to do a good job. Spoof emails will have action items like "Please process this transfer urgently; if we do not move this money by 12 noon we will lose this major deal". The fear of getting the blame if something isn't transferred in time prompts the employee to comply. The urgency also causes people to stress, making them less likely to pick up any clues that it is actually a scam.
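The three elements above (a trusted name, a familiar tone, and pressure to act before anyone checks) can be turned into a simple triage rule on the mail gateway. The following is an added example, not code from the original article: it scores one message for a trusted display name on an unknown address, a Reply-To that diverts answers elsewhere, urgency or secrecy phrases, and payment instructions, and flags the message to be held until the request is confirmed by phone. The company domain, the executive directory and both sample messages are constructed placeholders.

```python
import re
import email
from email import policy
from email.utils import parseaddr

# Constructed data for this example: the people a BEC actor would impersonate,
# mapped to the only address they legitimately send from. "example.com" and
# the directory entries are placeholders, not taken from any real organisation.
KNOWN_SENDERS = {
    "walter stephan": "walter.stephan@example.com",
}

# Phrases the article singles out: urgency, secrecy, and payment instructions.
URGENCY_PATTERNS = [
    r"\burgent(ly)?\b", r"\bby (12 )?noon\b", r"\bright away\b",
    r"\bwe will lose\b", r"\bconfidential\b", r"\bdo not (tell|discuss)\b",
]
PAYMENT_PATTERNS = [
    r"\bwire\b", r"\btransfer\b", r"\bnew (bank )?account\b",
    r"\bpayment details\b", r"\binvoice\b",
]


def analyse(raw: bytes) -> dict:
    """Score one RFC 822 message for the BEC indicators described above.

    Returns the score, human-readable reasons, and whether the message should
    be held until the request is confirmed out of band (a phone call).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    part = msg.get_body(preferencelist=("plain",))
    text = part.get_content() if part is not None else ""

    score, reasons = 0, []

    # 1. A trusted display name on an address other than the known one.
    known = KNOWN_SENDERS.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        score += 3
        reasons.append(f"display name '{from_name}' but sender is {from_addr}, not {known}")

    # 2. Replies silently routed to a mailbox other than the one shown in From.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        score += 2
        reasons.append(f"Reply-To {reply_addr} differs from From {from_addr}")

    # 3. Pressure language and 4. payment instructions in the body.
    urgency = [p for p in URGENCY_PATTERNS if re.search(p, text, re.IGNORECASE)]
    payment = [p for p in PAYMENT_PATTERNS if re.search(p, text, re.IGNORECASE)]
    if urgency:
        score += len(urgency)
        reasons.append(f"urgency/secrecy language matched {len(urgency)} pattern(s)")
    if payment:
        score += len(payment)
        reasons.append(f"payment instructions matched {len(payment)} pattern(s)")

    # Threshold chosen for this example: one identity finding plus a single
    # pressure phrase is enough to hold the message for a phone-call check.
    return {"score": score, "reasons": reasons, "verify_out_of_band": score >= 4}


# Constructed sample messages; the lookalike domain is a placeholder.
SUSPICIOUS = b"""From: Walter Stephan <walter.stephan@example-corp.co>
To: finance@example.com
Subject: Urgent transfer
Content-Type: text/plain; charset=us-ascii

Please process this transfer urgently; if we do not move this money by 12 noon
we will lose this major deal. Wire it to the new account below and keep this
confidential.
"""

BENIGN = b"""From: Walter Stephan <walter.stephan@example.com>
To: finance@example.com
Subject: Board agenda
Content-Type: text/plain; charset=us-ascii

Attached is the agenda for Thursday's board meeting.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, analyse(raw))
```

The scoring is deliberately coarse: its job is not to decide that a message is fraudulent but to decide that a human must pick up the phone before money moves, which is the control the article recommends. The constructed suspicious message scores 10 (identity mismatch plus four urgency and three payment phrases) and is held; the benign one from the known address scores 0.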


Ways to Prevent Being BEC Scammed

As with all cybersecurity threats, there are ways to reduce your risk and beat the cybercriminal at their own game. Below we have listed some ideas for how to stay sharp and, consequently, protected.


1. Being Aware

First of all, make sure that everyone in your company, from the board to individual employees, is aware of what a BEC scam is and how it can come about. In particular, make targeted business areas, like finance, aware of the threat. Put checks and measures in place, like making a phone call to double-check a large transfer.


2. Use Robust Email Authentication

Although much of a BEC scam is based on social engineering, some scams rely on breaking into email accounts. If you can, require two-factor authentication (2FA) for access to email accounts. For example, email systems like Gmail offer this using a mobile app or an SMS text message. Take note that SMS text message 2FA has some known security issues. Thus, a mobile app code may be more secure.


3. Control Your Domain

The spoof email addresses that the criminals use often have domains similar to the real one. Make sure you buy up all domains that are similar to your main domain, so that hackers can't abuse them.
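Knowing which domains to buy, and recognising them when they turn up in a sender address, requires enumerating the lookalikes. The following added example (not code from the original article, and not a substitute for a full tool such as dnstwist) generates the common variants of a registrable domain that the CEO Impersonation section describes: dropped, doubled, swapped and hyphenated characters, visually confusable characters, and neighbouring top-level domains. The same list serves two defensive purposes: the registration shopping list this section recommends, and a blocklist check on inbound mail. The domain `example.com` and the sample sender addresses are constructed placeholders.

```python
# Single-character confusions that survive a quick glance in a mail client.
HOMOGLYPHS = {
    "o": ("0",), "l": ("1", "i"), "i": ("1", "l"), "e": ("3",), "a": ("4",),
    "s": ("5",), "m": ("rn", "nn"), "n": ("m",), "w": ("vv",), "d": ("cl",),
}
# Neighbouring top-level domains a registrar will sell to anyone.
ALT_TLDS = ("com", "co", "net", "org", "cm", "co.uk")


def lookalikes(domain: str) -> set:
    """Return lookalike domains for one registrable domain such as 'example.com'."""
    name, tld = domain.lower().split(".", 1)
    variants = set()
    for i in range(len(name)):
        variants.add(name[:i] + name[i + 1:])                 # omission:    exmple
        variants.add(name[:i] + name[i] + name[i:])           # repetition:  exaample
        for sub in HOMOGLYPHS.get(name[i], ()):
            variants.add(name[:i] + sub + name[i + 1:])       # homoglyph:   exarnple
    for i in range(len(name) - 1):
        variants.add(name[:i] + name[i + 1] + name[i] + name[i + 2:])  # transposition: exmaple
        variants.add(name[:i + 1] + "-" + name[i + 1:])       # hyphenation: ex-ample
    variants.discard(name)                                    # never list the real name
    result = {v + "." + tld for v in variants}
    result |= {name + "." + t for t in ALT_TLDS if t != tld}  # TLD swap:   example.co
    return result


def is_lookalike(sender_domain: str, protected: str) -> bool:
    """True if sender_domain imitates the protected domain without being it."""
    sender_domain, protected = sender_domain.lower(), protected.lower()
    if sender_domain == protected:
        return False
    # The real name used as a subdomain of some other registration also reads
    # as the real company in a cramped mail client.
    if sender_domain.startswith(protected + "."):
        return True
    return sender_domain in lookalikes(protected)


def flag_senders(addresses, protected: str) -> list:
    """Return the addresses whose domain is a lookalike of the protected one."""
    return [a for a in addresses if is_lookalike(a.rsplit("@", 1)[-1], protected)]


# Constructed sender addresses; "attacker-placeholder.net" is a placeholder.
SAMPLE_SENDERS = [
    "ceo@example.com",
    "ceo@exarnple.com",
    "ceo@example.co",
    "partner@othercompany.com",
    "ceo@example.com.attacker-placeholder.net",
]

if __name__ == "__main__":
    candidates = sorted(lookalikes("example.com"))
    print(f"{len(candidates)} lookalike domains, e.g. {candidates[:6]}")
    print("flagged senders:", flag_senders(SAMPLE_SENDERS, "example.com"))
```

Registering every variant is rarely practical for a long name, so the usual approach is to register the handful of cheapest and most convincing ones and feed the rest into the mail filter and a DNS watch so that a newly registered lookalike is noticed before it is used.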


4. Be Hygienic

Basic security hygiene measures like malware prevention should always be followed. To refresh your memory of what that means, you can take a look at our 8 steps to stay safe online. Although this is aimed at the individual, it is important that everyone in your company is aware of these steps.


Final Thoughts

What is so chilling about Business Email Compromise is that the hacker becomes a spy and uses our own behavior against us. BEC can be a very costly crime, putting businesses under grave financial strain. It sometimes even results in individuals being dismissed. Some simple methods like being security-aware can help to minimize the chance your company will be hit by this damaging cybercrime.

Corporate IT security expert
Susan has been involved in the IT security sector since the early nineties, working across diverse sectors such as file encryption, digital rights management, digital signing, and online identity. Her mantra is that security is about human beings as much as it is about technology.