Business Email Compromise

Chris Swagler | June 3rd, 2023

 

The FBI’s Internet Crime Complaint Center (IC3) received 21,832 business email compromise and email account compromise reports in 2022, resulting in damages totalling more than $2.7 billion. 95% of BECs result in financial losses ranging from $250 to $985,000, with a median of $30,000. The most serious threat to companies’ cybersecurity is business email compromise (BEC). Threat actors can access systems and convince employees to disclose important company information. Additionally, malicious false company emails can be trojan horses for ransomware. BEC attacks can have disastrous financial impacts on clients, and there are ways to prevent them. Here’s how BEC attacks work and how people can recognize them before they cause damage.

How Do Business Email Compromise Attacks Occur?

What exactly is a business email compromise? Business email compromise (BEC) is a cybercrime in which fake emails deceive people into handing over money or sensitive information. Business email compromise is nothing new. Email scammers are innovative, continuously altering and refining their tactics to deceive misinformed or irresponsible employees. According to the FBI, the following are some of the typical schemes used by cybercriminals to exploit emails for financial gain:

  • Email or website spoofing – Threat operators can alter legitimate companies’ email or website addresses to deceive people into clicking on malware-loaded links. One example is a client’s employee accustomed to receiving emails from Kelly.jones@testcompany.com. Threat operators can create a similar-looking version like Kelley.joes@testcompany.com. Individuals are more inclined to open emails that appear to come from recognized sources and to click links or download files that appear safe but can open doors into systems and information.
  • Spear Phishing – Spear phishing is another type of email that looks to be from a trusted sender. This attack harvests confidential information from unwitting victims, including company accounts, calendars, and data. The information is a prelude to a broader onslaught.
  • Malware – Malware is something every MSP is familiar with. However, concerning BEC attacks, malicious software infiltrates companies’ networks to obtain access to billing and invoice emails. The information is used to time requests, ensuring financial officers don’t question payment requests. Additionally, the malware allows cybercriminals to obtain unauthorized access to data, including user passwords and account information.
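The lookalike-address case from the spoofing bullet can be checked mechanically. The sketch below is an added example, not part of the original article: it compares a sender against a list of known contacts and flags near matches. The threshold, the function names, and every address other than the two quoted in the article are assumptions made for illustration.

```python
# Added example: flag sender addresses that nearly match a known contact.
KNOWN_CONTACTS = {"kelly.jones@testcompany.com"}  # address taken from the article
MAX_DISTANCE = 2  # assumed threshold; tune against real mail flow


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def check_sender(sender: str, known=KNOWN_CONTACTS, max_distance=MAX_DISTANCE):
    """Return ("known" | "lookalike" | "unknown", closest contact or None)."""
    sender = sender.strip().lower()
    if sender in known:
        return "known", sender
    s_local, _, s_domain = sender.rpartition("@")
    best = None
    for contact in known:
        c_local, _, c_domain = contact.rpartition("@")
        # Score mailbox and domain separately so a one-letter domain swap
        # is caught as well as a misspelled name.
        d = edit_distance(s_local, c_local) + edit_distance(s_domain, c_domain)
        if d <= max_distance and (best is None or d < best[0]):
            best = (d, contact)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    for addr in ("Kelly.jones@testcompany.com",
                 "Kelley.joes@testcompany.com",    # spoof quoted in the article
                 "kelly.jones@testcornpany.com",   # constructed domain lookalike
                 "billing@othervendor.example"):   # constructed unrelated sender
        print(addr, "->", check_sender(addr))
```

A "lookalike" result is a reason to verify the sender through another channel before acting on the message; an "unknown" result only means the address is not close to any listed contact.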

Some business email compromises are more subtle than others. Anyone can become a victim of sophisticated, cutting-edge cyber schemes.

Different Types of Business Email Compromise

There are several significant types of business email compromises that people need to be aware of:

  • Impersonating Attorneys – Threat operators will impersonate attorneys to contact employees and request sensitive information. Employees willingly provide the information because they believe they are speaking with trustworthy attorneys. The schemes target lower-level, less sophisticated end-users.
  • CEO Fraud – Threat operators may request that employees transfer money into threat operators’ bank accounts by posing as the CEO of a company using a fake email. Employees may follow what they believe are orders from higher-ups without question. This is a particularly heinous misuse of intra-company trust.
  • Data Theft – The attacks are more about obtaining vast amounts of sensitive information for future attacks, including locking down companies’ systems, targeting individual employees’ finances, or holding companies hostage by threatening to sell the sensitive information to potentially more vicious cyber criminals.
  • Account Compromise – Threat operators use fake email domains to trick employees into sending money to illegitimate vendors’ bank accounts.
  • Fake Invoice Scam – This supply chain attack is when supplier-side companies request fund transfers from overseas recipients, who are more likely to be deceived by a language barrier.

Any attacks mentioned above can also smuggle in spyware, malware, and viruses, in which the payloads can be very destructive. Even though these attacks are the most common business email compromise scams, cybercriminals are inventive and can develop more devious ways to capture sensitive information.

History of Business Email Compromise Attacks

Examples of business email compromise attacks act as both a warning and a learning opportunity for MSPs. Among the most significant historical attacks are:

  • Between 2013 and 2015, Facebook and Google lost $121 million from coordinated attacks. A Lithuanian posed as a Taiwanese investor and sent fake invoices from Quanta Computer. The scam convinced Google and Facebook that they owed Quanta money for computer components they had never purchased. The criminal was caught, pled guilty to one count of wire fraud, and served 30 years in prison.
  • The Puerto Rico Industrial Development Company’s finance director was duped into transferring over $2.6 billion to a threat operator’s bank account. The scam occurred after Puerto Rico was devastated by a massive hurricane in 2020 and was still recovering. No company or government, no matter how large or powerful, is completely safe from business email compromise attacks.

How to Prevent and Reduce Risk of Business Email Compromise

All companies and global governments are vulnerable to BEC attacks. MSPs must provide their clients with the proper education and tools to prevent BEC. A BEC checklist shows what threats to watch for, how to monitor them, and how to deal with them when they occur. Here are a few steps to protect clients from BEC attacks.

  • Training – With end users being the primary target of BEC attacks, implementing a cybersecurity awareness training program is crucial. People need to be educated to recognize suspicious emails. Additionally, they must know what to do if they suspect they have received a suspicious communication. Companies can go further by implementing zero-trust network architecture, ensuring no employee is granted more access than is strictly necessary to do their job.
  • Performing risk assessments – MSPs must fully understand potential cybersecurity risks and vulnerabilities. Initial security risk assessments will enable companies’ teams to be proactive and reduce the chance of BEC attacks.
  • Check and double-check any changes to the Accounts Payable (AP) process – Check all invoices and look for anything suspicious.
  • Review the technical controls – Companies must examine clients’ systems for evidence of unusual activities. What kind of activities do people notice in Microsoft Office 365 or Google apps, for example? Companies need to take the time to look for things like a new forwarding rule or strange logins from a new location they have not seen before. Companies need to ensure their clients have not disabled multi-factor authentication.
  • Use modern email security solutions – Companies should bring in comprehensive cybersecurity technology that automates endpoint detection and response protocols. This covers risk assessment, dark web monitoring, cloud app security, and 24/7 incident response service. Companies need to provide clients with the peace of mind that comes with comprehensive cyber threat prevention.
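The three indicators named in the technical-controls step (a new forwarding rule, a login from a location not seen before, and disabled MFA) can be pulled out of exported audit events with a short script. This is an added example, not part of the original article; the event schema, user names, domains, and the `review` function are constructed for illustration and do not reproduce the Microsoft 365 or Google Workspace log formats.

```python
# Added example: triage of mailbox audit events for the indicators named above.
# The schema and every value below are constructed; map real log fields onto it.
INTERNAL_DOMAIN = "client.example"  # assumed tenant domain

EVENTS = [
    {"time": "2023-05-01T08:02Z", "user": "ap.clerk", "action": "login", "country": "US"},
    {"time": "2023-05-02T08:05Z", "user": "ap.clerk", "action": "login", "country": "US"},
    {"time": "2023-05-03T02:41Z", "user": "ap.clerk", "action": "login", "country": "XX"},
    {"time": "2023-05-03T02:44Z", "user": "ap.clerk", "action": "mfa_disabled"},
    {"time": "2023-05-03T02:47Z", "user": "ap.clerk", "action": "forward_rule_created",
     "forward_to": "archive@mailbox.example"},
    {"time": "2023-05-03T09:00Z", "user": "cfo", "action": "forward_rule_created",
     "forward_to": "assistant@client.example"},
]


def review(events, internal_domain=INTERNAL_DOMAIN):
    """Return (time, user, finding) tuples for events worth a closer look."""
    seen_countries = {}  # user -> countries observed so far
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        user, action = ev["user"], ev["action"]
        if action == "login":
            known = seen_countries.setdefault(user, set())
            # The first login only establishes the baseline for that user.
            if known and ev["country"] not in known:
                findings.append((ev["time"], user,
                                 f"login from new country {ev['country']}"))
            known.add(ev["country"])
        elif action == "mfa_disabled":
            findings.append((ev["time"], user, "MFA disabled"))
        elif action == "forward_rule_created":
            domain = ev["forward_to"].rpartition("@")[2].lower()
            if domain != internal_domain:
                findings.append((ev["time"], user,
                                 f"external forwarding to {domain}"))
    return findings


if __name__ == "__main__":
    for finding in review(EVENTS):
        print(*finding, sep="  ")
```

On the sample data the three findings all belong to one account within minutes of each other, which is the sequence worth escalating; the forwarding rule that stays inside the tenant domain is not reported.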

What to Do After Discovering Business Email Compromise Attacks?

If a BEC attack occurs, companies must instruct their clients to remain calm while acting promptly behind the scenes. The following are the primary steps that MSPs can take to prevent attacks from worsening:

  • To prove the transactions were fraudulent, request a recall or reversal from the financial institution in question, a Hold Harmless Letter, or a Letter of Indemnity.
  • Collect all information about the attacks.
  • Make a report to the FBI’s Internet Crime Complaint Center.
  • Companies must create new, complicated passwords for their clients’ email accounts. Clients who don’t have one must incorporate a multi-factor authentication (MFA) protocol into the login process.

Threat operators seek to evolve tactics by utilizing more business email compromise (BEC) attacks. So, companies must remain vigilant of the current threat landscape and train their employees to detect suspicious emails. Cybersecurity awareness training educates individuals and companies about best cybersecurity practices and provides the knowledge and skills necessary to protect their systems and data from cyber threats. Our training covers password security, phishing scams, social engineering, malware, data protection, and network security. By providing cybersecurity awareness training, companies and their employees can better understand the risks of the cyber landscape and develop impactful cybersecurity practices that reduce the likelihood of cyberattacks. Cybersecurity awareness training is an essential component of any comprehensive strategy to protect sensitive information, such as personal data, financial information, or intellectual property, and prevent data breaches, system downtime, and other negative consequences from cyberattacks.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.