BEC Scams

Chris Swagler | December 15th, 2023


Business Email Compromise (BEC) has become one of the most common and costly threats organizations face. According to a 2023 phishing threats report from a cybersecurity company, BEC attacks now rank among the top global cybersecurity threats and affected 71% of organizations in 2022. This article explains how BEC attacks work, what they cost companies, and, most importantly, the controls organizations can put in place to defend against them.

Understanding Business Email Compromise

BEC is a form of phishing designed to steal money or sensitive information from an organization. The attacker impersonates a trusted party, such as a vendor, a government agency, or a senior executive like the CEO, and sends convincing emails that appear to come from that party to one or more people inside the target organization. The goal is to make the recipient believe they are handling a legitimate request. Once that trust is established, the attacker steers the victim into actions that benefit the scammer: disclosing sensitive information, wiring funds to an attacker-controlled account, buying gift cards, paying fraudulent invoices, or, where the attacker has taken over the victim's mailbox, sending fake invoices to the organization's vendors and customers. Whatever the specific objective, a successful BEC scam can do serious damage to an organization's finances and reputation.

The High Cost of BEC Scams

Reported global BEC losses rose 17% between December 2021 and December 2022. In 2022 alone, nearly 22,000 BEC complaints were filed with the FBI's Internet Crime Complaint Center (IC3), with losses exceeding $2.7 billion, far more than IC3 recorded for ransomware in the same year. Given how widespread and costly BEC is, organizations need to implement defenses proactively rather than wait for an incident to expose the gap.

The Surge in BEC Attacks

BEC has grown rapidly in recent years into one of the most serious cybersecurity concerns for organizations of every size. According to the FBI's Internet Crime Complaint Center (IC3), BEC losses exceeded US$1.8 billion in 2020, making it one of the costliest categories of cybercrime that year. No industry is spared: finance, healthcare, manufacturing, and technology firms are all targeted. The COVID-19 pandemic made matters worse, as remote work increased reliance on email and attackers exploited the surrounding uncertainty and disruption, leaving employees more susceptible to phishing emails and fraudulent requests.

Seven Effective Prevention and Mitigation Strategies for BEC Defense

Protecting an organization against BEC requires layered prevention and mitigation controls. The seven below are the ones that matter most:

  1. Enable Multi-Factor Authentication (MFA)

Passwords alone are not sufficient against BEC, because usernames and passwords are routinely stolen through phishing or reused from other breaches. MFA requires a second factor in addition to the password, such as a one-time password (OTP), a biometric (for example, a fingerprint or iris scan), or a physical security token. That extra factor makes it significantly harder for an attacker who has captured a password to take over a mailbox and use it to request fraudulent transfers or harvest data. Where possible, prefer phishing-resistant factors such as FIDO2 security keys, since OTP codes can themselves be phished through a real-time proxy site.

  2. Enforce Strong, Unique Passwords

In conjunction with MFA, organizations should implement a password policy that requires employees to:

  • Use strong, long, and unique passwords for each account.
  • Never reuse a password across multiple accounts.
  • Change a password promptly when it may have been exposed (for example, after a phishing incident or a breach notification) rather than on a fixed calendar schedule, which tends to produce predictable variations of the old password.
  • Never share passwords with others.
  • Never write passwords down in insecure locations.
  • Avoid easily guessable information such as names, dates, or the company name.
  • Treat length as the primary strength criterion; a long passphrase is stronger than a short password padded with a few symbols.

To simplify password management, deploy a password manager, which lets users generate and securely store strong, unique passwords and lets IT and security teams enforce the policy consistently.

  3. Implement Privileged Access Management (PAM)

BEC attackers frequently target employees whose accounts can approve payments, change vendor banking details, or reach sensitive data. A Privileged Access Management (PAM) solution gives visibility into how privileged accounts and systems are used, blocks unauthorized access, and records user activity for review. It also limits what a single compromised account can do: if finance and payment systems require separately controlled, time-limited privileged access, a stolen mailbox password alone is not enough to move money. PAM session logs can also surface anomalies worth investigating, such as a privileged user suddenly changing payee details outside normal hours.

  4. Educate Employees to Recognize and Guard Against BEC Attacks

Human error remains the weak point that BEC exploits. Awareness programs strengthen it by training staff to recognize common BEC tactics, including brand impersonation, CEO fraud, and fake invoices, and the signs that usually accompany them: urgency and secrecy, a request to bypass the normal process, a reply-to address that differs from the sender, a lookalike domain, or a sudden change in a vendor's bank details. Employees should also know how to respond to a suspected incident and how to report it promptly.

  5. Email Authentication Protocols

Implement the email authentication protocols SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance) to verify that mail claiming to come from your domains actually does, and to stop spoofed messages from reaching inboxes. SPF publishes which servers may send mail for a domain, DKIM signs messages so that forgery and tampering can be detected, and DMARC ties both to the visible From address and tells receiving servers what to do with messages that fail. Publish DMARC with an enforcing policy (quarantine or reject) once aggregate reports show your legitimate mail passes; a policy of p=none only reports failures and blocks nothing. Note that these protocols protect your own domains from being spoofed; they do nothing against a lookalike domain the attacker registers and authenticates correctly.

  6. Verification of High-Risk Transactions

Stringent verification of high-risk transactions, such as wire transfers, changes to vendor payment details, or sharing of sensitive data, is indispensable. Require more than one approver, and confirm the request through a separate, previously established channel, such as a call to a phone number already on file (never to a number supplied in the email itself), before proceeding.

  7. Strengthen Security Controls

Robust email security controls play a crucial role in BEC defense. SPF, DKIM, and DMARC authenticate senders and keep recipients from being fooled by forged addresses or domains, but organizations should not rely on authentication alone. They should also:

  • Deploy an advanced email security solution that inspects message content and context, not just sender identity, to catch BEC and other threats.
  • Use VPNs to protect sensitive data and communications on untrusted networks.
  • Prohibit automatic email forwarding to external addresses, and alert on newly created inbox rules; attackers who gain mailbox access routinely add forwarding or deletion rules to hide their activity.
  • Employ proxies to view websites while maintaining privacy.
  • Use email signing and encryption (for example, S/MIME) so that recipients can verify that internal requests are genuine and sensitive content is protected in transit.
  • Implement strong controls around financial processes, systems, and transactions.
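As an added example (not SpearTip's code or that of any product mentioned on this page), the following Python script shows what the DMARC step in items 5 and 7 actually does on a receiving mail server: it reads the From domain of a message, looks up a DMARC record, checks whether the SPF and DKIM results recorded in the Authentication-Results header align with that domain under the record's aspf/adkim modes, and returns the disposition the sender's policy asks for. It also flags DMARC records that are published but provide no protection. All domains, DNS records, and messages are constructed for the example; real code would query DNS instead of the DNS_TXT table and use the Public Suffix List to determine the organizational domain.

```python
"""DMARC evaluation walkthrough (added example, not SpearTip's code).
Decides whether a message passes DMARC for its From domain and what the
sender's published policy asks the receiver to do. All DNS records and
messages below are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Stand-in for DNS TXT lookups at _dmarc.<domain> (constructed records).
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.weak-vendor.test": "v=DMARC1; p=none",
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    # Simplified to the last two labels; real code uses the Public Suffix List (co.uk etc.).
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_auth_results(header):
    """Pull (result, authenticated domain) for SPF and DKIM out of Authentication-Results."""
    spf = re.search(r"\bspf=(\w+)[^;]*?smtp\.mailfrom=(?:[^@\s;]+@)?([^\s;]+)", header)
    dkim = re.search(r"\bdkim=(\w+)[^;]*?header\.d=([^\s;]+)", header)
    return (spf and (spf.group(1).lower(), spf.group(2)),
            dkim and (dkim.group(1).lower(), dkim.group(2)))


def dmarc_evaluate(raw_message):
    """Return the DMARC verdict for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    # Look up the exact From domain first, then fall back to its organizational domain.
    record = DNS_TXT.get(f"_dmarc.{from_domain}") or DNS_TXT.get(f"_dmarc.{org_domain(from_domain)}")
    if record is None:
        return {"from_domain": from_domain, "policy": None, "result": "no-policy"}
    tags = parse_dmarc(record)
    spf, dkim = parse_auth_results(msg.get("Authentication-Results", ""))
    # A pass only counts when the authenticated domain aligns with the visible From domain.
    spf_ok = bool(spf) and spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = bool(dkim) and dkim[0] == "pass" and aligned(dkim[1], from_domain, tags.get("adkim", "r"))
    return {"from_domain": from_domain, "policy": tags.get("p"), "spf_aligned": spf_ok,
            "dkim_aligned": dkim_ok, "result": "pass" if (spf_ok or dkim_ok) else "fail"}


def disposition(verdict):
    """What the sender's policy asks the receiver to do with this message."""
    if verdict["result"] != "fail":
        return "deliver"
    return {"reject": "reject", "quarantine": "quarantine"}.get(
        verdict["policy"], "deliver (p=none: monitor only)")


def dmarc_record_issues(record):
    """Flag settings that leave a domain spoofable although DMARC is 'published'."""
    t = parse_dmarc(record)
    checks = [
        (t.get("p", "none") == "none", "p=none: failures are reported but never blocked"),
        (t.get("pct", "100") != "100", f"pct={t.get('pct')}: policy applied to only a sample of failing mail"),
        ("rua" not in t, "no rua: no aggregate reports, so spoofing goes unnoticed"),
        (t.get("sp", t.get("p", "none")) == "none", "sp=none: subdomains are unprotected"),
    ]
    return [msg for hit, msg in checks if hit]


# Constructed messages: a From header plus the Authentication-Results a receiver added.
SAMPLES = {
    # Legitimate: SPF passes for a bounce subdomain (relaxed alignment), DKIM signed by the exact domain.
    "legit": "From: CEO <ceo@example.com>\n"
             "Authentication-Results: mx.example.com; spf=pass (ip 203.0.113.5) "
             "smtp.mailfrom=bounce.example.com; dkim=pass header.d=example.com\n",
    # Spoofed From: SPF and DKIM both pass, but for the attacker's own domain, so neither aligns.
    "spoof": "From: CEO <ceo@example.com>\n"
             "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail.attacker.test; "
             "dkim=pass header.d=attacker.test\n",
    # Lookalike domain the attacker registered and authenticated correctly; DMARC cannot help here.
    "lookalike": "From: CEO <ceo@examp1e.com>\n"
                 "Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; "
                 "dkim=pass header.d=examp1e.com\n",
    # Vendor with p=none: authentication fails, yet the policy asks the receiver to do nothing.
    "weak vendor": "From: Billing <billing@weak-vendor.test>\n"
                   "Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=weak-vendor.test; dkim=none\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        v = dmarc_evaluate(raw)
        print(f"{name:12} {v['result']:10} -> {disposition(v)}")
    for name, rec in DNS_TXT.items():
        print(name, dmarc_record_issues(rec) or ["ok"])
```

Two of the four constructed cases are the ones worth remembering. The spoofed message authenticates perfectly for the attacker's infrastructure and is still rejected, because DMARC judges alignment with the From domain, not whether SPF or DKIM passed at all. The lookalike message never reaches a policy because examp1e.com is the attacker's own domain, which is exactly why the training and out-of-band verification items above remain necessary even with a p=reject record in place.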

BEC attacks are a substantial threat to organizations worldwide, both in financial losses and in reputational damage. Defending against them takes a layered strategy: MFA, strong password policies, PAM, employee training, email authentication, out-of-band verification of payments, and robust security controls. Organizations that put these measures in place proactively substantially reduce their exposure to BEC and protect their financial and data assets.

SpearTip's engineers have the experience to integrate MFA quickly and seamlessly into a company's existing systems, immediately improving its security posture. SpearTip's proactive remediation team identifies the systems that require MFA and develops an implementation plan tailored to the company's environment and needs. SpearTip can also train users on the new MFA solution for a smooth rollout and ensure the IT team knows how to administer the new systems and configurations.

SpearTip offers phishing training as a mitigation to build the skills needed to defend against these threats. The training tests the discernment of a company's staff, educates employees on common phishing tactics and indicators, and identifies related security gaps in the environment. Our team creates phishing email simulations modeled on those threat actors use and sends them across the organization, then provides insight and feedback to improve the team's defenses, substantially lowering the likelihood of falling victim to a phishing scam. After the training, our team delivers precise, thorough recommendations for hardening the environment and running ongoing awareness training.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
