It’s an all-too-common scenario: You receive an email from your CEO asking you to urgently transfer money, make a purchase, or share sensitive information. The message seems legitimate, and it implores you to take quick action. However, the urgent nature of the email is a big red flag — you may just be the target of a Business Email Compromise (BEC) attack.
What is a Business Email Compromise?
The Dangers of Business Email Compromise
Types of Business Email Compromise
High-Profile BEC Attacks that Made Headlines
Protect Yourself Against Business Email Compromise
Business Email Compromise (BEC) is a form of email-borne fraud that is a growing threat worldwide. It relies on social engineering: psychologically manipulating the recipient into disclosing sensitive information, authorizing fraudulent transactions, or taking other actions that compromise the security of the targeted organization.
The attackers behind BEC frauds often spend time researching their targets, using social media and other online resources to gather information about employees’ job titles and email addresses.
Using this information, the criminals craft spear phishing emails, highly targeted messages in which they pose as a senior executive or a trusted vendor. The messages appear to come from a legitimate address (a spoofed sender, a lookalike domain, or a genuinely compromised mailbox), convey a sense of urgency, and use persuasive language to push the target into acting quickly and without checking.
Business Email Compromise, and the closely related Email Account Compromise (EAC), in which the attacker sends from a real mailbox they have taken over, are particularly good at slipping past traditional email security. Unlike malware-based attacks, a BEC message usually carries no malicious attachment or link for a filter or sandbox to flag; it exploits the human reading it, which makes it harder to detect and defend against.
The consequences of a successful Business Email Compromise attack can be devastating. Organizations can suffer significant financial losses, reputational damage, and potential legal liabilities, depending on the nature of the data stolen.
Between June 2016 and December 2021, BEC attacks caused more than $43 billion in reported losses worldwide, according to figures compiled by the FBI's Internet Crime Complaint Center (IC3) from victim reports, law enforcement, and filings with financial institutions.
The shift to remote work has coincided with a rise in this form of cybercrime. According to Abnormal Security's latest report on business email compromise trends and statistics, recorded BEC attacks increased by more than 81% during 2022 and by 175% over the past two years, with open rates on malicious emails also rising.
BEC attacks are ever-evolving, with the scope of the crimes getting wider. Here are some of the prevalent types of business email compromise and the strategies used by cybercriminals to carry them out.
In CEO fraud, the attacker poses as the CEO or another senior executive and emails employees who handle payments. The message has a pressing tone that pushes the employee to act before verifying the request through a separate channel, and it asks for a purchase, a wire transfer, or another payment to an external bank account.
In the fraudulent invoice scheme, the criminal poses as a legitimate supplier or vendor and sends an invoice for goods or services on which the vendor's bank account details have been replaced with the attacker's own. These frauds are hard to spot because everything else on the invoice is genuine; the tell is the change of payment details, which should always be confirmed with the vendor on a phone number already on file, never on one given in the email.
In attorney impersonation, the attacker poses as a lawyer and contacts the company demanding urgent payment of legal fees or a settlement. The email is written to instill fear, often threatening legal action or other consequences if payment is late, and it targets junior employees who are least likely to question it.
In data theft, the criminal targets HR and finance staff to obtain sensitive information about the organization's executives, employees, invoices, or contracts. That data is then used to make later attacks, such as CEO fraud, more convincing.
Account compromise combines elements of the fraudulent invoice scheme and CEO fraud. Having gained access to a company mailbox, the attacker sends fraudulent emails from it to external vendors requesting payment, or changes a vendor's bank account information in the company's records. An individual executive's or employee's email contact list could also be compromised.
In the gift card scam, the criminal poses as a supervisor or senior executive and sends an urgent email asking an employee to buy gift cards for staff or customers. The email asks the employee to reply with the card numbers right away so they can supposedly be sent out, at which point the attacker redeems them.
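The indicators described in the mechanism section above (spoofed or lookalike sender, urgency, persuasion) and in the scam types just listed (wire requests, gift cards, pressure to keep quiet) can be checked mechanically before a message reaches the person who would act on it. The script below is an added example, not code from this post or from SSH Communications Security; the company domain, the executive list and the three messages are constructed for illustration. It parses a raw message with Python's standard email library and flags display-name impersonation, lookalike domains, a diverted Reply-To, failed SPF/DMARC, and an urgent money or gift-card request. It deliberately does not trust an SPF/DMARC pass, because a lookalike domain or a hijacked mailbox passes too; anything it holds should be verified by calling the requester on a known number.

```python
# Heuristic BEC triage for one inbound message. Added illustrative example,
# not code from the original post or from SSH Communications Security.
# Every domain, name and message below is constructed (hypothetical).
import email
import re
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-corp.com"                      # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # display name -> real mailbox

URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|asap|today|before (close|end) of (business|day))\b", re.I)
PAYMENT = re.compile(r"\b(wire( transfer)?|bank (account|details)|invoice|gift cards?|payment|settlement)\b", re.I)
SECRECY = re.compile(r"\b(confidential|between us|do ?n.t (tell|mention|discuss))\b", re.I)
# Substitutions attackers use to register a domain that reads like ours.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch near-miss domains such as example-corp.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()

def looks_like_internal(domain: str) -> bool:
    """True for a domain that imitates INTERNAL_DOMAIN without being it."""
    if not domain or domain == INTERNAL_DOMAIN:
        return False
    folded = domain
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return folded == INTERNAL_DOMAIN or edit_distance(domain, INTERNAL_DOMAIN) <= 2

def triage(raw: str) -> dict:
    """Return the BEC indicators found in one RFC 5322 message plus a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    reasons = []
    # 1. An executive's display name on a mailbox that is not the executive's.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        reasons.append(f"display name '{name}' but sender is {addr}")
    # 2. Sender domain imitates ours.
    if looks_like_internal(from_domain):
        reasons.append(f"lookalike domain {from_domain}")
    # 3. Replies silently diverted to another domain.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        reasons.append(f"Reply-To {reply_to} differs from From domain")
    # 4. Gateway authentication. A fail is a strong signal, but a pass proves
    #    nothing: lookalike domains and compromised real accounts pass too.
    auth = (msg.get("Authentication-Results") or "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        reasons.append("SPF/DMARC failure")
    # 5. The lure: urgency plus money or gift cards, and pressure to stay quiet.
    part = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"
    if URGENCY.search(text) and PAYMENT.search(text):
        reasons.append("urgent request involving money or gift cards")
    if SECRECY.search(text):
        reasons.append("request for secrecy")
    hold = len(reasons) >= 2 or any(r.startswith(("display name", "lookalike")) for r in reasons)
    return {"from": addr, "reasons": reasons, "hold_for_verification": hold}

# Constructed sample messages (not real traffic). The CEO-fraud one passes
# SPF and DMARC, because gmail.com genuinely sent it.
CEO_FRAUD = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
Subject: Urgent wire transfer
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=gmail.com; dmarc=pass header.from=gmail.com

I am in a meeting and cannot take calls. Please process a wire transfer of
48,500 EUR to the account below today. Keep this confidential for now.
"""
GIFT_CARD = """\
From: Jane Doe <jane.doe@exarnple-corp.com>
Reply-To: jd.office@outlook.com
Subject: Quick favour

I need you to pick up 10 gift cards for the team right away and send me
the card numbers. Don't mention it to anyone.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
Subject: Q3 supplier review

Could you send me the list of suppliers we reviewed last quarter? No rush.
"""

if __name__ == "__main__":
    for sample in (CEO_FRAUD, GIFT_CARD, LEGIT):
        print(triage(sample))
```

Run as-is, the CEO-fraud and gift-card samples are held for verification while the ordinary internal request is not. Treat this as triage, not a verdict: keyword lists miss lures written in other languages or without the usual trigger words, the homoglyph list is far from complete, and a message from a genuinely compromised internal mailbox can clear every header check, which is why the out-of-band phone call remains the control that actually stops the transfer.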
Business Email Compromise is a growing threat to businesses of all sizes, with attackers using ever more sophisticated social engineering to carry out wire fraud, invoice fraud, and other crimes. Security awareness and education are crucial, and so are process controls that do not depend on anyone spotting the fraud: confirm every change of payment details with the vendor on a phone number already on file, require a second approver for wire transfers, and treat any urgent, confidential request for money as a reason to pick up the phone.
There are also technical ways to reduce the risk. We at SSH Communications Security recommend sending emails containing sensitive or critical information only through solutions built for that purpose.
One is encrypted secure email, such as our SalaX Secure Mail. Its encryption ensures that a message cannot be read if it is intercepted in transit, and its sender and recipient verification gives you confidence that the email really came from the source it claims to.
Learn more about SalaX Secure Mail >>>
Start your journey toward enterprise email security and reach out to us to see SalaX Secure Mail in action >>>