What is business email compromise?
Business email compromise attacks are impersonation scams: Hackers create emails impersonating a senior executive of the company or one of its business partners in an effort to steal money. Sometimes, it involves the compromise of a legitimate business email account but often it’s accomplished through social engineering: By convincingly masquerading as a CEO, for example, in an email that tells an accounting employee to wire money to a supplier — but to a bank account controlled by the hacker. In another type of BEC attack, hackers intercept emails from suppliers and substitute their own account numbers for the supplier’s.
How does business email compromise work?
Business email compromise is an exploit through which attackers obtain access to a business email account in order to use that account to pretend to be the account’s owner. This is usually done to defraud the company, its employees, customers, and/or partners. This is usually done by sending an email that is designed to trick the recipient into sending money or other resources to the attacker, or to divulge confidential company information.
Business email compromise examples
BEC attacks take many forms, limited only by the creativity and resourcefulness of criminals. A few of the most common BEC attacks include:
Spoofed emails to HR professionals asking that an employee’s direct deposit information be changed to an account controlled by a criminal.
Requests for forms of personally identifiable information such as an employee’s social security number, employee ID, place or date of birth, credit card account number or passport number — information that can subsequently be used to impersonate the individuals, access their resources or establish credit accounts in their names
Supply chain attacks that infiltrate one supplier’s finance department, surveille its messaging to uncover real transactions, and then intervene with highly realistic fraudulent messages requesting payment on these actual transactions, but to fake accounts.
7 most common types of business email compromise
The first and most familiar form of BEC is known as CEO fraud: a business leader’s email is hacked or spoofed, and fraudulent emails are sent in his or her name instructing subordinates to immediately wire payments to fraudulent locations. Subordinates, accustomed to following instructions from senior business leaders without question, often do so without independently confirming the legitimacy of the transaction. While called CEO Fraud, these BEC attacks have often been made in the name of a senior financial executive such as a CFO.
Since then, BEC has morphed into multiple variants, including these seven:
CEO Fraud
CEO fraud is a spear phishing email attack during which an attacker pretends to be a company’s CEO in order to trick employees into transferring money to a bank attack owned by the attacker. This method can also be used in order to trick employees into divulging company or personal employee information to the attacker.
CFO Fraud
Similar to CEO fraud, CFO fraud is made up of the same type of attack, just in this instance, the bad actor pretends to be the company’s CFO. This usually broadens the range of financial transactions the attacker can ask for and may also increase the plausibility of the financial request since it appears to be coming from the CFO.
Personal email compromise (PEC)
These attacks are similar to CEO fraud but spoof an executive’s personal email account. They can be even more convincing, since recipients may have received private emails from the executive before and may assume the account is legitimate.
Vendor email compromise (VEC)
In this case, the criminal impersonates a vendor by spoofing the vendor’s legitimate email account. Acting as the vendor, the criminal instructs the recipient to make payments or change payment destinations to an account controlled by the criminal. By doing careful research about vendors over time, criminals may be able to identify multiple target victims throughout a company’s entire supply chain.
Spoofed lawyer or real estate email accounts
In these attacks, a criminal impersonates one party to a sizable financial transaction, spoofing that party’s email address. The transactions often involve real estate, but sometimes relate to other commercial transactions. The messages often include transaction details gleaned through social engineering or a computer intrusion. The criminal may instruct the recipient to change previously anticipated payment information — for example, updating a wire transfer destination or account number.
Requests for W-2 information
Instead of asking for cash, the cybercriminal (posing as a senior employee) asks an HR professional for an employee’s W-2 data. Given this data, the criminal may attempt to file fraudulent income tax returns in the victim’s name, appropriating the victim’s refunds; or use the victim’s social security number and other data to pursue other fraudulent activities that might not be uncovered until the victim’s credit is ruined.
Gift card fraud
In this variant of CEO fraud, a criminal may impersonate an executive and ask an assistant to purchase multiple gift cards that will be used as employee rewards. In the interests of rewarding employees as quickly as possible, the phony “executive” will request the serial numbers for the gift cards, and then use those serial numbers to make fraudulent purchases.
How to protect against business email compromise?
Align people, processes and technology to prevent costly BEC fraud
According to the FBI, Business Email Compromise (BEC) is the costliest of internet crimes, accounting for 44% of the $4.1 billion in US losses reported in 2020. It gets worse: half of security executives surveyed by Mimecast say BEC attacks using impersonation fraud rose in 2020. With BEC, attackers generate high ROI from low-tech attacks containing no payload other than social-engineered text. Cybercriminals now use sophisticated intelligence to divert legitimate payroll or vendor payments — and by the time these attacks are discovered, the money is long gone.
To outsmart BEC attackers, combine better human awareness with more sophisticated machine learning, threat detection and integration. Mimecast’s comprehensive business email compromise solutions can help.
Implement a complete, holistic strategy for reducing business email compromise (BEC) risk
Leverage Mimecast’s AI-based Brand Exploit Protect and DMARC Analyzer to monitor and respond to malicious brand impersonation attacks out in the web and through email.
- Give employees the knowledge and training they need to resist BEC fraud.
- Support your team with technology that analyzes every email for BEC risk, in real time.
- Stop emails that rely on domain spoofing before they reach employees or partners.
Systematically analyze every inbound email for business email compromise (BEC) risk before it’s delivered
Most BEC attacks impersonate real people or organizations: executives, colleagues, partners, customers, lawyers. Inbound BEC fraud may originate from compromised accounts or spoofed domains, and rely on lengthy intelligence gathering to make emails appear realistic. Even vigilant employees need technology help to prevent such attacks. Mimecast’s cloud-based Secure Email Gateway with Targeted Threat Protection safeguards them, no matter what cloud or on-premises email platform is used.
With Mimecast’s Impersonation Protect service, every inbound message is analyzed in real time for signs of risk, from sender spoofing to suspicious international characters or body content. Email administrators have granular control over how risky messages are handled and centralized tools for managing, reporting and uncovering attacks. Plus, using Mimecast’s unmatched library of off-the-shelf integrations and open APIs, threat intelligence can be shared instantly across your security stack, empowering all security systems to respond more quickly and effectively.
Prevent business email compromise
The DMARC authentication standard has rapidly matured into a key element of a layered-defense strategy against BEC. DMARC can help protect employees against BEC phishing attacks that seem to originate within your organization but were actually crafted by distant criminals. It can also help protect business partners against fraudulent emails that look like they came from your organization, so criminals can’t divert payments.
With Mimecast’s 100% SaaS-based DMARC Analyzer, applying DMARC is finally practical. A valuable complement to Mimecast Secure Email Gateway with Targeted Threat Protection, it empowers organizations to authenticate email more reliably, identify senders and block delivery of unauthenticated messages from their domains. Many BEC attacks that rely on domain spoofing can now be halted before they arrive on employees’ devices or those of third-party partners.
Stop business email compromise with Mimecast
To prevent BEC attacks, security teams need to integrate multiple proven methods. A comprehensive BEC solution leverages threat feeds, email authentication protocols and advanced AI-driven detection capabilities. To confidently identify anomalies and suspicious emails, Mimecast’s advanced email security includes authentication protocols, reputation checks, threat feeds, proprietary signatures, and AI to stop attacks at the point of detection. But with Mimecast, AI is more than just a last line of defense. Billions of signals across our platform strengthen our AI detection to continuously identify and block advanced BEC attacks, adapting to evolving threats.
Our protection doesn’t stop there. Mimecast’s unified detection capabilities protect against any type of email-based attack – not just BEC.
Advanced BEC (Business Email Compromise) use cases
Defend against BEC threats: Eliminate BEC threats by identifying anomalous activity and building a social graph of user interactions, analyzing risky phrases and semantic intent to determine an email’s purpose.
Comprehensive BEC protection: Defending against BEC threats cannot rely solely on AI to identify patterns and abnormalities. It requires an approach that combines AI with proven indicators from signatures and threat feeds, ensuring attacks are stopped at the point of detection rather than relying solely on AI as the last line of defense.
Understand what is blocked and why: Being able to easily triage a BEC detection is important. Every detection from Mimecast’s Advanced BEC Protection lists not only the policy that triggered the detection but also the risky characteristics that led to the verdict. As a result, administrators spend less time determining the cause.
Policy modelling made simple: Constantly tuning BEC policies is unsustainable. Through the historical analysis of messages, identify the impact of a policy change and determine the potential messages caught via each level of sensitivity.
Business Email Compromise FAQs
What is a business compromise email?
Business email compromise is when at attack obtains access to an email account and can use that access to send and receive emails fraudulently, pretending to be the email account’s owner.
What is the difference between phishing and BEC?
A phishing attack can come from any source – it does not rely on there being a connection between the sender and recipient of the email. In BEC, the attacker is pretending to be someone the recipient either knows well or works with at the same company. BEC exploits the trust people have in their company and the security of its email systems.
Why is business email compromise such a problem?
The main factor that sets business email compromise apart from other attacks is the trust that employees put into their email systems and how easily that trust can be exploited by attackers who have taken over a business email account. That trust can lead to more potent attacks that result in greater financial loses than the average email-based attack.
How much does business email compromise cost?
BEC attack frequency doubled in 2023. That has led to increase costs to the organizations that are being attacked. According to FBI IC3 data, the average cost of a successful business email compromise attack is over $125,000.
In addition, in 2023, IC3 received a record number of complaints from the American public: 880,418 complaints were registered, with potential losses exceeding $12.5 billion. This is a nearly 10% increase in complaints received, and it represents a 22% increase in losses suffered, compared to 2022. And while investment fraud was once again the costliest type of crime tracked by IC3 with investment scams rising from $3.31 billion in 2022 to $4.57 billion in 2023, a 38% increase, the second-costliest type of crime was BEC with 21,489 complaints amounting to $2.9 billion in reported losses.
Why is business email compromise (BEC) protection important?
Business email compromise protection is crucial because of the profound risks BEC attacks create. BEC attacks can cause serious financial loss to companies, and can be equally costly to the employees, customers or partners who are victimized. When employees, customers, or partners are victimized because an organization failed to adequately protect against BEC, this can profoundly damage the organization’s reputation — costing it the confidence and trust that it needs to operate successfully.
How can organizations respond to business email compromise?
Effective prevention of phishing and BEC attacks demands more than a single-solution approach due to the limited view of the threat. Relying solely on artificial intelligence is insufficient, as AI alone may not catch all the nuanced tactics employed by cybercriminals. While AI is a powerful tool in detecting anomalies and patterns, it works best when complemented by other security measures.
Implementing robust email authentication standards helps verify the legitimacy of email senders and prevents email spoofing—a common tactic in phishing attacks. These protocols work together, ensuring incoming emails are from the claimed sources, significantly reducing the risk of impersonation attempts. Threat intelligence feeds play a vital role in this integrated approach. These feeds provide real-time information about emerging threats, known malicious actors, and current attack patterns.
AI detection capabilities, while not sufficient on their own, are a crucial element of anti-phishing and BEC strategies. Machine learning algorithms analyze vast amounts of email content, embedded links, sender behavior, and communication patterns to detect subtle signs of social engineering or fraudulent activity.
By utilizing a combination of threat intelligence, authentication protocols, and AI-driven detection, creates a comprehensive defense strategy against phishing and BEC attacks. This layered approach addresses various aspects of the threat, from preventing malicious emails from reaching inboxes, detecting sophisticated social engineering attempts, and blocking access to malicious links.
