Unmasking Business Email Compromise: Understanding, Identification, and Prevention
What is Business Email Compromise?
Business Email Compromise (BEC) is one of the most insidious threats in the modern digital landscape, causing billions of dollars in losses worldwide.
Instead of relying on brute force or sophisticated hacking techniques, cybercriminals conducting BEC attacks rely on deception, manipulation, and the exploitation of human weaknesses.
Companies that wire money to foreign suppliers, or that regularly perform online transactions, are prime targets for this type of attack. BEC attacks are gaining traction: in 2022, BEC increased by more than 81%, according to Abnormal Security, resulting in significant financial losses for organizations across different industries.
At its core, BEC involves a cybercriminal impersonating a company executive, an employee, or a business partner. The attack is typically executed through email: the victim is tricked into sharing sensitive information or intellectual property, or into wiring money to the attacker, without noticing that the person on the other end of the conversation is not who they think it is.
BEC is a form of phishing in which the attacker seeks to gain trust by masquerading as a legitimate entity. These scams are particularly effective because they exploit human psychology and organizational processes rather than technological vulnerabilities (a subject for a different article). As a result, attackers bypass traditional security controls and catch businesses off guard, causing potentially significant reputational and financial damage.
Business Email Compromise Scenarios
To understand the workings of BEC better, we put together this made-up scenario:
An established organization, XYZ Corp, deals with multiple suppliers globally, including raw material suppliers, financial service providers, marketing agencies, and business partners.
One of the organization’s accounting department team members receives an email from what seems to be one of their suppliers.
The email contains an invoice for a recent delivery but notes that their banking details have changed due to internal restructuring, and future payments should be sent to the new account.
The email appears legitimate: the sender's email address closely resembles the supplier's, the email content maintains the supplier's typical tone, the invoice looks just like previous ones, and the request seems reasonable.
Any organization's CEO or CFO would expect that employee to open the email and complete the task, both to do their job and to maintain a good relationship with the supplier.
The employee, therefore, processes the payment to the new bank account.
A few weeks later, the real supplier contacts XYZ Corp for payment, at which point they discover that they've been a victim of a Business Email Compromise.
The email had been sent by a cybercriminal who had carefully studied the organization and its suppliers, then convincingly impersonated the supplier to redirect the payment to an account the attacker controls.
At this point, little can be done beyond a post-mortem to learn what happened. The money wired to the attacker will most likely not be recovered, and the odds get worse with every passing day; the sending bank and law enforcement should be notified immediately so that a recall can at least be attempted.
This case is 100% fiction, but dozens of similar incidents happen daily around the globe.
So, what can and should you do to prevent something like this from happening to you?
Securing Your Organization from Business Email Compromise
Preventing BEC, particularly in the context of supply chain management, requires a mix of technical, organizational, and procedural safeguards. Here are five key steps an organization should take with its suppliers to prevent these types of cybersecurity issues:
Supplier Verification Process: Establish a robust process for verifying changes to supplier payment details. This should include out-of-band confirmation, such as a phone call to a number agreed upon when the supplier was onboarded, rather than relying on email alone (and never on a phone number supplied in the email that requested the change). For requests involving money transfers or the sharing of sensitive information, add another layer of authentication to make sure you are speaking with the right person.
Employee Training and Awareness: Regularly educate employees about the threat of BEC and how to spot suspicious emails. This should cover scrutinizing email addresses for subtle changes, checking for poor grammar or unusual language (bearing in mind that attacker-written email is increasingly free of such errors), and understanding that unusual requests to change payment details can be a sign of a scam.
Email Security Measures: Implement advanced email security measures, including tagging emails that originate outside the organization, flagging external senders whose display names match internal staff, and alerting on sender domains that closely resemble the company's own domain or those of known suppliers. Enforcing SPF, DKIM, and DMARC on your own domain stops attackers from sending mail as your exact domain, but it does nothing against lookalike domains, which is why lookalike detection is still needed. Here is a list of Email Security Tools that detect messages carrying malicious content or attempting to steal confidential data.
Frequent Communication with Suppliers: Regular communication with suppliers can help build a familiarity that makes it easier to detect when something is off. Additionally, inform suppliers about your organization's policies, such as not making payment changes based solely on email communication.
Incident Response Plan: Have a detailed incident response plan in place and ensure your suppliers are aware of it. In the event of a suspected BEC attempt, clear steps should be taken to isolate the threat, prevent damage, and report the issue to the necessary parties.
Why Business Email Compromise Works
Business Email Compromise (BEC) is a cybercrime that capitalizes heavily on human vulnerabilities, also known as the 'human element'. It manipulates the psychological tendencies of trust, authority, and the natural inclination to act promptly when tasks are assigned, especially in a business setting. Here's how it's done in some cases:
Trust and Familiarity: BEC commonly involves cybercriminals impersonating colleagues, superiors, or known business contacts. By appearing to be someone the victim knows and trusts, the scam is more likely to succeed.
Authority: BEC scams often exploit the power dynamics in a company. When a request appears to come from a high-ranking executive or a crucial business partner, employees might feel pressure to comply quickly without questioning the request's legitimacy. This is particularly the case if the request seems urgent or the executive is known to be strict or demanding.
Urgency and Fear: Many BEC scams create a sense of urgency or impending consequences. For instance, a false email from a CEO might insist on immediate payment to secure a vital business deal. Fear of missing out on an opportunity or causing a business problem can lead to impulsive actions.
Social Engineering: BEC cybercriminals usually research the organization thoroughly before executing the attack, using phishing, public sources, and earlier mailbox compromises to gather information about the victim, the organizational structure, and the relationships between different parties. This information enables them to craft convincing emails that mirror the style, tone, and typical requests the victim expects to see, making the scam hard to spot. With the increasing use of machine learning tools and AI assistants like ChatGPT, crafting a convincing email in fluent, error-free language has become very simple.
Confirmation Bias: Once trust has been established, people tend to interpret subsequent information in a way that confirms their preconceptions. For example, once employees believe they're interacting with their CEO or supplier, they will likely interpret all further communication with that assumption, making it harder to spot inconsistencies.