Business Email Compromise (BEC) attacks are more than a security threat — they’re an attack on the way we establish and maintain trust. In a BEC attack, someone can say they’re your CEO, talk like your CEO and use your CEO’s email address and not be your CEO. Through the use of a compromised email account and an array of hacking techniques, a BEC attacker can scam you, your employees, your business partners or your customers out of huge amounts of money or valuable data.
To defeat BEC attacks it’s not enough to address conventional enterprise data security gaps. You also need to rethink your business processes themselves, and look for stronger ways to ensure the person on the other end of the system is who you think they are.
BEC Attacks: The Compromised Email Con
Hackers aren’t megalomaniacal supervillains intent on perpetrating the perfect plot. They’re people driven by motives — usually the profit motive. That means that 9 times out of 10, they’re going to use the simplest means to get the biggest payout they can. Spending months stealing and selling data can be tricky and time-consuming. Often, it’s much easier to use a compromised email account to get a foothold and then trick businesses out of their money.
The business email compromise attack is a type of cyber security attack, but it differs from the way we usually think of cyber attacks. Instead of breaking into a system to steal information that is valuable in itself, the hacker impersonates a trusted agent in order to trick the target into giving them money.
A BEC attacker generally uses a compromised email account or spoofed address — along with information gleaned from social media, reports and other sources — to impersonate someone with access inside the target organization. They’ll then use that access to get the organization to pay them money — often by directly contacting a financial agent and requesting a wire transfer for a plausible reason.
Because BEC attacks can involve an array of tactics, there’s no single solution to BEC-proof your organization. To defeat the hackers, you’ll need to address both the attack vectors they use to get inside your system, and the tactics they use to exploit that access for financial gain.
Business Email Compromise Attacks Are On the Rise
While companies have struggled to defend against more traditional types of attacks, BECs have exploded. Anti-phishing information security company PhishMe notes that researchers have been tracking BEC attacks since at least 2011, but the number of attacks has dramatically increased in the last few years.
According to a report released in June 2016 by the Internet Crime Complaint Center (IC3), BECs had grown 1,300% since January 2015. Prior to the release of the report there had been at least 22,143 victims of business email compromise attacks, with a total of $3,086,250,090 in exposed losses. The IC3 identified a high concentration of attacks in the U.S., with 14,032 victims and an exposed dollar loss of $960,708,616 between October 2013 and May 2016.
Types of BEC Attacks
A business email compromise attack is part cyber attack, part scam. Security experts identify five major types of BEC attacks, but it’s important not to see this as a complete list.
As we’ll explore in the next section, BECs are based around flexible tactics, and scammers may use techniques in new and unexpected ways. Additionally, although the name implies that an attacker uses compromised email, scammers can also use other communication methods, such as phone calls, SMS texts and apps.
1) Business Executive Scam
In this business email compromise attack, also known as a CEO fraud attack, the attacker impersonates the CEO or another exec, sending a request for a wire transfer to another employee. Usually, the attacker will stress the urgency of the transfer, and construct a plausible reason why the money needs to be wired. The wire transfer goes to an account controlled by the attacker or a partner.
In an alternate version, the attacker sends a forwarded message from another employee’s account that appears to come from the CEO. In some cases, they may set up an email account with a very similar name, so they can pose as the CEO and confirm the transfer if the target checks. The attacker may use social engineering and time the attack so that it’s more difficult to reach the CEO to verify — for example, when they’re traveling or on vacation.
2) Account Compromise
This attack targets customers of a compromised supplier or service provider. The attacker takes control of a personal email account of an employee at the supplier’s company, then sends requests for invoice payment to customers in the target’s contact list. They may say that there’s an issue with payment, and request the victim send money to a different account, controlled by the hacker.
This attack is particularly insidious, because it usually isn’t detected right away. The supplier may assume that payment is just late, leading them to only contact the customer after a considerable delay, giving the attacker plenty of time to cover their tracks. Small businesses that handle billing through email instead of an automated system are particularly vulnerable to this attack.
3) Bogus Invoice
The bogus invoice is similar to the account compromise attack, but involves a spoofed invoice and can be done without compromising an email account. The attacker sends an invoice from a supplier to a client — often one with which the supplier has a longstanding relationship. It is often used to target companies working with foreign suppliers, although this is not always the case.
The attacker will often create a very accurate copy of the supplier’s invoice, making it very difficult for the victim to recognize that they’re the target of a scam. This attack can also use other invoicing and communication methods, such as a fax or telephone call. In such cases, this attack may require no hacking skills at all, which means there’s very little chance of thwarting it with traditional cyber security techniques.
4) Attorney Impersonation Scam
In this version of the attack, the scammer poses as a representative of a law firm using a compromised email account, and contacts a high level employee or executive at the target company. They’ll concoct a time-sensitive issue — for example, a completed acquisition deal — and request an urgent funds transfer. The hacker will often demand strict secrecy, for example by invoking SEC regulations. This attack often comes at the end of the day or workweek, so that the target feels pressured to send money to resolve the issue quickly.
5) Data Theft
Unlike other BEC attacks, this one targets Personally Identifiable Information (PII) rather than money. The attacker poses as an executive, and contacts HR or another entity that holds employee information. The attacker will request W-2 forms, or other PII from the target for some plausible reason such as an audit.
Stolen data is valuable in itself, but in a business email compromise attack, it typically isn’t the main target. The hacker is more likely to use a data theft attack as a way to set up other BEC attacks. For example, an attacker could use a worker’s social security number, birthdate and other numbers to call tech support and reset the worker’s password to gain access to their account.
Beyond Compromised Email: Why BEC Attacks Challenge Security
Business email compromise attacks are often technically simple, but they can be incredibly difficult to stop. Here are a few of the reasons they challenge traditional approaches to IT security.
Business Email Compromise Attacks Are Flexible
Protecting email security can close off some avenues of attack, but still leaves the hacker with a lot of options. BEC attackers can use a huge range of techniques to gain access to a compromised email account or impersonate a target, including:
- Phishing the target
- Waterholing (i.e. infecting a website the target is known to frequent)
- Hacking the target’s password
- Using social engineering to gain account access from the provider
- Using a compromised email from another company
- Spoofing another email address
Attackers also have a wealth of publicly available information to sift through, allowing them to flexibly pick whoever makes the best target. This information, known as open-source intelligence (OSINT), includes social media, professional networks, industry sources and mainstream news.
A BEC attacker will use this data to profile and track executives and employees, then look for the right opportunity to strike. There’s no single hole you can plug — you can’t fix the problem just by improving password practices, and it’s very difficult to protect online privacy enough to curtail OSINT. A determined hacker will find a way in.
A Compromised Email Account and a Little Research Earns Trust
We’ve all heard the saying, “if it looks like a duck, swims like a duck, and quacks like a duck, then it’s a duck.” People make assumptions about who they’re talking to all the time, and these assumptions are often adequate for doing business face-to-face.
Unfortunately, it’s much harder to detect someone impersonating a business partner over email or phone than face-to-face — particularly in a large company, where you might not have had any contact with the sender. It’s probably not that hard to impersonate your CEO’s official business emails. It’s even easier to impersonate the form letters your billing department sends out to collect on invoices — particularly if the hacker gains control of the account.
BEC Attackers Can Target Workers Outside of Work
The way the digital age blurs the boundary between work and personal life can be a major security challenge. It’s not just that your workers might telecommute from home or order products online during their lunch break at work — it’s that there are connections between their apps, devices, accounts and activities on and off the clock, and hackers can exploit these connections in an almost endless number of ways.
For example, a BEC attacker could hack into a website a worker visits in their free time and infect their device, hacking both the personal and work accounts on their smartphone. Alternately, they could hack the password file at a 3rd party service — for example a music streaming service — and try your user’s password on their business account. If it works, they’re in.
If the hacker discovers evidence that a worker has engaged in an illicit activity, they could even blackmail them into cooperating. And it’s not just the personal lives of your workers that can provide an attack vector — your business partners, clients, friends and even family can all expose you to danger.
How to Restore Trust in the Age of BEC Attacks
Teach the Warning Signs of a Compromised Email
The good news is most BEC attacks can be thwarted or mitigated if people know how to spot a fraud. Business email compromise attackers almost always ask employees to break or bend the company’s rules and routines — for example, by changing the recipient’s account number, or by forwarding money secretly. You can decrease the risk by teaching your team to be wary of unusual requests for:
- Sensitive information (e.g. W-2 Forms)
- Altering financial sender or recipient data
- Altering business processes (e.g. going through a different payment procedure)
- Urgent action (especially urgent payment)
Workers can also check email addresses to make sure they’re not spoofed. BEC attackers often will try to spoof email addresses, not to mention invoices and financial forms. The majority of BEC attackers give themselves away if the recipient is looking carefully.
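The checks above can also be run automatically as a triage aid. The following is an added example, not code from this article or from Virtru: it flags a lookalike sender domain, an executive display name on an outside address, a Reply-To that points elsewhere, and the four kinds of unusual request listed above. The organisation domain, executive name, keyword lists and sample messages are all hypothetical.

```python
from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher

# Hypothetical values, not from the article: tune these for your organisation.
ORG_DOMAIN = "example.com"
EXEC_NAMES = {"pat rivera"}
REQUEST_SIGNS = {
    "sensitive information": ("w-2", "social security"),
    "changed payment details": ("new account", "account number"),
    "altered process": ("keep this confidential", "different payment"),
    "urgent action": ("urgent", "immediately", "asap"),
}

def lookalike(domain, trusted=ORG_DOMAIN):
    """True when domain is close to, but not the same as, the trusted domain."""
    return domain != trusted and SequenceMatcher(None, domain, trusted).ratio() >= 0.85

def bec_flags(raw_message):
    """Return the warning signs found in one single-part plain-text message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if lookalike(domain):
        flags.append(f"lookalike sender domain: {domain}")
    if name.lower() in EXEC_NAMES and domain != ORG_DOMAIN:
        flags.append("executive display name on external address")
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        flags.append(f"Reply-To goes to a different domain: {reply_domain}")
    text = f"{msg.get('Subject', '')} {msg.get_payload()}".lower()
    for sign, keywords in REQUEST_SIGNS.items():
        if any(k in text for k in keywords):
            flags.append(f"unusual request: {sign}")
    return flags

# Constructed sample messages (not real mail).
SUSPICIOUS = (
    'From: "Pat Rivera" <pat.rivera@examp1e.com>\n'
    "Reply-To: pat.rivera@mailbox.test\n"
    "Subject: Urgent wire transfer\n\n"
    "Wire the payment to the new account below. Keep this confidential.\n"
)
BENIGN = (
    'From: "Billing" <billing@example.com>\n'
    "Subject: Invoice 1042 attached\n\n"
    "Please find the March invoice attached. Payment terms are unchanged.\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, bec_flags(raw))
```

A message sent from a genuinely compromised account passes the header checks, so only the request-content flags and the process controls described in the next section apply to it.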
Use Business Processes That Minimize the Risk of BEC Attacks
BEC attacks all exploit human error and/or deception. They can be thwarted by altering your business processes to prevent or detect error, and minimize the opportunity for deception.
This is particularly key for processes involving payment or the transfer of sensitive data, such as PII. Changing payment data should be difficult, and require multiple pieces of verification from more than one party. At the minimum, there should be a secondary sign off on both ends (preferably using a second channel, such as a phone number you know to be accurate).
Access control is also a key defense against BEC attacks and other techniques that involve compromised email accounts. This involves both a technical component and a policy component. On the technical end, employees should have access to only the data they need, limiting the damage any individual account can do.
On the policy side, you should have rules that strictly determine when PII and other sensitive data can be shared. For example, there’s probably no reason an executive should ever email HR to ask for everyone’s personal data (and doing so will almost certainly violate HIPAA email rules and other regulations).
If you explicitly forbid HR data from being shared in this fashion, you’ll reduce the risk of a hacker using a compromised email to steal data posing as an exec.
Layer Technology Against Business Email Compromise
BEC attacks hinge on impersonation, so tech that correctly verifies employees and partners is key. This starts with basic security techniques to protect accounts, such as requiring employees to use strong passwords, and multi-factor authentication. Beyond that, you’ll benefit from an email encryption solution such as Virtru. This will stop hackers from intercepting data that can be used against your company, and make it harder for them to successfully impersonate your workers or partners.
Virtru Pro has a number of features that help protect against BEC attacks. Read receipts let you know exactly who has opened an email, which can be used to verify a CEO has responded to a message verifying a transfer, preventing impersonation. Virtru Pro also allows you to rescind messages, disable forwarding and set time limits, reducing the risk of accidentally exposing data.
Virtru DLP (now available in Outlook and Gmail) reduces the risk of business email compromise attacks in two ways. First, it reinforces organizational rules that can reduce the risk of attacks — for example, not sending financial data over email. Secondly, it alerts admins to suspicious behavior that may be a sign of a compromised email. Virtru DLP can forward suspicious emails to administrators, or inform them when an employee breaks a rule, allowing them to address an attack in progress.
Email Security Starts With Education
Business email compromise attacks aren’t going away. Attackers will continue to become more sophisticated and use an increasing range of techniques to steal money and valuable data. To stay ahead, you need to educate yourself about their techniques, and incorporate security into your day to day business processes. Use these resources to get started: