
If you can drop into a company executive’s inbox and convince them that you’re legit, the financial rewards can be enormous. Threat actors are all too aware of this, which makes business email compromise (BEC) one of the most significant cyber security risks out there.

Let’s face it; if you’re a chief financial officer who’s just been hoodwinked into signing off on a fraudulent transaction, you’d probably rather not tell the world about it. This helps to explain why, compared to attack vectors such as ransomware and stolen credentials, business email compromise tends to attract relatively low levels of attention.

But especially given how financially destructive a successful BEC attack can be, this is something that needs to be on every IT decision-maker’s radar. And of course, it’s vital to ensure that your organisation’s stakeholders are alive to the risk, too.

Read on for an overview of the business email compromise threat, and the steps you can take to safeguard your business.

What Is Business Email Compromise?

Business email compromise is a highly-targeted form of social engineering cyber attack. Like all types of social engineering, it works by manipulating individuals into taking a particular course of action.

With BEC, the motive of the threat actor is almost always financial. A scammer will typically spend time researching a particular company, establishing who its key insiders are (especially those with the authority to make transactions).

Based on this intelligence, the attacker will then seek to create and send a legitimate-looking email to the target (e.g. purporting to be from another internal stakeholder or a known third-party associate). This email will generally request that payment be authorised to a particular account. 

How Does Business Email Compromise Work?


Here are a couple of examples to illustrate how threat actors conduct BEC scams…

Example 1: Business Email Compromise and VIP Invoice Authentication Fraud

The attacker chooses a particular company as a BEC target. Monitoring socials and industry press, they identify a supplier who the target company almost certainly sends regular payments to.

The attacker emails an invoice request to the target, purporting to be from the supplier, CCing a spoofed domain resembling their boss’s email.

The attacker replies to the email, pretending to be the boss, instructing the target to make immediate payment to the account detailed in the invoice.

Example 2: Business Email Compromise and Conversation Hijacking

The attacker buys a batch of breached corporate email credentials over the dark web.

Signing in using some of these credentials, the attacker lurks for a while on an email account, exploring how the company’s payment procedures operate, including things like proformas used, dates and times when transactions tend to be processed, and sign-off workflows.

They then put this information to work, setting up convincing lookalike domains and making the content, tone, and timing of their business email compromise attack as realistic as possible.

Business Email Compromise and AI: What Does the Future Hold?

Sometimes, an email just feels wrong. Even if you do not check and double-check the domain, telltale anomalies in tone and phrasing will (hopefully) alert you to a possible scam.

However, generative AI has the potential to eliminate many of these discrepancies, making it easier than ever for even non-sophisticated threat actors to mount increasingly convincing attacks. Evidence suggests that this is happening already.

Notably, ChatGPT started gaining in popularity in 2022. In its first quarterly report of 2023, Darktrace picked up on a 135% increase in malicious BEC campaigns demonstrating advanced syntax, semantics, grammar, and sentence structure. This was thought to be down to increased AI takeup (especially ChatGPT) across the cyber criminal fraternity.

BEC Statistics: How Common Is Business Email Compromise?

In 2023, data from Microsoft indicated that its systems detect and investigate an average of 156,000 BEC attacks daily.

Microsoft’s findings also suggest that the number of business email compromise attacks grew by 38% between 2019 and 2023.

The FBI found that BEC attacks made up the second highest losses of any cyber attack technique in 2023, at $2.9bn. To put that into perspective, the figure for ransomware for the same period was just under $60m.

How to Prevent Business Email Compromise

Good practice for reducing the risks associated with BEC includes the following:

Business Email Compromise Training for Employees

Many cyber attack techniques rely on human error to succeed. This is absolutely the case with business email compromise, as it relies entirely on human vulnerabilities. As such, effective employee training is essential.

Training should stress the point that BEC can have significant financial and reputational implications, and needs to be taken seriously. In this context, there should be absolute clarity on what’s expected of employees, including the telltale signs of BEC to look out for; e.g. irregular email domains or attachments, display name mismatch, or an undue sense of urgency within the request.

Consistent Workflows for Transactions

If payment requests are routinely flowing through your organisation in an ad-hoc manner with no set procedure, it becomes much more difficult for employees to distinguish fraudulent communications from genuine ones.

For accounts payable, have set workflows in place - and make sure everyone follows them. Very senior stakeholders may sometimes be tempted to bypass standard forms and permissions by simply sending over a quick email to an accounts administrator to get a payment actioned. If this is happening, technical managers should stress that this is exactly the type of behaviour that threat actors capitalise on.

Multi-Layered Defence

While user awareness is paramount, you should also seek to put in place multiple layers of defence as part of your wider communications security policy.

There is no one-size-fits-all approach here, and your approach ought to be guided by company-specific cyber security risk analysis. However, some of the measures to consider include: email authentication protocols configured to quarantine or reject suspicious traffic; domain protection that prevents attackers from registering domains similar to yours; and secure, encrypted channels for sensitive messages, including those linked to financial transactions.
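As an added illustration (not code from the original article), the following Python checks one inbound message for the telltale signs listed under employee training above (display name mismatch, an irregular domain, undue urgency) and for a lookalike of your own domain, which is the risk that domain protection addresses. The organisation domain, executive directory, and sample message are constructed values for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain and a small
# directory of senior staff whose names are most likely to be impersonated.
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|asap|right away)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_signals(raw_email):
    """Return the BEC warning signs found in one RFC 822 message (empty if none)."""
    msg = message_from_string(raw_email)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    signals = []
    # 1. Display name mismatch: claims to be a known executive, address differs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        signals.append("display-name mismatch")
    # 2. Irregular domain: within two edits of ours, but not ours.
    if domain != OUR_DOMAIN and 0 < edit_distance(domain, OUR_DOMAIN) <= 2:
        signals.append("lookalike domain")
    # 3. Undue urgency in the subject line or body text.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    if URGENCY.search(msg.get("Subject", "") + " " + body):
        signals.append("urgency language")
    return signals


# Constructed sample resembling the VIP invoice scenario described above.
SAMPLE = """From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Urgent payment

Please pay the attached invoice immediately; I am in a meeting.
"""

if __name__ == "__main__":
    print(bec_signals(SAMPLE))
```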