In the world of cyber attacks, few tactics are as damaging as Business Email Compromise (BEC). And it’s a problem that is rising in the SME world.
Despite its common occurrence, it remains relatively simple to defend against. This article aims to unpack how Business Email Compromise takes place and the measures organisations can take to protect themselves against it.
What is Business Email Compromise (BEC)?
Business Email Compromise is a type of targeted email fraud with the end goal of financial fraud or data leakage.
Unlike typical phishing scams – that are generally sent to a broad range of recipients in the hope that someone will bite – BEC is typically highly targeted and far more sophisticated. Cybercriminals carry out careful reconnaissance, often focusing on organisational hierarchy, roles, and responsibilities before launching an attack. They’ll often test different people in an organisation until they believe they have someone in a role of responsibility they can trick.
They’ll then try and gain control of an email account. Once successful, they will either immediately attempt to trick staff into transferring money to an unauthorised account or release sensitive information.
Alternatively, cybercriminals may inhabit the email account for weeks or months with the user unaware, learning about typical communication or waiting for an opportunity. At the right time, they will then send an email as that person’s account, typically switching details on an important document such as an invoice for external suppliers or internal finance teams. The fake invoice will have the cyber criminals’ bank details and money is rarely recoverable.
This may sound unlikely. But given each instance of cyber fraud typically runs to tens of thousands of pounds – and criminals may be managing tens of scams at the same time – it’s lucrative enough that there’s a significant rise in criminals attempting this tactic.
Given that most large organisations now have protection in place to prevent such attacks, the focus is increasingly on SMB organisations.
Typical BEC Attacks
- CEO Fraud: An employee in the finance department receives an email from the ‘CEO’ asking for an urgent money transfer. The email looks genuine, complete with the CEO’s email signature and company logo.
- Invoice Scams: A cybercriminal poses as a regular vendor (often using their invoice stationary) and requests payment to a new bank account, which belongs to the attacker.
- Account Compromise: An employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts.
- Data Theft: A Human Resources representative receives an email from a ‘senior executive’ requesting employee records or tax details.
- Legal Impersonation: Attackers pose as lawyers or legal advisors, often insisting on confidentiality and asking the target to take immediate actions that are supposedly legally required.
Why Is BEC So Dangerous?
The effectiveness of BEC attacks among SMEs now can be attributed to several key factors.
First, these scams leverage human psychology, often manipulating emotions such as urgency or fear to trick employees into taking undesirable actions. An organisation with a poor work culture (where staff are afraid to check details with management) is prime for such tactics.
BEC attacks generally have a low technical footprint, which distinguishes them from more easily detectable threats like malware or ransomware. Because they often don’t involve sophisticated software, they can be particularly challenging to identify until after they’ve happened.
The financial impact of BEC attacks is also alarmingly high, while awareness of tactics is typically low. Many organisations simply don’t train their finance staff on the risks of fake invoices or email compromise.
Lastly, cybercriminals are becoming adept at using publicly available information, including social media posts and company press releases, to personalise their deceptive approaches, making the scams even more convincing.
How to Protect Your Organisation
With such high stakes, the ways to defend against BEC are surprisingly simple. Yet many are yet to embrace them:
Employee Training
Education and awareness are the first lines of defence. Employees should be trained to recognise the signs of BEC scams and to verify any unusual email requests.
Two-Factor Authentication (2FA)
Enabling 2FA wherever possible, especially for email accounts and financial systems, will stop BEC in its tracks in most cases. Adding a secondary user-based confirmation for account access
Multi-Level Verification
For financial transactions, a multi-level approval process can add an extra layer of security. This may include blocking access to systems from locations or IP addresses away from the main business premises.
On a simpler level, just having a policy of having a phone call (or better yet a video call) to confirm any changes in payment or bank details can be enough to prevent scams.
Monitor & Filter Email Traffic
Email filtering solutions that can flag emails with similar-looking domain names and other suspicious markers. It’s not a perfect solution but will weed out some of the cyber carime attempts.
Legal and Insurance Cover
Unfortunately, no measure is 100% guaranteed to prevent cyber fraud. So, ensuring that you have adequate cyber security insurance and legal measures in place to mitigate the aftermath of a potential BEC attack can be a saving grace for an organisation. Organisations that complete Cyber Essentials will get £15,000 in business cyber insurance as recognition of the security measures and training they have in place.
Combatting Business Email Compromise
As outlined, Business Email Compromise is a subtle yet highly dangerous form of cybercrime that exploits human behaviour and organisational processes. Awareness and proactive measures are key to defending against this threat.
By understanding what BEC is and how it operates, businesses can better arm themselves against one of the most financially damaging cyber threats.
Discover more about Akita’s cyber security services that help mitigate the risk of business email compromise:
View More
