
Back in 15: Gone Phishing (Business Email Compromise)

Bad actors in cyberspace are a fact of life in the digital age. Cybercrime has become as ubiquitous as any other type of crime, and cyber criminals have developed an extensive repertoire over the years, ranging widely in sophistication. One standard type of attack that never seems to go out of style is "phishing." According to phishing.org, the word entered the public lexicon sometime in the mid-1990s, presumably derived from "phreaks," an early designation for people who "hacked" into telephone systems to make free calls. Phishing is when cyber criminals send emails designed to trick unsuspecting victims into revealing sensitive data or clicking a malicious link. An updated version is smishing, the same type of attack sent as a text message to a mobile phone. A significant portion of these efforts target businesses, aiming to fool employees into giving up sensitive company data or even sending money. Phishing attacks of this kind are called Business Email Compromise, or BEC for short, and several differences make this type of phishing threat unique.

The first and main difference is the messaging. Most phishing attempts use a very general pretext that can apply to a wide range of random individuals. For example, there is a common variant of phishing via text message (short message service phishing, a.k.a. "smishing") that you may have seen making the rounds recently. These text messages warn of additional fees being applied to the recipient for non-payment of highway tolls. Considering that most people use tollways at some point, and that many official tollway organizations invoice for these services by sending electronic reminders of an outstanding balance, such phishing and smishing attempts can be mistaken for genuine by many people. The message also includes a link, either to view the balance or to proceed with payment. Once a victim clicks the link, they are taken to a malicious site that asks them to enter banking information and/or payment details. You can probably guess the attacker's goal here.

Business Email Compromise attempts are different in that they target not the consumer but a group or individual within a specific organization. These messages typically appear to come from an already known, legitimate source. This is done by spoofing a legitimate email account, by "spear phishing" with tailor-made messages directed at specific employees, or even with malware that can infiltrate email threads containing sensitive information.

The strength of BEC attacks lies in their sophistication. These bad actors often impersonate individuals of influence, either within or related to the organization. BEC attacks have damaging financial implications, and losing large sums of money can be catastrophic to a small business.

Types of Business Email Compromise

CEO fraud: A scammer impersonates the CEO of an organization, often sending requests for large sums of money. This type of BEC requires intimate knowledge of the company's personnel, vendors, communication style, and workflow, which lets the attacker convincingly impersonate company personnel and trick employees into sending money to a bad actor. Snapchat was a victim of this: in 2016, a hacker posing as Snapchat CEO Evan Spiegel sent an email requesting payroll information, which was later released to the general public.

Compromised Accounts: Instead of impersonating someone, attackers gain access to legitimate email accounts via stolen passwords. They lie in wait, carefully researching without being detected, and then devise ways to exfiltrate (steal) data and money. The speed at which these attackers can not only compromise an account but also impersonate its owner or steal important data is alarming: what used to take days can now take hours.

Attorney Fraud: Sometimes attackers pretend to be lawyers working on a case of consequence to the company. They often use fake legal documents to give themselves an air of legitimacy and to add further pressure on the employee they are trying to fool.

These are just a few of the scenarios cyber criminals commonly use to build BEC attacks. What is most alarming is the speed and success with which these attackers can now execute their crimes. AI can be used for great things; however, criminals often use AI to find targets and create their attacks. Cyber criminals also don't care about the size or type of your organization. They just want to steal data to make money.

Who Do BEC Attackers Target?

BEC scammers will typically target anywhere money is perceived to reside or where there is sensitive data they can sell or hold for ransom. These include businesses large and small, government agencies, nonprofits, schools, and universities.

Within these organizations, certain roles are more at risk of being targeted. Key targets include finance employees such as accounts payable staff; executives such as CEOs and CFOs; HR employees, due to their access to sensitive information; IT personnel, who hold extensive system permissions; and newer employees, who may not yet be able to judge whether an organizational email is legitimate. Targets are chosen strategically based on the attackers' goals. It is prudent for employees to be aware of what a cyber-attack may look like, and organizations should embrace Security Awareness Training and tools that help their employees learn and not fall prey to these attacks.

Consequences of Business Email Compromise

The consequences of falling victim to business email compromise can be debilitating for a business of any size and outright irreparable for a small one. Organizations must cover the costs of business interruptions, cyber services for incident response and data recovery, security improvements, and even client loss after a data breach. They can also be held liable through governmental regulatory fines and legal ramifications, including lawsuits stemming from the data breach or from the loss of the service they provide to their clients.

For smaller businesses, any of these consequences can mean "out-of-business" signs.

Defense Against Business Email Compromise

Fortunately, there are ways for organizations to protect themselves. Common best practices include:

  • Secure Email Gateways act as spam filters and warn of suspicious messages and potential business email compromise attempts.
  • Multi-Factor Authentication (MFA) adds multiple layers of security and is truly non-negotiable for any organization, large or small.
  • Domain-based Message Authentication, Reporting & Conformance (DMARC) is an email security protocol that verifies email senders via DNS (Domain Name System). Emails are identified and authenticated to prevent spoofing.
  • Security Awareness Training tools, services, and practices give employees the information they need to recognize BEC and other cyber criminal activity.
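To make the DMARC bullet concrete, here is an added example (written for this post, not code from SCS or from any DMARC vendor) that parses a domain's DMARC TXT record, grades how strongly it is configured, and then decides whether a message whose From: domain claims to be the organization actually passes DMARC. The DNS records, the domain names and the SPF/DKIM results below are all constructed samples; a real gateway would obtain them from a DNS lookup and from its own SPF and DKIM checks, and would use the Public Suffix List rather than the two-label shortcut used in `org_domain`.

```python
"""
DMARC policy check and From-domain alignment, as an added illustration of
the DMARC bullet above. Records and message data here are constructed
samples, not real DNS lookups.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample records: the first only monitors, the second enforces.
WEAK_RECORD = "v=DMARC1; p=none"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                 "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split a 'tag=value; tag=value' TXT record into a dict of lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    # v=DMARC1 must be the first tag and p= is mandatory (RFC 7489).
    if not txt.strip().lower().startswith("v=") or tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def grade_policy(tags: Dict[str, str]) -> List[str]:
    """Return the weaknesses of a record; an empty list means it is enforcing."""
    issues: List[str] = []
    policy = tags["p"].lower()
    if policy == "none":
        issues.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    elif policy not in ("quarantine", "reject"):
        issues.append(f"unknown policy {policy!r}")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail is subject to the policy")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        issues.append("sp=none: subdomains remain unprotected")
    return issues


def org_domain(domain: str) -> str:
    """Organizational domain. Simplification: last two labels; real DMARC
    consults the Public Suffix List so that e.g. co.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: Optional[str], mode: str) -> bool:
    """Identifier alignment: 's' requires an exact match, 'r' (relaxed) an
    organizational-domain match. No authenticated domain means no alignment."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    """Authentication outcome for one message (constructed, as a receiving
    gateway would derive it from its SPF and DKIM checks)."""
    from_domain: str               # domain in the RFC 5322 From: header
    spf_domain: Optional[str]      # MAIL FROM domain that passed SPF, if any
    dkim_domain: Optional[str]     # d= of a DKIM signature that verified, if any


def dmarc_pass(result: AuthResult, tags: Dict[str, str]) -> bool:
    """DMARC passes when SPF or DKIM passed *and* that domain aligns with From:."""
    return (aligned(result.from_domain, result.spf_domain, tags.get("aspf", "r").lower())
            or aligned(result.from_domain, result.dkim_domain, tags.get("adkim", "r").lower()))


if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("strong", STRONG_RECORD)):
        print(name, grade_policy(parse_dmarc_record(record)) or ["enforcing"])
    # Constructed spoof: From: claims example.com, but SPF only passed for the sender's own domain.
    spoof = AuthResult("example.com", "bulk-sender.example", None)
    legit = AuthResult("example.com", None, "example.com")
    policy = parse_dmarc_record(STRONG_RECORD)
    print("spoof passes DMARC:", dmarc_pass(spoof, policy))   # False
    print("legit passes DMARC:", dmarc_pass(legit, policy))   # True
```

Two points worth noticing when reading the output. A record with `p=none` is not a defense at all; it only produces reports, and the common mistake is to deploy DMARC in monitoring mode and never move to `quarantine` or `reject`. And DMARC only protects the exact domain being spoofed: a lookalike domain, a forged display name on an unrelated address, or mail sent from a compromised account (which is fully authenticated) all pass this check, which is why MFA and Security Awareness Training remain on the list above rather than being replaced by DMARC.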

Other common ways to guard against business email compromise include continuous monitoring, vulnerability scans, and endpoint detection, to name a few. If you want to learn more, don't hesitate to contact SCS. We are always willing to help.

Make sure to follow us on LinkedIn for cybersecurity content and helpful information!

Citation

Business email compromise. (2024, November 1). Federal Bureau of Investigation. https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise

Dmarc.org – Domain message authentication reporting & conformance. (n.d.). https://dmarc.org/

King, H. (2016, February 29). Snapchat employee fell for phishing scam. CNNMoney. https://money.cnn.com/2016/02/29/technology/snapchat-phishing-scam/index.html

KnowBe4. (n.d.). Phishing | History of phishing. https://www.phishing.org/history-of-phishing

National Cyber Security Centre. (n.d.). Phishing attacks: defending your organisation. NCSC.GOV.UK. https://www.ncsc.gov.uk/guidance/phishing

What is Business Email Compromise (BEC)? | Microsoft Security. (n.d.). https://www.microsoft.com/en-us/security/business/security-101/what-is-business-email-compromise-bec

What is DMARC? How does DMARC work? | Fortinet. (n.d.). Fortinet. https://www.fortinet.com/resources/cyberglossary/dmarc