Protecting Against Business Email Compromise

June 12, 2020

Business email compromise (BEC) is a significant threat to enterprise organizations. This guide gives a brief overview of the attack and explains why it is a serious issue for enterprises and small businesses alike.

What is Business Email Compromise?

This form of email attack uses impersonation to steal money from unsuspecting victims and employs conversational techniques designed to build trust between the attacker and target.

According to the 2020 FBI Internet Crime Complaint Center (IC3) report, BEC represents the single greatest cause of financial loss from cybercrime, accounting for more than 44% of all reported financial losses.

BEC attacks are increasingly successful at evading detection by traditional security solutions, including secure email gateways (SEGs), which were designed to stop malware, ransomware, and emails carrying traditional indicators of compromise. Because BEC attacks intentionally begin as text-only messages with no links or attachments, they pass through these systems and into inboxes, where attackers can begin conversations with their targets.

How Does Business Email Compromise Work?

BEC is not a monolithic type of attack; it uses a variety of techniques and can unfold in a number of ways. Typical characteristics include the following.

Business Entity: The attacker may impersonate a number of people within or outside of the organization, including:

  • Well-Known Executive or VIP
  • Internal Employee or Manager
  • External Vendor or Partner

Impersonation Tactic: The attack may include a number of impersonation types including:

  • Legitimate Compromised Account
  • Domain Spoofing
  • Domain Impersonation
  • Display Name Impersonation

Attack Goal: An attack may have one goal or several. Most attacks attempt to accomplish one of the following.

  • Billing Account Update: This attack will attempt to update banking details for a recurring payment or outstanding invoice.
  • Invoice Fraud: The attacker will impersonate an internal entity to request payment be immediately sent to a vendor, or will pose as a vendor to request payment from the victim.
  • RFQ Fraud: This attack is an attempt to get the target to send goods to the attacker without first paying for them. The attacker will then resell these free goods for profit.
  • W-2 Fraud: The attacker attempts to divert payroll transactions to an account owned by them.
  • Payroll Diversion: This is typically a fraudulent request to change direct deposit information and steal employee wages.
  • Gift Card Scheme: The attacker requests the purchase of gift cards and asks the victim to send images of the information.

Email Characteristics: Most BEC emails will have the following characteristics:

  • Conversational
  • Urgent
  • Text Only
  • Limited Links and Attachments
  • Malicious Reply-To Addresses

Why are BEC Attacks Successful?

Because the target is familiar with the impersonated person, these social engineering techniques create a sense of trust between the attacker and the target that would not exist with an unknown name or brand. Attackers take advantage of that trust to persuade the victim to send money or valuable data.

Making matters worse, these impersonated accounts are either trusted by the SEGs or originate from never-seen-before domains, bypassing threat intelligence indicators that might keep them out of the target's inbox. Let's dive a little deeper into some key characteristics.

BEC is Highly Targeted

BEC scams are often highly targeted, meaning the attacker has carefully selected their target based on perceived access to financial information or susceptibility to respond to a request. This is in contrast to a spam attack that is sent to numerous recipients with little precision, or a malware attack that needs to be opened just once inside of an organization’s infrastructure to spread.

However, there are instances where BEC attacks are not highly targeted, where the attacker scrapes email addresses from LinkedIn or other sources and mails attacks to multiple people or group addresses at the same time.

BEC is Text-Only

A hallmark of a business email compromise attack is that the initial email contains a text-only message. The intent of using a text-only message in the first send is to start a conversation and elicit a response from the target, and also to bypass traditional email security solutions, like secure email gateways (SEGs), that are trained to block malicious attachments and links.

That said, in some cases, the attacker may choose to include a link that redirects multiple times or a safe attachment that doesn't contain malware in order to add authenticity to the scam.

BEC Invokes a Sense of Urgency

BEC attacks often display a strong sense of urgency. The urgent tone stems from the attacker's need to steal money or information in the shortest amount of time, before being caught by the targeted organization. It is common for the attacker to aggressively follow up on their requests until they are acted upon by the target, often sending multiple emails within the span of a few hours.

BEC Attacks Contain Malicious Reply-to Addresses

When the attacker compromises a domain in order to start a conversation with the target, it is common for the attacker to make sure that the conversation is diverted away from the actual (compromised) email address. In this case, the attacker adds a Reply-To address that points to an email inbox under their control, commonly on a lookalike domain.

The Financial Impact of BEC Attacks

According to the FBI's 2020 IC3 report, over $26 billion has been lost to business email compromise crime over the past few years. Based on statistical research performed by Abnormal Security, these attacks pose a unique and dangerous financial threat to businesses, including the following:

  • The average potential cost of a vendor email compromise attack is $183,000, depending on the goal of the attack.
  • Billing account update fraud is the costliest form of BEC attack, with close to $300,000 on average per attack.
  • The average potential cost of invoice fraud is $120,000, with a maximum of $466,000 identified and prevented.
  • Payment fraud attacks average $105,000 per attack with a maximum observed of $753,000.
  • RFQ scams, which tend to be seen as less sophisticated than other VEC attack types, can be quite expensive. The average seen by Abnormal Security is $242,000 with a maximum of $500,000.

An Abnormal Approach to Stopping Business Email Compromise

By uniquely leveraging behavioral data science to profile and baseline good behavior to detect anomalies and stop attacks, Abnormal Security delivers a breakthrough approach via a cloud-native email security platform that can be deployed instantly through a one-click API integration. Abnormal Security can be used to extend and complement existing SEG solutions.

Our behavioral data science approach is based on three pillars of technology: identity modeling, behavioral and relationship graphs, and deep content analysis. With these pillars, we are able to profile the known good of an organization and then use that baseline to detect and stop abnormal behavior across a broad range of attacks. For example, Abnormal Security successfully stops:

  • Fraudulent financial requests from compromised vendors
  • Compromised internal email accounts with full remediation
  • Credential phishing emails with targeted links used to gain access to systems

Additionally, Abnormal Security is the only solution with VendorBase, which provides continuous reputation and risk scoring for an organization's partner ecosystem and automatically identifies when a vendor has been compromised. This enables organizations to substantially improve their security posture and prevents compromised vendors from taking advantage of unsuspecting employees.

To learn more about how Abnormal can improve your security, request a demo of the platform today.
