Protecting Against Business Email Compromise

June 12, 2020

Business email compromise (BEC) is a significant threat to organizations of every size. This guide gives a brief overview of the attack and explains why it is such a serious problem for enterprises and small businesses alike.

What is Business Email Compromise?

BEC is a form of email attack that uses impersonation to steal money (or data that can be turned into money) from unsuspecting victims. Rather than delivering malware, it relies on conversational techniques designed to build trust between the attacker and the target.

According to the 2020 FBI Internet Crime Complaint Center (IC3) report, BEC represents the single greatest cause of financial loss from cybercrime, accounting for more than 44% of all reported financial losses.

BEC attacks are increasingly successful at evading traditional security solutions, including secure email gateways (SEGs), which were designed to stop malware, ransomware, and emails carrying known indicators of compromise. Because BEC attacks intentionally begin as text-only messages with no links or attachments, there is nothing for signature- or reputation-based checks to match on; the message passes into the inbox, where the attacker can begin a conversation with the target.

How Does Business Email Compromise Work?

BEC is not a single, monolithic attack; it combines a variety of techniques. A given attack can be described by who is impersonated, how the impersonation is carried out, and what the attacker is after. Typical characteristics include the following.

Impersonated Entity: The attacker may impersonate a number of people within or outside of the organization, including:

  • Well-Known Executive or VIP
  • Internal Employee or Manager
  • External Vendor or Partner

Impersonation Tactic: The attack may use one or more of the following impersonation types:

  • Legitimate Compromised Account: the mail really does come from the impersonated person's mailbox, typically after credential phishing, so sender authentication and reputation checks all pass.
  • Domain Spoofing: the From header is forged to show the real domain. This only works where the spoofed domain has no enforced SPF/DKIM/DMARC policy, or where the receiving gateway does not act on a DMARC failure.
  • Domain Impersonation: the attacker registers a lookalike domain (a transposed letter, a different top-level domain, or a homoglyph such as "rn" in place of "m") and sends from it.
  • Display Name Impersonation: the display name matches a real executive or vendor while the underlying address is an unrelated webmail or throwaway account; many mail clients, especially on mobile, show only the display name.

Attack Goal: The attack may have one goal or several. Most attacks attempt to accomplish one of the following.

  • Billing Account Update: The attacker, usually posing as a vendor, asks that the bank details on file for a recurring payment or outstanding invoice be changed to an account the attacker controls.
  • Invoice Fraud: The attacker impersonates an internal entity to request that payment be sent immediately to a vendor, or poses as a vendor to request payment from the victim.
  • RFQ Fraud: The attacker poses as a buyer, requests a quote, and places an order on credit terms so that the goods ship before any payment is made. The attacker then resells the unpaid-for goods for profit.
  • W-2 Fraud: The attacker, usually impersonating an executive, asks HR or payroll for copies of employee W-2 forms. The stolen tax and identity data is then used to file fraudulent tax returns and commit identity theft.
  • Payroll Diversion: This is typically a fraudulent request, in the name of an employee, to change that employee's direct deposit information so that their wages go to the attacker.
  • Gift Card Scheme: The attacker, typically posing as an executive, asks the victim to buy gift cards and send back photos of the card numbers and scratch-off PINs, which are drained immediately.

Email Characteristics: Most BEC emails share the following characteristics:

  • Conversational
  • Urgent
  • Text Only
  • Few or No Links and Attachments
  • Reply-To Addresses Pointing to Attacker-Controlled Mailboxes

Why are BEC Attacks Successful?

Because the target already knows and trusts the impersonated person, these socially engineered messages inherit that trust, which a message from an unknown name or brand would never receive. Attackers exploit that trust to persuade the victim to send money or valuable data.

Making matters worse, the sending accounts are either genuine (and therefore trusted by the SEG) or come from never-seen-before domains with no history, so the threat intelligence indicators that might otherwise keep them out of the target's inbox have nothing to match. Let's dive a little deeper into some key characteristics.

BEC is Highly Targeted

BEC scams are often highly targeted, meaning the attacker has carefully selected the target based on their perceived access to funds or financial information, or their likelihood of acting on a request. This is in contrast to a spam campaign sent to numerous recipients with little precision, or a malware attack that needs to be opened only once inside an organization's infrastructure to spread.

However, not every BEC attack is targeted: sometimes the attacker scrapes email addresses from LinkedIn or other sources and sends the same lure to multiple people or group addresses at once.

BEC is Text-Only

A hallmark of a business email compromise attack is that the initial email is a text-only message. The intent of a text-only first send is to start a conversation and elicit a response from the target, and to bypass traditional email security solutions, such as secure email gateways (SEGs), that are tuned to block malicious attachments and links.

That said, in some cases the attacker may include a link that redirects several times before landing, or a benign attachment that contains no malware, to make the scam look more authentic.

BEC Invokes a Sense of Urgency

BEC attacks often display a strong sense of urgency. The urgent tone stems from the attacker's need to extract money or information in the shortest possible time, before the targeted organization notices. It is common for the attacker to follow up aggressively until the request is acted on, often sending several emails within the span of a few hours.

BEC Attacks Contain Malicious Reply-to Addresses

When the attacker spoofs a domain they do not control in order to start a conversation, any reply would go back to the real mailbox, so the attacker has to divert the conversation away from the spoofed address. They do this by adding a Reply-To header that points to an inbox they control, commonly on a lookalike domain. A From address and a Reply-To address on different domains is therefore one of the simplest header checks for this class of attack.
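To make the impersonation tactics listed above and the Reply-To diversion concrete, here is an added example (not code from the original post or from Abnormal Security) that parses raw messages and reports those signals: a Reply-To on a different domain from the From address, a known executive's display name on an address that is not theirs, a lookalike of the organization's own domain, the organization's own domain in From alongside a DMARC failure recorded by its own gateway, and an urgent tone. The protected domain example.com, the VIP directory, the urgency word list, and the three sample messages are all constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed configuration for this example (assumed, not from the original post).
OUR_DOMAIN = "example.com"                     # assumed protected domain
VIPS = {"jane doe": "jane.doe@example.com"}    # assumed directory of executives
URGENCY = ("urgent", "asap", "immediately", "right away", "before end of day")
# Character substitutions commonly used to build lookalike domains.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def domain_of(addr):
    """Return the lowercased domain part of an address ('' if there is none)."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def normalise(domain):
    """Undo common homoglyph tricks so examp1e.com compares equal to example.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def is_lookalike(domain, target=OUR_DOMAIN):
    """True if domain is not target but is visually or textually close to it."""
    if not domain or domain == target:
        return False
    if normalise(domain) == normalise(target):
        return True
    # Catches transpositions such as exmaple.com; unrelated domains score far lower.
    return SequenceMatcher(None, domain, target).ratio() >= 0.85


def analyze(raw_message):
    """Return the BEC impersonation signals found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = domain_of(from_addr)

    # Reply-To diversion: replies go to a mailbox the attacker controls.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"reply-to diversion: replies go to {reply_addr}, not {from_addr}")

    # Display-name impersonation: a known VIP's name on an address that is not theirs.
    key = " ".join(from_name.lower().split())
    if key in VIPS and from_addr.lower() != VIPS[key]:
        findings.append(f"display-name impersonation of {from_name} via {from_addr}")

    # Domain impersonation: a lookalike of our own domain.
    if is_lookalike(from_domain):
        findings.append(f"lookalike domain {from_domain}")

    # Domain spoofing: our own domain in From, but DMARC failed at our gateway.
    # Only trust an Authentication-Results header added by your own MX; an
    # attacker can insert one of their own further up the path.
    auth = msg.get("Authentication-Results", "")
    dmarc = re.search(r"dmarc=(\w+)", auth, re.IGNORECASE)
    if from_domain == OUR_DOMAIN and dmarc and dmarc.group(1).lower() != "pass":
        findings.append(f"domain spoofing: {from_domain} with dmarc={dmarc.group(1)}")

    # Urgent tone in subject or body: a supporting signal, never proof on its own.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode("utf-8", "replace")).lower()
    if any(word in text for word in URGENCY):
        findings.append("urgent tone")
    return findings


# Constructed sample messages (illustrative, not captured traffic).
SPOOFED_CEO = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe.ceo@mail-relay.test>
To: accounts@example.com
Subject: Urgent wire request
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com

Are you at your desk? I need a wire sent before end of day, will send details.
"""

LOOKALIKE_VENDOR = """\
From: Jane Doe <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Updated bank details for invoice 4471

Please update our remittance account on file and process payment immediately.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch Friday?
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Free for lunch on Friday?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed CEO", SPOOFED_CEO),
                       ("lookalike vendor", LOOKALIKE_VENDOR),
                       ("legitimate", LEGIT)):
        print(f"{label}: {analyze(raw) or ['no impersonation signals']}")
```

The spoofed CEO message trips the Reply-To, DMARC and urgency checks; the lookalike vendor message trips the display-name, lookalike-domain and urgency checks; the legitimate message trips none. None of these signals is conclusive alone (a genuine executive may well write "urgent"), which is why a real deployment scores them against the sender's normal behaviour rather than blocking on any single hit.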

The Financial Impact of BEC Attacks

According to FBI IC3 figures, over $26 billion in losses has been attributed to business email compromise over the past few years. Abnormal Security's own research on the attacks it has observed shows how expensive individual attacks can be:

  • The average potential cost of a vendor email compromise (VEC) attack is $183,000, though the figure varies widely with the goal of the attack.
  • Billing account update fraud is the costliest form of BEC attack, with close to $300,000 on average per attack.
  • The average potential cost of invoice fraud is $120,000, with a maximum of $466,000 identified and prevented.
  • Payment fraud attacks average $105,000 per attack with a maximum observed of $753,000.
  • RFQ scams, though often seen as less sophisticated than other VEC attack types, can be quite expensive: the average seen by Abnormal Security is $242,000, with a maximum of $500,000.

An Abnormal Approach to Stopping Business Email Compromise

Abnormal Security uses behavioral data science to profile and baseline normal behavior, detect anomalies, and stop attacks. The cloud-native email security platform deploys through a one-click API integration and can be used to extend and complement an existing SEG.

Our behavioral data science approach is based on three pillars of technology: identity modeling, behavioral and relationship graphs, and deep content analysis. With these pillars, we profile the known good of an organization and then use that baseline to detect and stop abnormal behavior across a broad range of attacks. For example, Abnormal Security stops:

  • Fraudulent financial requests from compromised vendors
  • Compromised internal email accounts with full remediation
  • Credential phishing emails with targeted links used to gain access to systems

Additionally, Abnormal Security is the only solution with VendorBase, which provides continuous reputation and risk scoring for an organization's partner ecosystem and automatically identifies when a vendor has been compromised. This lets organizations substantially improve their security posture and prevents compromised vendors from taking advantage of unsuspecting employees.

To learn more about how Abnormal can improve your security, request a demo of the platform today.
