What is Business Email Compromise (BEC)?
Business email compromise (BEC) is a significant security threat to enterprise organizations. This form of email attack uses impersonation to steal money from unsuspecting employees, and employs conversational techniques designed to build trust between the attacker and the target.
According to the FBI's Internet Crime Complaint Center (IC3) 2020 report, BEC is the single greatest cause of financial loss from cybercrime, accounting for more than 45% of all reported financial losses.
BEC attacks are increasingly successful at evading traditional security solutions such as Secure Email Gateways (SEGs), which are designed to stop malware and known-bad links. BEC attacks intentionally begin as text-only messages that carry no malware or malicious links; instead they try to start a conversation by eliciting a response from the target.
How does BEC work?
BEC is not a monolithic type of attack; it uses a variety of techniques and has a range of characteristics.
Spectrum of BEC Attacks

Business entity impersonated:
- Vendor / partner

Impersonation tactic:
- Account compromise (ATO)
- Display name impersonation (personal mail account)

Attack goal:
- Gift card fraud
- Billing account update (invoice) fraud

Email characteristics:
- Invoices or safe (benign) attachments
- Malicious Reply-To addresses
- Not always highly targeted: email addresses can be scraped from LinkedIn and attacks mailed to multiple people or group addresses

What BEC is NOT:
- Credential phishing scams
- Bitcoin extortion scams
- While technically it can involve stealing confidential information, this rarely occurs relative to financial scams
Compromises and Impersonations
Criminals succeed in sending BEC attacks while posing as vendors, partners, internal employees or executives, and use compromised accounts, lookalike domains or spoofed domains to carry the attack out.
Because the target is already familiar with the impersonated business entity, these social-engineering techniques create a sense of trust between attacker and target, which the attacker exploits in the form of financial requests (see the attack goals above).
Additionally, the impersonated accounts are either already trusted by the SEG or originate from never-before-seen domains, so they bypass the threat-intelligence indicators that might otherwise keep them out of the target's inbox.
BEC scams are often highly targeted, meaning the attacker has carefully selected the target based on perceived access to finances or likelihood of responding to a request. This contrasts with a spam campaign sent to numerous recipients with little precision, or a malware attack that needs to be opened just once inside an organization's infrastructure to spread.
However, there are also BEC attacks that are not highly targeted, where the attacker scrapes email addresses from LinkedIn or other sources and mails the same lure to multiple people or to group addresses at once.
A hallmark of a BEC attack is that the initial email is a text-only message. Using text only in the first send both starts a conversation that elicits a response from the target and bypasses traditional email security solutions, like SEGs, that are designed to block malicious attachments and links.
Sense of urgency
BEC attacks also convey a strong sense of urgency. The urgent tone stems from the attacker's need to steal money or information in the shortest time possible, before the targeted organization catches on. It is common for the attacker to follow up aggressively until the target acts on the request.
Malicious Reply-To Addresses
When the attacker spoofs or compromises a sending domain to open a conversation with the target, it is common for them to divert replies away from the address the message appears to come from. To do this the attacker sets a Reply-To header pointing to a mailbox they control, commonly on a lookalike domain, so the target's answer never reaches the real account and the impersonated party never sees the exchange.
Example: Text-based vendor email compromise attack initiating billing account update fraud.
Examples of BEC Attack Goals
Here are examples of the types of BEC fraud carried out in attacks:
Financial impact of BEC attacks
According to the FBI's IC3 2020 report, over $26 billion has been lost to BEC crime. Statistical research performed by Abnormal Security shows that these attacks pose a unique and dangerous financial threat to businesses:
Abnormal Security’s approach to stopping BEC
By leveraging behavioral data science to profile and baseline good behavior, detect anomalies and stop attacks, Abnormal Security delivers a cloud-native email security platform that can be deployed instantly through a one-click API integration. Abnormal Security can be used to extend and complement existing SEG solutions.
Our behavioral data science approach is based on three pillars of technology: identity modeling, behavioral and relationship graphs, and deep content analysis. With these pillars, we profile an organization's known-good behavior and then use it to detect and stop abnormal behavior across a broad range of attacks. For example:
Additionally, Abnormal Security is the only solution with VendorBase, which provides continuous reputation and risk scoring for an organization’s partner ecosystem and automatically identifies when a vendor has been compromised, enabling organizations to substantially improve their security posture.
How can you protect your organization from BEC attacks?
Request a demo and receive a customized email threat report for your enterprise within one week. It includes a 45-day historical analysis and identifies and summarizes key issues, analytics and trends across individuals and departments.
Abnormal is the email security company that stands for trust.
© 2021 Abnormal Security Corporation.
All rights reserved.