What is Business Email Compromise?

June 12, 2020

Abnormal Security

Ken Liao

According to the FBI’s Internet Crime Complaint Center (IC3) reports, Business Email Compromise (BEC) represents the single greatest cause of financial loss from cybercrime, accounting for more than 50% of all financial losses.

While no one likes to talk about falling victim to a cyber attack, BEC is one of those attacks that we all try to sweep under the rug and hope no one notices. Ransomware? It’s extremely disruptive, often crippling business operations. Data breach? Depending on how many records are exposed, you likely have a legal requirement to disclose and inform. But a BEC incident? You were just tricked into sending money (or product) to a cybercriminal. It’s embarrassing. You just want it to quietly go away.

So what is BEC?

BEC emails are carefully honed in both their content and their targeting. The following framework provides an overview of the variations of BEC.

The cybercriminal has spent time doing their homework, crafting a socially engineered, highly relevant message built on a fabricated pretext familiar to the target. This could be an impersonation of a member of the company’s executive team, another co-worker, or a legitimate vendor or business partner.

Attacks may arrive with a sense of urgency from an executive in a position of power. Or in other cases, the attackers may opt for a low and slow approach such as the example detailed in this Invoice Fraud Attack Case Study.

What makes these emails unique and completely different from other types of email attacks is their lack of a payload or technical complexity. BEC attacks don’t need exploit kits, URLs hosting malware, or C&C communication techniques to succeed. Instead, they rely on human behavior and the reality that employees want to perform well, which creates a tendency to take quick action.

So, why has this become such a big problem?

BEC: One Shot to Stop

A traditional targeted email attack usually requires multiple phases to execute successfully. And of course, every enterprise organization has invested in a cocktail of security controls to protect against all stages of an attack chain—from delivery to data exfiltration attempts.

However, BEC attacks generally do not contain a malicious payload. They may well contain an attachment, such as an invoice or a purchase order, but what you won’t see is malware. And without a payload, the technical controls beyond the initial delivery stage are rendered useless against BEC scams.

What this means is that we ultimately have one shot to stop a BEC attack. If the attack isn’t detected and stopped at delivery, companies are at the mercy of human behavior and how the employee chooses to react after reading the email. Many organizations have given up on stopping these attacks and have turned to security awareness training, hoping their end users can identify these attacks. But that’s clearly not working: Verizon’s 2020 Data Breach Investigations Report highlights how Phishing Click Rates Decline While Socially-Engineered Attacks Grow.
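Because a BEC email carries no malware, URL or command-and-control traffic, the only signals available at delivery time are the ones the attack described above is built from: an impersonated display name, a sender or Reply-To domain that does not match the organization, a lookalike domain, and urgency, payment and secrecy language. The following script is an added illustration of a delivery-time triage check over those signals; it is not Abnormal Security’s product or code. The organization domain, the executive roster, the keyword lists and both sample messages are constructed for the example.

```python
"""Heuristic delivery-time triage for payload-less BEC email.

Scores an RFC 5322 message on social-engineering signals found in its
headers and wording (not on attachments or URLs, which BEC usually lacks):
  * display name of a known executive sent from an external address
  * Reply-To domain differing from the From domain
  * sender domain that is a lookalike of the organization's domain
  * urgency, payment/banking and secrecy/unavailability language
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed organization and executive roster (hypothetical values).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe", "raj patel"}

# Illustrative phrase lists; a production filter would use tuned, broader sets.
URGENCY = re.compile(r"\b(urgent|asap|immediately|right away|today|before (?:noon|end of day))\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|wire|gift cards?|bank details|account number|invoice|payment|purchase order)\b", re.I)
SECRECY = re.compile(r"\b(confidential|don'?t (?:tell|mention)|keep this between us|can'?t talk right now|in a meeting)\b", re.I)


def _domain(addr):
    """Lowercased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, org=ORG_DOMAIN):
    """True if domain is within two edits of org, or reuses org's first label under another TLD."""
    if not domain or domain == org:
        return False
    return _levenshtein(domain, org) <= 2 or domain.split(".")[0] == org.split(".")[0]


def score_bec(raw):
    """Return (score, reasons) for a raw message; each triggered signal adds one point."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply = parseaddr(msg.get("Reply-To", "") or addr)   # no Reply-To: replies go to From
    body = msg.get_body(preferencelist=("plain",))
    text = msg.get("Subject", "") + "\n" + (body.get_content() if body else "")
    reasons = []
    if name.strip().lower() in EXECUTIVES and _domain(addr) != ORG_DOMAIN:
        reasons.append(f"display name '{name}' matches an executive but sender is external ({addr})")
    if _domain(reply) != _domain(addr):
        reasons.append(f"Reply-To domain {_domain(reply)} differs from From domain {_domain(addr)}")
    if is_lookalike(_domain(addr)):
        reasons.append(f"sender domain {_domain(addr)} is a lookalike of {ORG_DOMAIN}")
    if URGENCY.search(text):
        reasons.append("urgency language")
    if PAYMENT.search(text):
        reasons.append("payment or banking request")
    if SECRECY.search(text):
        reasons.append("secrecy or unavailability pretext")
    return len(reasons), reasons


def should_hold(raw, threshold=3):
    """Hold the message for review when enough independent signals fire."""
    return score_bec(raw)[0] >= threshold


# Constructed sample: executive impersonation from a lookalike domain with an external Reply-To.
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@exarnple.com>
Reply-To: Jane Doe <ceo.janedoe@freemail.test>
To: accounts@example.com
Subject: Urgent wire transfer needed today

Hi, I'm in a meeting and can't talk right now. Please process a wire transfer
to the vendor below immediately; the bank details are attached. Keep this
confidential until I'm back.
"""

# Constructed sample: routine internal message from the real executive address.
LEGIT_SAMPLE = """\
From: Raj Patel <raj.patel@example.com>
To: team@example.com
Subject: Q3 planning notes

Attached are the notes from this morning's planning session. No action needed.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("legit", LEGIT_SAMPLE)):
        score, reasons = score_bec(sample)
        print(f"{label}: score={score} hold={should_hold(sample)}")
        for r in reasons:
            print("  -", r)
```

The point of the example is where the evidence lives: every reason the constructed BEC message triggers comes from the From and Reply-To headers and from the wording, and nothing in the check inspects attachments or links, because a BEC email typically gives a sandbox or URL scanner nothing to act on. The threshold and keyword lists are illustrative; in practice the executive roster comes from the directory, and the domain comparison should use the registered domain rather than the raw host.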

However, advances in API-integrated cloud-native architectures and data science techniques have enabled Abnormal Security to identify and stop these pernicious attacks. If these attacks are a problem for your organization, click here to learn more about how we can help.
