Business Email Compromise Attack Protection

What is Business Email Compromise (BEC)?

Business email compromise (BEC) is a significant security threat to enterprise organizations. This form of email attack uses impersonation to steal money from unsuspecting employees, and it relies on conversational techniques designed to build trust between the attacker and the target before any request is made.

According to the FBI's 2020 Internet Crime Complaint Center (IC3) report, BEC is the single greatest cause of financial loss from cybercrime, accounting for more than 45% of all reported financial losses.

BEC attacks are increasingly successful at evading detection by traditional security solutions, such as Secure Email Gateways (SEGs), that are designed to stop malware or known bad links. BEC attacks intentionally begin as text-only messages that carry no malware and no links; the first message exists only to start a conversation by eliciting a response from the target.

How does BEC work?

BEC is not a single, monolithic type of attack; it draws on a variety of techniques and characteristics, summarized below.

Spectrum of BEC Attacks

Business Entity (who is impersonated)
  • Vendor / Partner
  • Internal Employee
  • Internal Executive

Impersonation Tactic
  • Account Compromise (ATO)
  • Domain Spoofing
  • Domain Impersonation (lookalike domain)
  • Display Name Impersonation (sent from a personal mail account)

Attack Goal
  • Billing Update
  • Invoice Inquiry
  • RFQs
  • W-2s
  • Gift Card Fraud

Email Characteristics
  • Conversational
  • Urgent
  • Text-only
  • No Links
  • Invoices or Safe Attachments
  • Malicious Reply-To Addresses
  • Not always highly targeted: email addresses can be scraped from LinkedIn and attacks mailed to multiple people or group addresses

What BEC is NOT
  • Credential phishing scams
  • Bitcoin extortion scams
  • Theft of confidential information (technically possible, but rare relative to financial scams)
  • Spam

Compromises and Impersonations

Criminals succeed in sending BEC attacks as vendors, partners, internal employees or executives, and carry the attack out from compromised accounts, lookalike domains or spoofed domains.

Because the target already knows the impersonated business entity, these socially engineered techniques create a sense of trust between the attacker and the target, which the attacker exploits in the form of financial requests (see Attack Goals above).

Additionally, the sending accounts are either already trusted by the SEG (a genuine but compromised mailbox) or originate from never-seen-before domains with no reputation history, so threat intelligence indicators that might otherwise keep them out of the target's inbox do not fire.

Highly targeted

BEC scams are often highly targeted, meaning the attacker has carefully selected the target based on perceived access to financial systems or likelihood of responding to a request. This is in contrast to a spam campaign sent to numerous recipients with little precision, or a malware attack that needs to be opened just once inside an organization's infrastructure to spread.

However, there are instances where BEC attacks are not highly targeted: the attacker scrapes email addresses from LinkedIn or other sources and mails the attack to multiple people or group addresses at the same time.

Text-only messages

A hallmark of a BEC attack is that the initial email contains a text-only message. The intent of using a text-only first message is to start a conversation and elicit a response from the target, as well as to bypass traditional email security solutions, like Secure Email Gateways (SEGs), that are tuned to block malicious attachments and links.

Sense of urgency

BEC attacks also display a strong sense of urgency. The urgent tone stems from the attacker's need to steal money or information in the shortest possible time before the targeted organization notices. It is common for the attacker to follow up aggressively on a request until the target acts on it.

Malicious Reply-To Addresses

When the attacker spoofs a legitimate sender, or sends from a compromised account whose owner might notice replies, it is common for the attacker to divert the conversation away from the real mailbox. To do this the attacker adds a Reply-To header that points to an inbox they control, commonly on a lookalike domain, so that the target's reply goes to the attacker while the visible From address still appears trustworthy.
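The traits described in the four sections above (Compromises and Impersonations, Text-only messages, Sense of urgency, Malicious Reply-To Addresses) can all be checked on a raw message. The following is an added triage example, not Abnormal Security's own code or detection logic: it parses an RFC 5322 message and flags a Reply-To that diverts replies to another domain, a known executive's display name on a non-corporate address, lookalike domains in either header, and an urgent, link-free, attachment-free text-only body. The organization domain, vendor list, executive list and the three sample messages are hypothetical values constructed for the example.

```python
"""Added example: header and body triage for common BEC traits.
Not Abnormal Security's code; all context values below are hypothetical."""
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Hypothetical organizational context: our domain, who we pay, who is worth impersonating.
ORG_DOMAIN = "example.com"
VENDOR_DOMAINS = {"acme-supplies.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # display name -> genuine address
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}  # never treated as lookalikes
URGENCY_TERMS = ("urgent", "asap", "immediately", "end of day", "gift card", "wire")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domain names are short, so O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str, trusted: set):
    """Return the trusted domain that `domain` imitates, or None if it is
    genuine, unrelated, or a public free-mail provider."""
    if domain in trusted or domain in FREEMAIL:
        return None
    for t in trusted:
        # Edit distance <= 2 catches typos and swapped letters; the replace()
        # catches the "rn" for "m" substitution that distance alone may miss.
        if edit_distance(domain, t) <= 2 or domain.replace("rn", "m") == t:
            return t
    return None


def triage(raw: str) -> list:
    """Return a list of human-readable findings for one raw message."""
    msg = message_from_string(raw, policy=default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    trusted = {ORG_DOMAIN} | VENDOR_DOMAINS
    findings = []

    # 1. Reply-To diversion: replies leave the domain the message appears to come from.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        findings.append(f"reply-to diverts replies to {domain_of(reply_addr)}")

    # 2. Display-name impersonation: an executive's name on a foreign address.
    genuine = EXECUTIVES.get(from_name.strip().lower())
    if genuine and from_addr.lower() != genuine:
        findings.append(f"display name '{from_name}' used from {from_addr}")

    # 3. Lookalike domains in either the From or the Reply-To header.
    for label, addr in (("sender", from_addr), ("reply-to", reply_addr)):
        if addr:
            target = lookalike_of(domain_of(addr), trusted)
            if target:
                findings.append(f"{label} domain {domain_of(addr)} resembles {target}")

    # 4. Urgent, text-only first message carrying no links and no attachments.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    has_link = "http://" in text or "https://" in text
    has_attachment = next(msg.iter_attachments(), None) is not None
    urgent = [t for t in URGENCY_TERMS if t in text]
    if urgent and not has_link and not has_attachment:
        findings.append("urgent text-only message with no links: " + ", ".join(urgent))
    return findings


# Constructed sample messages (not real captures).
SAMPLE_VENDOR_BILLING_UPDATE = """\
From: Accounts Payable <ap@acme-supplies.com>
Reply-To: ap@acme-suppiles.com
To: finance@example.com
Subject: Updated remittance details
Content-Type: text/plain; charset=utf-8

Hi, please note our banking details changed. Kindly update the remit-to
account before the next payment run. This is urgent.
"""

SAMPLE_GIFT_CARD = """\
From: Jane Doe <jane.doe.ceo@gmail.com>
To: bob@example.com
Subject: Quick favour
Content-Type: text/plain; charset=utf-8

Are you at your desk? I need you to pick up some gift cards ASAP, I'm in a meeting.
"""

SAMPLE_BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: bob@example.com
Subject: Q3 deck
Content-Type: text/plain; charset=utf-8

Draft is at https://intranet.example.com/decks/q3 - comments welcome.
"""

if __name__ == "__main__":
    for name, raw in (("vendor billing update", SAMPLE_VENDOR_BILLING_UPDATE),
                      ("gift card", SAMPLE_GIFT_CARD), ("benign", SAMPLE_BENIGN)):
        print(name, "->", triage(raw) or ["no findings"])
```

The first sample keeps the genuine vendor address in From (as a compromised or spoofed account would) and diverts replies to a lookalike, so it produces three findings; the gift-card sample produces two; the benign internal message produces none. These are triage signals, not verdicts: a genuine urgent text-only note from a colleague will also trip check 4, which is why it is reported alongside the header anomalies rather than used alone, and why the edit-distance threshold should be tightened for very short trusted domains.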

Example: Text-based vendor email compromise attack initiating billing account update fraud.

Examples of BEC Attack Goals

Here are examples of the types of BEC fraud carried out in attacks:

  • Payroll Fraud – Fraudulent request to change an employee's direct deposit information in order to steal their wages.
  • Internal Invoice Payment Fraud – Impersonates an internal entity to request payment for a fake charge.
  • External Invoice Payment Fraud – Poses as a vendor, partner, or other external entity to request payment for a fake charge.
  • Billing Account Update Fraud – Attempt to change the payment details of a recurring payment or an outstanding invoice so that funds go to the attacker's account.
  • Gift Card Fraud – Impersonates an executive or another employee to request the purchase of gift cards, whose codes are then sent to the attacker.
  • RFQs (Request for Quote) – Attempt to get the target to ship goods to the attacker without payment. The attacker then resells the goods.
  • W-2s – Request for employees' W-2 tax forms, typically sent to HR or payroll staff; the stolen forms are used for tax refund fraud and identity theft.

Financial impact of BEC attacks

According to the FBI's 2020 IC3 report, over $26 billion has been lost to BEC crime. Based on statistical research performed by Abnormal Security, these attacks pose a unique and dangerous financial threat to businesses:

  • The average potential cost of vendor email compromise (VEC) attacks is $183,000 depending on the goal of the attack.
  • Billing account update fraud is the costliest form of VEC attack — close to $300,000 on average per attack.
  • The average potential cost of invoice fraud is $120,000, with a maximum of $466,000 identified and prevented.
  • Payment fraud attacks average $105,000 per attack with a maximum observed of $753,000.
  • RFQ (request for quote) scams, which tend to be seen as less sophisticated than other VEC attack types, can be quite expensive. The average seen by Abnormal Security is $242,000 with a maximum of $500,000.

Abnormal Security’s approach to stopping BEC

By uniquely leveraging behavioral data science to profile and baseline good behavior to detect anomalies and stop attacks, Abnormal Security delivers a breakthrough approach via a cloud-native email security platform that can be deployed instantly through a 1-click API integration. Abnormal Security can be used to extend and complement existing SEG solutions.

Our behavioral data science approach is based on three pillars of technology: identity modeling, behavioral and relationship graphs, and deep content analysis. With these pillars, we’re able to profile the known good of an organization and then use it to detect and stop abnormal behavior to stop a broad range of attacks. For example: 

  • Identify fraudulent financial requests from a compromised vendor
  • Detect compromised internal email accounts and shut them down
  • Automatically block emails with targeted links used to phish credentials from employees

Additionally, Abnormal Security is the only solution with VendorBase, which provides continuous reputation and risk scoring for an organization’s partner ecosystem and automatically identifies when a vendor has been compromised, enabling organizations to substantially improve their security posture.

How can you protect your organization from BEC attacks?

Request a demo and receive a customized email threat report for your enterprise within one week. The report includes a 45-day historical analysis, identifies and summarizes key issues, and provides analytics and trends across individuals and departments.
