What to Do After Receiving a Business Email Compromise Attack

Year after year, business email compromise (BEC) remains one of the most financially devastating cybercrimes. According to the latest FBI Internet Crime Report, BEC attacks were responsible for $2.7 billion in total losses in 2022. And the average amount lost per incident was just over $125,600—a 300% increase since 2015.

In these targeted and personalized attacks, threat actors impersonate an executive, colleague, or vendor, gain the target’s trust, and then convince them to pay fake invoices, send a wire transfer, or provide access to sensitive data.

Knowing what to do after receiving a business email compromise attack is essential for preventing costly consequences. Read on to discover why these attacks are successful and learn steps employees should take if a BEC attack lands in their inbox.

The average employee receives upwards of 120 work emails every day. And while it’s been shown to support increased productivity, the shift to remote work over the past three years has also blurred the line between an employee’s personal and professional life. Add in the fact that multitasking is the expectation in most organizations, and the result is employees constantly shifting between not just different work assignments but between work and personal tasks as well as work and personal devices.

All of these factors combined create abundant opportunities for threat actors to slip into inboxes undetected.

Additionally, BEC attacks are not launched haphazardly. Unlike spam and basic phishing campaigns in which attackers send out millions of emails without much consideration for individualization, business email compromise is successful because it relies on the exact opposite approach.

Threat actors are deliberate with their target selection and they do their research, leveraging information on social media networks, press releases, and industry publications to determine the best angle of attack. They also utilize legitimate sales and marketing tools to personalize communications and apply social engineering tactics to exploit our natural tendency to be helpful and assume positive intent.

Finally, attackers generally impersonate individuals with whom the target either has an established partnership or is someone in a position of authority, allowing them to capitalize on the implicit trust of the relationship.

In addition to utilizing impersonation and social engineering, two other hallmarks of business email compromise attacks are a conversational tone and limited use of attachments or links. These attributes enable threat actors to bypass legacy email security solutions and convince employees to engage.

For example, in the attack below, the actor impersonated an organization's CEO and emailed an employee a request to process a wire transfer.

The initial email was short, got straight to the point, and included the text “Sent from my iPhone” to make it appear as if the CEO was writing from his mobile device. The attacker also spoofed the CEO’s email address and used a reply-to address that was hosted on a different domain but had a username that matched the CEO’s in their real email address.

Had the recipient responded to this initial message, the attacker would have sent a follow-up email that included the details of the payment request.

As with the first email, the second message was short and direct and contained the same “Sent from my iPhone” signature. The attacker also included the wiring instructions within the body of the email as opposed to sending it as an attachment to improve deliverability.

Because the sender’s email address had been spoofed to impersonate the company’s CEO, there’s a high likelihood that the recipient would instinctively comply since the message appears to come from a person of authority. In addition, because the username of the reply-to email address matches the expected username of the impersonated CEO’s actual email address, an employee may not recognize the difference and trust that the message was sent from an authentic source.

Had the targeted employee fulfilled the attacker’s request, the company would have seen a direct financial loss of more than $34,000.

Every organization, regardless of size or industry, can (and statistically will) be targeted by BEC attacks. This is why it’s essential for each of your employees to know what to do after receiving a business email compromise attack.

Below are the three steps employees should be taught to take if they receive a suspicious email that they’re worried might be a BEC attack.

1. Stop

Do not process the request that you received. Even if everything appears legitimate at first, remember that modern threat actors have become extremely adept at crafting convincing emails. Additionally, even if a message has the expected sender address (i.e., it contains no misspellings or character substitutions), you should still verify the request via an alternate method as the account may have been compromised.

2. Call and Confirm

Consider the email a crime scene—i.e., don’t engage with it further. This means don’t click on any links in the body, reply to the message, or call any phone number listed in the email. Instead, reach out to the “sender” using known-good contact information. Verify that the real vendor, colleague, or executive did, in fact, send you the message and confirm the details of the request.

3. Report

If the request is fraudulent, immediately report the message in accordance with your company’s security policy. Do not just delete the email. Opting to simply delete the email without reporting it can be almost as damaging as engaging since it eliminates the opportunity for the security team to warn other employees about the attack and allows the attacker to move on to another target in the organization.

Educating employees on signs of a possible business email compromise attack and having robust verification processes in place can certainly help reduce your organization’s risk.

However, when you consider that the median open rate for business email compromise attacks is nearly 28%, one thing becomes clear: the most effective way to prevent business email compromise is to invest in a behavioral AI-based email security solution that blocks BEC attacks before they can even reach employee inboxes.

For more insight into BEC attacks, download our white paper, CISO Guide to Business Email Compromise.

Or, to see for yourself how Abnormal’s fundamentally different approach to email security protects your organization from business email compromise, schedule a demo today.