What Is Business Email Compromise (BEC)?
BEC is currently the most expensive type of cybercrime. These socially engineered attacks evade traditional email security systems. Learn how and why BEC works, and how to stop it.
Business email compromise (BEC) is a significant threat to enterprise organizations. This guide gives a brief overview of the attack and explains why it is a serious issue for enterprises and small businesses alike.
What is Business Email Compromise?
This form of email attack uses impersonation to steal money from unsuspecting victims and employs conversational techniques designed to build trust between the attacker and target.
According to the 2020 FBI Internet Crime Complaint Center (IC3) report, BEC represents the single greatest cause of financial loss from cybercrime, accounting for more than 44% of all reported financial losses.
BEC attacks are increasingly successful in evading detection from traditional security solutions, including secure email gateways (SEGs), that were designed to stop malware, ransomware, and emails with traditional indicators of compromise. But because BEC attacks intentionally begin as text-only messages and do not include links or attachments, they pass by traditional systems and into inboxes, where attackers can begin conversations with their target.
How Does Business Email Compromise Work?
BEC is not a monolithic type of attack; it can occur in a variety of ways and uses a variety of techniques. Typical characteristics include the following.
Business Entity: The attacker may impersonate a number of people within or outside of the organization, including:
- Well-Known Executive or VIP
- Internal Employee or Manager
- External Vendor or Partner
Impersonation Tactic: The attack may include a number of impersonation types including:
- Legitimate Compromised Account
- Domain Spoofing
- Domain Impersonation
- Display Name Impersonation
Attack Goal: The attack may have a single goal or multiple goals. Most attacks attempt to accomplish one of the following.
- Billing Account Update: This attack will attempt to update banking details for a recurring payment or outstanding invoice.
- Invoice Fraud: The attacker will impersonate an internal entity to request payment be immediately sent to a vendor, or will pose as a vendor to request payment from the victim.
- RFQ Fraud: This attack is an attempt to get the target to send goods to the attacker without first paying for them. The attacker will then resell these free goods for profit.
- W-2 Fraud: The attacker attempts to divert payroll transactions to an account owned by them.
- Payroll Diversion: This is typically a fraudulent request to change direct deposit information and steal employee wages.
- Gift Card Scheme: The attacker requests the purchase of gift cards and asks the victim to send images of the information.
Email Characteristics: Most BEC emails will have the following characteristics:
- Conversational
- Urgent
- Text Only
- Limited Links and Attachments
- Malicious Reply-To Addresses
Why are BEC Attacks Successful?
Due to the familiarity between the impersonated person and the target, these socially engineered techniques provide a sense of trust between the attacker and the target, which may not exist with an unknown name or brand. Attackers can take advantage of that trust to encourage the victim to send money or valuable data.
Making matters worse, these impersonated accounts are either trusted by the SEGs or originate from never-seen-before domains, bypassing threat intelligence indicators that might keep them out of the target's inbox. Let's dive a little deeper into some key characteristics.
BEC is Highly Targeted
BEC scams are often highly targeted, meaning the attacker has carefully selected their target based on perceived access to financial information or susceptibility to respond to a request. This is in contrast to a spam attack that is sent to numerous recipients with little precision, or a malware attack that needs to be opened just once inside of an organization’s infrastructure to spread.
However, there are instances where BEC attacks are not highly targeted, where the attacker scrapes email addresses from LinkedIn or other sources and mails attacks to multiple people or group addresses at the same time.
BEC is Text-Only
A hallmark of a business email compromise attack is that the initial email contains a text-only message. The attacker uses a text-only message in the first send to start a conversation and elicit a response from the target, as well as to bypass traditional email security solutions, like secure email gateways (SEGs), that are trained to block malicious attachments and links.
That said, in some cases, the attacker may choose to include a link that redirects multiple times or a safe attachment that doesn't contain malware in order to add authenticity to the scam.
BEC Invokes a Sense of Urgency
BEC attacks often display a strong sense of urgency. The urgent tone stems from the attacker's need to steal money or information in the shortest amount of time, before being caught by the targeted organization. It is common for the attacker to aggressively follow up on their requests until they are acted upon by the target, often sending multiple emails within the span of a few hours.
BEC Attacks Contain Malicious Reply-to Addresses
When the attacker compromises a domain in order to create a conversation with the target, it’s common for the attacker to ensure that the conversation is diverted away from the actual email address. In this case, the attacker adds a reply-to address that points to an email inbox they have control of, commonly a lookalike domain.
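The characteristics described above (a Reply-To that diverts the conversation, a lookalike domain, a text-only body, urgent wording) can be checked from the message itself. The following is an added example, not code from the original page or from any vendor: the function names, the urgency keyword list, the edit-distance threshold of 2 and the sample message are all assumptions made for illustration.

```python
import email
from email import policy
from email.utils import parseaddr

URGENCY_TERMS = ("urgent", "asap", "immediately", "today", "right away")  # assumed list

# Constructed sample: Reply-To uses a lookalike of the From domain ("1" for "l").
SAMPLE = """\
From: "Pat Lee (CFO)" <pat.lee@example.com>
Reply-To: pat.lee@examp1e.com
To: ap@example.com
Subject: Quick request
Content-Type: text/plain; charset="utf-8"

Are you at your desk? I need a vendor payment sent today. Reply ASAP.
"""

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used here to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_signals(raw_message):
    """Return the set of BEC characteristics found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    signals = set()
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        signals.add("reply_to_mismatch")
        if 0 < edit_distance(reply_dom, from_dom) <= 2:  # assumed threshold
            signals.add("lookalike_reply_to")
    parts = [p for p in msg.walk() if not p.is_multipart()]
    if all(p.get_content_type() == "text/plain" for p in parts):
        signals.add("text_only")
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + " " + (body.get_content() if body else "")
    if any(term in text.lower() for term in URGENCY_TERMS):
        signals.add("urgent")
    return signals
```

Each signal also appears in legitimate mail (mailing lists and ticketing systems set a different Reply-To, and many normal messages are plain text), so treat them as inputs to a score or a review queue rather than as block rules. Header checks like these do not flag mail sent from a legitimate compromised account, where From and Reply-To can both be genuine.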
The Financial Impact of BEC Attacks
According to the FBI's 2020 IC3 report, over $26 billion has been lost to business email compromise crime over the past few years. Based on statistical research performed by Abnormal Security, these attacks pose a unique and dangerous financial threat to businesses, including the following:
- The average potential cost of a vendor email compromise attack is $183,000, depending on the goal of the attack.
- Billing account update fraud is the costliest form of BEC attack, with close to $300,000 on average per attack.
- The average potential cost of invoice fraud is $120,000, with a maximum of $466,000 identified and prevented.
- Payment fraud attacks average $105,000 per attack with a maximum observed of $753,000.
- RFQ scams, which tend to be seen as less sophisticated than other vendor email compromise (VEC) attack types, can be quite expensive. The average seen by Abnormal Security is $242,000 with a maximum of $500,000.
An Abnormal Approach to Stopping Business Email Compromise
By uniquely leveraging behavioral data science to profile and baseline good behavior to detect anomalies and stop attacks, Abnormal Security delivers a breakthrough approach via a cloud-native email security platform that can be deployed instantly through a one-click API integration. Abnormal Security can be used to extend and complement existing SEG solutions.
Our behavioral data science approach is based on three pillars of technology: identity modeling, behavioral and relationship graphs, and deep content analysis. With these pillars, we’re able to profile the known good of an organization and then use that profile to detect abnormal behavior and stop a broad range of attacks. For example, Abnormal Security successfully stops:
- Fraudulent financial requests from compromised vendors
- Compromised internal email accounts with full remediation
- Credential phishing emails with targeted links used to gain access to systems
Additionally, Abnormal Security is the only solution with VendorBase, which provides continuous reputation and risk scoring for an organization's partner ecosystem and automatically identifies when a vendor has been compromised. This enables organizations to substantially improve their security posture and prevents compromised vendors from taking advantage of unsuspecting employees.