
Protect Your Business from Business Email Compromise

Business email compromise (BEC) is a common type of scam that uses fraudulent emails to trick employees into sending money or sharing access to sensitive information. Each year, BEC costs companies more than $2 billion — and these scams are only becoming more prevalent across nearly every industry.

Easy access to artificial intelligence (AI), combined with the rise in remote work, has fueled the trend: reported BEC losses rose 9% year over year in 2023. As BEC attacks and other cyber threats grow more sophisticated, businesses can help protect themselves and their customers through awareness, planning and employee training.

Understanding Business Email Compromise

BEC, often grouped with email account compromise (EAC), in which a real mailbox is taken over rather than merely impersonated, is a type of phishing attack that uses email fraud to steal money or sensitive information. These schemes target organizations and their employees, tricking them into willingly sending money or providing access to valuable data.

Fraudsters may use several tactics to carry out BEC attacks, including:

  • Email and website spoofing: Impersonating an organization or its executives with forged sender addresses, lookalike domains (often a single swapped character) or cloned login pages.
  • Social engineering: Using deception and manipulation to get a person to do something, such as transferring money or revealing information.
  • Data gathering: Using publicly available information to appear more legitimate. For example, scammers scrape company websites and social media profiles for names, titles, vendors and travel schedules.
  • False sense of urgency: Pressuring employees to act immediately, typically with a deadline, a demand for secrecy or an executive's authority, so that normal checks are skipped.

Types of Business Email Compromise

Though business email compromise can take many forms, the five most common types of BEC are CEO fraud, account compromise, false invoice schemes, attorney impersonation and data theft.

  • CEO fraud: CEO fraud occurs when a scammer impersonates a company’s top-ranking officer, typically to request a transfer of money.
  • Account compromise: Fraudsters who gain access to an employee's mailbox use the real account to request payments from vendors and customers the company already works with, or to redirect existing payments to accounts they control.
  • False invoice scheme: In a false invoice scheme, scammers pretend they are legitimate vendors or suppliers. They’ll then send fake invoices to the company in the hopes the company sends money to the fraudulent accounts.
  • Attorney impersonation: Scammers may use false credentials to impersonate an attorney and request payments or sensitive information. These attacks often target lower-level employees.
  • Data theft: While many scammers try to steal money, some cybercriminals target information (employee records, customer data, credentials) that they can sell or use to plan future attacks.


Real-World Instances of Business Email Compromise

1. French Film Company Pathé Loses $22 Million in CEO Fraud Scam

A CEO fraud attack cost the French film production company Pathé roughly $22 million. Fraudsters impersonated the CEO of Pathé's French head office, writing to the CEO of the company's Dutch subsidiary about a confidential acquisition. The criminals then impersonated other senior executives to approve a series of wire transfers, moving millions of dollars to the scammers' accounts.

The key takeaways from this incident are that companies need to raise awareness of business email compromise, use email security tools and require out-of-band verification of wire transfers, regardless of who appears to be asking.

2. Account Compromise Costs Government of Puerto Rico More Than $4 Million

From December 2019 through January 2020, two of Puerto Rico's government-owned enterprises sent millions of dollars to fraudulent accounts in a BEC attack. The scammers gained access to an email account belonging to an employee of the Puerto Rico Employees Retirement System, then used that genuine mailbox to instruct the agencies to redirect payments to a different, fraudulent bank account.

Organizations can learn a lot from this attack: verify every fund transfer or payment-detail change through a channel other than the email that requested it, stay alert to unusual behavior even from known senders, and secure email accounts with strong passwords, multi-factor authentication and ongoing employee training.


How to Protect Your Business from BEC

1. Promote Employee Training and Awareness

Employee training and awareness is one of the best ways to protect your business from BEC attacks and other scams. Organizations should host regular training sessions and educate employees about current scams and tactics, how to recognize suspicious behavior and how to report scams.

Many companies use simulated phishing emails as part of their ongoing training. These emails may come from an unfamiliar address and can include links, attachments and urgent requests. Employees should learn to notice unknown or lookalike senders, mismatched reply addresses and unusual requests or prompts to follow a link or download an attachment. Poor grammar and spelling used to be a reliable tell, but AI-written lures are fluent, and a BEC email from a compromised account comes from a real colleague; the dependable signal is the request itself (a payment, a change to bank details, a demand for secrecy or speed), which should always be confirmed through a separate channel.

2. Use Strong Email Security Measures

On an organizational level, companies should always implement strong email security measures, such as multi-factor authentication, email filtering and spam detection. Companies should also regularly update and patch email systems to resolve bugs and vulnerabilities, and publish SPF, DKIM and Domain-based Message Authentication, Reporting and Conformance (DMARC) records so that receiving mail servers reject messages that forge the company's own domain. DMARC only helps if the policy is enforced (p=quarantine or p=reject rather than p=none) and it does nothing against lookalike domains the attacker registers and authenticates himself, so it complements rather than replaces verification procedures.
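To make concrete what "using DMARC" actually decides, the following added example (not code from the page or from any mail vendor) evaluates a message the way a receiving server does: SPF and DKIM results are checked for alignment with the visible From domain, and the domain's DMARC policy decides what happens on failure. The message fields and DNS records are constructed, and org_domain() is a two-label simplification of the Public Suffix List lookup a real receiver performs.

```python
"""Receiver-side DMARC evaluation plus a quick policy-strength check.

Added illustration only: not code from the page or any mail vendor. The
message fields and DNS records used below are constructed, and org_domain()
is a two-label simplification of the Public Suffix List lookup real
receivers do (right for example.com, wrong for example.co.uk).
"""
from typing import Optional


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment (assumption: last two labels)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def parse_dmarc(txt: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a dict, filling in the
    RFC 7489 defaults for tags that are absent."""
    tags = {"p": "none", "adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only needs the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(header_from: str, envelope_from: str, spf_result: str,
             dkim_domain: Optional[str], dkim_result: str, dmarc_txt: str) -> dict:
    """Decide what a receiver does with one message.

    header_from   - the RFC 5322 From address the user sees
    envelope_from - the SMTP MAIL FROM domain that SPF was checked against
    dkim_domain   - the d= tag of a verified DKIM signature, or None
    dmarc_txt     - the _dmarc TXT record published for the From domain
    """
    from_domain = header_from.rsplit("@", 1)[1]
    policy = parse_dmarc(dmarc_txt)
    spf_ok = spf_result == "pass" and aligned(envelope_from, from_domain, policy["aspf"])
    dkim_ok = (dkim_result == "pass" and dkim_domain is not None
               and aligned(dkim_domain, from_domain, policy["adkim"]))
    # DMARC passes when EITHER authenticated identifier aligns with From.
    dmarc_pass = spf_ok or dkim_ok
    if dmarc_pass:
        action = "deliver"
    else:
        action = {"none": "deliver (report only)",
                  "quarantine": "quarantine",
                  "reject": "reject"}[policy["p"]]
    return {"spf_aligned": spf_ok, "dkim_aligned": dkim_ok,
            "dmarc": "pass" if dmarc_pass else "fail", "action": action}


def weak_points(dmarc_txt: str) -> list:
    """Flag settings that leave a domain spoofable although 'DMARC is set up'."""
    tags = parse_dmarc(dmarc_txt)
    issues = []
    if tags["p"] == "none":
        issues.append("p=none")      # failures are reported, never blocked
    if int(tags["pct"]) < 100:
        issues.append("pct<100")     # policy applied to only part of the mail
    if "rua" not in tags:
        issues.append("no-rua")      # no aggregate reports, so no visibility
    return issues


if __name__ == "__main__":
    strong = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
    # 1. Legitimate mail: bounce.example.com relaxed-aligns with example.com.
    print(evaluate("ceo@example.com", "bounce.example.com", "pass",
                   "example.com", "pass", strong))
    # 2. Direct spoof of the CEO from the attacker's own server: SPF passes
    #    for attacker.net but nothing aligns with example.com, so p=reject bites.
    print(evaluate("ceo@example.com", "attacker.net", "pass", None, "none", strong))
    # 3. The same spoof against a domain that publishes only p=none: delivered.
    print(evaluate("ceo@example.com", "attacker.net", "pass", None, "none",
                   "v=DMARC1; p=none"))
    # 4. Lookalike domain the attacker registered and authenticated himself:
    #    DMARC passes, which is why DMARC alone does not stop BEC.
    print(evaluate("ceo@examp1e.com", "examp1e.com", "pass", "examp1e.com", "pass",
                   "v=DMARC1; p=reject"))
    print(weak_points("v=DMARC1; p=none"))
```

Cases 2 and 3 differ only in the victim domain's policy: the forged CEO mail is rejected under p=reject and delivered under p=none. Case 4 is the limit of the control: a lookalike domain authenticates cleanly because the attacker owns it, so that threat has to be caught by procedure, not by DNS.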

3. Leverage Artificial Intelligence and Machine Learning

Though scammers use AI and machine learning (ML) for social engineering attacks, these tools can also be used to detect and stop phishing attacks and email account compromise. AI and ML algorithms can analyze email patterns and even writing style to identify anomalies and provide real-time alerts and automated responses to potential threats.

4. Implement Verification Procedures

Every organization should have standard verification procedures in place, including a dual-approval process for financial transactions and for any change to vendor payment details. Confirm such changes by calling back a contact number already on file, never one supplied in the request itself, since a fraudster will happily answer the phone number in their own email. These procedures not only help prevent fraud but also reduce the likelihood of unintentional errors, because a second person reviews the transaction or change.

5. Monitor for Threats and Create an Incident Response Plan

Organizations should always monitor for threats and be ready for a rapid response. Alerts on suspicious activity, such as sign-ins from unexpected locations or newly created mailbox forwarding rules, can stop scammers in their tracks, and regular review of email logs gives security teams the data to spot patterns. An incident response plan, rehearsed with employees, lets a company quickly isolate the threat, notify affected parties and banks, establish safe communication channels and restore normal operations.
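As an added example of the kind of log review described above (not tooling from the page or from any vendor), the script below scans constructed mail-gateway and mailbox-audit events for three BEC patterns: an executive's display name on an address that is not in the directory, a Reply-To that points somewhere other than the From domain, and a newly created inbox rule that forwards mail externally or hides it, which is how attackers keep a compromised account's real owner from noticing the conversation. The event schema, the internal domain example.com and the executive directory are all assumptions.

```python
"""Scan mail-gateway and mailbox-audit events for BEC indicators.

Added illustration, not the page's own tooling. The events, the executive
directory and the internal domain are constructed, and the JSON field
names are an assumed log schema, not any product's format.
"""
import json
import re

INTERNAL_DOMAIN = "example.com"                      # assumed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # assumed directory lookup

PAYMENT_WORDS = re.compile(
    r"\b(wire|invoice|payment|bank (details|account)|remittance)\b", re.I)
PRESSURE_WORDS = re.compile(
    r"\b(urgent|asap|immediately|confidential|today)\b", re.I)


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def check_message(ev: dict) -> list:
    """Indicators on one inbound message event."""
    findings = []
    sender = ev["from"].lower()
    name = ev.get("from_name", "").strip().lower()
    # Display-name impersonation: the name of a known executive on an
    # address that is not that executive's directory address.
    if name in EXECUTIVES and sender != EXECUTIVES[name]:
        findings.append("executive display name on a non-directory address")
    # Reply-To pointing at a different domain: replies go to the attacker.
    reply_to = ev.get("reply_to")
    if reply_to and domain(reply_to) != domain(sender):
        findings.append("Reply-To domain differs from From domain")
    # Money plus pressure from outside the company.
    subject = ev.get("subject", "")
    if (PAYMENT_WORDS.search(subject) and PRESSURE_WORDS.search(subject)
            and domain(sender) != INTERNAL_DOMAIN):
        findings.append("external payment request with pressure language")
    return findings


def check_inbox_rule(ev: dict) -> list:
    """Indicators on a mailbox-rule creation event (post-compromise,
    attackers hide the thread from the real account owner)."""
    findings = []
    fwd = ev.get("forward_to")
    if fwd and domain(fwd) != INTERNAL_DOMAIN:
        findings.append("new rule auto-forwards mail to an external address")
    if ev.get("delete") or ev.get("move_to") in ("RSS Feeds", "Deleted Items", "Archive"):
        findings.append("new rule hides incoming mail (delete/move)")
    if PAYMENT_WORDS.search(" ".join(ev.get("keywords", []))):
        findings.append("rule keyed on payment-related keywords")
    return findings


def scan(lines) -> list:
    """Return (line number, event type, findings) for every event that hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        ev = json.loads(line)
        if ev["type"] == "message":
            found = check_message(ev)
        elif ev["type"] == "inbox_rule":
            found = check_inbox_rule(ev)
        else:
            found = []
        if found:
            hits.append((n, ev["type"], found))
    return hits


SAMPLE_LOG = [  # constructed events, not real traffic
    '{"type":"message","from":"jane.doe@example.com","from_name":"Jane Doe",'
    '"subject":"Q3 planning"}',
    '{"type":"message","from":"jane.doe.ceo@gmail.com","from_name":"Jane Doe",'
    '"subject":"Urgent wire transfer needed today"}',
    '{"type":"message","from":"accounts@vendor-supplies.com","from_name":"Vendor Supplies AP",'
    '"reply_to":"accounts@vendor-supp1ies.com","subject":"Updated bank details for invoice 4471"}',
    '{"type":"inbox_rule","user":"bob@example.com","forward_to":"bob.archive@mail-example.net",'
    '"delete":true,"keywords":["invoice","payment"]}',
    '{"type":"inbox_rule","user":"ann@example.com","move_to":"Projects"}',
]

if __name__ == "__main__":
    for n, kind, found in scan(SAMPLE_LOG):
        print(f"line {n} ({kind}):")
        for f in found:
            print("   -", f)
```

Line 1 and line 5 are ordinary traffic and produce nothing. Line 2 trips the impersonation and pressure checks, line 3 the Reply-To mismatch (the swapped "1" for "l" in the reply domain is the lookalike trick from the spoofing section), and line 4 is the classic post-compromise rule: forward externally, delete locally, keyed on invoices. Real deployments tune the word lists and the directory lookup, but the rule-creation alert in particular is cheap and high-signal.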

6. Use Secure Email Gateways

Secure email gateways (SEGs) are an organization's first line of defense, scanning both incoming and outgoing mail for threats. SEGs work behind the scenes to filter email and block malicious content, such as phishing links and malware attachments, and can log traffic for monitoring, analysis and compliance. Because many BEC emails carry no link or attachment at all, only a plain-text request, an SEG should be paired with the verification procedures above rather than relied on alone.

Conclusion

Business email compromise can pose a threat to any organization, making protection and prevention of these phishing attacks a top priority for any business. Though no one is ever fully immune to these scams, companies that take a proactive approach to prevention can help ward off these attacks.

Some of the keys to stopping business email compromise include awareness and employee training, implementing email security measures and verifying all financial transactions. If your business is the target of a BEC attack, responding quickly and sticking to your incident response plan can help reduce the fallout. You should also notify your financial institutions immediately and report the incident online by visiting the FBI’s Internet Crime Complaint Center (IC3).
