Business Email Compromise (BEC)

BEC scams deceive people into believing they're interacting with a trusted sender—no malware or malicious links required.

What Is Business Email Compromise?


Business Email Compromise continues to deceive people into believing they are interacting with a trusted sender. Once that trust is gained, the cybercriminal can get funds transferred to their own accounts, obtain access to sensitive data, or carry out other malicious actions, often with great success.

BEC attacks are cunning and when combined with human error, are so successful the FBI labeled them “one of the most financially damaging online crimes.” Traditional email security practices of focusing on content and infrastructure analysis will not work because threat actors' tactics are constantly evolving within business and individual user environments, so it’s not enough to keep up with the latest malicious tactics—you need to stay one step ahead.

What Are the Stages of a BEC Attack?

Business Email Compromise comes in many forms. These are sham security alerts, last-minute payment requests, bogus past-due statements, fraudulent wiring instructions, and more. BEC and phishing scams continue to be the primary attack vectors into organizations—and according to the FBI's Internet Crime Complaint Center (IC3) report in 2023, nearly $3 billion in losses were a direct result of successful BEC scams.


STAGE 1: Preparation

Build Target List

Cybercriminals start by building a target list, often using business contact databases, mining LinkedIn profiles, and even scouring the target's website to identify key individuals and relationships.

How Fortra Defends Against Business Email Compromise

Monitors for Email Authenticity

Focusing on content and infrastructure analysis doesn’t work against BEC, since BEC messages carry no malicious payload and can be sent from reputable email services.

This is why Fortra's Cloud Email Protection platform carefully inspects each incoming email and spots the anomalous BEC behaviors, preventing attacks from reaching the inbox.


Automates Partner & Supplier Fraud Prevention

Cybercriminals often pose as a trusted supplier or partner to conduct invoice fraud, real estate scams, or other common attacks.

Fortra's Cloud Email Protection leverages a collection of machine learning models to evaluate relationships and behavioral patterns between individuals, brands, vendors, and domains using hundreds of characteristics to detect malicious emails.

Prevent BEC Attacks with Advanced Features

Advanced Email Authentication

Agari DMARC Protection enables administrators to prevent hackers from hijacking domains for email spoofing, executive impersonation, and spear phishing attacks. 

Without DMARC, anyone can send mail that appears to come from the organization's own domain, putting at risk years’ worth of hard work by its email administrators and SOC teams.

Real-Time Threat Detection

Fortra's Cloud Email Protection leverages advanced data science algorithms to analyze email header data and more in real time and detect anomalies that may indicate an attack.

These include machine learning models and neural networks to find and mitigate attacks that slip past traditional email defenses.

Automatic Incident Response

Fortra's Email Security solutions can automatically respond to attacks by quarantining suspicious emails, blocking malicious domains and IP addresses, and alerting administrators of the incident.

Collaboration and Intelligence

Fortra's platform detects threats and prevents the latest tactics, including display name deception, spoofing, and lookalike domains, by baiting cybercriminals into giving up unique insights to ensure that our customers are protected from future attacks.

The biggest benefit we got from deploying Fortra's solution was visibility. We got visibility into the attack space and into how inconsistent some of our enterprise controls were applied.

Bill Burns, Chief Trust Officer, Informatica

FAQs

BEC is a form of phishing that leverages social engineering methods to masquerade as executives or others to deceive people into believing they’re interacting with a trusted sender.

The primary goal of those cybercriminals using the BEC vector is to gain trust and manipulate the user into sending money to their accounts, gaining access to sensitive data, or performing other ill-intended actions. Unlike suspicious emails and malicious links, BEC attacks are more sophisticated, and therefore better at tricking recipients into believing the communication is from a trusted source or individual.

BEC targets can be Fortune 500 companies, charities, or even government. Here are two costly BEC examples:

  1. The finance director of Puerto Rico’s Industrial Development Company was tricked into transferring more than $2.6 million when he received an account impersonation email appearing to be from the Puerto Rico Employment Retirement System. The email stated that there had been an update to the payment methods. Fortunately, the funds were recovered with the help of the FBI. 
  2. Another example involves CEO fraud in which cybercriminals impersonated executives at food companies, convincing suppliers to ship thousands of dollars of powdered milk to the criminals. This prompted US federal agencies to warn organizations to take the proper precautions to “protect their brand and reputation.”

Organizations need to go beyond traditional email security measures to detect, block, and prevent email impersonations. You need a solution that can prevent threats from reaching employee inboxes by scoring every message flowing into and within the organization to defend against low-volume, highly targeted identity deception-based attacks, such as spear phishing. Fortra's Cloud Email Protection does this by:

  • Leveraging advanced data science, including ML models, neural networks, and more 
  • Using global inbox intelligence to collect and analyze intel on threats happening not only in your organization, but from a host of global enterprises comprised of millions of users
  • Proactively monitoring for lookalike domain registrations created with the intent to prey on user inboxes
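The checks listed above and in the "Collaboration and Intelligence" section (display name deception, spoofing of the organization's own domain, lookalike domains) can be illustrated at the header level. The following is an added example written for this page, not Fortra's code and not a description of how its platform works; the organization domain, executive list, partner domain and sample headers are all constructed.

```python
from email.utils import parseaddr
# Constructed reference data for this example (hypothetical organization).
ORG_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # display name -> real address
TRUSTED_DOMAINS = {ORG_DOMAIN, "acme-supplier.com"}   # own domain plus known partners
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

def normalize(domain):
    """Fold common character substitutions so 'supp1ier' compares equal to 'supplier'."""
    d = domain.lower()
    for fake, real in SUBSTITUTIONS:
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """True when the sender domain is untrusted but resembles a trusted one."""
    if not domain or domain in TRUSTED_DOMAINS:
        return False
    return any(edit_distance(normalize(domain), normalize(t)) <= 2 for t in TRUSTED_DOMAINS)

def bec_indicators(headers):
    """Return the BEC indicators found in a dict of message headers."""
    name, addr = (s.lower() for s in parseaddr(headers.get("From", "")))
    domain = addr.rsplit("@", 1)[-1]
    auth = headers.get("Authentication-Results", "").lower()
    findings = []
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        findings.append("display-name deception")         # right name, wrong mailbox
    if is_lookalike(domain):
        findings.append("lookalike domain")               # typosquat or homoglyph of a partner
    if domain == ORG_DOMAIN and "dmarc=pass" not in auth:
        findings.append("own domain without DMARC pass")  # spoof of the internal domain
    return findings
# Constructed sample messages (not real traffic).
SAMPLES = {
    "exec_freemail": {"From": "Jane Doe <jane.doe@gmail.com>"},
    "supplier_typosquat": {"From": "Accounts <billing@acme-supp1ier.com>"},
    "internal_spoof": {"From": "Jane Doe <jane.doe@example.com>"},
    "internal_ok": {"From": "Jane Doe <jane.doe@example.com>",
                    "Authentication-Results": "mx.example.com; dmarc=pass header.from=example.com"},
}
```

A production scoring engine would add many more signals (sender history, relationship graphs, content cues) and tune the edit-distance threshold, which at 2 will also flag some legitimate short domains.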

Yes. In today’s business environment, threat actors do not prioritize one type of business or industry over another; becoming a target of a cyberattack is a looming threat for enterprise-level organizations, small businesses, and consumers alike.

That is why email protection is a requisite for email communications within an organization's network: it inspects incoming emails for advanced threats, such as malicious links and phishing attempts, and monitors outbound email traffic. With cyberattacks more pervasive at every turn and business intersection, it’s imperative to protect your organization’s infrastructure, whether on-premises, cloud-based, or hybrid, from being infiltrated.

As revealed in the FBI’s 2023 IC3 report, there were $3B in total losses as a direct result of BEC, which is 50x the $60M in total losses from ransomware attacks for the same period. It also reported the median transaction amount of a BEC attack to be around $50,000.

And in Verizon's recently published 2024 Data Breach Investigations Report (DBIR), it was reported that over the past two years, incidents that ended in BEC accounted for approximately one-fourth of financially motivated attacks.

Organizations that ultimately fall victim to a BEC attack should immediately contact their financial institution to request a recall of funds, if it's not too late—and report the incident to the FBI's IC3 department.