What is Business Email Compromise?

Since 2014, businesses have lost over $50 billion to business email compromise (BEC) attacks. While phishing and ransomware get most of the attention, the FBI has called BEC one of the most financially damaging online crimes.

BEC is responsible for almost three-quarters of financial cybercrimes. Yet, it requires no hacking or special software – just the ability to fool the email recipient.

What is BEC, and what can you do to stop such attacks? Let’s take a closer look.

How BEC attacks work

A typical phishing or ransomware attack involves installing malicious software on a computer or stealing login and password details. BEC is much simpler. It doesn’t require clicking on dangerous links or using attack software. It just needs to fool the recipient.

  • A person receives an email with an invoice from a supplier they know.
  • It all looks legitimate, so they make the payment.
  • However, the invoice is fake, and the bank account details are different. They have actually sent the money to criminals.
  • On closer inspection of the email, they notice that the email’s address looks similar to the supplier’s but is actually different.

The above example is the most basic type of BEC attack. There are various types:

  • Domain spoofing: the attack described above, using a domain that looks almost like a trusted domain (called spoofing). For example, instead of vodacom.com, they might use v0dacom, vodacomm, or voda-com.
  • Spoofed display names: the email display name looks legitimate, such as a known person or company, but the actual email address is from somewhere else.
  • Email hijack: the criminals hijack someone’s legitimate account and use it to send out fake emails.
  • C-suite fraud: the attack impersonates a high-ranking executive like a CEO, COO, or CFO, tricking an employee into transferring money or sharing sensitive information. This attack can use official-looking emails, personal emails, or messaging services like WhatsApp or SMS.
  • HR/payroll attacks: criminals target people in HR or payroll to send confidential employee information or change banking details on payroll records.
  • Vendor Email Compromise: impersonating suppliers to extract fake payments or divert legitimate ones by changing bank details on authentic invoices.

All these attacks use social engineering, meaning they pretend to be someone in order to fool the recipient. Criminals study their target to identify vulnerable areas, such as personal information or business hierarchies, and then manipulate them. Increasingly, criminals are using AI to create victim profiles and write emails that look very authentic.

How to spot and stop BEC attacks

BEC mimics trusted sources and doesn’t need special software or dangerous web links, making it difficult for security software to spot these attacks. There are some technology safeguards you can use. But the best protection comes from people and processes.

Here are tips to detect BEC attacks:

  • Be suspicious of requests to change bank details or provide personal information, regardless of who is requesting it. Contact the supposed sender on a separate channel to confirm. For example, if a supplier sends an invoice that looks suspicious, call the supplier on the phone to verify.
  • Beware of urgent, threatening, or secretive wording such as “urgent”, “immediate”, “ASAP”, “important”, “required immediately”, or phrases like “Please don’t share”. Criminals create a sense of crisis or missed opportunities to encourage acting without properly considering the request.
  • Implement protection processes. If bank details change, require secondary approval of a payment. Keep verified numbers for important contacts, such as executives or vendors, on file. Require verifying PO numbers, invoice amounts, and banking details against system records.
  • Implement dual authorisations for payments, especially large ones.
  • Train staff, such as accountants, account managers, HR managers, and payroll administrators, to know about BEC attacks.
  • Activate multi-factor authentication (MFA) on email accounts and banking services.
  • Implement email-scanning software that looks for BEC patterns such as spoofed domains or AI-generated content, and use email security protocols.
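
As an added, defender-side example (not code from the original article), here is a small Python checker that applies the rules above to one message's From header and text: it normalises common character substitutions so lookalike domains such as the v0dacom, vodacomm and voda-com variants described under domain spoofing collide with the trusted domain, flags a known contact's display name appearing on an unexpected address (spoofed display names), and looks for the urgency wording and bank-detail-change requests listed in the tips. The trusted domains, contact directory and sample messages are constructed for the example.

```python
from email.utils import parseaddr
import re

# Constructed for this example: a vendor allowlist and a known-contact directory
# (hypothetical values; in practice these come from your ERP or address book).
TRUSTED_DOMAINS = {"vodacom.com", "example-bank.co.za"}
KNOWN_CONTACTS = {"Thandi Dlamini": "tdlamini@vodacom.com"}
URGENCY = ("urgent", "immediate", "asap", "required immediately", "please don't share")
# Substitutions attackers use to build lookalike labels (0 for o, rn for m, ...).
SWAPS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", ""))


def normalise(domain: str) -> str:
    """Reduce a domain's first label to a canonical form so lookalikes collide."""
    label = domain.lower().split(".")[0]
    for bad, good in SWAPS:
        label = label.replace(bad, good)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character additions such as 'vodacomm'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, subject: str, body: str) -> list:
    """Return the BEC warning signs found in one message (empty list if none)."""
    findings = []
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            # Threshold 1 is aggressive; tune it and allowlist short domains that collide.
            if levenshtein(normalise(domain), normalise(trusted)) <= 1:
                findings.append(f"lookalike domain: {domain} resembles {trusted}")
    expected = KNOWN_CONTACTS.get(name)
    if expected and addr.lower() != expected:
        findings.append(f"display name '{name}' used from {addr}, expected {expected}")
    text = f"{subject} {body}".lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        findings.append("urgency or secrecy wording: " + ", ".join(hits))
    if re.search(r"\b(new|updated|changed)\b.{0,40}\b(bank|account) details\b", text):
        findings.append("request to change bank details: verify on a separate channel")
    return findings
```

A non-empty result is a prompt for the human checks in the tips above (call the verified number, require secondary approval), not a verdict on its own.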
     

Above all, be vigilant. If anything seems odd or rushed, consider it a red flag. It’s better to annoy people by checking than to make an expensive mistake. A supplier pressuring you to pay now, an executive shouting at you in messages to make a transfer, an invoice with new banking details – these are moments to step back and make some checks.

Delayed payments are almost never catastrophic. Yet, sending thousands or millions to criminals? That’s a disaster. But with a little vigilance, you can stop BEC attacks.