Business Email Compromise

What are Business Email Compromise Attacks?

Business email compromise (BEC) can generally be defined as an attack that impersonates a trusted individual to trick an employee into making a financial transaction or sending sensitive information to an attacker. According to the FBI’s Internet Crime Complaint Center (IC3), BEC attacks have caused more than $43 billion in exposed financial losses since 2016, and $2.1 billion in direct losses in 2021 alone. As a category, business email compromise accounts for 35% of all cybercrime losses.

How Does a BEC Attack Work?

Unlike other types of cyber attacks, most BEC attacks don’t involve malicious attachments or links. Instead, the content of the typical attack is simply benign text, which makes these emails more effective at bypassing traditional email defenses.

Historically, BEC attacks have focused on the impersonation of internal employees, primarily company executives. While these attacks are always financially motivated, their ultimate goals vary and include the following:

  • Payment or Invoice Fraud: These attacks usually impersonate a company executive and request that an employee send a payment to a supposed external third party.
  • Payroll Diversion: These attacks generally target human resources employees and ask to change the direct deposit account for an employee to another account controlled by the attacker.
  • Gift Card Request: These attacks can target any employee at a company—campaigns sometimes target dozens of employees at a time—and request the purchase of gift cards, commonly under the pretext of employee rewards or customer gifts.
  • Aging Report Theft: These attacks typically impersonate a company executive and ask for an aging report, which contains outstanding payment and customer contact information. The attacker then uses the information in this report to email the company’s customers to request the outstanding balances be paid to alternate accounts.

More recently, a growing number of BEC attacks have impersonated external third parties rather than internal employees. The general term for this is financial supply chain compromise, which includes attacks such as the following:

  • Vendor Email Compromise: These attacks start with the compromise of the mailbox of a high-value target at a vendor or supplier. The attacker then uses intelligence from the compromised mailbox to target the vendor’s customers and divert funds from a legitimate business transaction.
  • Third-Party Reconnaissance Attack: These attacks typically depend on an attacker conducting open source research to identify relationships between vendors and customers. After collecting this information, the attacker will send an email to an organization, impersonating a vendor and inquiring about a potential outstanding payment or requesting that a vendor’s payment account details be updated.
  • Blind Third-Party Impersonation Attack: In these attacks, an attacker has no knowledge about vendor-customer relationships or legitimate financial transactions, relying on pure social engineering tactics to solicit fraudulent payments. Once they have gathered the necessary information through that correspondence, they use it to request unpaid invoices or update billing details, similar to other types of vendor fraud.

Why Do BEC Attacks Bypass Traditional Email Defenses?

Unlike many other types of cyber attacks, BEC attacks do not contain malicious links or attachments in the emails, and often use a trusted domain like Gmail alongside display name deception techniques to add legitimacy. Most BEC attacks are purely text-based, relying on simple back-and-forth communication to be successful.

Even when a BEC attack includes an attachment or link, it will generally be a benign artifact that is used to add legitimacy to the attack—such as a link to the impersonated company website in the signature. This simplicity is what allows these attacks to bypass traditional email security solutions like secure email gateways that are trained to block malicious payloads and links.

How Can Modern Email Security Solutions Detect BEC?

To identify BEC attacks, email security solutions must look beyond traditional indicators of compromise to analyze language, intent, and context. A behavioral approach that accounts for these subtle anomalies is necessary, asking questions such as:

  • What types of email requests do employees commonly send and receive?
  • Who does this employee normally communicate with?
  • Which department does the employee belong to?
  • Where and when does this employee typically send emails?
  • What is the tone of this message? Is it making an unusual request?

When an employee receives an email requesting invoice payment, for example, advanced email security can properly assess the context. Does this email come from a trusted partner? Is it being sent to the right people within the recipient organization? Is the request on a normal payment schedule? Does the invoice contain any new account information? Any deviation from established email patterns should raise suspicion.

Further, since many BEC attacks are sent from a compromised account in a company’s supply chain, monitoring external vendors is crucial. An email security solution that can equally assess and remediate external partners and internal accounts for potential compromises is necessary to effectively detect and prevent BEC.
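As an added illustration of the detection approach described in the last three sections (display name deception from a free-mail domain, behavioral context such as who a recipient usually corresponds with, and intent signals such as a request to change payment details), the following Python script scores constructed sample messages against a small baseline. It is example code written for this page, not the product of any vendor the page describes; the directory, correspondent baseline, sample messages, scoring weights and thresholds are all constructed assumptions, and a real deployment would derive the baseline from observed mail flow rather than hard-coding it.

```python
"""Behavioral BEC scoring over constructed sample messages (added example)."""
import re
from dataclasses import dataclass, field

# Constructed internal directory: lower-cased display name -> real address.
DIRECTORY = {
    "jane doe": "jane.doe@example.com",  # CEO (constructed)
    "sam lee": "sam.lee@example.com",    # CFO (constructed)
}
# Constructed baseline: recipient -> addresses it normally exchanges mail with.
KNOWN_CORRESPONDENTS = {
    "ap@example.com": {"sam.lee@example.com", "billing@vendor.example"},
}
# Free-mail providers commonly used for executive impersonation (assumed list).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com"}

# Intent patterns mirroring the request types the page lists. Each pattern uses
# lookaheads so word order in the message does not matter. (regex, label, weight)
REQUEST_PATTERNS = [
    (r"(?=.*\b(wire|payment|invoice)\b)(?=.*\b(urgent|asap|today)\b)", "urgent payment request", 2),
    (r"(?=.*\b(direct deposit|bank|account)\b)(?=.*\b(change|update|new)\b)", "change of payment details", 3),
    (r"\bgift cards?\b", "gift card request", 2),
    (r"\baging report\b", "aging report request", 2),
]


@dataclass
class Email:
    display_name: str
    from_addr: str
    to_addr: str
    subject: str
    body: str


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)


def score_email(mail: Email) -> Verdict:
    """Accumulate a risk score from identity, context and intent signals."""
    v = Verdict()
    name = mail.display_name.strip().lower()
    sender = mail.from_addr.lower()
    domain = sender.rsplit("@", 1)[-1]

    # Identity: display name matches a known executive but the address does not.
    if name in DIRECTORY and sender != DIRECTORY[name]:
        v.score += 3
        v.reasons.append(f"display name '{mail.display_name}' does not match directory address")
        if domain in FREEMAIL_DOMAINS:
            v.score += 2
            v.reasons.append(f"sent from free-mail domain {domain}")

    # Context: is this sender one the recipient normally hears from?
    if sender not in KNOWN_CORRESPONDENTS.get(mail.to_addr.lower(), set()):
        v.score += 1
        v.reasons.append("sender not among recipient's usual correspondents")

    # Intent: does the text make a request typical of BEC?
    text = f"{mail.subject} {mail.body}".lower()
    for pattern, label, weight in REQUEST_PATTERNS:
        if re.search(pattern, text, re.DOTALL):
            v.score += weight
            v.reasons.append(label)
    return v


def classify(mail: Email, review_at: int = 3, block_at: int = 5) -> str:
    """Map a score to an action; thresholds are constructed for this example."""
    score = score_email(mail).score
    if score >= block_at:
        return "block"
    if score >= review_at:
        return "review"
    return "allow"


# Constructed sample messages.
SAMPLE_BEC = Email("Jane Doe", "jane.doe.ceo@gmail.com", "ap@example.com", "Quick favor",
                   "Are you at your desk? I need a wire sent today to a new vendor. Keep this between us.")
SAMPLE_BENIGN = Email("Sam Lee", "sam.lee@example.com", "ap@example.com", "Q3 invoice batch",
                      "Please process the attached invoices on the normal schedule.")
# A known vendor asking to change bank details: not blocked outright, but
# routed for review, matching the page's point about monitoring suppliers.
SAMPLE_VENDOR = Email("Vendor Billing", "billing@vendor.example", "ap@example.com",
                      "Updated remittance details",
                      "Please update our bank account on file before paying invoice 1042.")

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_BENIGN, SAMPLE_VENDOR):
        verdict = score_email(sample)
        print(f"{classify(sample):6} score={verdict.score} reasons={verdict.reasons}")
```

The executive-impersonation sample scores on all three dimensions (identity, context, intent) and is blocked; the benign CFO message scores nothing; the vendor message from a known correspondent is held for review solely because it asks for a change of payment details, which is the kind of supply-chain signal a purely payload-based gateway would never see.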