What is Business Email Compromise (BEC)?

Think of Business Email Compromise (BEC) as the supervillain of spear phishing. In this con, a scammer impersonates someone with authority or power (e.g., a CEO, Director of Finance, vendor representative, company attorney, etc.) and uses social engineering to convince a subordinate to transfer money or share private credentials. Because the scammer often impersonates the company CEO, this type of scam is sometimes referred to as CEO Fraud or Man-In-The-Middle compromise.

BEC has been around for years, but has recently seen exponential growth. According to Symantec, “from January to March 2018, the average daily BEC email volume was 85,816, while from January to March 2019, the average daily volume was 128,700—a 50% increase.” (1) Since BEC scams mainly rely on quiet lurking and individual messages, without telltale phishing indicators like links and attachments, they often sail past email filters and reach employee inboxes easily. Thus, an organization’s only protection is an employee’s attention to detail and confidence in calling out a scam.

Examples of BEC

BEC scams most often follow one of five main attack scenarios. All of them are designed to trick mid- or lower-level employees into thinking they are helping someone of authority. The five most common BEC scams are:

Business Exec/CEO Fraud: This is the most recognized form of BEC, where the thief impersonates an organization’s CEO or CFO and directs the victim to wire funds to a fraudulent bank account. Back stories vary but the email almost always creates an urgent reason for the payment and may say the CEO has limited availability to take care of it. It is usually carried out either by spoofing the CEO’s email address or by hacking into and using the CEO’s email account.

Data and W2 Theft: The thief impersonates a CEO, HR leader or accountant and requests copies of employee W2s or other sensitive employee data. These scams have successfully obtained W2s and redirected direct deposit funds to fraudulent accounts.

Supply Chain/Supplier Swindle: The thief impersonates a trusted vendor and requests that the accounting department change their account number for payment wires or redirect funds for a pending business deal. Another possibility is a thief impersonating a company representative and sending out real or bogus invoices to trusted vendors, requesting payment to a fraudulent account.

Law Firms/Attorney Impersonation: The thief impersonates an attorney and directs a law firm client to transfer funds for bill payment to a fraudulent account. Another possibility is when a thief impersonates a law firm client and requests an account change for the deposit of a litigation reward. Most recently, large crime syndicates have successfully used this scam to claim substantial payments towards fraudulent mergers and acquisitions – which, by their nature, often require secrecy until publicly announced.

Real Estate: The thief impersonates an attorney, mortgage broker, bank representative or someone else who is authorized to collect payment and directs the purchaser to wire a down payment or other funds to a fraudulent account.

How BEC Scams Work

The stories concocted by scammers run the gamut, as they are crafted specifically to convince the intended victims. However, they all rely on a few general stages and similar tactics.

1. Basic Phishing 

Many business email compromise scams begin with a mass phishing email. Hackers may target a particular company or they may just wait and see who falls for the scam. Either way, the goal is to gain access to internal communications, usually by inserting malware into a corporate network or capturing login credentials and infiltrating someone’s account.

2. Spear Phishing

At some point, the hacker will begin to interact directly with the organization’s employees. These interactions are well-researched and carefully crafted, incorporating many details that have been gathered from public sources or unauthorized monitoring. This targeted, or spear, phishing is at the heart of the BEC scam.

In the past, these messages often discouraged any back and forth conversation, but that is changing. Hackers will now encourage lengthier interactions, designed to build rapport and credibility.

3. Email Spoofing or Compromise

The two most common means of impersonating a VIP are:

  1. Spoofing the VIP’s email address

  2. Hijacking a VIP’s email account

Email spoofing is when the thief falsifies the header information in a message to make it appear that the message was sent by a legitimate source. In an email, it is fairly easy to falsify the To, From and Reply To fields in most email systems. Caller ID phone numbers and text message sender names and numbers can also be spoofed if the message comes via phone or text message. Spoofing allows a thief to increase the credibility of their spear phishing messages.

In Email Account Compromise, or EAC, the thief has the victim’s account credentials and hijacks the account to send messages directly from the compromised account.  Thieves can cover their tracks very effectively by deleting messages from the Sent Mail folder, implementing a message forwarding system and monitoring the account carefully.

4. Social Engineering

All BEC scams rely on psychological manipulation. They exploit the respect for authority and power that is part of human society. Scam messages often include a sense of urgency or emotional appeals. Impersonating someone with such authority guarantees a subordinate will pay attention and rush to do their boss’s bidding.

Planning the attack, the hacker often knows names, positions, usual reporting lines, and business responsibilities. The research component of the scam is critical to learning details that boost their credibility and make the attack believable. Sometimes attackers come across details that allow them to take advantage of a unique situation, like finding out someone has resigned or is being terminated, or is leaving on a longer vacation. Acting specifically on this information or situation can give the attacker an advantage, allowing more time to conduct a scam with a limited likelihood of being found out.

5. High Value Targets

In years past, CEO Fraud mainly targeted large businesses by impersonating company executives. However, that is changing. There are now many stories of small businesses, non-profits, governments, schools, churches and individuals who have been conned out of millions of dollars.

In any organization, some employees are at higher risk of being targeted due to their various responsibilities and common tasks. Techniques used to exploit them also vary depending on the use they may provide to the hacker. The table below outlines the departments and employees who should always be on guard.

Departments and risks:

Finance: Payment authority is a critical consideration when a scammer chooses a victim. These employees are the most likely to receive BEC scam messages. Think about who in your organization is authorized for accounts payable or accounts receivable. Scammers especially like to use international vendors as cover, so consider your payment processes around these types of invoices.

Likely roles to impersonate: 

  • CFO
  • Trusted vendor/supplier
  • Accounts payable

Likely attack targets:

  • Accounts payable
  • Accounts receivable
  • Anyone who can make or approve wire transfers
  • Temporary workers in the department
  • Analysts or forecasters who provide input for decision-making

Human Resources: If a scammer wants sensitive employee information like bank account or social security numbers, HR employees are a likely target. Those who handle recruiting, on-boarding or benefits all regularly open files from strangers and have access to employee personal information, both high-value considerations for a thief.

Likely roles to impersonate: 

  • CHRO
  • Director of HR

Likely attack targets:

  • HR employees in recruiting, onboarding, benefits management

Executives: C-suite executives bring the most risk when falling for a BEC scam. They are considered high-value targets because they have ultimate authority over most transactions, as well as insider information on the company and its business plans.

Capturing their credentials gives hackers the keys to all corners of an organization. CEOs and Managing Directors/Directors are the most impersonated employees because they are the least likely to be questioned about a request that is unusual or falls outside the normal chain of command.

Likely roles to impersonate: 

  • All executives – c-suite, managing directors, directors, board members

Likely attack targets:

  • Employees who are 2 to 3 levels below the Executive level are the most harvested targets for BEC scams.
  • Executives are sometimes targeted for closely held information or approval of fraudulent requests.

Administrative Assistants: AAs for executives often have access to sensitive company data, their boss’ personal schedule, and access to personal and professional accounts. Eavesdropping software installed on an AA’s system is often as good as having access to an executive’s direct account.

Likely roles to impersonate: 

  • All executives – c-suite, managing directors, directors, board members

Likely attack targets:

  • Executive assistants
  • Interns
  • Temporary workers in the department

IT: As the managers of authentication controls and company data systems, IT staff are also popular phishing targets. Their stolen credentials can be used to infiltrate networks and spy on organizations. In addition, they have the ability to change access credentials, and thus are a perfect target to trick into providing new user access to locked down systems.

Likely roles to impersonate: 

  • IT personnel who set up, change or trouble-shoot login information for end users
  • Network Administrators
  • System Administrators
  • Help desk employees

Likely attack targets:

  • Users with a high number of internal help desk tickets
  • New employees with less than 3 months with the organization who are not yet comfortable with the use of all company systems
  • Executive level employees who may not be as “tech savvy” and require support
  • IT personnel who set up, change or trouble-shoot login information for end users

Everyone Else: Since password reuse is so common, gaining access to any one employee’s login credentials can effectively open the doors to an organization. Once inside, the employee’s level of authority often no longer matters. Hackers are skilled at infiltrating systems and changing authority restrictions to give themselves access to whatever systems they want. Any type of phishing email is a potential way in and any employee who doesn’t remain on guard is a risk.

Likely roles to impersonate: 

  • Contractors
  • Trusted vendors
  • Anyone who is senior to someone with access to information that an attacker might find useful in building a scam

Likely attack targets:

  • Contractors
  • Trusted vendors
  • Operations staff, such as maintenance or janitorial staff, who have open physical access to secured areas of the company
  • Anyone who is not technically savvy or ignores company cybersecurity policies
  • Those who use an insecure personal device for company business
  • Anyone with access to information that an attacker might find useful in building a scam


Most Used Subject Lines

One focus of research on BEC scams is subject headings. Multiple studies have determined that many messages reuse the same top keywords. The most popular can be divided into groups related to:

  1. Urgency (Urgent, Important, Attention, Attn, Important, Important Update)

  2. Payments (Transaction Request, Purchase, Payment, Payment status, Invoice Due, Direct Deposit, Payroll, Expenses, Outstanding Payment, Transaction, Notification of Payment Received)

  3. Building Rapport  (Are you available/at your desk?, Hello, Available?)

  4. Normal Business Procedure (Request, Follow up, Re:, Info, Quick Task) (1)(2)(3)(4)

The most recent report by the Agari Cyberintelligence Division also indicates that subject line personalization is growing. In the past, most messages have used generic subject lines that do not arouse suspicion. However, in the first half of 2019, about 20% of BEC messages have included the target’s name. This demonstrates the high level of surveillance – and likely use of commercial data warehouses – to gather information for BEC scams run by the most sophisticated criminal organizations.
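The header-spoofing tactics from the "Email Spoofing or Compromise" section (falsified From and Reply-To fields) and the subject-line keyword groups above can be turned into a simple inbound-mail check. The following is an added example, not code from the original article or from Global Learning Systems; the organization domain, the protected executive name, and the two sample messages are constructed for illustration.

```python
"""Flag BEC indicators in a raw email: VIP display name on an external address,
Reply-To domain that differs from From, and the article's subject keyword groups."""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"          # assumed: the organization's own mail domain
VIP_NAMES = {"jane doe"}            # constructed: display names of protected executives
URGENCY = ("urgent", "important", "attention", "attn")
PAYMENT = ("payment", "invoice", "direct deposit", "payroll", "wire", "transaction")
RAPPORT = ("are you available", "at your desk", "available?")

def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_message(raw: str) -> dict:
    """Return the triggered indicator names and their count for one message."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "").lower()
    hits = []
    # A protected executive's display name arriving from outside the company domain
    if name.strip().lower() in VIP_NAMES and domain_of(from_addr) != ORG_DOMAIN:
        hits.append("vip-display-name-external-domain")
    # Replies would go to a different domain than the visible sender
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        hits.append("reply-to-domain-mismatch")
    # Subject keyword groups: urgency, payments, rapport-building
    for label, words in (("urgency", URGENCY), ("payment", PAYMENT), ("rapport", RAPPORT)):
        if any(w in subject for w in words):
            hits.append(f"subject-{label}")
    return {"indicators": hits, "score": len(hits)}

# Constructed sample: spoofed CEO display name, free-mail sender, mismatched Reply-To
SPOOFED = (
    "From: Jane Doe <jane.doe.ceo@freemail.example>\n"
    "Reply-To: jane.doe.ceo@freemail-alt.example\n"
    "To: ap@example.com\n"
    "Subject: Urgent wire transfer - are you at your desk?\n"
    "\nNeed this handled today, I'm in meetings all day.\n"
)
# Constructed sample: ordinary internal message from the real executive
BENIGN = (
    "From: Jane Doe <jane.doe@example.com>\n"
    "To: ap@example.com\n"
    "Subject: Q3 board deck draft\n"
    "\nAttached for review.\n"
)

if __name__ == "__main__":
    for raw in (SPOOFED, BENIGN):
        print(score_message(raw))
```

A real deployment would read the authenticated sender from SPF/DKIM/DMARC results rather than trusting the From header alone; this check only illustrates the indicators the article names.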

How to Prevent BEC Scams

Organizations must consider BEC scams as a part of doing business, just like any other business problem. Business email compromise most often targets small and medium businesses (SMB) because they are less likely to have the secure policies and multiple screenings required to catch these types of scams. Best practices to improve your organization’s human firewall include:

  1. Know your end-users.

    • Every employee is now a potential target for social engineering, even if they don’t use email.

    • When considering who might be a target, consider their access and what it protects.

    • Enforce the Principle of Least Privilege (PoLP), only giving access when it is absolutely necessary for a person to complete their job.

    • Recognize that insider impersonation is also a risk. Screen insider actions as well as those outside your firewall.

  2. Implement secure internal workflow policies.

    • Require review/approval from at least 2 people for large monetary transfers.

    • Confirm requests for sensitive information or unusual requests with at least 2 channels (email, phone, in-person).

  3. Use technology to your advantage.

    • Require 2 Factor Authentication (2FA) on all systems that hold sensitive information.

    • Require the use of a Virtual Private Network (VPN) when accessing company systems from off-site locations.

    • Install strong anti-virus software.

    • Forward and retype the recipient’s email address rather than using Reply.

  4. Regularly train and update your staff on the current risks and emerging trends.

    • Call out risks specific to each type of job – because scams have evolved to target very specific roles.

    • Explain specific tactics from the most recent and successful scams because many seem inconceivable without evidence.

    • Emphasize researching and verifying the legitimacy of every request, notification, offer, person and message – online and in person.

    • Build a culture where questioning is the norm and confirming a request is a sign of taking responsibility, not insubordination.

Sometimes all it takes is one message to complete the scam. But for the most sophisticated scams, a perpetrator watches for weeks or months, using access to someone’s email account to surreptitiously gather reams of data and details, profiling the organization, narrowing down the potential targets and possibly even building relationships that appear legitimate. The risk and cost of this type of attack is something no organization can afford to ignore.

What Can You Do?

Learn more about organizational security and how GLS’s Anti-Phishing Simulation Tool can help.

Employee awareness is critical to stop spear phishing. As part of our Human Firewall 2.0 security awareness program, Global Learning Systems offers a wide array of courses that help employees recognize spear phishing tactics:

Avoiding Spear Phishing Threats – Module

Social Engineering in Social Networks – Video

Advanced Phishing/Ransomware Block

References:

1 Symantec Security Response Team. (2019, July 23). BEC Scams Remain a Billion-Dollar Enterprise, Targeting 6K Businesses Monthly. Symantec Blog. Retrieved from https://www.symantec.com/blogs/threat-intelligence/bec-scams-trends-and-themes-2019

2 Agari Cyberintelligence Division. (2019, Q2). Email Fraud and Identity Deception Trends. Retrieved from https://www.agari.com/email-fraud/ebooks/q2-2019-report.pdf

3 Clement, J. (2019, March 20). Leading BEC email keywords worldwide in 2018. Retrieved from https://www.statista.com/statistics/983167/top-bec-email-keywords-used-worldwide/

4 Barracuda Networks. (2019, March). Spear Phishing: Top Threats and Trends. Retrieved from https://www.barracuda.com/spear-phishing-report
