BEC (business email compromise) scams are a type of phishing attack in which fraudsters trick people into handing over money or corporate data.
Unlike most phishing attacks, they are highly targeted. The scammer will take the time to compromise or replicate the email address of an organisation’s CEO or another high-level executive, and then email an employee with their request.
For example, if the attack was designed to steal money, the fraudster would email the chief financial officer or whoever else is responsible for financial transactions.
Meanwhile, if they were targeting sensitive data, they might contact the organisation’s head of HR.
Because BEC scams are so highly targeted, they tend to have a higher success rate than traditional phishing. According to GreatHorn’s 2021 Business Email Compromise Report, 35% of organisations said that BEC accounted for half of all security incidents they suffered.
Moreover, BEC scams are among the costliest types of scam. The Anti-Phishing Working Group, a non-profit that analyses phishing activity trends, found that the average wire transfer request in BEC scams was $106,000 (about £77,000) last year.
A single breach could therefore be hugely damaging for organisations, but these are not rare occurrences. You will almost certainly be targeted regularly, and as such, you need to know how to identify and protect against bogus emails.
How does BEC work?
A BEC scam begins with the attacker identifying a target – whether that’s a specific individual or an organisation – with the aim of compromising the email account of a high-level target.
If they don’t yet have a particular target in mind, the attacker will look at publicly available information about the company until they find someone appropriate. This could mean browsing the organisation’s website, press releases or even their social media.
The goal is to identify the names and job titles of certain employees so that they can create a link between the person whose account they will attempt to compromise and the person who they will target with a bogus email.
Next, the attacker will try to gain access to the executive’s account, which they can do in one of two ways. The most common method is to capture their login details in a traditional phishing scam.
For example, they might send a bogus email claiming to be from Microsoft asking the recipient to log in to view an attachment.
The benefit of this technique from the scammer’s perspective is that it will give them access to the executive’s inbox. As such, they can read past messages and make their bogus email look more authentic.
It also enables them to use inbox rules to change the reply-to address, so that the executive won’t be alerted when the scam is conducted.
The other way to carry out the scam is to replicate the executive’s email address. With this technique, the attacker creates a new email account that looks similar to the executive’s.
They could either send their request using this address (as in a typical phishing attack), or conduct a spoofing attack, in which the attacker manipulates the way the email is delivered to make it appear as though it has come from the legitimate account.
What do BEC scams look like?
It can be hard to spot a BEC scam, because attackers go to great lengths to cover their tracks. Unlike traditional phishing, you won’t be able to rely on your ability to spot spelling and grammatical errors – and you may not even be able to spot a bogus email domain.
However, the context of the message can often be a major giveaway. Whether the attacker is targeting money or sensitive information, they will ask you to do something in an unusual manner.
The email will clearly state what that is, such as in this example:
BEC scams often use the pretext that the executive is in a meeting or otherwise indisposed, which is why they are emailing you rather than calling.
Next, they will ask you to provide something urgently. Depending on the scam, this might be sensitive data or money – whether it’s an invoice, a wire transfer or an advance fee request.
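As an added example that is not part of the original article, the following Python screen flags the warning signs described above: an executive's display name arriving from a lookalike domain, a Reply-To pointing somewhere else, the "in a meeting" pretext and an urgent money request. The executive roster, the two sample messages and the keyword lists are constructed assumptions for illustration.

```python
import re
from email import message_from_string, policy
# Constructed samples (not from the article): a lookalike-domain BEC email with a
# mismatched Reply-To and the "in a meeting" pretext, then a benign message for comparison.
SCAM = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <jane.doe.ceo@webmail.example>
To: cfo@example-corp.com
Subject: Urgent wire transfer

I'm in a meeting and can't take calls. Please process a wire transfer
of $48,000 to the new vendor today and keep this confidential.
"""
BENIGN = """From: Jane Doe <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Board deck

Attached is the draft deck for Thursday. No rush.
"""
# Hypothetical executive roster: display name -> the domain they really send from.
EXECUTIVES = {"jane doe": "example-corp.com"}
PRETEXT = re.compile(r"\b(in a meeting|can'?t take calls|unavailable|indisposed)\b", re.I)
URGENCY = re.compile(r"\b(urgent(ly)?|today|immediately|confidential)\b", re.I)
REQUEST = re.compile(r"\b(wire transfer|invoice|payment|payroll|gift cards?)\b", re.I)

def name_and_domain(msg, field):
    # Lower-cased display name and domain of the first address in a header.
    hdr = msg[field]
    if hdr is None or not hdr.addresses:
        return "", ""
    return hdr.addresses[0].display_name.lower(), hdr.addresses[0].domain.lower()

def bec_indicators(raw):
    # Return the BEC warning signs found in one raw RFC 5322 message.
    msg = message_from_string(raw, policy=policy.default)
    name, domain = name_and_domain(msg, "From")
    _, reply_domain = name_and_domain(msg, "Reply-To")
    hits = []
    # An executive's display name arriving from a domain that is not ours
    for exec_name, exec_domain in EXECUTIVES.items():
        if exec_name in name and domain != exec_domain:
            hits.append("display-name impersonation from " + domain)
    # Replies silently redirected away from the apparent sender
    if reply_domain and reply_domain != domain:
        hits.append("reply-to domain differs from sender domain")
    text = str(msg.get("Subject", "")) + "\n" + msg.get_body(("plain",)).get_content()
    if PRETEXT.search(text):
        hits.append("unavailable-to-call pretext")
    if URGENCY.search(text) and REQUEST.search(text):
        hits.append("urgent money or data request")
    return hits
```

A mail gateway or SIEM rule would raise a review ticket when two or more indicators fire together; a single keyword on its own is too noisy to act on.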
How to protect against business email compromise
Because BEC scams rarely contain malicious documents or links to blacklisted URLs, you cannot rely on spam filters to protect you.
Rather than targeting technical weaknesses, attackers exploit human weaknesses – whether that’s employees who are distracted, easily fooled or scared to question a request from their boss.
To prevent BEC scams, you therefore need to educate employees on their vulnerabilities and help them spot the signs of scam emails.
You can help them get started with our Phishing Staff Awareness Training Programme.
This online training course explains everything you need to know about scam emails, from the way attackers instigate their attacks to the steps you can take to defend yourself.
It uses examples like the one listed above to show how phishing works in real life, and the content is updated each month to help you understand the latest trends.