
What is Business Email Compromise (BEC)? The Rising Costs of BEC Attacks

Hackers love to trick employees into wiring them money using emails that look legitimate. Here's what you need to know about business email compromise scams.

Explainer

Business email compromise (BEC) is a type of spear phishing attack that aims to persuade victims into performing malicious actions, such as sending money or sensitive information, by impersonating legitimate business partners, vendors, and employee email accounts.

Business email compromise attacks have existed since the early days of email and continue to grow in frequency, complexity, and severity. BEC remains one of the most dangerous types of cyberattack, second only to investment fraud in terms of direct financial losses.

But what exactly is business email compromise, and how does BEC differ from other types of phishing attacks or email scams?

In this blog post, we’ll define BEC, explain how BEC attacks work, and discuss what organizations can do to protect themselves from this growing threat.

What is a BEC attack?

Business email compromise is a form of social engineering attack that uses psychological tactics, such as authority, urgency, or reciprocity, to manipulate recipients into complying with requests.

BEC attacks can use many techniques to compromise or spoof email accounts, allowing attackers to request money, information, and even gift cards from victims. These requests are often urgent, confidential, or time-sensitive to persuade recipients to act quickly without verifying the authenticity of the sender or transaction.

You can classify BEC attacks into different types based on the email account used, request made, and targeted victim. Some common categories of BEC attacks include:

  • CEO fraud: The attacker impersonates the CEO or a high-ranking executive and requests a large or unusual fund transfer to a fraudulent bank account
  • Vendor fraud: The attacker impersonates a trusted vendor or supplier and requests that the payment details or invoice be changed to send to a new bank account
  • Employee fraud: The attacker impersonates an employee and requests a payroll change, reimbursement, or personal loan from the HR or finance department
  • Data theft: The attacker requests sensitive data and information, such as tax records, bank statements, or employee credentials, from the organization or its contacts

[Read also: What is data loss prevention? And why you need it]

BEC vs. email account compromise (EAC)

However, not all types of email scams involve lookalike domains or spoofing to impersonate someone.

With email account compromise attacks, the email used is 100% legitimate because it’s a hacked account. For an EAC attack, the attacker gains unauthorized access and takes over a legitimate email account to perpetrate whatever actions or motives they may have.

EAC is often thought of as a more general and opportunistic type of attack compared to BEC, as the goals of an EAC attack can vary. However, unlike EAC, all BEC attacks involve persuading and manipulating victims to perform actions that benefit the attackers.

Think of it this way: BEC attacks are a type of EAC attack, but not all EAC attacks are BEC scams. EAC attacks can steal data or financial information, send spam or malware, or use compromised accounts to launch further attacks on other accounts or networks. While these actions are malicious, they are not considered BEC attacks because the attacker does not seek to convince email recipients to perform harmful requests. However, suppose an attacker gains unauthorized access to an email account and uses it to send fake invoices or to request email recipients perform malicious actions. In that case, the attacker is conducting both an EAC and BEC attack.

EAC attacks can also enable BEC attacks by allowing attackers to monitor email activity on the compromised account, gather more intel about contacts and transactions, and otherwise improve their ability to send more believable BEC emails.

How business email compromise works + real-world examples

BEC attacks are not random or opportunistic. They are carefully planned and executed by sophisticated cybercriminals who conduct extensive research to successfully impersonate their targets, including studying social media, company websites, and press releases to gather details about the organization, its employees, business partners, and financial transactions.

They then use this information to craft convincing and personalized emails that match a legitimate sender’s tone, style, and format. They also study business and employee activities to inject themselves into conversations at critical moments. For example, if they learn about a merger, they might use that knowledge to represent themselves as part of the deal and convince people to send them money.

BEC attackers typically target users with access to financial accounts or sensitive information, such as CFOs, finance departments, and human resources. However, they may also target users who are new to the organization, unfamiliar with internal policies and procedures, or in high-stress roles.

While some may think only well-known, global enterprises need to worry about BEC scams, businesses of all sizes and across all industries may find themselves the target of a business email compromise attack, including:

Healthcare

The healthcare industry is also especially susceptible to this type of attack because it involves a widespread, diverse network of people and organizations, such as hospitals, clinics, pharmacies, laboratories, insurance companies, and government agencies. Attackers may impersonate doctors, nurses, administrators, or other healthcare professionals to send fraudulent emails to ask for money transfers for medical bills, patient payments, equipment purchases, or donations. They may also ask for sensitive information, such as personal or financial data, health records, or test results. Victims may not question the authenticity of the emails because they trust the sender and want to help or comply with the request. Additionally, since the healthcare industry is often under pressure and understaffed, this can make it harder for employees to detect and prevent BEC attacks.

BEC scams in healthcare example

In 2022, the U.S. Department of Justice announced charges against ten defendants in connection with multiple business email compromise, money laundering, and wire fraud schemes targeting Medicare, state Medicaid programs, private health insurers, and numerous other victims, which resulted in more than $11.1 million in total losses. These attacks involved using spoofed email addresses resembling those associated with actual hospitals, bank account takeovers, and similar fraudulent methods to deceive victims into believing they were making legitimate payments intended for hospitals to provide medical services. Instead, the attackers diverted money from victims’ bank accounts into accounts they controlled.

Legal

The legal industry is particularly vulnerable to this type of attack because it often involves high-value transactions, time-sensitive cases, and confidential and privileged information that attackers can easily research using online sources, including the names and contact details of lawyers and clients, as well as the specifics of the legal matters they’re involved in. BEC attackers may pretend to be lawyers or law firms and send fraudulent emails to clients or other parties involved in legal issues. The attackers usually leverage the trust and authority lawyers have with their clients and exploit their need for urgent and confidential communication to request money transfers for settlements, fees, or taxes. In addition to financial losses, attorney impersonation can have severe consequences for both the lawyers and clients, such as reputational damages, legal liabilities, or ethical violations.

Legal BEC scam example

Holland & Knight, a law firm representing an education company in a $130 million acquisition deal, received emails from hackers using breached email accounts for two of the company’s major shareholders. The hackers asked the law firm to change the payment account for their shares to a different bank and provided fake documents and information to support their request. The law firm didn’t verify the emails or the documents and wired $3.1 million. While the hackers used a legitimate email address and the names of the shareholders, they also created a sense of urgency and necessity to persuade the law firm to comply — a calling card of BEC attacks.

Ransomware attacks generate more headlines and are behind a higher share of incident response cases, but BEC incidents are nevertheless effective and much easier to execute — making them more of an everyday threat to organizations large and small.

Arctic Wolf, 2024 Threat Report

Manufacturing

Businesses in the manufacturing sector are also prone to this type of attack since manufacturing typically involves large and frequent payments, multiple partners, and complex operations. Attackers may send emails to ask for payments for goods or services and change bank details, payment methods, or shipping information by impersonating suppliers, vendors, contractors, or customers. The attackers may also use pressure, urgency, or threats to convince the businesses to comply and provide fake or altered invoices, purchase orders, contracts, or receipts to support their requests. Since recipients trust the sender and want to maintain their business relationship, they may not check the validity or accuracy of the emails or documents.

BEC attack example against a manufacturing company

In April 2022, a manufacturing company received an email requesting a change of payment information from someone it believed worked at a business partner. The email came from what appeared to be the business partner’s legitimate email address and explained that it could not accept payment into its regular account due to a “fiscal year update” and, instead, asked the manufacturing company to wire $2,462,000 into a different, fraudulent account. Upon realizing that the business partner employee’s email account was fake, the manufacturing company reported the fraud and successfully froze its bank account, preventing the funds from being sent to the attacker. The United States Secret Service also successfully tracked down and apprehended the attacker using the fraudulent bank account information.

Philanthropy

The philanthropic sector is another prime target for BEC scams since it involves generous and compassionate people who may not know the risks or signs of BEC email fraud. Attackers may pose as representatives of legitimate or fake charities, foundations, or non-governmental organizations and send emails with emotional appeals to potential donors but provide fake or compromised bank accounts, wire transfer services, or online payment platforms to receive the funds. Since these organizations are often affected by global or local crises, this inherently creates a sense of urgency and need for donations. Additionally, donors may not verify the authenticity or legitimacy of the charity or the email since they want to support a good cause and trust the sender.

Example of BEC targeting philanthropy organizations

Hackers dummied up and sent a legitimate-looking invoice during the 2020 holidays to One Treasure Island, a San Francisco nonprofit that benefits people experiencing homelessness. They convinced someone at the nonprofit to send $650,000. While the organization recovered $37,000 from a frozen account, it lost the rest due to the invoice scheme.

Real estate

Since real estate typically relies heavily on email and involves large and frequent transactions, changing parties, and urgent communication, attackers may impersonate real estate agents, brokers, attorneys, title companies, or escrow agents to send fraudulent emails to those involved in real estate deals.

The attackers may request money transfers for closing costs, deposits, fees, and taxes or ask for sensitive information, such as property details or documents. The victims may not notice any red flags or discrepancies since the real estate industry is often dynamic and fast-paced and because they trust the sender and want to finalize the deal.

As Tyler Adams, co-founder and CEO of the Texas-based SaaS platform CertifID, told Dark Reading, all it takes is a simple search to discover every house for sale, real estate agents, and names of the supporting title and escrow companies. With additional investigation, attackers can find the email addresses of the parties dealing with the transactions and then pose as those parties to steal money.

Real estate BEC attack example

In March 2023, a resident of Stamford, Connecticut, was in the process of buying a home when they got an email from their real estate agent telling them to wire $426,000 to a certain account. Unfortunately, the email was fake. A cybercriminal had copied the real estate agent’s email address and tricked the buyer into wiring money to a fraudulent account. The victim found out they had been scammed when they called their agent to check on the transaction. After reporting the crime to the police and the FBI, the homeowner was able to get back $425,000 of the stolen money.

These are just some examples of sectors affected by BEC scams, but any industry that relies on email communication and transactions can be a potential target. Attackers constantly adapt their techniques and strategies to exploit vulnerabilities and weaknesses successfully. This is why it’s crucial for all businesses and organizations to be aware of the risks and become more vigilant against BEC scams. It also emphasizes the importance of implementing effective and comprehensive measures to prevent, detect, and respond to them.

How to detect BEC scams

BEC scams are hard to spot but not impossible. Some common indicators to help you identify a potential BEC scam include whether the email is:

  • Unexpected, urgent, or confidential, and requires you to take an immediate action, such as making a payment, changing a bank account, or sending sensitive information
  • From a senior executive, vendor, or partner, but the tone, style, or format is different from their usual communication
  • From a slightly different email address, domain name, or display name when compared to the legitimate one, such as using a different spelling
  • A deviation from the standard or established business practices or policies, such as using a different payment method, currency, or verification process
  • A request that involves a third party, such as a lawyer, consultant, or mediator, who claims to be involved in the transaction or situation
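The indicators above can be turned into a triage check that runs over a message's headers and text. This is an added example, not code from the original post or from Tanium; it assumes a constructed list of known correspondent domains and executive names, and it adds one check the list does not spell out (a Reply-To domain that differs from the From domain).

```python
import re
from email.utils import parseaddr

# Constructed sample data: known correspondent domains and executive display names.
KNOWN_DOMAINS = {"example.com", "acme-supplier.com"}
EXECUTIVES = {"jane doe"}

# Wording that maps to the indicators above: pressure, payment changes, third parties.
URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|confidential)\b", re.I)
PAYMENT_CHANGE = re.compile(r"\b(new (bank|account)|updated bank(ing)? details|wire the funds|gift cards?)\b", re.I)
THIRD_PARTY = re.compile(r"\b(lawyer|attorney|consultant|mediator)\b", re.I)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str):
    """Return the known domain this one imitates (within two edits), or None."""
    if domain in KNOWN_DOMAINS:
        return None
    return next((k for k in KNOWN_DOMAINS if edit_distance(domain, k) <= 2), None)

def domain_of(header: str) -> str:
    return parseaddr(header)[1].rpartition("@")[2].lower()

def bec_indicators(msg: dict) -> list:
    """Return the indicators a message trips; an empty list means none matched."""
    hits = []
    name = parseaddr(msg["from"])[0].strip().lower()
    domain = domain_of(msg["from"])
    text = msg["subject"] + "\n" + msg["body"]
    imitated = lookalike_of(domain)
    if imitated:
        hits.append("lookalike sender domain %s resembles %s" % (domain, imitated))
    if name in EXECUTIVES and domain not in KNOWN_DOMAINS:
        hits.append("executive display name from external domain " + domain)
    if msg.get("reply_to") and domain_of(msg["reply_to"]) != domain:
        hits.append("Reply-To domain differs from From domain")
    if URGENCY.search(text):
        hits.append("urgency or secrecy pressure")
    if PAYMENT_CHANGE.search(text):
        hits.append("payment or bank detail change request")
    if THIRD_PARTY.search(text):
        hits.append("third party introduced into the transaction")
    return hits

# Constructed samples: a vendor-fraud attempt from a lookalike domain and a benign note.
VENDOR_FRAUD = {
    "from": "Acme Billing <ar@acme-suppiler.com>", "reply_to": "",
    "subject": "URGENT: updated banking details for invoice 4471",
    "body": "Please wire the funds to our new bank account today; our attorney will confirm.",
}
BENIGN = {
    "from": "Jane Doe <jane.doe@example.com>", "reply_to": "",
    "subject": "Q3 planning", "body": "Can we move Thursday's meeting to 3pm?",
}

for m in (VENDOR_FRAUD, BENIGN):
    print(m["subject"], "->", bec_indicators(m) or ["no indicators"])
```

A message that trips several indicators at once is the one to hold for out-of-band verification, as the next section recommends.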

Best practices for preventing BEC attacks

BEC attacks are not only a technical problem but also a human problem. The best way to avoid BEC scams is to combine technical and human solutions that enhance email security and awareness for organizations and employees.

For employees

  • Be careful with what information you share online or on social media.
  • Don’t click on anything in an unsolicited email or text message. If a company says you have a problem, go to their website to investigate.
  • Carefully examine email addresses and URLs to see if anything looks unusual. An additional number on an email or a URL with words that do not match the company’s name or mission can be a sign that something is wrong.
  • Verify the identity and authenticity of the sender or a request before taking any action. Use a method other than email, ideally in person (since phone calls can also be problematic).
  • Follow internal policies and procedures for approving and processing transactions, and don’t ignore or bypass these policies for any reason.

For organizations

  • Create a culture of open communication that encourages questions and allows employees, vendors, and partners to seek clarification when in doubt.
  • Follow cyber hygiene best practices, including regularly updating IT systems to avoid preventable vulnerabilities and continuously evaluating your existing email security measures for ways to improve filtering known spam, phishing, and spoofing emails, such as implementing more robust email authentication protocols like Domain-based Message Authentication, Reporting and Conformance (DMARC) to verify if emails are from legitimate senders.
  • Embrace zero-trust security approaches, such as enabling multi-factor authentication (MFA) to enforce a zero-trust security model, which assumes every person or machine trying to access a network is suspicious until proven otherwise.
  • “With these increased tactics of funds going directly to cryptocurrency platforms and third-party payment processors or through a custodial account held at a financial institution, it emphasizes the importance of leveraging two-factor or multi-factor authentication as an additional security layer.”

    FBI IC3 2023 Internet Crime Report
  • Monitor and update domain name system (DNS) reports regularly and register domain names that are variations of your business name to protect against spoofing.
  • Invest in security awareness training to educate employees on recognizing and reporting BEC scams and best practices for better email security, such as identifying, flagging, and quarantining suspicious emails.
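A DMARC record is published as a DNS TXT record, and a monitoring-only policy (p=none) reports spoofed mail without blocking it. The checker below is an added example, not code from the original post or from Tanium; the two records it assesses are constructed, with the mailto address as a placeholder.

```python
# Constructed DMARC records: a monitoring-only policy beside a hardened one.
WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG = "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; absent tags take the DMARC defaults."""
    tags = {"pct": "100", "adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record: str) -> list:
    """Return what to fix before relying on this record to stop spoofed mail."""
    t = parse_dmarc(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    if t.get("p") not in ("quarantine", "reject"):
        findings.append("p=%s: spoofed mail is only reported, not blocked" % t.get("p"))
    # sp defaults to p, so a weak p also leaves every subdomain open to spoofing.
    if t.get("sp", t.get("p")) not in ("quarantine", "reject"):
        findings.append("subdomain policy allows spoofing of subdomains")
    if int(t["pct"]) < 100:
        findings.append("pct=%s: policy applies to only part of the mail" % t["pct"])
    # Relaxed alignment accepts any subdomain that passes SPF or DKIM as the parent domain.
    if t["adkim"] != "s" or t["aspf"] != "s":
        findings.append("relaxed alignment: consider adkim=s and aspf=s")
    if "rua" not in t:
        findings.append("no rua address: no aggregate reports to spot spoofing attempts")
    return findings

for label, record in (("weak", WEAK), ("strong", STRONG)):
    print(label, "->", dmarc_findings(record) or ["no findings"])
```

DMARC only governs mail that claims your own domain; a lookalike domain registered by the attacker is exactly why the next bullet recommends registering variations of your business name.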

Do BEC scams always use business email accounts?

The FBI has warned that scammers are extending their BEC attacks beyond traditional platforms. Whereas social engineering has typically relied on some combination of telephone and email exchanges, the technique has now expanded to include virtual meeting platforms as people have shifted to working remotely.

Imagine this scenario: Thieves compromise a senior leader’s email address and then use that to ask employees to attend a virtual call. In the meeting, the scammer inserts a still picture of the CEO with no audio or deepfake audio and claims their audio or video is not working. The scammer then tells employees to initiate wire transfers to fraudulent bank accounts.

BEC scams pose a serious and costly threat to businesses and organizations across various sectors. However, with the advances in automated technologies like artificial intelligence (AI) and machine learning, hackers are continually improving and accelerating their efforts.

[Read also: The ultimate guide to AI in cybersecurity]

Why endpoint management is a key component of an effective cybersecurity strategy

BEC attacks are not going away anytime soon. To combat these and other growing cyber threats effectively, organizations must ensure their security solutions support a proactive approach and a holistic strategy to better prevent, detect, and respond to malicious actors who try to compromise email accounts and systems.

This is why endpoint management is essential to all modern security strategies. It provides the insights that organizations need to improve their security posture and bolster overall resilience. By achieving total visibility and control of the entire IT environment, organizations can ensure there are no blind spots that could lead to unmanaged and unprotected assets, which could allow hackers to gain unauthorized access.

Tanium provides real-time visibility and control like no other solution on the market today for managing endpoint devices for performance, proactively addressing vulnerabilities, and quickly remediating threats using a single platform.


Learn how Tanium can help you protect sensitive data from unauthorized access or exfiltration using Tanium Reveal, which enables you to discover, monitor, and manage data across all your endpoints. Tanium also supports zero-trust architecture, which assumes no user or device is trustworthy by default and requires continuous verification and authorization. By integrating with Microsoft Entra ID and other Identity and Access Management (IAM) providers, Tanium provides real-time endpoint data to inform and enhance your access policies and reduce the risk and impact of BEC scams and other cyberattacks.

Our latest innovations in autonomous endpoint management (AEM) also aim to help IT teams make more informed and effective decisions, reduce the workload of manual tasks, and ultimately improve security and operational posture to levels not previously achievable.

We understand there isn’t a one-size-fits-all solution to security automation and endpoint management. Rather than take control and decision-making away from practitioners, our model for autonomous endpoint management leaves customers in charge. Tanium’s autonomous future will let organizations set corporate policies, define governance rules, and decide the level of autonomy they’re comfortable with by offering high-fidelity control and governance for all suggestions and automation.

Using real-time data and insights from the Tanium Converged Endpoint Management (XEM) platform to suggest and automate actions based on AI insights, peer success rates, and customer risk thresholds, our vision for AEM will provide IT operations and security teams with more control over their endpoint management policies, not less.

Schedule a free, personalized demo today to see what Tanium can do for your security strategy and automation needs.

Tanium Staff

Tanium’s village of experts co-writes as Tanium Staff, sharing their lens on security, IT operations, and other relevant topics across the business and cybersphere.
