Business Email Compromise

Business Email Compromise (BEC) is a form of email phishing that targets businesses in order to steal money.

Often run by organised, transnational criminal groups that may employ lawyers, linguists, hackers and social engineers, BEC attacks can take a variety of forms. In most cases the criminals target employees with access to the company’s finances and try to trick them into transferring money to an account that looks legitimate but is in fact controlled by the attackers. The emails appear to come from the company’s CEO or another senior manager and typically urge the recipient to keep the transaction confidential.

BEC is highly targeted. The attack begins with intensive research to find the right person within the company, identify their superiors and then pick the ideal moment to send the email, usually when the person being impersonated is out of the office and cannot easily be reached to confirm the request.

Because this type of threat relies on social engineering rather than malware, the fraudulent email usually carries no malicious attachment or link and therefore slips past email security controls that only inspect content for malicious payloads. Detecting it means looking instead at who the message claims to come from, where replies would actually go, and what the message asks the recipient to do.
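The following is an added example, not code from the original article, showing the kind of header and content heuristics a mail gateway or SOC script can apply to a single message to surface BEC indicators that payload-based scanning misses. It assumes the organisation's domain is example.com and a short list of executives worth impersonating; both the domain and the executive list are assumptions, and the three messages at the bottom are constructed samples, not real captures.

```python
"""Header-and-content heuristics for Business Email Compromise (BEC) triage.

Added example, not from the original article. Assumes the organisation's
domain is example.com and a short list of executives; adjust both for your
own environment. The sample messages below are constructed, not real mail.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the protected organisation
# Assumed list of people whose display names an attacker would borrow.
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

# Lure language: a payment action combined with urgency or secrecy.
PAYMENT_CUES = re.compile(
    r"\b(wire|transfer|payment|invoice|bank details|gift cards?)\b", re.I)
PRESSURE_CUES = re.compile(
    r"\b(urgent|asap|immediately|confidential|do not (tell|mention)|"
    r"don't tell|keep this between)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an email address ('' if there is none)."""
    return addr.rpartition("@")[2].lower()


def analyse(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message (plain text)."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # 1. Display-name impersonation: an executive's name on an address that
    #    is not theirs. This is what most "CEO fraud" mail looks like.
    expected = EXECUTIVES.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' but address {from_addr}")

    # 2. Look-alike sender domain: close to ours, or containing our label,
    #    but not actually ours.
    label = COMPANY_DOMAIN.split(".")[0]
    if from_domain != COMPANY_DOMAIN and (
            levenshtein(from_domain, COMPANY_DOMAIN) <= 2 or label in from_domain):
        findings.append(f"look-alike sender domain {from_domain}")

    # 3. Reply-To pointing at a different domain than From, so replies go to
    #    the attacker even when From looks right.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_addr)} differs from From")

    # 4. Lure language in subject or body. Multipart bodies are not walked
    #    in this example; a real implementation would inspect every text part.
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""
    text = msg.get("Subject", "") + "\n" + body
    if PAYMENT_CUES.search(text) and PRESSURE_CUES.search(text):
        findings.append("payment request combined with urgency/secrecy language")
    return findings


# Constructed samples (not real messages).
SPOOFED = """From: Jane Doe <jane.doe@gmail-mail.net>
Reply-To: jane.doe@gmail-mail.net
To: accounts@example.com
Subject: Urgent wire transfer

I am in a meeting and cannot talk. Please process a wire of 48,000 EUR
to the account below today. Keep this between us until the deal closes.
"""

LOOKALIKE = """From: Accounts Payable <ap@examp1e.com>
Reply-To: finance-desk@outlook.com
To: buyer@example.com
Subject: Updated bank details for invoice 2291

Please note our bank details have changed; use the new account for the
attached invoice immediately.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 offsite agenda

Attached is the agenda for the offsite. Let me know if anything is missing.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(name, analyse(raw) or ["no indicators"])
```

None of these checks inspects an attachment or URL, which is the point: the spoofed CEO message and the look-alike supplier message are flagged on sender identity, reply path and the nature of the request alone, while the genuine internal message produces no findings. In production these signals would be combined with SPF/DKIM/DMARC results and a payment-change verification procedure that does not rely on email at all.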

Most attacks are a variant of one of the following five types of Business Email Compromise:

  • False invoice

In this type of scam, the cybercriminal poses as a trusted supplier, often from a compromised or look-alike supplier account, and asks the employee responsible for paying invoices to settle an invoice or redirect a payment to bank details the fraudster controls.

  • President scam

The cybercriminal hijacks or spoofs the email account of a company president or senior executive and uses that authority to convince other employees to share sensitive information or transfer money.

  • Account compromise

This is one of the most common forms of Business Email Compromise. After gaining access to an employee’s mailbox, the attacker mines its contacts and correspondence to identify the company’s suppliers and partners, then writes to those contacts from the legitimate account asking them to send a payment to an account controlled by the cybercriminal.

  • Fake lawyers

Sometimes cybercriminals go as far as posing as the organisation’s lawyer and contacting employees or the CEO to demand an urgent, confidential payment. Experienced attackers tend to use this tactic on Friday afternoons or just before holidays, when employees are rushing to finish their work and are less attentive.

  • Data theft

Cybercriminals often compromise or impersonate the email account of one or more HR employees. This allows them to request personal information about employees, partners and investors. Later, they use this data to mount a larger attack on the company.