In an era rife with data breaches and cybersecurity incidents, business email compromise (BEC) scams are among the most financially damaging cybercrimes. FBI data revealed that BEC incidents accounted for $51 billion in losses between 2013 and 2022.
Although these breaches are becoming more frequent, businesses should not lose sight of how serious they are or of the importance of a robust cybersecurity strategy.
What Is Business Email Compromise (BEC)?
Business email compromise is a form of cybersecurity attack that has been gaining in popularity due to its effectiveness. These cybercrimes involve deceiving people or organizations into transferring money or sharing sensitive information via email. BEC scams are a type of phishing attack that can be financially damaging and affect organizations of all sizes and sectors.
BEC attacks often involve impersonating other users, such as a CFO, and spoofing email addresses by changing a single letter, symbol or number, while giving instructions to wire money to the perpetrator's account. The targeted user is misled into interacting with what appears to be a legitimate contact, either through a similar-looking domain or a familiar display name.
BEC vs. Email Account Compromise (EAC)
While the terms "business email compromise" and "email account compromise" (EAC) are sometimes used interchangeably, these two types of cyberattacks are slightly different. BEC is carried out by a scammer impersonating someone, typically using a deceptive email address or the display name of an employee.
In EAC, by contrast, the attacker gains access to a genuine company email account by stealing its credentials. The perpetrator then sends emails from that account to specific contacts to persuade them to send funds or provide information that can later be exploited.
A cybercriminal may use both forms of attack, BEC and EAC, to carry out a single scam.
Real-World Example: How Does a BEC Attack Work?
BEC attacks are meticulously planned and executed, often targeting specific individuals within an organization who have access to sensitive information or financial resources. Here's an example of how this form of cyber scam could work:
Sending Phishing Emails
One common example of a BEC attack involves a company's billing manager. The attack begins with the billing manager receiving a phishing email from what appears to be a trusted source. The email contains a link to a fraudulent website designed to look like a legitimate login page. Unaware of the deception, the billing manager enters their password on the fake site, inadvertently giving the cybercriminal access to their email account.
Using EAC To Contact Clients
With control of the billing manager's legitimate email account, the attacker can send emails to the company's clients. These emails instruct clients to wire money to a "new account," which is the cybercriminal's overseas account. The emails are crafted to look authentic, often using the company's branding and language to avoid raising suspicion. Clients, believing the request to be legitimate, follow the instructions and transfer funds to the criminal's account.
Receiving Stolen Funds
This fraudulent activity can continue for a while before the billing manager or the clients realize something is amiss. By the time the deception is uncovered, the money transferred to the fake account is typically irretrievably lost. The financial impact on the company can be significant, and the damage to its reputation can be long-lasting.
BEC attacks are effective because they exploit the trust and familiarity inherent in business communications. By impersonating a trusted colleague or using a similar-looking email address, attackers can deceive their targets into taking actions they would not normally consider. This highlights the importance of robust cybersecurity measures, employee training and vigilant monitoring to detect and prevent such attacks.
Common Types of BEC Scams
The precise scenario a scammer might use in a BEC attack may vary, but the most common variations include the following:
- Fake Invoices: One of the most common forms of business email compromise involves a cybercriminal sending a bogus invoice to an employee who is authorized to make payments on behalf of the business. The scammer persuades the employee to send payment to the vendor’s account, typically an overseas bank account owned by the perpetrator.
- CEO/CFO Fraud: The attacker pretends to be a senior executive at the company and emails accounts payable personnel — typically targeting entry-level employees — asking them to share sensitive financial information, purchase gift cards or send funds to a specific bank account.
- Attorney Impersonation: Similar to the CEO fraud scam, a cybercriminal impersonates the business’s attorney and requests payment for services rendered. Typically, the scammer will try to create a sense of urgency in an effort to prevent the employee from looking too closely at the request.
- Data Theft: A scammer may also target an organization’s HR department to gather personal information about employees and executives to help carry out later attacks. Including sensitive data can make a cybercriminal’s email seem more official.
Counting the Cost: The Impact of Business Email Compromise
According to the FBI’s Internet Crime Complaint Center (IC3), there was a 17% increase in identified BEC losses globally from December 2021 to December 2022. Cybercriminals succeed by making their messages appear as though they are from a "trusted source," which often causes recipients to lower their guard when dealing with these communications.
Infosecurity Magazine, citing Vipre Security Group, reports that artificial intelligence (AI)-powered business email compromise scams are increasingly targeting manufacturers and now account for over half of all phishing attempts. Vipre's Email Threat Trends Report: Q3 2024 revealed that 12% of the 1.8 billion emails processed globally were malicious, with BEC making up 58% of phishing attempts.
Manufacturers are particularly vulnerable, with 10% of emails in this sector being BEC attempts, up from just 2% in Q1 2024. These attacks frequently involve impersonating high-ranking individuals and are crafted using generative AI, making them more sophisticated and harder to detect. The report also highlighted the use of URL redirects and malicious attachments to evade security controls and trick users.
To meet this challenge, ensure your organization has a well-developed AI risk management program and implementation strategy, starting with a thorough risk assessment and sound data and security management practices.
The financial impact of BEC attacks can be devastating for organizations of all sizes. The funds lost in these scams are often irretrievable, especially when transferred to overseas accounts. Additionally, the indirect costs, such as the time and resources spent on recovery and the potential loss of business due to damaged trust, can further compound the financial burden.
Moreover, the psychological impact on employees who fall victim to these frauds can be significant. They may feel a sense of guilt or responsibility for the breach, which can affect their morale and productivity. This underscores the importance of regular training and awareness programs to help employees recognize and respond to potential BEC threats.
The cost of falling prey to BEC is multifaceted, encompassing direct financial losses, indirect costs and psychological impacts. Organizations must remain vigilant and proactive in their cybersecurity efforts to mitigate these risks and protect their assets and reputation.
How To Protect Against BECs
There are measures companies can take to prevent BEC scams and avoid becoming part of the next wave of statistics. While there are many technical and monitoring controls that can be put in place at the system level, such as email scanning and spoofing detection, companies should also focus on training employees to detect fraudulent emails. Organizations can implement simple tips to avoid cyber threats, including:
- Avoid clicking on unsolicited messages (emails, texts, IMs, etc.) asking you to update or verify your account information.
- Always double-check email addresses, website URLs and spelling in any communications. Scammers often use slight differences to trick you into believing you are communicating with a trusted person.
- Never open an email attachment from someone you do not know and be cautious of attachments that are forwarded to you.
- Set up multi-factor authentication (MFA) on all accounts that allow it and never disable it for convenience. Cybercriminals are counting on you to do that.
- Verify payment and purchase requests in person or by calling the person to ensure their legitimacy.
- Be especially suspicious of any requestor asking you to act quickly.
If an email seems suspicious, or if you believe you may have accidentally fallen for such a scam, alert your information technology (IT) or security team immediately.
The best way to avoid falling victim to cyber threats is to always be vigilant and never let your guard down. If a message seems suspicious, it should be treated with caution. Companies should ensure that they regularly train their employees and keep them updated on the latest cybersecurity events.
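The address checks the article describes (a sender domain that differs from a trusted one by a single changed character, and a familiar display name on an unfamiliar mailbox) can be automated as a triage step before a payment request is acted on. The following is an added Python example, not code from the original article or from Cherry Bekaert; the trusted domains, known people and sample headers are constructed for the example.

```python
"""Sender checks for BEC triage: lookalike domain, display-name mismatch, Reply-To diversion.

Added example; the trusted domains, known people and sample headers below are constructed."""
from email.utils import parseaddr

# Constructed allow-list: domains the organization really uses, and who uses which mailbox.
TRUSTED_DOMAINS = {"example.com", "example-bank.com"}
KNOWN_PEOPLE = {"Jane Doe": "jane.doe@example.com"}  # display name -> genuine mailbox


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute); 1 means one changed character."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, reply_to: str = "") -> list[str]:
    """Return warning strings for one message's From/Reply-To; empty list means no finding."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    warnings = []
    if domain and domain not in TRUSTED_DOMAINS:
        # A domain one or two edits away from a trusted one is the classic lookalike.
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < edit_distance(domain, trusted) <= 2:
                warnings.append(f"lookalike domain {domain!r} resembles {trusted!r}")
    genuine = KNOWN_PEOPLE.get(name.strip())
    if genuine and addr.lower() != genuine:
        # A familiar display name on an unfamiliar mailbox (display-name impersonation).
        warnings.append(f"display name {name!r} sent from {addr!r}, expected {genuine!r}")
    if reply_to:
        reply_addr = parseaddr(reply_to)[1]
        if reply_addr and reply_addr.lower() != addr.lower():
            # A Reply-To that points elsewhere quietly diverts the thread to the attacker.
            warnings.append(f"Reply-To {reply_addr!r} differs from From {addr!r}")
    return warnings


if __name__ == "__main__":
    # Constructed sample headers: one lookalike domain, one unrelated domain, one genuine.
    for hdr in ('"Jane Doe" <jane.doe@examp1e.com>',
                '"Jane Doe" <jane.doe@mail.example.net>',
                '"Jane Doe" <jane.doe@example.com>'):
        print(hdr, "->", check_sender(hdr) or "ok")
```

Any non-empty result is a reason to verify the request out of band, as the list above recommends, rather than a verdict on its own.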
How Cherry Bekaert Can Help
Cherry Bekaert’s Virtual Chief Information Security Officer (vCISO) services can assist with monitoring and training to ensure the company has the proper knowledge and controls. Our Information Assurance and Cybersecurity practice can also review existing IT policies and procedures or perform phishing tests that simulate a BEC attack to see how users respond. This will help to ensure the company has the foundation to sufficiently safeguard itself during turbulent times.
To discuss how Cherry Bekaert can help protect your company against increasingly sophisticated cyber threats, please contact our Cybersecurity and IT Security team today or reach out to your Cherry Bekaert advisor.