Business Email Compromise – A $43 Billion Problem
The Impact of BEC
Business email compromise (BEC), also known as email account compromise (EAC), takes advantage of the fact that so many of us use email to conduct business, both personal and professional, and is a common threat type in the investment banking space. In a BEC scam, criminals send an email message that appears to come from a known, trusted source making a legitimate request.
Business email compromise scams were the costliest cybercrimes in 2021, and they continue to grow and evolve, targeting everything from small local businesses to large corporations, as well as personal transactions. The FBI observed a 65% increase in losses from these scams between July 2019 and December 2021. The losses are large and trending up: domestic and international losses related to BEC amounted to $43 billion from June 2016 to December 2021, and in 2021 the financial losses from BEC were 64 times those from ransomware.[1]
So, why is BEC becoming such a large and looming threat? According to the FBI’s Internet Crime Report, BEC is difficult to detect because it doesn’t use malware or malicious URLs that can be analyzed with standard cyber defenses. It relies on impersonation and social engineering techniques (phishing is often a precursor to a BEC attack) to trick people into interacting with the attacker. These types of scams are popular because they (1) are simple to execute, (2) require no advanced coding skills or complex malware, and (3) are hard to detect with software protections.
Types of BEC
According to the FBI, there are five major types of BEC:
- CEO Fraud: Attackers position themselves as the CEO or executive of a company and typically email an individual within the finance department, requesting funds to be transferred to an account controlled by the attacker. Cybercriminals can combine their knowledge of an executive’s communication style with details gathered from social media and other public sources of information to create targeted, realistic BEC attacks.
- Account Compromise: An employee’s email account is compromised and used to send vendors modified payment information, redirecting payments to bank accounts owned by the attacker.
- False Invoice Scheme: Attackers commonly exploit relationships with foreign suppliers: the scammer poses as the supplier and requests fund transfers to fraudulent accounts.
- Attorney Impersonation: The attacker impersonates a lawyer or legal representative. Lower-level employees, who may not have the knowledge to question the validity of the request, are commonly targeted by these attacks.
- Data Theft: This type of BEC typically targets HR employees to obtain personal or sensitive information about individuals within the company such as CEOs and executives. This data can then be leveraged for future attacks such as CEO fraud.
Examples of How Criminals Carry Out BEC Scams
A bad actor might leverage some of these tactics to carry out BEC:
- Spoofing an email address
  - Slight variations on legitimate addresses (john.kelly@examplecompany.com vs. john.kelley@examplecompany.com), or outright forgery, fool victims into thinking fake accounts are authentic.
- Sending spear-phishing emails (spear phishing is an email or electronic communications scam targeted at a specific individual, organization or business)
  - These messages look like they’re from a trusted sender but are designed to trick victims into revealing confidential information. This information lets criminals access company accounts, calendars and data to carry out BEC schemes.
- Using malware
  - Malicious software can infiltrate company networks and gain access to legitimate email threads about billing and invoices. This information may be used, for example, to craft messages or time requests so that accountants or financial officers don’t question payment requests.
  - Malware also lets criminals gain undetected access to a victim’s data, including passwords and financial account information.
Best Practices to Help Mitigate BEC Fraud
While BEC scams are hard to detect, here are some examples of best practices/tips that might help avert an incident:
- Educate and train employees to understand the signs of BEC and how to report it. The primary defense against many types of cyberattacks is employee training and education.
- Don’t react hastily because there’s a sense of urgency in an email; rushing to action is one of the hallmarks of business email compromise incidents.
- Avoid supplying login credentials or Personally Identifiable Information (PII) of any sort via email. Be aware that many emails requesting your personal information may seem to be legitimate, but they aren’t.
- Verify the email address you are replying to, especially when using a mobile or handheld device, by checking that the actual sender address (not only the displayed name) matches who the message claims to be from.
- If a request comes from a company you have never done business with before, independently confirm that this is a real supplier/vendor (find a phone number for it on a known/valid website; don’t use the number from the email).
- Employ strict procedures around wiring money, and consider:
  - Requiring a second form of verification before wiring funds
  - Confirming wire instructions verbally; make a phone call to the vendor or requestor (using a phone number already on file) to validate the legitimacy of the request
  - Establishing limits on accounts and users (daily or per transaction)
  - Being prudent about who is entitled to execute money movements; periodically review user roles and entitlements within your company, paying special attention to ACH and wires
  - Always having a “maker” and a “checker” in the payment process, ensuring segregation of duties. Risk is significantly higher when the same user can create and send their own payments.
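The wire controls listed above are easiest to reason about when they are enforced by the payment system rather than remembered by people. The following is an added example, not code from the original article or from any MUFG system: a minimal in-memory model of a payment workflow that refuses to release a wire unless the maker is entitled to create it, a different entitled checker approves it, the instructions were verbally confirmed on the phone number already on file, and per-transaction and daily per-user limits hold. The roles, limits, vendor and phone numbers are constructed sample data.

```python
"""Maker/checker, callback and limit controls for outgoing wires (added example)."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed entitlements: which users may create ("maker") or approve ("checker").
ROLES: Dict[str, set] = {
    "alice": {"maker"},
    "bob": {"checker"},
    "carol": {"maker", "checker"},
}
PER_TXN_LIMIT = 50_000.00          # assumed per-transaction limit
DAILY_LIMIT_PER_USER = 100_000.00  # assumed daily limit per maker
# Phone numbers already on file for vendors; callbacks must use these,
# never a number supplied in the email requesting the payment.
VENDOR_PHONE_ON_FILE: Dict[str, str] = {"Vendor Supplies": "+1-555-0100"}


class ControlViolation(Exception):
    """Raised when a wire would bypass one of the controls."""


@dataclass
class Wire:
    vendor: str
    amount: float
    maker: str
    checker: Optional[str] = None
    callback_number: Optional[str] = None   # set once verbally confirmed

    @property
    def released(self) -> bool:
        return self.checker is not None


@dataclass
class PaymentLedger:
    # amount released today, keyed by the maker who created the wire
    released_today: Dict[str, float] = field(default_factory=lambda: defaultdict(float))

    def create(self, vendor: str, amount: float, maker: str) -> Wire:
        """Maker step: only entitled users, and only within the per-transaction limit."""
        if "maker" not in ROLES.get(maker, set()):
            raise ControlViolation(f"{maker} is not entitled to create payments")
        if amount > PER_TXN_LIMIT:
            raise ControlViolation(f"amount {amount:.2f} exceeds per-transaction limit")
        return Wire(vendor, amount, maker)

    def confirm_callback(self, wire: Wire, number_dialed: str) -> None:
        """Record the verbal confirmation; the number must be the one on file."""
        if VENDOR_PHONE_ON_FILE.get(wire.vendor) != number_dialed:
            raise ControlViolation("callback must use the phone number already on file")
        wire.callback_number = number_dialed

    def approve(self, wire: Wire, checker: str) -> Wire:
        """Checker step: a different entitled user releases a confirmed wire within daily limits."""
        if "checker" not in ROLES.get(checker, set()):
            raise ControlViolation(f"{checker} is not entitled to approve payments")
        if checker == wire.maker:
            raise ControlViolation("segregation of duties: maker cannot approve own payment")
        if wire.callback_number is None:
            raise ControlViolation("wire instructions have not been verbally confirmed")
        if self.released_today[wire.maker] + wire.amount > DAILY_LIMIT_PER_USER:
            raise ControlViolation(f"daily limit for {wire.maker} would be exceeded")
        wire.checker = checker
        self.released_today[wire.maker] += wire.amount
        return wire


if __name__ == "__main__":
    ledger = PaymentLedger()
    w = ledger.create("Vendor Supplies", 20_000.00, "alice")
    ledger.confirm_callback(w, "+1-555-0100")
    ledger.approve(w, "bob")
    print("released:", w.released, "by", w.checker)
```

Each refusal raises `ControlViolation` with the reason, which is also the audit trail a reviewer wants when checking why a payment was blocked; the point of the model is that a single compromised mailbox (or a single hurried employee) cannot move money on its own.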
In Summary
Technological controls such as firewalls and antivirus software cannot defend against BEC scams, although they remain good basic controls against other cyberattacks. You can, however, limit the damage of BEC attacks by following the tips above and training employees to spot BEC red flags (e.g., high-level executives asking for unusual information, urgent requests, requests that bypass normal approval channels, and requests that ask individuals not to communicate with others).
If you believe you/your company may have been a victim of a BEC crime, contact your financial institution and your local FBI office.
[1] FBI 2021 Internet Crime Report / Internet Crime Complaint Center
This material is not, and should not be, construed as or deemed to be, advice on legal, tax, financial, investment, accounting, regulatory, technology, security, or other matters (collectively, “Advice”). You should always consult your own financial, legal, tax, accounting, technology, security, or similar advisors before changing your business practices or entering into any agreement for our products or services. Your organization is responsible for securing your systems, networks, and data, for determining how to best protect itself against information security threats, and for selecting the best practices that are most appropriate to its needs. MUB assumes no responsibility or liability whatsoever to any person in respect of such matters. No statements made in the meeting presenting this material, or in this or other materials, should be construed as Advice or as pertaining to specific factual situations.
MUFG Americas
1251 Avenue of the Americas
New York, NY, 10020-1104, United States