The holidays are over, and you know what that means? Your inboxes are full of emails.
But some of those emails might contain malicious links or files disguised to appear from trusted colleagues or even the C-suite within your organization. Can you tell the difference between a business email compromise (BEC) attack and a legitimate email from your CEO?
In this blog, we’ll dive into what a BEC is, the different types of BEC attacks, and how MSPs can spot them effectively before they reach their employees’ or clients’ inboxes.
What is Business Email Compromise (BEC)?
A business email compromise (BEC) is a type of social engineering attack where scammers look to defraud targeted employees. What makes a BEC unique is that the messaging and tone appear to come from legit senders, typically from the CEO or other high-ranking executives.
What makes these emails even more effective is their sense of urgency, designed to pressure employees into taking immediate action. For example, a common BEC might contain a message from the CFO asking for a wire transfer to “pay a vendor invoice.” Without proper employee training, such as routine phishing simulations, an unsuspecting employee might comply without verifying the request or the sender details. BEC attacks accounted for 14% of all impersonation attack activity in corporate inboxes.
The open rates for these emails are alarmingly high. A study found that 28% of BEC emails are opened by employees, with 15% of those emails receiving a reply.
BEC attacks have cost organizations over $50B in losses within the past decade.
AI Making BEC Attacks Harder to Detect
Scammers have begun leveraging Generative AI in their emails with striking accuracy and high success rates.
BEC attacks skyrocketed 20% YoY in Q2 2024 thanks to the advancements in AI-based technology. Scammers can now mimic the precise tone and writing style of C-level executives quite convincingly.
The finance department in particular remains a prime target for BEC attacks as they have the authority to approve wire transfers, pay invoices, and handle sensitive financial information. AI-generated BEC emails use familiar language that a CFO or controller might mistake for a legitimate payment request.
BEC emails can bypass traditional security filters as they are personalized to the recipient and appear to come from a trusted source within the organization. Attackers also leverage obfuscation techniques such as URL spoofing, HTML tag manipulation, payload encryption, and embedding links within images to evade email security filters.
Types of BEC Attacks
Here are 5 types of BEC attacks:
CEO Fraud: Attackers impersonate a C-level executive, generally the CEO, asking for an urgent transfer of funds or sensitive information. Attackers spend a great deal of effort researching the company, even the CEO’s writing style and typical communication patterns on social media platforms and PR/media sites. This helps them craft targeted emails using the CEO’s tone, terminology, and phrasing.
Account Compromise: Attackers gain unauthorized access to a legitimate employee’s email account, typically through phishing, and leverage the information to send fraudulent requests, such as payment approvals to colleagues or partners.
Attorney Impersonation: There is almost nothing quite as intimidating as receiving a legal letter from an attorney in your inbox. One common form of BEC involves scammers posing as lawyers, requesting immediate payment for services, and sending attachments that appear to be official documents the recipient might recognize.
Data Theft: Data is pure gold to an attacker. They can resell stolen information, such as passwords, accounts, credentials, and financial data, on the dark web for a quick profit.
Scammers may also use the stolen information later on for identity theft or to launch more targeted spear phishing campaigns.
False Invoice Scam: Attackers leverage compromised email accounts of legitimate vendors or suppliers to send fake invoices for services. To the untrained eye, these types of BEC emails are increasingly difficult to detect, especially for a busy financial controller who is managing a large number of unpaid invoices with balances due to a variety of vendors. The payment goes to a fraudster’s bank account and may go unnoticed until the vendor actually reports the missed payment or threatens legal action.
4 Ways to Spot a BEC
Here are a few red flags to be aware of the next time you log into your corporate inbox:
- Suspicious Email Header: Look for inconsistencies in the email header, such as a “Reply-To” address that does not match the “From” address, a lookalike sending domain, or email routing anomalies. BEC emails often rely on disguised headers to hide where they really came from. Always verify the legitimacy of the sender. Check the SPF, DKIM, and DMARC results (visible in the Authentication-Results header) to confirm that the message actually originated from the domain it claims to come from.
- Poor Grammar & Typos: BEC emails often contain misspellings, grammatical errors, and excessive punctuation, such as multiple exclamation marks (!!!) at the end of a sentence, designed to create a sense of urgency and prompt an employee to take immediate action. Poor grammar is a classic sign of a phishing attempt. Take the time to go over the email thoroughly.
- Email Context: Pay close attention to the body of the email itself. Any message asking you to “re-confirm” your personal details is a huge red flag. These keywords are usually accompanied by requests for processing a wire transfer or other financial transaction, such as an “unpaid supplier invoice” or “overdue balance.” Needless to say, you should never enter any sensitive financial details or PII without approval.
- Timing: Scammers try to catch people off guard, and the best time to do so is during a holiday such as Thanksgiving or Christmas, when phishing attempts peak. Scammers also time BEC emails for Fridays, when employees are more relaxed heading into the weekend and less likely to report suspicious emails.
Avoid responding to “urgent” emails received on a Friday without verifying the sender. If the email appears to be from the CEO or another executive, confirm its legitimacy through a direct message on Slack or a quick phone call. That extra step can help prevent a massive breach.
And as always, whenever in doubt, just don’t open the email.
Prevent BEC Attacks and Bolster Email Security with Guardz
Guardz’s unified cybersecurity platform leverages advanced machine learning and AI to monitor email activity, detect suspicious patterns through detailed email header analysis, and automatically enforce DMARC policies.
With Guardz’s auto-remediation tool, malicious emails are intercepted and either deleted or marked as safe before they can reach your employees’ or clients’ inboxes.
Take a proactive approach to email security and BEC prevention with Guardz.
Written by
Jordan is a Cybersecurity Content Creator and community builder. He has written for many cybersecurity companies and knows more stats about a data breach than IBM.