Business Email Compromise (BEC)

by Andrew Werking

The FBI has identified business email compromise, or BEC, as one of the most ubiquitous forms of cybercrime in use today. When it comes to the numbers, BEC attacks increased 136% between December 2016 and May 2018[1]; and since 2013, when record keeping began, the FBI has identified that bad actors leveraged BEC to target businesses and organizations, large and small, as well as individuals in every U.S. state and more than 100 countries.[2]

To break it down, BEC is an attack in which bad actors gain unauthorized access to an individual’s corporate email account and then leverage that access to impersonate the target in an attempt to defraud the enterprise (or its employees, clients, or business associates) out of money, or to gain access to intellectual property. In less sophisticated attacks, bad actors do not compromise an account at all; they simply send from an email address very similar to the target’s real corporate email address.

BEC attacks against the enterprise most commonly take the form of a wire transfer request, attempting to trick employees into sending money to the cybercriminal. And the numbers show it works – big time. The FBI’s Internet Crime Complaint Center’s (IC3) 2017 Internet Crime Report ranks BEC #1 in total victim losses, accounting for nearly half of the total losses recorded for the top 10 Internet crimes.[3] In the reporting period from October 2013 through May 2018, the FBI reports a total of over 78,000 BEC incidents resulting in more than $12.5B in losses.[4]

It’s no wonder, then, that at Agio we’re seeing a significant uptick in BEC attempts targeting our clients. In nearly all reported instances, the BEC attacks targeting our clients started with spear phishing emails targeting senior executives, financial executives, executive assistants, and others likely involved in the wire transfer process. While reported attacks varied in nature and complexity, many involved targeted emails containing tailored content likely obtained from the intended victim’s social media presence.

While the majority of BEC attempts reported to Agio involve attempts to get the firm to execute a fraudulent wire transfer, we have identified recent instances of a shift in targets and tactics. In some instances, the BEC target has shifted from the firm to a third party. In these instances, the bad actors leveraged access to compromised firm email accounts to monitor email traffic and inserted fraudulent wire transfer instructions into an existing email thread between the firm and its investors.

Other common types of BEC include:

  • Invoice scam: A compromised corporate email account is used to request a change to payee information, thereby diverting accounts payable funds to a bad actor.
  • CEO fraud: A bad actor impersonates an executive in an attempt to get another employee to transfer funds or send sensitive data.
  • Real estate fraud: Commonly targeting individuals rather than corporate users, bad actors leverage compromised real estate or banking email accounts to issue fraudulent wire transfer instructions to consumers.

In order to protect your organization, and yourself, from becoming the victim of a BEC attack, we recommend the following:

  • Never trust an email request for a wire transfer. Always verify in person or by calling the requestor directly on a trusted number.
  • Use two-factor authentication (2FA) on email accounts: This second form of identity verification prevents attackers from accessing your email account by brute-forcing (guessing) your password, reusing your password retrieved from another breach, or otherwise cracking your password.
  • Use a password manager and use a unique and robust password for all of your accounts: A reputable password manager like LastPass allows you to store your passwords in a single encrypted vault, accessible from anywhere via multiple devices, and allows you to create unique, lengthy, highly complex, and virtually unbreakable passwords for all of your accounts. You log in once to the vault each morning, and it handles the rest.
  • Be aware of publicly available information about you on social media sites, your corporate website, and other sources: It can be, and is, used against you by bad actors to craft spear phishing and other targeted social engineering attacks.
  • Use strong endpoint protection and keep it up to date.
  • Use an email protection service to identify potentially malicious emails.
  • Look out for signs of email account compromise: large numbers of returned email messages, the creation of forwarding or deletion rules, or reports/inquiries about emails you know you didn’t send, are all indicators of account compromise.
  • Think before you click: look out for unusual requests, suspicious links, unsolicited attachments, and other common phishing indicators.
  • Educate your users on all of the above.
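Two of the points above lend themselves to automated checks on the defender's side: the "email address very similar to the target's real corporate email address" pattern, and the forwarding or deletion rules named as indicators of account compromise. The following is an added example written for this post, not Agio's code or any product's API. It assumes a constructed trusted domain (`example-fund.com`), constructed sender addresses, and rule-creation events whose field names follow Exchange's `New-InboxRule` parameters but whose contents are made up here.

```python
"""Two defender-side checks for BEC indicators named in the post:
(1) sender addresses whose domain merely resembles a trusted one, and
(2) mailbox rules that forward, hide or delete mail.

Hypothetical example code; the trusted domain and all events are constructed.
"""

# Domains the organisation actually uses (constructed for this example).
TRUSTED_DOMAINS = {"example-fund.com"}

# Folders commonly used to park redirected mail out of sight (defender heuristic).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}

# Subject keywords typical of payment-related rules (defender heuristic).
PAYMENT_WORDS = {"wire", "invoice", "payment", "transfer"}


def normalize_domain(domain: str) -> str:
    """Fold common visual substitutions so look-alikes compare equal."""
    d = domain.lower().strip().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01", "ol"))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert/delete/substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance=2) -> str:
    """Return 'internal', 'lookalike' or 'external' for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain in trusted:
        return "internal"
    norm = normalize_domain(domain)
    for t in trusted:
        tn = normalize_domain(t)
        if norm == tn or edit_distance(norm, tn) <= max_distance:
            return "lookalike"
    return "external"


def suspicious_rule(event: dict, trusted=TRUSTED_DOMAINS) -> list:
    """Return the reasons a mailbox-rule creation event looks like BEC tradecraft.

    Field names follow Exchange's New-InboxRule parameters; the event dicts
    themselves are constructed for this example, not real audit output.
    """
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for target in event.get(key, []):
            if target.rsplit("@", 1)[-1].lower() not in trusted:
                reasons.append(f"{key} sends mail outside the org: {target}")
    if event.get("DeleteMessage"):
        reasons.append("DeleteMessage removes matching mail from the inbox")
    folder = (event.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder hides mail in '{event['MoveToFolder']}'")
    words = {w.lower() for w in event.get("SubjectContainsWords", [])}
    if words & PAYMENT_WORDS:
        reasons.append(f"rule keys on payment subjects: {sorted(words & PAYMENT_WORDS)}")
    return reasons


# Constructed rule-creation events: one benign, one matching the post's indicators.
RULE_EVENTS = [
    {"User": "analyst@example-fund.com", "Name": "Newsletters",
     "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Newsletters"},
    {"User": "cfo@example-fund.com", "Name": "Review",
     "SubjectContainsWords": ["wire", "invoice"],
     "ForwardTo": ["acct-review@webmail-example.net"],
     "DeleteMessage": True},
]

if __name__ == "__main__":
    for addr in ("ceo@example-fund.com", "ceo@examp1e-fund.com",
                 "cfo@example-fund.co", "vendor@partner-bank.com"):
        print(f"{addr:28} -> {classify_sender(addr)}")
    for ev in RULE_EVENTS:
        print(ev["User"], ev["Name"], suspicious_rule(ev) or "ok")
```

The edit-distance threshold of 2 is deliberately loose and will be noisy for short trusted domains; in practice tune it per domain length and pair it with display-name checks. Neither check replaces the first recommendation above: a sender that classifies as "internal" can still be a genuinely compromised account, which is exactly why wire requests are verified out of band.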

If you have any questions, contact us. Our cybersecurity teams are industry-specific, deeply in tune with the cyber threat landscape, and passionate about cybersecurity. We’d love to help.

[1] https://www.ic3.gov/media/2018/180712.aspx
[2] https://www.fbi.gov/news/stories/business-e-mail-compromise-on-the-rise
[3] https://pdf.ic3.gov/2017_IC3Report.pdf
[4] https://www.ic3.gov/media/2018/180712.aspx