
Business email compromise: types, identification and mitigation measures

The prevalence of email attacks on organizational emails has multiplied manifold in the past year. Threat actors come up with increasingly innovative techniques to make their way into organizations by first getting into email accounts and then taking over the entire system. Even though newer threats keep coming up, some of the existing threats are still very efficient in making email recipients trust them.

Among the threats that give hackers effective results is business email compromise, known as BEC. Almost 10% of data breaches stem from BEC attacks, and the cost of a BEC attack rose by a whopping $100,000 from 2022 to 2023 alone. This has made BEC one of the most common attacks for organizations to stay vigilant about.

In this article, we'll delve deep into all you need to know about BEC. We'll explain what a BEC attack is, the workings and stages of a BEC attack, the types of BEC attacks, common characteristics, and how to protect your organization's emails by mitigating these attacks.

What is business email compromise (BEC)?

Business email compromise is a specific type of phishing scam in which cybercriminals impersonate an authority or a company that the recipient organization trusts. They nudge the recipient to reveal sensitive information or data, or to perform money transfers.

In this type of cyberattack, the hackers conduct thorough research and background checks on the organization or the employee they're targeting. This helps them make sure that they've crafted their attack convincingly enough to deceive the email recipients.

To achieve this, hackers impersonate high-ranking professionals within the organization or someone the recipient interacts with on a regular basis. A hacker may hijack an existing legitimate account or use a new account that impersonates the identity of someone familiar with the organization. Sometimes, hackers might even hijack an ongoing conversation, in which case the email recipient barely has any reason to doubt the email sender.

Hackers have gotten creative with BEC attacks over the years. Because these emails are carefully targeted and don't have any malware, suspicious attachments, or questionable links, they easily avoid detection by both legacy email providers and traditional email security systems. Once they make their way into mailboxes, it's easy for hackers to convince the email recipient to perform the required action. This makes BEC attacks one of the most damaging and expensive forms of cyberattacks for organizations across the globe.

How does BEC work?

Hackers build BEC attacks with specific targets in mind. In other words, they're a form of spear phishing. So hackers tend to do extensive research on their targets and use various methods to reach users' mailboxes, such as domain impersonation, brand impersonation, or account takeovers.

Stages of a BEC attack

Any BEC attack takes place in four stages. They include research, preparation, execution, and action.

 1. Research 

In the first phase, hackers conduct thorough research to decide who they should target. They typically pick organizations that are financially sound and that perform high-value transactions on a regular basis, so that their attack goes unnoticed, at least for a short time.

Once they pick an organization to target, hackers comb through the internet to find any public information available about the company and its employees. They find vendors to whom the company frequently makes payments, their invoice dates, and payment dues. They also find information about the communication patterns between high-level employees in the organization who can request payments or data and mid-level employees who usually fulfill these requests. Targets may include HR or the finance team.

With knowledge about communication and payment patterns of the organization, hackers can craft convincing emails to nudge employees to perform the desired action.

This gives them the ammunition to proceed to the next stage, which is preparing the accounts, domains, and sender identities needed for the attack.

 2. Preparation 

In the preparation phase, hackers work on getting access to the email accounts from which they'll be sending the attack email. This could either be a hacked email address of a high-ranking authority in the target organization, or it could be a spoofed address impersonating someone in the organization.

If they're using a hacked email address, they'll infiltrate the company's network and defenses in advance to gain access to the account. In most cases, rather than locking out the account owner, they silently access the account in parallel so as not to arouse any suspicion. Hackers can even insert themselves into an ongoing conversation, adding to the legitimacy of the request they're about to make.

If the hackers decide to use an impersonated email address for the attack, they'll use techniques such as domain spoofing and user name spoofing. They'll purchase look-alike domains of the target organization and use them to create the attack email. They'll also create convincing usernames and email addresses that easily pass through the security filters of legacy email providers.

3. Execution 

In the third stage, hackers carry out the attack. This is the execution stage. Based on what they learned in the previous two stages, hackers use either the hacked or the impersonated email account to send a cleverly crafted email to the employee they're targeting.

The email will contain the usual salutations and language similar to what the person they're impersonating usually uses. Under this pretext, the hackers either request critical business information, confidential data, or money transfers. To ensure that the recipient doesn't have enough time to validate the authenticity of the email, hackers create a sense of urgency through the email, nudging them to take immediate action. They mention time-sensitive implications, such as huge fines, partnership terminations, or deal losses if the requested action is not performed immediately.

This is the only stage in which the organization can stop the email from entering its mailboxes. If the hackers are clever enough to bypass the security filters set up by the company, the only way to stop the attack lies with the email recipient. If the recipient receives sufficient training, they'll have the knowledge to detect whether the email is legitimate, and can take further action based on its authenticity. Sometimes, to counteract this, hackers pick recipients who are fairly new to the company with the idea that they might not be familiar with the workings or training given in the organization.

4. Action 

The fourth and final stage is where the hacker takes action. If the email recipient falls prey to the BEC attack and performs the requested action, the attack is a success. Then, the hacker proceeds to use what they have for their personal gains.

If the hackers request a money transfer, they'll disperse the funds to different bank accounts to ensure that it can't be traced back to a specific account owner. If they've received confidential information about the organization, they'll sell it on the dark web or to interested competitor companies. If they've received account credentials as a result of their BEC attack, they'll use the credentials to log into employee accounts, change the passwords, and lock the owner out of the account. They then demand a ransom and threaten the owners with data deletion or corruption if the ransom amount is not paid.

With this final stage, the hackers make the money they need and leave no trace behind. It becomes difficult to trace the source or perpetrator of the attack.

What makes BEC emails hard to detect?

BEC attacks have been on the rise over the past few years. It's one of the highest-volume attacks among response-based email threats. The reason hackers have adopted BEC attacks so widely is that cleverly crafted emails are difficult for email security filters to detect, so they land in the users' mailboxes. In this section, we'll discuss some of the reasons that make BEC emails hard to detect.

Low volume

BEC emails are different from other categories of unwanted emails that persist in the cyber threat landscape. For example, spam emails are bulk, unsolicited emails that can be detected easily. If there's an unusual increase in email traffic, security filters trigger and take measures to prevent malicious emails from landing in mailboxes. But because BEC emails aim to build trust and rapport with the email recipient, hackers send just one or two emails to get a response from the recipient. The low volume ensures that the email isn't flagged as an immediate threat by email providers.

Highly targeted

BEC emails are sent with specific targets in mind. Hackers research the targeted individual and the organization extensively before they carry out the attack. As part of their research, they also study communication patterns, vendors the company works with, payment due dates, and other such information to make the attack look authentic and gain trust. Because of the targeted nature of these attacks, anomalies escape detection by security filters, and they pass through easily. Even after reaching the mailbox, recipients tend to fall prey to these attacks because the requests mimic legitimate requests.

Lack of threat indicators

A BEC attack is complete only when the email recipient responds to the request. So, to pass through security filters, hackers will send emails without any viruses, scripts, or other such malware. This is another reason why these emails enter users' mailboxes.

Legitimate source

In an attempt to place the BEC email in mailboxes, hackers deploy legitimate domains and email addresses. This could either be an impersonated domain or an account takeover from a previous hack. If the email is from a hacked account, the email address and other details are legitimate, which gives the recipient no reason to doubt the email.

If instead the email is sent from an impersonated domain or email account, it avoids detection by security filters because the hackers set up authentication for the look-alike domain they own, so all authentication checks, such as SPF, DKIM, and DMARC, pass. While hackers have to make the extra effort, they'll ensure that the basics are taken care of because the payoff is worth it. After it lands in the users' mailboxes, the recipient may not be able to identify the email as fraudulent. This is one of the major concerns that makes BEC emails hard to detect.

Types of BEC attacks

Hackers can build BEC attacks in different ways. Based on how hackers choose to create the attack, the people they attack, and the account from which the attack email is sent, these attacks are broadly classified into five types.

VIP impersonation/CEO fraud

One of the most common and earliest-known types of BEC attacks is CEO fraud or VIP impersonation. In this type of BEC, hackers impersonate the organization's CEO or other C-suite members whose requests are most likely to be carried out without question.

The account that the hacker uses for this attack could be a look-alike email address or the hacked account of the impersonated individual. Most commonly, hackers use the CEO or the VIP's name to get the target to transfer huge sums of money by mentioning urgent business deal closures or vendor payments that are overdue. To ensure that this request isn't traced back to the hacker, they'll claim that they can't communicate further owing to important client or partner meetings.

Invoice scams

Invoice scams are among the most expensive types of BEC attacks. In this type of attack, hackers impersonate a vendor to whom the company makes payments frequently. They generate fake invoices and nudge the email recipient to process the invoice. Once the invoice is paid, the hackers route the money to a bank account they control.

In these attacks, the email sender creates a sense of urgency, which causes the recipient to refrain from verifying the nature of the request through other means. To make the request appear authentic, the hacker imitates the brand, the style, and language that's usually used by the vendor. The hackers only change the account number where the payment should be deposited. They'll even research the payment cycles so that they can trigger these emails closer to that date and get the recipient to perform the action they want.

Attorney impersonation

In the attorney impersonation type of BEC email, hackers target new or beginner-level employees in an organization under the pretext of being from the company's legal team or other legal counsel. These requests are often successful because new employees may not know the company's processes yet or how to validate the request that's posed to them. Plus, most of the organization's employees are likely to maintain confidentiality around legal requests because they're mostly sensitive in nature.

In this attack, hackers ask employees to share sensitive information about the company's processes, contracts, or designs. They may even demand that the employee pay for fines that were imposed due to non-compliance.

Account compromise

Account compromise, or account takeover, refers to a type of BEC attack in which the hacker has gained unauthorized access to an employee's account within the organization. This makes it simple for the hacker to inject themselves into ongoing conversations and gain knowledge about the account owner's communication patterns. This access is a priceless weapon for hackers because the account is legitimate and there's no reason to suspect emails sent from such accounts.

Hackers can use this information either to extract money from other departments in the company or request sensitive data. They target high-profile employees for account takeovers because the probability of having their request answered is high.

Data theft

While most hackers send BEC emails with the intent to extract money, another common type of BEC attack is one where hackers are looking to extract sensitive information about the organization. Information is so valuable to hackers because they can make money selling this on the dark web or to the company's competitors, or even use the information as part of a larger hack. This can include information such as company contracts, designs, and other sensitive intellectual property. Sometimes, it can even be the personally identifiable information (PII) of the company's employees or their clients.

This poses multiple problems for the company because a data leak doesn't just bring financial losses; the company may also have to face legal consequences.

How to spot BEC emails

BEC emails usually have certain distinguishing characteristics. Knowing how to spot these characteristics and verify their legitimacy can lead email recipients to be more aware and report them accordingly. Let's take a look at some of the common characteristics in this section.

Urgency in the email content

Hackers who send BEC emails usually have a short timeframe to operate before the attack is detected. To get their target to perform the desired action as soon as they open the email, hackers will create a sense of urgency in the content of the email. To get this point across, hackers use terms such as urgent, important, quick, immediate, or soon in the email's subject line.

They'll draft the email content to create a sense of alarm if the request isn't fulfilled in the mentioned timeframe. To ensure that the recipient progresses, they'll mention huge fines, urgent meetings, loss of partnerships, or customer deals. So even when you come across such emails, take a moment to recheck the details before proceeding with the request.

Discrepancies in the email address

When hackers impersonate an email address to trick recipients, they'll use look-alike domains of the original domain name. This technique is known as domain spoofing. For example, to impersonate an email from amazon.com, the hacker might use the domain annazon.com to fool recipients.

Hackers will also craft the display name of the email address to make sure that it imitates that of the individual they're impersonating. In these cases, it helps to check whether the displayed username matches the email address and the domain from which the email is sent. To take extra caution, recipients can also verify if the return path address matches with the sender address by viewing the email headers.
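The checks described in this section (look-alike domains, a display name that carries a different address than the real sender, and Return-Path or Reply-To domains that don't match the From domain) can be automated on the raw message headers. The following is an added example written for this article, not Zoho's or eProtect's code; the trusted-domain list, the sample message and the confusable-character table are constructed for the example, and the annazon.com look-alike is the one the text above uses.

```python
"""Header-level discrepancy checks for inbound mail (added example)."""
import re
from email import message_from_bytes
from email.utils import parseaddr

# Constructed for this example: domains the organization already trusts.
TRUSTED_DOMAINS = {"example.com", "amazon.com"}

# Character sequences that read alike in many fonts; applied in order when
# normalizing a domain so that e.g. "annazon" and "exarnple" fold to the real names.
CONFUSABLES = [("rn", "m"), ("nn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def normalize(domain):
    """Fold look-alike sequences so visually similar domains compare equal."""
    d = domain.lower()
    for lookalike, real in CONFUSABLES:
        d = d.replace(lookalike, real)
    return d


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    folded = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == normalize(trusted):
            return trusted
    return None


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def analyze_headers(raw_message):
    """Return a list of human-readable findings for the message's sender headers."""
    msg = message_from_bytes(raw_message)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    # Display name spoofing: the name shows one address, the envelope another.
    for embedded in EMAIL_RE.findall(display_name):
        if domain_of(embedded) != from_domain:
            findings.append(f"display name shows {embedded} but sender is {from_addr}")

    # Look-alike sending domain.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} resembles trusted domain {imitated}")

    # Reply-To / Return-Path pointing somewhere other than the From domain.
    for header in ("Reply-To", "Return-Path"):
        _, other = parseaddr(msg.get(header, ""))
        if other and domain_of(other) != from_domain:
            findings.append(f"{header} domain {domain_of(other)} differs from From domain {from_domain}")
    return findings


# Constructed sample: every discrepancy the section describes, in one message.
SUSPICIOUS = (
    b'From: "Jane Doe <jane.doe@example.com>" <jane.doe@annazon.com>\r\n'
    b"Reply-To: jane.doe@mail-annazon.net\r\n"
    b"Return-Path: <bounce@mail-annazon.net>\r\n"
    b"To: finance@example.com\r\n"
    b"Subject: URGENT: updated bank details for invoice 4471\r\n"
    b"\r\nPlease process today.\r\n"
)

# Constructed sample: a clean internal message for comparison.
CLEAN = (
    b'From: "Jane Doe" <jane.doe@example.com>\r\n'
    b"To: finance@example.com\r\n"
    b"Subject: invoice 4471\r\n"
    b"\r\nAttached as usual.\r\n"
)

if __name__ == "__main__":
    for finding in analyze_headers(SUSPICIOUS):
        print("flag:", finding)
    print("clean message findings:", analyze_headers(CLEAN))
```

The confusable table is deliberately short; a production filter would use a fuller homoglyph list and also handle internationalized domain names, but the structure (fold, then compare against a known-good list) stays the same.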

Unreachable email sender

Usually, when someone receives an unusual or urgent request, they tend to verify it with the email sender through other means, such as phone calls or instant messages. Because this would reveal the intent and identity of the email sender, hackers sending BEC emails insist that the recipient not call the sender back. They'll attribute their inability to answer calls to client meetings, travel plans, or poor connectivity because they're out of the country.

Recipients should exercise caution and verify the request if anything seems out of character for the email sender the hackers are impersonating.

Suspicious email attachments

BEC emails are designed to pass through email security filters undetected. Hackers will send them without any malicious content or attachments. But to gain a sense of trust with the email recipient, threat actors include attachments that mimic the invoices or requests that the organization usually receives from its vendors. Sometimes, these attachments could also be imitations of contracts or documents that fall within the context of the company to add more authenticity.

It's always best to verify invoices, payment requests, or other such attachments sent with emails by checking for authorized signatures, company seals, and similar signs that could prove authenticity.

Authoritative email sender

To make sure the email recipient proceeds to do the action requested, hackers usually pick high-ranking authorities in the organization to impersonate. Owing to the position and authority of these people, mid-level employees in the organization receive requests from the hackers and carry out the tasks without much follow-up. If this is part of their organization's process, the hackers' jobs become much easier because there's no further communication about the request they're making.

Every organization must streamline and implement processes around payments, invoice processing, documents, or contract sharing to ensure that policies aren't violated.

Unfamiliar account numbers

An organization's payments to its vendors tend to be consistent. So payment requests, bill amounts, and account numbers will be the same over different billing cycles. If the email recipients notice any discrepancies from the usual patterns, they need to be wary and verify that the request is legitimate. If the email contains a link, verify that the link's actual destination matches the address displayed in the email text. This helps with spotting fraudulent payment requests or look-alike websites.
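Both checks in this section, bank details that differ from what the organization has on file and links whose visible text names a different host than the href they point to, can be applied to an HTML payment request before anyone acts on it. The following is an added example written for this article, not Zoho's code; the vendor record and the sample HTML are constructed, and the vendor master data would in practice come from the accounts-payable system.

```python
"""Review a payment-request email body for the warning signs described above (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed for this example: the bank details accounts payable already has on file.
VENDOR_MASTER = {"Acme Supplies": "GB00BANK00000000001234"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url_or_text):
    """Hostname of a URL, or of link text that looks like one; 'www.' is ignored."""
    s = url_or_text.strip()
    if "://" not in s:
        s = "http://" + s
    host = (urlparse(s).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def mismatched_links(html):
    """Links whose displayed text names a host different from the real destination."""
    collector = LinkCollector()
    collector.feed(html)
    flagged = []
    for href, text in collector.links:
        shown = host_of(text)
        # Only compare when the visible text itself looks like a domain or URL.
        if "." in shown and shown != host_of(href):
            flagged.append((text, href))
    return flagged


def review_payment_request(vendor, account_in_email, html):
    """Return the list of reasons this request needs out-of-band verification."""
    reasons = []
    on_file = VENDOR_MASTER.get(vendor)
    if on_file is None:
        reasons.append(f"no vendor record for {vendor!r}")
    elif on_file != account_in_email:
        reasons.append(f"bank account for {vendor} differs from the one on file")
    for text, href in mismatched_links(html):
        reasons.append(f"link text {text!r} points to {href}")
    return reasons


# Constructed sample: a vendor "update" with a changed account and a disguised link.
SAMPLE_HTML = (
    '<p>Our bank details changed. Pay via '
    '<a href="https://vendor-payments.co/pay">www.acme-supplies.com/pay</a> '
    'or see our <a href="https://acme-supplies.com/help">support page</a>.</p>'
)

if __name__ == "__main__":
    for reason in review_payment_request("Acme Supplies", "GB00BANK00000000009999", SAMPLE_HTML):
        print("verify before paying:", reason)
```

The host comparison is intentionally simple (scheme-less link text is treated as a URL, and a visible "support page" label is not compared at all); what matters is that the decision uses the href, which is what the browser will actually open, rather than the text the sender chose to show.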

How can you protect your organization from BEC attacks?

Hackers targeting your organization for BEC attacks is inevitable, but there are several measures you can take to protect yourself from this threat. By following certain best practices, streamlining processes, and adopting advanced security technologies, you can protect your organization from BEC emails.

Streamline internal processes

Because hackers rely on a lack of communication and processes for vendor payments and data sharing, the first step for identifying such requests is ensuring that there's a process to validate and carry out the request. For any finance-related queries, make sure that there are multiple levels of approval for members of the finance team. Validate each request for data that comes in with the person requesting it, even if it's a high-profile employee.

Establishing such processes will bring organizations one step closer to staying ahead of BEC attacks.

Implement email authentication protocols

The simplest way to spot email threats is to ensure that emails pass all authentication checks at the point of receipt. Ensure that you've configured SPF, DKIM, and DMARC authentication checks for your organization's domains. Train your company's employees to check from the email's headers whether an incoming email has passed all of the authentication checks. If they spot that some protocol did not validate, users can proceed with caution and take the necessary further action.
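What an employee (or a filter) reads from the headers is the Authentication-Results line the receiving server adds, and what matters in it is not only that spf and dkim say pass but that the domain they passed for is aligned with the From domain the recipient sees; that is the DMARC check. The example below is an added illustration written for this article, not Zoho's code: it parses that header, applies relaxed alignment, and parses a DMARC DNS record to distinguish a monitoring-only policy (p=none) from an enforcing one. The sample header values and domains are constructed, and the organizational-domain helper uses a two-label shortcut where a real implementation consults the Public Suffix List.

```python
"""Parse Authentication-Results and DMARC records to judge an inbound message (added example)."""
import re


def org_domain(name):
    """Organizational domain, simplified to the last two labels (assumption; real code uses the PSL)."""
    name = name.rsplit("@", 1)[-1].lower().strip(">")
    return ".".join(name.split(".")[-2:])


def parse_authentication_results(header):
    """Turn 'authserv; method=result prop=value ...; ...' into a dict of method results."""
    header = re.sub(r"\([^)]*\)", "", header)  # drop CFWS comments such as "(2048-bit key)"
    parts = [p.strip() for p in header.split(";") if p.strip()]
    parsed = {"authserv_id": parts[0], "methods": []}
    for part in parts[1:]:
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = {}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            props[key] = value.strip('"')
        parsed["methods"].append({"method": method.lower(), "result": result.lower(), "props": props})
    return parsed


def dmarc_aligned(header_from_domain, parsed):
    """Relaxed DMARC alignment: a passing SPF or DKIM identifier shares the From org domain."""
    target = org_domain(header_from_domain)
    for m in parsed["methods"]:
        if m["result"] != "pass":
            continue
        if m["method"] == "spf" and org_domain(m["props"].get("smtp.mailfrom", "")) == target:
            return True
        if m["method"] == "dkim" and org_domain(m["props"].get("header.d", "")) == target:
            return True
    return False


def parse_dmarc_record(txt):
    """Parse a 'v=DMARC1; p=...; ...' TXT record into a tag dictionary."""
    tags = {}
    for item in txt.split(";"):
        key, _, value = item.strip().partition("=")
        if key:
            tags[key.strip()] = value.strip()
    return tags


def dmarc_enforces(tags):
    """True only when the policy tells receivers to act, not merely report."""
    return tags.get("v") == "DMARC1" and tags.get("p") in ("quarantine", "reject")


# Constructed samples of what a receiving MTA might add to the message.
LEGIT = ("mx.example.com; spf=pass smtp.mailfrom=billing@vendor.com; "
         "dkim=pass (2048-bit key) header.d=vendor.com; dmarc=pass header.from=vendor.com")
SPOOFED = ("mx.example.com; spf=pass smtp.mailfrom=bounce@mail-vendor.net; "
           "dkim=none; dmarc=fail header.from=vendor.com")
# A look-alike domain the attacker owns and has authenticated: everything passes,
# which only proves the mail really came from that domain, not that it is the vendor.
LOOKALIKE = ("mx.example.com; spf=pass smtp.mailfrom=billing@vendor-invoices.com; "
             "dkim=pass header.d=vendor-invoices.com; dmarc=pass header.from=vendor-invoices.com")

# Constructed DMARC records: the monitoring-only setting beside the enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, hdr, frm in (("legit", LEGIT, "vendor.com"), ("spoofed", SPOOFED, "vendor.com"),
                            ("lookalike", LOOKALIKE, "vendor-invoices.com")):
        print(label, "aligned:", dmarc_aligned(frm, parse_authentication_results(hdr)))
    print("weak record enforces:", dmarc_enforces(parse_dmarc_record(WEAK_RECORD)))
    print("strong record enforces:", dmarc_enforces(parse_dmarc_record(STRONG_RECORD)))
```

The look-alike case is the caveat the previous section raises: authentication tells you the message genuinely came from the domain in the From header, so it must be combined with a check that the domain itself is the one you expect. Publishing your own domain with p=none is likewise only the monitoring step; spoofing of your domain is blocked at receivers only once the policy moves to quarantine or reject.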

Indicate external emails

Most organizational communication happens within the company. Apart from this, there are select outside entities that the company's employees regularly interact with. You can set up processes to flag emails that come from outside the organization. With this warning in place, your employees will take the precaution to verify that the sending domain or email address is, in fact, one that they're familiar with. This simple step could go a long way in detecting domain spoofing or brand impersonation attacks.

Enhance security for VIP accounts

While it's important to have security controls in place for all of your organization's accounts, it helps to have additional security measures for high-profile employees, such as CEOs, CFOs, and other VIP accounts. With advanced security measures, it won't be easy for hackers to pass through the defenses you've set up. You can also add display name spoofing protection for these accounts. This will prevent your employees from falling prey to emails impersonating these high-profile employees.

Create a process for reporting threats

Your security measures don't stop at the detection stage. You need an efficient process for reporting the threats that employees have detected. One simple way is for employees to report spam emails using the option provided in the email provider.

Advanced threats, such as phishing or spoofing, must be reported to the organization's security officer as soon as possible. The nature and origin of the threat should be analyzed, and the email security configuration should be tweaked accordingly to ensure that similar emails are detected and blocked efficiently.

Conduct employee training

You should convey these processes about your security controls and email security measures to your employees through security training. It's good practice to conduct this training as soon as an employee joins the company. Hackers tend to target beginners who might not have a proper understanding of the administrative and security practices the company follows.

During these training sessions, supervisors should test employees' understanding of the various threats using threat email simulations. Based on the results of such tests, the security officer can decide to conduct additional training if required.

Deploy an email security solution

You can achieve most of these security controls and processes by deploying an email security solution that complements the security your email provider offers. Such email security solutions detect and capture advanced threats that legacy email providers tend to miss. These solutions act as an additional layer that filters out BEC attacks and other novel threats that hackers use to cause disruption to your business.

Protecting against BEC attacks with Zoho eProtect

Zoho eProtect is one such cloud-based email security solution that provides an additional layer of security for email accounts. It offers advanced threat detection mechanisms by scanning emails at the content level to verify the email's intent. With such controls in place, any phishing or spoofing attempts will be detected and denied entry into users' mailboxes. Features such as cousin domain spoofing prevention and display name spoofing protection will detect and thwart any BEC attempts to spoof domains or VIP display names.

eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users. Learn more about eProtect's email security features and take the step to enhance your organization's email security and archiving.
