Phishing attacks have become increasingly complex and sophisticated in recent years. Business email compromise (BEC) is a highly targeted form of social engineering and spear phishing aimed at staff members, or at a well-known external vendor, who hold a position of authority, such as in accounting or senior management.
The objective of this type of attack is to trick unsuspecting victims into sending money to the attackers during what appears to be a legitimate, authorized business transaction. Because BEC attacks are so targeted and carefully planned, they are among the most damaging and expensive forms of phishing, resulting in billions of dollars lost each year.
How Does Business Email Compromise Work?
Cyber criminals execute BEC attacks in a number of ways.
- Compromised email: In this scenario, a bad actor gains access to a legitimate email account and sends the request for funds from the actual account.
- Domain spoofing: When a domain's email is not authenticated, attackers can forge the display name and sender address so the email appears to come from someone within the company or from an outside vendor. If the recipient replies to the spoofed address, the reply is routed directly to the attacker.
- Lookalike domains: A lookalike domain is just what it sounds like: an email domain that closely resembles the legitimate one, for example business.com versus buslness.com (a lowercase L in place of the i).
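The spoofing and lookalike techniques above are both visible in the From: header of a message, so a mail gateway or SOC script can score senders before a human ever reads the request. The following is an added example, not code from the original article: it reduces a sender domain to a "skeleton" (accents stripped, common confusable characters such as l/i and 1/i folded), measures its edit distance to an allowlist of known-good domains, and separately flags a display name that embeds a trusted address while the real sender domain is something else. TRUSTED_DOMAINS, the CONFUSABLES table and the sample headers are constructed for illustration; a production deployment would use a full confusables list and also handle punycode (IDN) domains.

```python
"""Sender-domain check for incoming mail: flags lookalike domains and
display-name spoofing. Added illustration; the allowlist, the confusables
table and the sample headers below are constructed, not real data."""
import re
import unicodedata
from email.utils import parseaddr

# Constructed allowlist of domains the organisation and its vendors really use.
TRUSTED_DOMAINS = {"business.com", "vendor-supplies.com"}

# Illustrative confusable substitutions (assumption: not an exhaustive table).
# Applied in order so multi-character sequences are folded before single ones.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "i"), ("l", "i")]


def skeleton(domain: str) -> str:
    """Reduce a domain to a skeleton so visually similar spellings collide."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # strip accents
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def classify_sender(from_header: str) -> dict:
    """Score a From: header value.

    verdict: 'trusted'   - exact allowlist match
             'lookalike' - skeleton within edit distance 1 of a trusted domain
             'external'  - anything else (including unparseable senders)
    display_name_spoof: True when the display name carries an address at a
    trusted domain but the real sender domain is not trusted.
    """
    display, addr = parseaddr(from_header)
    domain = domain_of(addr)
    finding = {"address": addr, "domain": domain, "display_name_spoof": False}

    if domain in TRUSTED_DOMAINS:
        finding["verdict"], finding["closest"] = "trusted", domain
    else:
        sk = skeleton(domain)
        closest = min(TRUSTED_DOMAINS, key=lambda t: edit_distance(sk, skeleton(t)))
        dist = edit_distance(sk, skeleton(closest))
        finding["closest"] = closest
        finding["verdict"] = "lookalike" if domain and dist <= 1 else "external"

    # Display-name spoofing: a trusted-looking address embedded in the display name.
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", display)
    if (embedded and embedded.group(1).lower() in TRUSTED_DOMAINS
            and domain not in TRUSTED_DOMAINS):
        finding["display_name_spoof"] = True
    return finding


if __name__ == "__main__":
    # Constructed sample headers: one genuine, two lookalikes, one display-name spoof.
    for hdr in ["Jane Doe <jane@business.com>",
                "Jane Doe <jane@buslness.com>",
                '"Jane Doe <jane@business.com>" <jd@mail.example>',
                "Parts Desk <orders@vendor-suppl1es.com>"]:
        print(hdr, "->", classify_sender(hdr))
```

A verdict of "lookalike" or a display-name spoof is a good trigger for quarantining the message or at least tagging it with an external-sender banner before it reaches the finance team; the exact allowlist match is deliberately checked first so that a trusted domain is never mis-scored by its own skeleton.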
Types of Business Email Compromise Attacks
The FBI has defined 5 primary types of BEC scams:
- CEO Fraud: Capitalizing on the hierarchy within a company, CEO fraud occurs when the attacker poses as the CEO and prompts the recipient to take some monetary action, such as closing a business deal, making the next payment installment, or sending funds to an outside vendor or partner for some other seemingly legitimate reason.
- False Invoice Scam: This attack is difficult to detect because the attacker poses as one of the organization’s real suppliers, using an otherwise identical invoice template with the bank details switched to an account set up by the attackers.
- Attorney Impersonation: In this often time-sensitive and confidential request, the attacker poses as an attorney and preys on the fact that low-level employees are likely to comply with a request for funds when they have no way to validate it, so independent verification never happens.
- Account Compromise: In this attack, bad actors gain access to an account and request invoice payments from customers after changing the payment details to a bank account under their control.
- Data theft: Rather than a financial objective, a data theft attack targets finance or HR employees with a goal of stealing sensitive information about an organization’s employees.
How Do You Prevent BEC Attacks?
- Multi-factor authentication: One of the best ways to guard against business email compromise attacks is by enabling multi-factor authentication (MFA) on all your devices and accounts. Find instructions on how to enable MFA through Microsoft’s Authenticator app here.
- Dual authorization: Establish guidelines within your organization to require two levels of approval before payments are authorized.
- Security Awareness Training: Security awareness training is a great way to educate employees across the company. Through a series of simulated phishing tests, personnel learn to identify subtle grammar mistakes, unusual greetings, and other common red flags that may indicate a phishing email.
- Stay Alert: A sudden increase in LinkedIn profile views of your staff from an unfamiliar foreign company can be a sign that an attack on your network is being prepared; such reconnaissance is often followed by a series of attacks against the business network.
- Keep Sensitive Data Private: A good rule of thumb is to avoid posting sensitive information publicly online, such as your birth date, location, or travel plans.
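The false-invoice and account-compromise scams above both succeed by changing the bank details on an otherwise routine payment, and the dual-authorization control only helps if the two approvals are genuinely independent. The following added example, which is not code from the original article, shows what such a payment-release check looks like in practice: a request is held when the bank account differs from the one on file for the vendor and that change has not been confirmed by a call-back to the vendor's phone number already on record, and any payment at or above a threshold needs two approvers who are both distinct from the requester. The Vendor and PaymentRequest records, the threshold and the sample data are all constructed assumptions.

```python
"""Payment-release check combining bank-detail change verification with dual
authorization. Added illustration; the data model, threshold and samples are
constructed assumptions, not the article's or any product's code."""
from dataclasses import dataclass, field


@dataclass
class Vendor:
    name: str
    iban: str            # bank account on file (constructed value)
    callback_phone: str  # number on file, used to confirm any change out-of-band


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    iban: str                       # account the invoice asks to be paid into
    requested_by: str               # user id of the person submitting the payment
    approvals: list = field(default_factory=list)  # user ids who approved
    change_verified_by_callback: bool = False     # finance called the number on file


def review_payment(req: PaymentRequest, vendors: dict, dual_threshold: float = 10_000.0):
    """Return ('release', []) or ('hold', [reasons]) for a payment request.

    The reasons are accumulated rather than short-circuited so a reviewer sees
    every control the request failed, not only the first one.
    """
    reasons = []
    vendor = vendors.get(req.vendor)

    if vendor is None:
        reasons.append("vendor is not on the approved supplier list")
    elif req.iban != vendor.iban and not req.change_verified_by_callback:
        # A changed account that was confirmed only by replying to the email
        # is exactly the false-invoice pattern; the call-back must use the
        # phone number already on file, never one supplied in the request.
        reasons.append("bank details differ from record and were not verified "
                       f"by call-back to {vendor.callback_phone}")

    # Dual authorization: the requester cannot count as one of the approvers,
    # and the same person approving twice does not count as two.
    independent_approvers = set(req.approvals) - {req.requested_by}
    if req.amount >= dual_threshold and len(independent_approvers) < 2:
        reasons.append("amount requires two approvers distinct from the requester")

    return ("release" if not reasons else "hold", reasons)


# Constructed sample vendor record.
VENDORS = {"Acme Parts": Vendor("Acme Parts", "GB00TEST00000000000001", "+44 20 0000 0000")}

if __name__ == "__main__":
    routine = PaymentRequest("Acme Parts", 2_500, "GB00TEST00000000000001", "alice")
    switched = PaymentRequest("Acme Parts", 48_000, "GB00TEST00000000000099", "alice",
                              approvals=["alice", "bob"])
    print(review_payment(routine, VENDORS))   # released: same account, under threshold
    print(review_payment(switched, VENDORS))  # held: changed account + only one true approver
```

The point of keeping the call-back number on the vendor record, rather than taking it from the invoice, is that a compromised or spoofed supplier mailbox can supply any phone number it likes; the control is only as independent as the channel used to verify it.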