Business email compromise definition

Business email compromise (BEC) refers to targeted, email-based cyberattacks that seek to trick victims into exposing company information or systems access, handing over money, or performing other acts that harm the business. Better researched and more carefully crafted than standard, indiscriminate phishing emails, BEC attacks typically have specific targets, personalized and grammatically correct wording, and seemingly genuine but often time-critical instructions that make them more believable to recipients.

“Despite recent headlines being dominated by ransomware, it’s important not to forget about the security threat still posed by BEC attacks,” Jed Kafetz, head of pen testing at Redscan, tells CSO. “They remain a highly popular vector used by cybercriminals and are increasingly challenging to detect.”

Business email compromise statistics

According to the FBI’s 2020 Internet Crime Report, 19,369 BEC complaints were made in 2020, resulting in losses of $1.8 billion. Though this represented a 19% decrease in BEC victims compared to the previous year, the total amount lost increased 5% year-over-year and the average loss per victim increased 29% year-over-year.

What is the primary goal of business email compromise?

As with all phishing attacks, the aim of BEC is to deceive people into thinking they have received a legitimate business-related email and to convince them to do something they believe is good or necessary for the company.

How business email compromise works

When BEC first rose to prominence a few years ago, the ‘gold standard’ attack method focused on spoofing the email address of a C-level executive (often the CEO) and sending an urgent payment request to somebody in the finance department for the wiring of funds to a trusted “supplier’s” bank account. Though this would be an unusual payment outside of standard procedures, the combination of the seemingly genuine email address, personalized wording (e.g., the recipient’s first name) and a quick note along the lines of “whilst not our usual practice, due to an unforeseen error, this payment fell through the cracks and needs paying right away” would, rather easily, create a scenario convincing enough to be processed. Of course, the account belongs to the fraudster, and by spending the time to research the C-level exec, their finance colleague and even the supplier, the attacker could potentially net a hefty sum of money. Once the payment goes through, the money is notoriously difficult to track and recover, and normally ends up in the fraudster’s pocket. Over time, BEC attacks have become more diverse and more sophisticated as attackers continue to pursue and exploit specific business-related targets for malicious gain.

How business email compromise is evolving

“Employees working in finance departments still tend to be at the greatest risk of being targeted by BEC attacks, but attacks against IT, HR and sales teams are also increasingly common,” says Kafetz. He notes that BEC attacks now often leverage cloud-based infrastructure and services to host landing pages designed to lure targets into disclosing password credentials. “Attackers know that trusted services such as SharePoint can prove troublesome to block, so they focus on ensuring emails and accompanying payloads are able to evade firewall policies,” he says. “Once they’ve been successful in compromising mailboxes, attackers act slowly and methodically to avoid arousing suspicion. To eavesdrop on their targets, they will often create email rules which automatically send copies of communications to a third-party inbox – information that is used to inspire fraudulent requests.”

There has been notable advancement in how fraudsters collect and use information in BEC attacks, says Jack Chapman, vice president of threat intelligence at Egress. “Open-source intelligence is a gold mine for attackers looking to craft highly sophisticated BEC email campaigns. There’s been a vast increase in the information that is available about individuals and organizations online, and attackers can easily gain access to this through social media platforms and company websites.”

What makes this trend even more concerning is how attackers are now combining this information with advanced automation tools, Chapman adds. “This powerful combination enables hackers to create automated email campaigns that utilize personal information and social engineering tactics to create devastating and highly sophisticated attacks on organizations and the individuals in them.”

The COVID-19 pandemic and the resulting shift to remote working have had a notable impact on current BEC attack trends too, adds Brian Honan, founder of BH Consulting. “With lots of people working remotely, criminals are using personal email services to impersonate staff so that requests to payroll or accounts payable to change bank account details for salary or expense payments may not look suspicious,” he says. “They are also using this method to try to impersonate small businesses that supply larger organizations. We have seen criminals use the pretext that the small company’s email server can’t be accessed remotely so they are using personal email addresses instead.”

In fact, some criminals are so keen to make a quick buck that they spoof emails asking unsuspecting colleagues to purchase gift cards and send them the details, to be passed on to staff or clients as rewards or signs of thanks that can’t be handed over in person due to social distancing, Honan says. “They ask for physical cards to be purchased rather than virtual ones, as the virtual ones can be cancelled quicker. The victim is asked to send pictures of the front and back of the card with the CVV number exposed so the criminal can use them themselves.”

The impact of business email compromise

There is no upper limit to how much havoc a BEC attack can cause an organization. However, its purpose may not be limited to merely stealing funds, warns Jason Soroko, CTO at Sectigo. “On occasion, criminals might deploy sophisticated BEC attacks to gain access to competitive secrets, which they then sell to the highest bidder. Even worse, they could be deploying BEC tactics to gain entry into the system and plant malware, which might bring the entire system down, costing the company severe losses both financially and in terms of customer confidence and even compliance impact,” he says.

Business email compromise prevention

The financial and reputational damage that BEC attacks can inflict should serve as a clear incentive for organizations to have effective prevention and mitigation strategies in place. For Chapman, this requires a two-pronged approach that combines advanced technology with employee education.

“Many organizations still rely on legacy technology such as secure email gateways or newer tools that rely solely on social graphing technology, both of which are inadequate in the face of highly sophisticated campaigns,” says Chapman. “Instead, organizations need human layer security solutions that are built on zero-trust models and use linguistic analysis, as well as machine learning and social graphing, to prevent the most advanced attacks.” He also recommends educating employees on the dangers of sharing data freely online, how to spot BEC attacks, and the latest tactics attackers are using.

Kafetz advocates the use of multi-factor authentication (MFA), especially across the types of key accounts BEC attackers tend to target. “MFA is relatively straightforward to implement and is an important control if user passwords are stolen,” he says. “Also, while it may sound antiquated, having manual processes in place to verify payment requests is another important safeguard that few companies enforce consistently. Since it’s not always immediately obvious to the recipient that a BEC communication is malicious, calling someone to confirm a payment or change in bank account details will immediately help to identify and shut down any attempted scam.”

Email signing is another technique that can prove effective against BEC attacks, says Soroko, because it clearly shows where the email actually came from and ensures that the content of the email hasn’t changed. “The technology behind email signing has come a long way in a short time and you need to learn how you can now utilize it in ways you couldn’t in the past,” he says, adding that training, while necessary, isn’t enough by itself. “That’s one of the reasons why a layer of security such as email signing is important, because it can be included in the training and become part of promoting safe behaviors.”
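The auto-forwarding inbox rules Kafetz describes above are one of the few BEC artifacts a defender can look for directly, and a periodic rule audit complements the MFA and manual-verification controls discussed in this section. As an added example that is not part of the article or from any of the vendors quoted in it, the Python below audits a constructed export of mailbox rules and flags rules that copy mail outside the organization, delete the original after forwarding, or carry a near-empty name (that last check is an added heuristic, not something the article states). The field names, mailboxes and domains are assumptions made for the example.

```python
import json

# Constructed sample: an export of inbox rules in roughly the shape a mailbox-rule
# audit produces. Every mailbox, address and domain below is invented.
INTERNAL_DOMAINS = {"example-corp.com"}

SAMPLE_RULES_JSON = """[
 {"mailbox": "cfo@example-corp.com", "name": "Team updates",
  "forward_to": ["assistant@example-corp.com"], "redirect_to": [], "delete_message": false},
 {"mailbox": "cfo@example-corp.com", "name": ".",
  "forward_to": ["archive.mail@free-mail.example"], "redirect_to": [], "delete_message": false},
 {"mailbox": "ap-clerk@example-corp.com", "name": "Invoices",
  "forward_to": [], "redirect_to": ["invoices@free-mail.example"], "delete_message": true},
 {"mailbox": "hr@example-corp.com", "name": "Out of office",
  "forward_to": [], "redirect_to": [], "delete_message": false}
]"""

def is_external(address: str) -> bool:
    """True when the address's domain is not one the organization owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS

def audit_rule(rule: dict) -> list[str]:
    """Reasons a single rule looks like BEC-style eavesdropping (empty if clean)."""
    reasons = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = [t for t in targets if is_external(t)]
    if external:
        reasons.append("copies mail to external address(es): " + ", ".join(external))
    if rule.get("delete_message") and targets:
        # Forward-then-delete keeps the mailbox owner from noticing the copy.
        reasons.append("deletes the original after forwarding/redirecting")
    if len(rule.get("name", "").strip()) <= 1:
        # Heuristic (an assumption, not from the article): attacker-created rules
        # are often given a single-character name so they are easy to overlook.
        reasons.append("near-empty rule name")
    return reasons

def audit_rules(rules_json: str) -> dict[str, list[str]]:
    """Map 'mailbox:rule name' -> reasons, for every rule that trips a check."""
    findings = {}
    for rule in json.loads(rules_json):
        reasons = audit_rule(rule)
        if reasons:
            findings[f"{rule['mailbox']}:{rule['name']!r}"] = reasons
    return findings

if __name__ == "__main__":
    for key, reasons in audit_rules(SAMPLE_RULES_JSON).items():
        print(key, "->", "; ".join(reasons))
```

On the sample data the two legitimate rules pass and the two eavesdropping-style rules are reported with their reasons; in production the rule export would come from the mail platform's admin tooling and INTERNAL_DOMAINS from the organization's verified domains.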