Business Email Compromise (BEC): Examples, Process, and Defensive Measures

Q: How to Recognize a BEC Email?

Here are common elements a BEC email can include: - Time sensitivity—actors launching a BEC attack strive to get the target to act quickly before they realize they are being scammed. To achieve this goal, the actor uses words like ‘quick,’ ‘urgent,’ ‘important,’ ‘soon,’ and ‘reminder.’ These words usually appear in the subject line but can also appear inside the email. - Authoritative sender—BEC attacks require the actor to impersonate someone authoritative, such as the CEO or CFO. - Thorough impersonation—BEC emails can impersonate legitimate senders using various tactics, such as imitating the person’s writing style or spoofing their email address. - Justifying the request—threat actors might try to make an unusual request seem legitimate by providing some reason for making the request. This tactic can convince the target to act quickly before realizing it’s a scam. - Specific instructions—threat actors launching BEC attacks usually provide clear instructions. For example, they might specify the amount of money to send and the location to make the request seem more legitimate. This information might be included in the initial email or a follow-up email after the target replies. - Requests not to contact the sender—threat actors try to prevent their target from reaching out to the impersonated person using another communication channel. The goal is to ensure the target does not realize that the email is fake. Threat actors do this by instructing the victim not to contact the sender or attempt to confirm the request with others.

What Is Business Email Compromise (BEC)?

Business email compromise (BEC) is a phishing scam involving a corporate email account, in which a threat actor attempts to manipulate a target into wiring funds or revealing sensitive information. Typically, the threat actor impersonates or compromises an email account belonging to an executive, like a company’s CEO.

A BEC attack relies on social engineering and spear phishing techniques, typically targeting individuals authorized to conduct purchasing, handle sensitive company information, or have other fiduciary responsibilities.

This is part of an extensive series of guides about hacking.

In this article

Real-World Examples of Business Email Compromise Attacks

Facebook and Google

Between 2013 and 2015, a BEC scam successfully tricked Google and Facebook into transferring money to the scammer’s bank account. In 2019, Evaldas Rimasauskas, the man behind the attack, was sentenced to 5 years in prison. However, the tech giants lost around $121 million during this period.

Rimasauskas and his associates set up a fake company called Quanta Computer, using the same name as a legitimate hardware supplier. They presented Google and Facebook with legitimate-looking invoices, which the companies paid to bank accounts controlled by Rimasauskas. They also created fake lawyers’ letters and contracts to ensure their bank accepted these transfers.

State of North Rhine-Westphalia

North Rhine-Westphalia, a western German state, was targeted by threat actors during the COVID-19 pandemic. During this time, healthcare institutions worldwide faced unprecedented pressure, fraud became more common, and North Rhine-Westphalia fell prey to an intricate BEC campaign that collected $14.7 million.

The threat actors cloned the website of a real supplier of protective equipment from Spain. They compromised the supplier’s email and used it to contact officials from the German health authority, who purchased what they assumed was equipment from a real company, wiring the money to the specified accounts.

Once the actors received the money, they quickly moved it from Europe to Nigeria and escaped immediate consequences. Fortunately, the Interpol and German authorities intervened, and the money was eventually refunded to the health authority.

Toyota

In 2019, the Japanese Toyota Boshoku Corporation was targeted by a BEC attack that stole $37 million. The actors tricked an employee into transferring the sum from the company’s European subsidiary. Because of the company’s massive size, the actors could request this sum without seeming conspicuous. It was the third attack Toyota experienced that year.

Obinwanne Okeke

In February 2021, Obinwanne Okeke, previously a celebrated entrepreneur, was sentenced to 10 years in prison due to his involvement in a BEC scheme that resulted in $11 million in losses to his victims. Okeke used phishing emails to obtain the credentials of various business executives, using this information for BEC attacks.

These BEC attacks were one part of other cybercrimes and frauds. Okeke created fraudulent web pages to continue manipulating his victims, transferring the stolen money directly into overseas accounts. As a result, local law enforcement was not able to aid in recovering these funds.

Treasure Island

Recent data from the FBI’s Internet Crime Complaint Center (IC3) shows that BEC rates have risen in the past several years. As a result, even law enforcement agencies struggle to handle all of the BEC incidents reported by companies.

In June 2021, a charity located at Treasure Island, San Francisco, fell prey to a month-long BEC attack that stole $625,000. The attack occurred when threat actors infiltrated the organization’s bookkeeper’s email system.

The threat actors found and manipulated a real invoice used by one of Treasure Island’s partner organizations. They used it to trick staff at Treasure Island into transferring a loan intended for the partner organization into the actor’s bank account. Unfortunately, the nonprofit did not have cybercrime insurance, and the US Attorney’s Office in San Francisco reportedly declined to investigate this incident.

Learn about preventing BEC attacks in our detailed whitepaper.

Tal Zamir
CTO, Perception Point

Tal Zamir is a 20-year software industry leader with a track record of solving urgent business challenges by reimagining how technology works.

TIPS FROM THE EXPERT

ML-based BEC/VEC protection: Protection against Business/Vendor Email Compromise is a critical capability given the popularity of this attack vector. Choose a solution that can dynamically detect business partners and vendors, and prevent social engineering/fraud emails from getting through.
Payment and information request verification protocol: Establish a company-wide protocol for verifying email requests involving financial transactions or sensitive information.
Include BEC threats in threat hunting efforts: Security teams should actively look for signs of BEC and similar advanced threats, analyzing network traffic, audit logs, and other anomalies.
Conduct simulated BEC attack drills: Provide security awareness training and conduct regular simulated BEC attacks within your organization. This helps employees recognize the signs of a BEC scam and educates them on how to respond.
Legal and financial process alignment: Ensure legal and financial processes include checks and balances that can detect and prevent BEC attacks. For example, requiring dual signatures for large transactions.

How to Recognize a BEC Email

BEC emails typically contain several lines of text and no links, images, or attachments. The threat actor attempts to manipulate the target to take a specific action, such as transferring funds to an account or granting access to protected systems or data, using very few lines.

Here are common elements a BEC email can include:

Time sensitivity—actors launching a BEC attack strive to get the target to act quickly before they realize they are being scammed. To achieve this goal, the actor uses words like ‘quick,’ ‘urgent,’ ‘important,’ ‘soon,’ and ‘reminder.’ These words usually appear in the subject line but can also appear inside the email.
Authoritative sender—BEC attacks require the actor to impersonate someone authoritative, such as the CEO or CFO.
Thorough impersonation—BEC emails can impersonate legitimate senders using various tactics, such as imitating the person’s writing style or spoofing their email address.
Justifying the request—threat actors might try to make an unusual request seem legitimate by providing some reason for making the request. This tactic can convince the target to act quickly before realizing it’s a scam.
Specific instructions—threat actors launching BEC attacks usually provide clear instructions. For example, they might specify the amount of money to send and the location to make the request seem more legitimate. This information might be included in the initial email or a follow-up email after the target replies.
Requests not to contact the sender—threat actors try to prevent their target from reaching out to the impersonated person using another communication channel. The goal is to ensure the target does not realize that the email is fake. Threat actors do this by instructing the victim not to contact the sender or attempt to confirm the request with others.

Attack Anatomy: How BEC Attacks Work

Stage 1: Picking the Right Target

During the first phase of a BEC attack, the threat actor chooses a target, trying to determine the chances of obtaining money by impersonating an executive and convincing the company’s staff to wire money. Threat actors typically target executives like CEOs, accounts payable staff, and lawyers to increase the chances of a successful BE attack.

Threat actors perform reconnaissance over days or weeks to choose the right target for the attack. They study and analyze the company they target through various techniques, such as tracking an individual’s Internet footprint.

An Internet footprint includes various information, such as personal information on social media sites, the employee’s general Internet presence, geological location, and other sensitive data about their activities. A larger footprint makes it easier for threat actors to impersonate the employee and launch a successful BEC attack.

Threat actors use this information to create and send extremely realistic fraudulent messages that include real information. The threat actor uses detailed specifications, personalization, and time sensitivity to make the malicious email seem more authentic.

Stage 2: Setting Up the Attack

BEC attacks attempt to send as believable and legitimate-looking messages as possible. Threat actors prepare for this attack by performing various activities, like spoofing email addresses, impersonating trusted vendors, creating lookalike domains, or taking over a legitimate email account belonging to the target’s colleague or manager.

Stage 3: Executing the Attack

Threat actors can execute a BEC attack in various ways, including:

Direct interaction—the actor manipulates the target by engaging with them. For example, sending an email to trick the target into clicking on a malicious URL or engaging with the sender.
Indirect interaction—BEC attacks do not always require direct interaction. For example, the target might open a document containing an infected file that opens a remote access tunnel (RAT), or download files from servers controlled by the actor.
Both parties interact—some attacks require the actor and the target to interact to create a long thread until achieving a final result, typically proceeding with a fraudulent monetary transaction.
Impersonation—BEC attacks might impersonate the target’s friends, coworkers, family members, or C-level executives. This attack often involves exploiting business processes the actor is familiar with through direct requests or using legitimate-looking documents.
Malicious software (malware)—threat actors can use commonly available software, like free or open source software, infecting them with malicious content. When actors use malware or ransomware, the target typically needs to take additional steps, such as paying a ransom to recover data or recovering systems from an encrypted state.

Stage 4: Dispersing Payments

Once the target wires the money, the threat actor quickly collects and spreads it across several accounts to reduce traceability and retrieval chances.

It is critical to respond rapidly to BEC attacks. Organizations that are slow to identify this attack are unlikely to recover the money.

Learn more about BEC attacks, here.

Types of Business Email Compromise (BEC) Scams

The FBI identifies the following five types of BEC attacks:

False invoice scam—the threat actor impersonates a vendor requesting payment for services rendered. This attack typically impersonates the target’s real supplier, using a realistic template with different bank account information.
CEO fraud—CEO fraud attacks exploit the power dynamics within the targeted company. The threat actor sends an email impersonating the CEO. The email instructs the recipient to take a specific action, such as sending sensitive information to a presumed partner or wiring money to supposedly close a deal.
Account compromise—this attack uses a compromised company email account to request invoice payments from the company’s customers, changing the payment details to transfer the money to the threat actor.
Attorney impersonation—low-level employees are likely to comply with requests from a legal representative or lawyer, as they do not know how to validate this request. This method can make the request seem confidential and time-sensitive, preventing independent verification.
Data theft—BEC attacks do not always target money. Some attacks attempt to steal data by targeting finance and HR staff to access sensitive information about the company’s employees. Threat actors can sell this information on the dark web or use it to plan and execute future attacks.

Basic BEC Protection Techniques

Here are commonly used BEC protection tools:

DomainKeys identified mail (DKIM)

This technology employs keys to prevent email spoofing by appending a signature to an outgoing email. Once the inbound server receives this email, the process checks the signature against the domain’s public key. If they match, the process allows the email to go through, and if there is no match, it blocks the mail.

Sender policy framework (SPF)

SPF technology checks an email that comes into a mail server against the approved email senders for this sender’s domain. The email is approved if there is a match between the approved mail exchanger and the actual one. If there is no authenticated match, the email is dropped to ensure it cannot reach employee inboxes.

Domain-based message authentication, reporting, and conformance (DMARC)

DMARC extends DKIM and SPF, enabling a domain owner to publish the domain’s requirements for email authentication. For example, it allows the domain owner to specify whether the domain uses SPF, DKIM, or both. It also defines what to do with an email when it fails authentication.

Although these techniques can significantly reduce the risk of spoofed emails entering employee inboxes, they are considered basic techniques for BEC protection nowaadays; Attackers are ever-evolving and the usage in advanced techniques is required in order to protect not only by validating the sender’s authenticity but also analyze the email content to determine possible malicious intent.

User Awareness and Training

Security training and awareness campaigns can help improve an organization’s defense against BEC attacks. Regular training facilitates better awareness, helping employees recognize, report, and respond to phishing attacks and malicious emails. Otherwise, unaware employees might trust all emails they receive and fall prey to malicious emails.

Protect against BEC attacks with Perception Point

Perception Point’s Advanced Threat Detection is powered by a multi-layered platform that identifies and intercepts any content-borne cyberattack, leveraging patented dynamic and static technologies that rapidly scan all files, URLs, and free text.

Perception Point’s Anti-BEC layer detects emails that do not necessarily include malicious files/URLs and provides protection of stakeholders and third-party assets.

The Anti-BEC layer uses various technologies for identifying spoofing and validating authenticity of the sender, analyzing language and tone, and analyzing and monitoring communication patterns to detect suspicious behavior. The layer implements advanced behavioral analysis algorithms, using data science and AI/ML.

Among the technologies that are used in this layer are VIP lists and name spoofing, domain spoofing protection, SPF, DKIM, DMARC checks, Domain look-a-like identification, lexical analysis, scoring mechanisms analyzing different vectors, automatic vendor learning, and more.

What Is Business Email Compromise (BEC)?

How to Recognize a BEC Email?

Here are common elements a BEC email can include:
– Time sensitivity—actors launching a BEC attack strive to get the target to act quickly before they realize they are being scammed. To achieve this goal, the actor uses words like ‘quick,’ ‘urgent,’ ‘important,’ ‘soon,’ and ‘reminder.’ These words usually appear in the subject line but can also appear inside the email.
– Authoritative sender—BEC attacks require the actor to impersonate someone authoritative, such as the CEO or CFO.
– Thorough impersonation—BEC emails can impersonate legitimate senders using various tactics, such as imitating the person’s writing style or spoofing their email address.
– Justifying the request—threat actors might try to make an unusual request seem legitimate by providing some reason for making the request. This tactic can convince the target to act quickly before realizing it’s a scam.
– Specific instructions—threat actors launching BEC attacks usually provide clear instructions. For example, they might specify the amount of money to send and the location to make the request seem more legitimate. This information might be included in the initial email or a follow-up email after the target replies.
– Requests not to contact the sender—threat actors try to prevent their target from reaching out to the impersonated person using another communication channel. The goal is to ensure the target does not realize that the email is fake. Threat actors do this by instructing the victim not to contact the sender or attempt to confirm the request with others.

How do BEC Attacks Work?

Stage 1: Picking the Right Target
Stage 2: Setting Up the Attack
Stage 3: Executing the Attack
Stage 4: Dispersing Payments

What are Types of Business Email Compromise (BEC) Scams?

The FBI identifies the following five types of BEC attacks:
– False invoice scam—the threat actor impersonates a vendor requesting payment for services rendered. This attack typically impersonates the target’s real supplier, using a realistic template with different bank account information.
– CEO fraud—CEO fraud attacks exploit the power dynamics within the targeted company. The threat actor sends an email impersonating the CEO. The email instructs the recipient to take a specific action, such as sending sensitive information to a presumed partner or wiring money to supposedly close a deal.
– Account compromise—this attack uses a compromised company email account to request invoice payments from the company’s customers, changing the payment details to transfer the money to the threat actor.
– Attorney impersonation—low-level employees are likely to comply with requests from a legal representative or lawyer, as they do not know how to validate this request. This method can make the request seem confidential and time-sensitive, preventing independent verification.
– Data theft—BEC attacks do not always target money. Some attacks attempt to steal data by targeting finance and HR staff to access sensitive information about the company’s employees. Threat actors can sell this information on the dark web or use it to plan and execute future attacks.

What are Some Basic BEC Protection Techniques?

– DomainKeys identified mail (DKIM)
– Sender policy framework (SPF)
– Domain-based message authentication, reporting, and conformance (DMARC)
– User Awareness and Training

See Our Additional Guides on Key Hacking Topics

Together with our content partners, we have authored in-depth guides on several other topics that can also be useful as you explore the world of hacking.