What is business email compromise?
Business email compromise attacks are impersonation scams. Attackers send emails that appear to come from a senior executive of the company or from one of its business partners in order to steal money. Sometimes the attack starts with the compromise of a legitimate business email account; more often it relies on a spoofed or lookalike sender address and plain social engineering.
For example, an attacker posing as the CEO tells an accounting employee to wire money to a supplier; the destination is in fact a bank account the attacker controls. In another type of BEC attack, attackers intercept invoices from suppliers and substitute their own account numbers for the supplier’s.
How does business email compromise work?
Business email compromise is a fraud in which attackers either take over a business email account or convincingly impersonate its owner with a spoofed or lookalike address. Their main goal is to use that identity to defraud the company, its employees, customers and/or partners. The attacker sends an email designed to trick the recipient into sending money or other resources, or into divulging confidential information.
Business email compromise examples
BEC attacks take many forms, limited only by the creativity and resourcefulness of criminals. A few of the most common BEC attacks include:
Spoofed emails to HR professionals asking that an employee’s direct deposit information be changed to an account controlled by a criminal.
Requests for forms of personally identifiable information such as:
- an employee’s social security number
- employee ID
- place or date of birth
- credit card account number or passport number
This information can subsequently be used to impersonate the individuals, access their resources or open credit accounts in their names.
6 most common types of business email compromise
The first and most familiar form of BEC is known as CEO fraud. A business leader’s email account is hacked or spoofed, and fraudulent emails are sent in his or her name instructing subordinates to wire payments immediately to accounts the attacker controls.
Accustomed to following instructions from senior business leaders without question, subordinates often comply without independently confirming the legitimacy of the transaction. Although called CEO fraud, these attacks are frequently made in the name of a senior financial executive such as the CFO.
BEC has since morphed into multiple variants, including these six:
CEO Fraud
CEO fraud is a spear phishing email attack. It’s when an attacker pretends to be a company’s CEO in order to trick employees into transferring money to a bank account owned by the attacker. This method can also be used in order to trick employees into divulging company or personal information to the attacker.
CFO Fraud
CFO fraud is the same type of attack as CEO fraud, except that the bad actor poses as the company’s CFO. Because the CFO normally authorizes payments, this broadens the kinds of financial transaction the attacker can plausibly ask for, and it makes the request itself more credible to finance staff.
Personal email compromise (PEC)
These attacks are similar to CEO fraud but spoof an executive’s personal email account. They can be even more convincing, since recipients may have received private emails from the executive before and may assume the account is legitimate.
Spoofed lawyer or real estate email accounts
In these attacks, a criminal impersonates one party to a sizable financial transaction by spoofing that party’s email address. The transactions often involve real estate, but sometimes other commercial deals. The messages often include genuine transaction details gleaned through social engineering or a computer intrusion, which makes them convincing. The criminal then instructs the recipient to change previously agreed payment information, for instance the destination bank or account number of a wire transfer. Any such change should be confirmed out of band, by calling a number already on file rather than one supplied in the email.
Requests for W-2 information
Instead of asking for cash, the cybercriminal (posing as a senior employee) asks an HR professional for an employee’s W-2 data. Given this data, the criminal may attempt to file fraudulent income tax returns in the victim’s name and appropriate the victim’s refunds. They may also use the victim’s Social Security number and other data to pursue other fraudulent activities that might not be uncovered until the victim’s credit is ruined.
Gift card fraud
In this variant of CEO fraud, a criminal impersonating an executive asks an assistant to buy multiple gift cards, supposedly as employee rewards. In the interest of rewarding staff as quickly as possible, the phony “executive” asks for the card numbers and PINs (often as photographs of the scratched-off backs) rather than the physical cards, then uses those codes to drain the cards before the fraud is noticed.
How to protect against business email compromise?
Align people, processes and technology to prevent costly BEC fraud
According to the FBI’s Internet Crime Complaint Center (IC3), business email compromise was the costliest internet crime of 2020, accounting for about 44% of the $4.1 billion in US losses reported that year. It gets worse: half of the security executives surveyed by Mimecast said BEC attacks using impersonation fraud rose in 2020. BEC gives attackers a high return on low-tech attacks that carry no payload other than social-engineered text. Cybercriminals now use careful reconnaissance of the target organization to divert legitimate payroll or vendor payments, and by the time the fraud is discovered the money is usually long gone.
To outsmart BEC attackers, combine better human awareness with more sophisticated machine learning, threat detection and integration. Mimecast’s comprehensive business email compromise solutions can help.
Implement a complete, holistic strategy for reducing business email compromise (BEC) risk
Leverage Mimecast’s AI-based Brand Exploit Protect and DMARC Analyzer to monitor and respond to malicious brand impersonation attacks on the web and through email.
- Give employees the knowledge and training they need to resist BEC fraud.
- Support your team with technology that analyzes every email for BEC risk, in real time.
- Stop emails that rely on domain spoofing before they reach employees or partners.
Systematically analyze every inbound email for business email compromise (BEC) risk before it’s delivered
Most BEC attacks impersonate real people or organizations: executives, colleagues, partners, customers, lawyers. Inbound BEC fraud may originate from a compromised account, a spoofed domain or a lookalike domain the attacker registered. Attackers rely on lengthy reconnaissance to make the emails appear realistic, so even vigilant employees need technology to help prevent such attacks. Mimecast’s cloud-based Secure Email Gateway with Targeted Threat Protection safeguards them, no matter what cloud or on-premises email platform is used.
With Mimecast’s Impersonation Protect service, every inbound message is analyzed in real time. It scans for signs of risk, from sender spoofing to suspicious international characters or body content. Email administrators have granular control over how risky messages are handled. They also get centralized tools for managing, reporting, and uncovering attacks. Plus, using Mimecast’s unmatched library of off-the-shelf integrations and open APIs, threat intelligence can be shared instantly across your security stack. This empowers all security systems to respond more quickly and effectively.
Prevent business email compromise
The DMARC authentication standard has rapidly matured into a key element of a layered defense against BEC. A domain owner publishes a DMARC record in DNS stating what receivers should do (monitor only, quarantine or reject) with mail whose visible From domain is not backed by an aligned SPF or DKIM result. Applied to your own domains, DMARC helps protect employees against BEC phishing that appears to originate inside your organization but was actually crafted by distant criminals, and it helps protect business partners against fraudulent emails that look like they came from your organization, so criminals cannot use your name to divert payments. One caveat a practitioner should keep in mind: DMARC only covers exact spoofing of a protected domain. Messages sent from a lookalike domain the attacker registered, or from a legitimate account the attacker has compromised, authenticate correctly and must be caught by impersonation and content analysis instead.
With Mimecast’s 100% SaaS-based DMARC Analyzer, applying DMARC is finally practical. It is a valuable complement to Mimecast Secure Email Gateway with Targeted Threat Protection. It helps organizations authenticate their email more reliably, identify every sender legitimately using their domains and, once the policy is moved from monitoring (p=none) to quarantine or reject, block delivery of unauthenticated messages from those domains. Many BEC attacks that rely on domain spoofing can then be halted before they arrive on employees’ devices or those of third-party partners.
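To make the DMARC mechanism concrete, here is an added example (not Mimecast’s DMARC Analyzer or any other product code) that takes the SPF and DKIM results a receiving gateway already has and derives the DMARC verdict and disposition. The DNS records, domains and authentication results are constructed for the example; the organizational-domain logic assumes a one-label public suffix, whereas a real implementation consults the Public Suffix List.

```python
"""Derive a DMARC verdict from SPF/DKIM results. Added example, not vendor code."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed stand-in for DNS: the TXT record published at _dmarc.<domain>.
# example.com enforces reject with strict DKIM alignment; example.net only monitors.
DNS_TXT = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none; rua=mailto:dmarc@example.net",
}


def org_domain(domain: str) -> str:
    """Organizational domain. Simplified assumption: one-label public suffix."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dmarc(txt: str) -> dict:
    """Parse 'tag=value; ...' into a dict and apply the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a DMARC record")
    tags.setdefault("adkim", "r")     # relaxed DKIM alignment unless stated
    tags.setdefault("aspf", "r")      # relaxed SPF alignment unless stated
    tags.setdefault("sp", tags["p"])  # subdomain policy inherits p
    return tags


def lookup_policy(header_from: str) -> Tuple[Optional[dict], bool]:
    """Record for the From domain, falling back to its organizational domain.
    Returns (record, applies_as_subdomain_policy)."""
    txt = DNS_TXT.get("_dmarc." + header_from.lower())
    if txt:
        return parse_dmarc(txt), False
    org = org_domain(header_from)
    if org != header_from.lower():
        txt = DNS_TXT.get("_dmarc." + org)
        if txt:
            return parse_dmarc(txt), True
    return None, False


def aligned(header_from: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed only the
    same organizational domain."""
    if mode == "s":
        return header_from.lower() == auth_domain.lower()
    return org_domain(header_from) == org_domain(auth_domain)


@dataclass
class AuthResults:
    header_from: str   # domain in the visible From: header
    spf_result: str    # "pass", "fail", "none", ...
    spf_domain: str    # RFC5321.MailFrom domain SPF was evaluated for
    dkim_result: str
    dkim_domain: str   # d= of the verified DKIM signature, "" if none


def dmarc_disposition(r: AuthResults) -> Tuple[str, str]:
    """Return (dmarc_result, action). DMARC passes when either authenticated
    identifier aligns with the From domain; otherwise the published policy applies."""
    record, is_sub = lookup_policy(r.header_from)
    if record is None:
        return "none", "deliver"  # no record: DMARC offers no protection here
    spf_ok = r.spf_result == "pass" and aligned(r.header_from, r.spf_domain, record["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.header_from, r.dkim_domain, record["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    policy = record["sp"] if is_sub else record["p"]
    return "fail", {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")


# Constructed scenarios (assumed domains and results).
SPOOFED_CEO = AuthResults("example.com", "pass", "attacker.example.org", "none", "")
LEGIT_INTERNAL = AuthResults("example.com", "pass", "bounce.example.com", "pass", "mail.example.com")
SPOOFED_SUBDOMAIN = AuthResults("hr.example.com", "fail", "hr.example.com", "none", "")
MONITOR_ONLY = AuthResults("example.net", "fail", "example.net", "none", "")
LOOKALIKE = AuthResults("examp1e.com", "pass", "examp1e.com", "pass", "examp1e.com")

if __name__ == "__main__":
    for label, res in [("spoofed CEO", SPOOFED_CEO), ("legit internal", LEGIT_INTERNAL),
                       ("spoofed subdomain", SPOOFED_SUBDOMAIN), ("monitor only", MONITOR_ONLY),
                       ("lookalike domain", LOOKALIKE)]:
        print(f"{label:18} -> {dmarc_disposition(res)}")
```

The legitimate-internal case shows why alignment mode matters: the DKIM signature for mail.example.com fails strict alignment, but the relaxed SPF result for bounce.example.com still yields a pass. The lookalike case returns "none": a domain the attacker registered has no policy to enforce, which is exactly the gap the gateway’s impersonation analysis has to cover.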
Stop business email compromise with Mimecast
To prevent BEC attacks, security teams need to integrate multiple proven methods. A comprehensive BEC solution leverages threat feeds, email authentication protocols, and advanced AI-driven detection capabilities. To confidently identify anomalies and any suspicious email, Mimecast’s advanced email security includes authentication protocols, reputation checks, threat feeds, proprietary signatures, and AI to stop attacks at the point of detection. But with Mimecast, AI is more than just a last line of defense. Billions of signals across our platform strengthen our AI detection to continuously identify and block advanced BEC attacks, adapting to evolving threats.
Our protection doesn’t stop there. Mimecast’s unified detection capabilities protect against any type of email-based attack – not just BEC.
Advanced BEC (Business Email Compromise) use cases
Defend against BEC threats: Eliminate BEC threats by identifying anomalous activity and building a social graph of user interactions. Organizations can analyze risky phrases and semantic intent to determine an email’s purpose.
Comprehensive BEC protection: Defending against BEC threats cannot rely solely on AI to identify patterns and abnormalities. It requires an approach that combines AI with proven indicators from signatures and threat feeds. This ensures attacks are stopped at the point of detection rather than relying solely on AI as the last line of defense.
Understand what is blocked and why: Being able to easily triage a BEC detection is important. Every detection from Mimecast’s Advanced BEC Protection lists not only the policy that triggered the detection but also the risky characteristics that led to the verdict. As a result, administrators spend less time determining the cause.
Policy modelling made simple: Constantly tuning BEC policies is unsustainable. Through the historical analysis of messages, identify the impact of a policy change and determine the potential messages caught via each level of sensitivity.
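The real-time analysis described above (sender spoofing, suspicious international characters, risky body content) and the use cases just listed (a social graph of who normally writes to whom, risky phrases, replaying history to model a policy’s sensitivity) can be illustrated with a small scorer. This is an added example, not Mimecast’s Impersonation Protect or Advanced BEC Protection logic: the organization directory, VIP names, phrase list, weights, sensitivity thresholds and sample messages are all constructed for the example.

```python
"""Score inbound messages for BEC impersonation signals and model sensitivity levels.
Added example; not vendor detection logic. Names, weights and samples are assumptions."""
import re
import unicodedata
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

OWN_DOMAINS = {"example.com"}                # constructed: the protected organisation
VIP_NAMES = {"jane doe", "john smith"}       # constructed: most-impersonated people

# Constructed phrases typical of BEC lures; not a vendor signature set.
RISKY_PHRASES = [
    r"\bwire (transfer|the funds)\b",
    r"\bgift cards?\b",
    r"\bupdated? (our|the) (bank|account|payment) (details|information)\b",
    r"\bdirect deposit\b",
    r"\bw-?2\b",
    r"\burgent(ly)?\b",
    r"\bconfidential\b",
    r"\bare you available\b",
    r"\bbefore (end of day|eod|close of business)\b",
]


@dataclass
class Message:
    from_name: str
    from_addr: str
    reply_to: Optional[str]
    subject: str
    body: str


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (example.co, examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def suspicious_characters(addr: str) -> bool:
    """True if the address has non-ASCII letters or mixes scripts, e.g. a
    Cyrillic 'а' standing in for Latin 'a' (homoglyph lookalike)."""
    scripts = {unicodedata.name(ch, "?").split(" ")[0] for ch in addr if ch.isalpha()}
    return len(scripts) > 1 or any(ord(ch) > 127 for ch in addr)


def score(msg: Message, known_correspondents: Set[str]) -> Tuple[int, List[str]]:
    """Return (risk score, reasons). known_correspondents is the recipient's
    social graph: addresses they have exchanged mail with before."""
    reasons: List[str] = []
    total = 0
    d = domain(msg.from_addr)
    if msg.from_name.strip().lower() in VIP_NAMES and d not in OWN_DOMAINS:
        total += 40
        reasons.append("display name matches an executive but sender domain is external")
    lookalike = [o for o in OWN_DOMAINS if 0 < levenshtein(d, o) <= 2]
    if lookalike:
        total += 30
        reasons.append(f"sender domain {d!r} is a lookalike of {lookalike[0]!r}")
    if suspicious_characters(msg.from_addr):
        total += 25
        reasons.append("non-ASCII or mixed-script characters in sender address")
    if msg.reply_to and domain(msg.reply_to) != d:
        total += 20
        reasons.append("Reply-To domain differs from From domain")
    if msg.from_addr.lower() not in known_correspondents:
        total += 10
        reasons.append("first contact: no prior correspondence with this sender")
    text = f"{msg.subject}\n{msg.body}".lower()
    hits = [p for p in RISKY_PHRASES if re.search(p, text)]
    if hits:
        total += 10 * len(hits)
        reasons.append(f"{len(hits)} risky phrase(s) in subject/body")
    return total, reasons


SENSITIVITY = {"low": 60, "medium": 40, "high": 20}  # minimum score that triggers the policy


def model_policy(history: List[Message], known: Set[str]) -> Dict[str, int]:
    """Replay historical messages and count how many each sensitivity level would catch."""
    scores = [score(m, known)[0] for m in history]
    return {level: sum(1 for s in scores if s >= th) for level, th in SENSITIVITY.items()}


# Constructed sample traffic: four lures and one legitimate internal message.
KNOWN = {"jane.doe@example.com", "john.smith@example.com"}
HISTORY = [
    Message("Jane Doe", "janedoe.ceo@webmail.example.net", None, "Urgent wire transfer request",
            "Are you available? I need you to wire the funds to a new vendor before end of day. Keep this confidential."),
    Message("John Smith", "john.smith@example.co", None, "Updated payment information",
            "Please update the bank details for supplier payments going forward."),
    Message("Jane Doe", "jane.doe@example.com", None, "Q3 offsite agenda",
            "Attached is the draft agenda. Let me know if you want changes."),
    Message("Jane Doe", "jane.doe@ex\u0430mple.com", None, "Quick favour",   # Cyrillic a (U+0430)
            "Can you buy gift cards for the team today? Send me the codes."),
    Message("Jane Doe", "jane.doe@example.com", "jane.doe.ceo@mail.example.org", "In a meeting",
            "Are you available? I need a wire transfer processed urgently."),
]

if __name__ == "__main__":
    for m in HISTORY:
        print(score(m, KNOWN))
    print(model_policy(HISTORY, KNOWN))
```

Each verdict comes with the list of characteristics that produced it, which is what makes triage quick, and `model_policy` answers the tuning question without touching production policy: with these samples a "low" sensitivity catches three of the five messages, "medium" and "high" catch four, and the genuine agenda email scores zero at every level.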
Business Email Compromise FAQs
What is a business compromise email?
Business email compromise is when an attacker obtains access to an email account to send and receive emails fraudulently. They’re pretending to be the email account’s owner.
What is the difference between phishing and BEC?
A phishing attack can come from any source. It does not rely on there being a connection between the sender and recipient of the email. In BEC, the attacker is pretending to be someone the recipient either knows well or works with at the same company. BEC exploits the trust people have in their company and the security of its email systems.
Why is business email compromise such a problem?
The main factor that sets business email compromise apart from other attacks is the trust that employees put into their email systems. It banks on how easily that trust can be exploited by attackers who have taken over a business email account. That trust can lead to more potent attacks that result in greater financial losses than the average email-based attack.
How much does business email compromise cost?
BEC attack frequency doubled in 2023. That has led to increased costs to the organizations that are being attacked. According to FBI IC3 data, the average cost of a successful business email compromise attack is over $125,000.
In addition, in 2023, IC3 received a record number of complaints from the American public: 880,418 complaints were registered, with potential losses exceeding $12.5 billion. This is a nearly 10% increase in complaints received. It represents a 22% increase in losses suffered, compared to 2022. Investment fraud was once again the costliest type of crime tracked by IC3, with investment scams rising from $3.31 billion in 2022 to $4.57 billion in 2023 – a 38% increase. The second-costliest type of crime was BEC, with 21,489 complaints amounting to $2.9 billion in reported losses.
Why is business email compromise (BEC) protection important?
Business email compromise protection is crucial because of the profound risks BEC attacks create. They can cause serious financial loss to a company, and they can be equally costly to the employees, customers or partners who are victimized. When those parties are defrauded because an organization failed to protect adequately against BEC, the damage to the organization’s reputation can be profound, eroding the confidence and trust it needs to operate successfully.
How can organizations respond to business email compromise?
Effective prevention of phishing and BEC attacks demands more than a single-solution approach, because any single control sees only part of the threat. Relying solely on artificial intelligence is insufficient: AI alone may not catch every nuanced tactic cybercriminals use. While AI is a powerful tool for detecting anomalies and patterns, it works best when complemented by other security measures.
Implementing robust email authentication standards (SPF, DKIM and DMARC) lets receivers verify that a message claiming to come from a domain was actually authorized by that domain’s owner, which prevents exact-domain spoofing, a common tactic in phishing attacks. Used together, these protocols ensure incoming email is from the claimed source and so significantly reduce the risk of impersonation. Threat intelligence feeds play a vital role in this integrated approach, providing real-time information about emerging threats, known malicious actors and current attack patterns.
AI detection capabilities, while not sufficient on their own, are a crucial element of anti-phishing and BEC strategies. Machine learning models analyze large volumes of email content, embedded links, sender behavior and communication patterns to detect subtle signs of social engineering or fraud.
Combining threat intelligence, authentication protocols and AI-driven detection creates a comprehensive defense against phishing and BEC attacks. This layered approach addresses several aspects of the threat: keeping malicious emails out of inboxes, detecting sophisticated social engineering attempts, and blocking access to malicious links.