
    What Is Business Email Compromise?

    Business email compromise attacks are impersonation scams: hackers create emails impersonating a senior executive of the company or one of its business partners in an effort to steal money. Sometimes it involves the compromise of a legitimate business email account, but often it is accomplished purely through social engineering: by convincingly masquerading as a CEO, for example, in an email that tells an accounting employee to wire money to a supplier — but to a bank account controlled by the hacker. In another type of BEC attack, hackers intercept emails from suppliers and substitute their own account numbers for the supplier’s.

    6 major types of Business Email Compromise

    The first and most familiar form of BEC is known as CEO fraud: a business leader’s email is hacked or spoofed, and fraudulent emails are sent in his or her name instructing subordinates to immediately wire payments to fraudulent locations. Subordinates, accustomed to following instructions from senior business leaders without question, often do so without independently confirming the legitimacy of the transaction. While called CEO Fraud, these BEC attacks have often been made in the name of a senior financial executive such as a CFO.

    Since then, BEC has morphed into multiple variants, including these five:

    Personal email compromise (PEC). These attacks are similar to CEO fraud but spoof an executive’s personal email account. They can be even more convincing, since recipients may have received private emails from the executive before and may assume the account is legitimate.

    Vendor email compromise (VEC). In this case, the criminal impersonates a vendor by spoofing the vendor’s legitimate email account. Acting as the vendor, the criminal instructs the recipient to make payments or change payment destinations to an account controlled by the criminal. By doing careful research about vendors over time, criminals may be able to identify multiple target victims throughout a company’s entire supply chain.

    Spoofed lawyer or real estate email accounts. In these attacks, a criminal impersonates one party to a sizable financial transaction, spoofing that party’s email address. The transactions often involve real estate, but sometimes relate to other commercial transactions. The messages often include transaction details gleaned through social engineering or a computer intrusion. The criminal may instruct the recipient to change previously anticipated payment information — for example, updating a wire transfer destination or account number.

    Requests for W-2 information. Instead of asking for cash, the cybercriminal (posing as a senior employee) asks an HR professional for an employee’s W-2 data. Given this data, the criminal may attempt to file fraudulent income tax returns in the victim’s name, appropriating the victim’s refunds, or use the victim’s Social Security number and other data to pursue other fraudulent activities that might not be uncovered until the victim’s credit is ruined.

    Gift card fraud. In this variant of CEO fraud, a criminal may impersonate an executive and ask an assistant to purchase multiple gift cards that will be used as employee rewards. In the interests of rewarding employees as quickly as possible, the phony “executive” will request the serial numbers for the gift cards, and then use those serial numbers to make fraudulent purchases.

    Align people, process and technology to prevent costly BEC fraud

    According to the FBI, Business Email Compromise (BEC) is the costliest of internet crimes, accounting for 44% of the $4.1 billion in US losses reported in 2020. It gets worse: half of security executives surveyed by Mimecast say BEC attacks using impersonation fraud rose in 2020. With BEC, attackers generate high ROI from low-tech attacks containing no payload other than social-engineered text. Cybercriminals now use sophisticated intelligence to divert legitimate payroll or vendor payments — and by the time these attacks are discovered, the money is long gone.

    To outsmart BEC attackers, combine better human awareness with more sophisticated machine learning, threat detection and integration. Mimecast’s comprehensive business email compromise solutions can help.

    Implement a complete, holistic strategy for reducing BEC risk

    • Leverage Mimecast’s AI-based Brand Exploit Protect and DMARC Analyzer to monitor and respond to malicious brand impersonation attacks out in the web and through email.
    • Give employees the knowledge and training they need to resist BEC fraud.
    • Support your team with technology that analyzes every email for BEC risk, in real time.
    • Stop emails that rely on domain spoofing before they reach employees or partners.

    Promote employee vigilance more effectively

    BEC attacks succeed by tricking distracted, busy employees who have priorities other than cybersecurity. Organizations can’t successfully resist BEC without the active vigilance and support of every employee — and Mimecast Awareness Training is the best way to get it.

    In minutes a month, Hollywood-quality comedic storytellers drive home the real experience of BEC and phishing attacks — with hilariously recognizable characters who transform security training into unforgettable fun. People don’t just learn what to do: they remember when it matters most because laughter instills the lesson in memory. Going further, Mimecast Awareness Training integrates breakthrough, customizable phishing tests built around real BEC attacks your organization has received, along with ongoing metrics to help quickly target training to the employees who need it most.

    When a business is ready to align its entire organization against business email compromise, Mimecast Awareness Training is the most complete, effective training solution.


    Systematically analyze every inbound email for BEC risk before it’s delivered

    Most BEC attacks impersonate real people or organizations: executives, colleagues, partners, customers, lawyers. Inbound BEC fraud may originate from compromised accounts or spoofed domains, and rely on lengthy intelligence gathering to make emails seem realistic. Even vigilant employees need technology help to prevent such attacks. Mimecast’s cloud-based Secure Email Gateway with Targeted Threat Protection safeguards them, no matter what cloud or on-premises email platform is used.

    With Mimecast’s Impersonation Protect service, every inbound message is analyzed in real time for signs of risk, from sender spoofing to suspicious international characters or body content. Email administrators have granular control over how risky messages are handled and centralized tools for managing, reporting and uncovering attacks. Plus, using Mimecast’s unmatched library of off-the-shelf integrations and open APIs, threat intelligence can be shared instantly across your security stack, empowering all security systems to respond more quickly and effectively.
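    The kinds of checks described above, as an added illustration rather than Mimecast's own code: a small Python filter that flags a protected executive's name on a foreign mailbox, a non-ASCII or IDN sender domain, a diverted Reply-To, and payment-pressure wording in the body. The executive directory, domains and sample message are all constructed for this example.

```python
import email
from email import policy
from email.utils import parseaddr

PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}   # assumed executive directory
PRESSURE_TERMS = ("wire", "urgent", "gift card", "confidential", "new account")

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def assess(raw):
    """Return the impersonation indicators found in one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    dom = _domain(addr)
    findings = []
    expected = PROTECTED_NAMES.get(name.strip().lower())
    if expected and addr.lower() != expected:            # known name, wrong mailbox
        findings.append("display-name impersonation")
    if any(ord(c) > 127 for c in dom) or "xn--" in dom:  # homoglyph / IDN lookalike
        findings.append("non-ascii sender domain")
    reply = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    if reply and reply != dom:                           # replies diverted elsewhere
        findings.append("reply-to domain mismatch")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body else ""
    hits = [t for t in PRESSURE_TERMS if t in text]
    if len(hits) >= 2:                                   # several pressure cues together
        findings.append("payment-pressure language: " + ", ".join(hits))
    return findings

# Constructed sample: executive's name on a free-mail address, asking for an urgent wire.
SAMPLE_BEC = """\
From: Jane Doe <jane.doe.ceo@freemail.example.net>
Reply-To: Jane Doe <jd-private@other.example.org>
To: accounts@example.com
Subject: Quick favor

I'm in meetings all day. Please send an urgent wire to our new vendor
account today and keep this confidential until I'm back.
"""

if __name__ == "__main__":
    print(assess(SAMPLE_BEC))
```

    A production filter would treat these as weighted signals with administrator-configurable handling (hold, tag, or block) rather than a simple list of hits.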


    Prevent email impersonation that utilizes domain spoofing

    The DMARC authentication standard has rapidly matured into a key element of a layered-defense strategy against BEC. DMARC can help protect employees against BEC phishing attacks that seem to originate within your organization but were actually crafted by distant criminals. It can also help protect business partners against fraudulent emails that look like they came from your organization, so criminals can’t divert payments.

    With Mimecast’s 100% SaaS-based DMARC Analyzer, applying DMARC is finally practical. A valuable complement to Mimecast Secure Email Gateway with Targeted Threat Protection, it empowers organizations to authenticate email more reliably, identify senders and block delivery of unauthenticated messages from their domains. Many BEC attacks that rely on domain spoofing can now be halted before they arrive on employees’ devices or those of third-party partners.
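    As an added example (not Mimecast's or DMARC Analyzer's code), the receiver-side logic DMARC defines: the domain's published policy plus SPF/DKIM alignment decide what happens to a message claiming to come from your domain. It simplifies RFC 7489 (no pct sampling, no subdomain policy, organizational domain taken as the last two labels), and every domain in it is constructed.

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record into its tags, filling in the RFC defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record: " + txt)
    return tags

def org_domain(domain):
    """Organizational domain, approximated as the last two labels (assumption)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def aligned(from_domain, auth_domain, mode):
    """Strict mode needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)

def dmarc_disposition(from_domain, record_txt, spf_pass_domain=None, dkim_pass_domains=()):
    """from_domain is the RFC5322.From domain the recipient sees; spf_pass_domain is the
    MAIL FROM domain if SPF passed; dkim_pass_domains are d= values of valid signatures."""
    tags = parse_dmarc_record(record_txt)
    spf_ok = spf_pass_domain is not None and aligned(from_domain, spf_pass_domain, tags["aspf"])
    dkim_ok = any(aligned(from_domain, d, tags["adkim"]) for d in dkim_pass_domains)
    return "pass" if spf_ok or dkim_ok else tags["p"]

if __name__ == "__main__":
    # Constructed scenario: a message claiming From: ceo@example.com is relayed by an
    # unrelated server. SPF passes for that server's own MAIL FROM domain, but nothing
    # aligns with example.com, so the published policy decides the outcome.
    for record in ("v=DMARC1; p=none", "v=DMARC1; p=reject; adkim=s; aspf=s"):
        print(record, "->", dmarc_disposition("example.com", record,
                                               spf_pass_domain="bulk-sender.example"))
```

    With p=none the unaligned message is still delivered and only reported, so domain spoofing is not actually blocked until the policy is moved to quarantine or reject.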


    Stop business email compromise with Mimecast

    Mimecast simplifies and reduces the cost of email security, email archiving and email continuity. Mimecast's comprehensive security services provide data leakage prevention tools, 100% anti-malware protection, cloud-based email filtering for spam, secure email options, and Targeted Threat Protection to combat business email compromise and other advanced targeted threats.

    Mimecast email security services protect users on all the devices they use, including desktop, mobile and personal devices. This is a critical benefit for organizations where employees' personal devices are not protected at the same level as corporate devices, or where organizations lack comprehensive web security and endpoint protection. And as a fully integrated subscription service, Mimecast security solutions can be implemented quickly without additional infrastructure or IT overhead costs.
