Business Email Compromise (BEC) Scams

Rahul Sharma
Dolores Bernal
September 13, 2023
Online scams involving phishing have been around since the Internet emerged.

Over time, scammers have only gotten better at using this form of attack, with more complex methods, maneuvers, and technical acumen to devise avenues of attack that are difficult to detect and mitigate.

Of the many kinds of email-based attack formats, one of the most concerning is Business Email Compromise or BEC scams. These scams are often deceptively simple at first glance, but they can create substantial financial losses or loss of sensitive data.

Also known as email account compromise scams or man-in-the-email scams, BEC scams have already attracted the attention of most prominent corporate and government entities, thanks to several infamous cases in the recent past.

Recently, the prevalence of BEC (Business Email Compromise) scams has surged, demonstrating their adaptability in various deceptive forms. 

Statistics reveal a startling reality, with over 241,000 reported complaints and a staggering financial loss exceeding $43 billion. These figures underscore the substantial potential of BEC scams to wreak havoc and cause significant financial harm.

BEC scams are known to be extremely difficult to prevent. This article will cover the basic concepts of orchestrating BEC scams, their usual mechanisms, and their most crucial impacts. We will also discuss some ways to protect yourself and your organization from BEC scams, including adopting certain best practices.

What are BEC Scams?

BEC scams rely on the fact that most companies and their employees conduct various business processes using email as their preferred communication medium. This makes the platform rich for scam opportunities.

BEC scams rely on an attempt to trick employees or executives of a business into either carrying out a spurious financial transaction or handing over sensitive data. 

This is done using various techniques, including spear phishing, spoofing, social engineering, and malware. The attackers might take over a legitimate email account and use it to carry out the scam.

The culprit poses as a trusted individual or company, sending in a request that might seem legitimate. This involves a lot of research into the target. Typical targets are new or relatively entry-level employees, human resources and finance department personnel, or C-suite executives. The idea is to create the appearance of legitimacy so that the demands are met instantly without raising suspicion or inviting scrutiny. 

BEC scams can be highly damaging to any organization, with the fallout involving significant financial losses, loss of sensitive data, theft of intellectual property, identity theft, and data leaks. 

When you understand these consequences, it becomes apparent why it is crucial to understand the tactics and methods of BEC scammers properly and have the proper safeguards in place to prevent and mitigate such attacks.

BEC Scams – Usual Methods and Types

Over time, BEC scams have become more sophisticated and complex, going beyond simple phishing attacks to more involved processes like social engineering to make the attacks look more like legitimate transactions. To assume the identity of a trusted party, BEC scammers can go to great lengths, including purchasing one or more domains, building entire websites, and studying and researching their targets’ behavior patterns and work responsibilities. This can include checking vendors and suppliers you do business with regularly.

However, taking a look at past cases of BEC scams, one can form a solid idea of some of the usual ways these scammers operate. Here are a few types of BEC scams you might encounter.

1. Payment or Invoice Scams

This is the most popular method of BEC scammers to date. Here, the scammers will contact someone in the organization in a position to clear payments and demand immediate payment of an invoice or bill. The email may come from a vendor requesting payment for goods or services that have actually been provided recently. Or, it may come from a service provider or government organization, often with the hint of a negative consequence in the event of non-payment. For example, you might receive an email that appears to come from your phone or internet service provider, asking for an urgent payment and threatening to stop the service otherwise.

To appear genuine, scammers might purchase a domain to spoof the email address of the entity they are impersonating. They might even obtain previous communication from a vendor to your company and follow the same template, including payment to a bank account number that is only a few digits off the vendor’s actual bank account. When posing as a utility or service provider, they might have a fake website set up in case someone verifies their credentials, which will look very similar to the actual website of your genuine service provider.

This kind of attack is usually aimed at the people or departments of the organization that routinely handle payments in real life.
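
The two tells described above, a sender domain that imitates a real vendor and a bank account that differs from the one on file, can be checked automatically before an invoice reaches the person who pays it. The following Python sketch is an added example, not part of the original article; the vendor master data, domains, and account numbers are constructed for illustration.

```python
# Added example: constructed vendor records, not real data.
from email.utils import parseaddr

# Hypothetical vendor master file: trusted domain -> bank account on record.
VENDOR_MASTER = {
    "acme-supplies.example": "GB00TEST00000012345678",
    "northwind-legal.example": "GB00TEST00000087654321",
}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance computed with a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def review_invoice(from_header: str, account: str, max_distance: int = 2) -> list:
    """Return reasons to hold an invoice e-mail for out-of-band verification."""
    findings = []
    domain = parseaddr(from_header)[1].rpartition("@")[2].lower()
    if domain in VENDOR_MASTER:
        # Known vendor domain: the account must match the one on record.
        if account != VENDOR_MASTER[domain]:
            findings.append(f"bank account differs from the one on record for {domain}")
        return findings
    # Unknown sender domain: is it a near miss of a vendor we actually pay?
    for known, known_account in VENDOR_MASTER.items():
        if edit_distance(domain, known) <= max_distance:
            findings.append(f"sender domain {domain} resembles vendor {known}")
            if account != known_account:
                findings.append(f"bank account differs from the one on record for {known}")
            return findings
    findings.append(f"sender domain {domain} is not a known vendor")
    return findings
```

An empty result means the invoice matches the vendor record; anything else should be confirmed with the vendor through a contact detail already on file, not one taken from the email.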

2. Email Account Compromise

This method works in the opposite direction from the scenario above: it involves hackers gaining illegitimate access to an employee’s email account, ideally that of someone who processes financial transactions with customers and vendors.

Access to this email account is obtained using either phishing or social engineering attacks or malware. The scammers will then send emails from the compromised account to different customers and vendors who have an actual payment due soon and ask them to complete the payment.

Any payment made due to these emails will be routed not to the company’s account but to a bank account controlled by the scammers. Here too, scammers can painstakingly study past email transactions with customers and vendors and replicate the same style, tone, and template of conversation for the payment demand to appear legitimate.

3. Impersonation Scams

These are deep scams that can take many forms. Usually, the scammers will impersonate an employee or executive of the same or a different company and send emails to employees requesting either payment or information. The end goal might be money or gaining access to vital information, intellectual property, or customer information.

The scammers might impersonate someone high up in the company, even the CEO. Then, using a fake email account or the legitimate account of the person they are impersonating, they would send emails to employees with a request for an urgent payment or access to information. 

The email can also include attachments with malware embedded in them that can provide access to sensitive data or devices. For example, an email seemingly from the CEO or a highly-placed executive of the company might reach employees requesting access to a server or data bank, from which highly sensitive information can then be stolen.

Alternatively, scammers might impersonate someone in a company you regularly do business with. The most common example involves impersonating an attorney at your regular law firm and using their compromised email account to send a bill for legal fees. While the payment request will seem genuine under scrutiny, the money will actually go to a bank account controlled by the hackers.

4. Credential Fraud

This kind of scam involves implying that an existing employee or contractor scheduled to complete a task has misplaced their credentials or provided the wrong set of credentials by mistake. This comes with a demand for the correct credentials, often accompanied by social engineering cues. The victim of such a scam might deem the communication trustworthy and dispense the credentials, upon which the scammers will use them to steal data or carry out identity theft, often in preparation for further scams targeting the same business.

5. Service Fraud

In these cases, scammers would impersonate someone from a company you legitimately do business with, usually a company that provides you with software or hardware and is tasked with supporting the same whenever required. 

The email might refer to a software or hardware purchase you made recently and present an invoice that mentions tech support, routine maintenance, an upgrade or update, or a troubleshooting fee. These communications are likely to appear genuine and elicit an immediate payment.

How to Prevent BEC Scams

Preventing BEC scams is not easy. It often takes a multi-faceted approach to cover all bases. From encouraging security best practices in individual members to adopting sweeping, organization-wide prevention tactics, there is a lot you can do. Here are a few salient points:

  • Setting up Email Security Protocols – Corporate email solutions usually come with some security measures baked into the service. However, it is essential to go above and beyond these and implement your own stringent security protocols. The first step is to opt for a known secure email provider that can flag and even delete suspicious emails, relying on advanced sender verification processes. You can also take advantage of third-party sender verification services. You need a system that thoroughly checks email authenticity based on SPF, DKIM, and DMARC records for incoming emails.
  • Organization-wide Changes – The most critical part of preventing BEC scams is ensuring that there are no weak points in the entire organizational infrastructure. You can make significant strides here by encouraging and enforcing security best practices. Examples include setting up mandatory multi-factor authentication for the whole of the workforce, authentication challenges for risky or potentially illegitimate logins, and mandatory password resets in the event of any breach. Similarly, you can set up strict internal network access and usage rules that discourage information sharing outside of the network and limit the use of personal devices. Keep all your software up-to-date, installing the latest patches and bug fixes.
  • Securing Financial Transactions – As with your email and network infrastructure, it is also wise to set up safeguards for your finances, as this is often the preferred target of BEC scammers. When choosing a payment platform for outside payments, take a careful look at its security features. Adopt the use of digital signatures for all transactions and communications that involve payment of any kind. You should also have a process of verification in place specifically for payment requests received over email, such that those requests can be double-checked or confirmed from a secondary source. Set up quick communication channels with your bank, other financial institutions, and suppliers so that they can be quickly alerted if anything happens. You can also set up automatic alerts at various levels for financial transactions that exceed a particular threshold or go out to previously unpaid recipients.
  • Raising Awareness and Providing Training – One of the most critical parts of preventing BEC scams is creating awareness among personnel and providing adequate training to adopt the required security best practices. To this end, ensure that you carry out regular training, exposing employees of all levels to the usual modes of operation of BEC scams and teaching them how to identify and report any suspicious event. A great way to provide awareness and training is to simulate phishing and BEC attacks at regular intervals and gauge the response and readiness. You can also send out regular communication regarding the latest techniques used in BEC and similar scams and create a reward or incentive scheme for employees with the best security records.
  • Invest in Identity Theft Protection Services – Identity theft is one of the most severe consequences of a BEC attack and can lead to further attacks down the line. It is crucial that you focus on preventing identity theft at all costs. Therefore, investing in a highly-rated identity theft protection service, such as Aura, makes sense. These services have advanced technology at their disposal to be able to detect, prevent, and mitigate identity theft attempts while also keeping you informed in case there is a breach. These services also provide additional resources and features that can help you shore up security in your organization and prevent unauthorized access to information and devices. You also get access to anti-malware and anti-spyware software, which can be instrumental in detecting suspicious email attachments.
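
For the SPF, DKIM, and DMARC checks mentioned in the first point, the receiving mail gateway records its verdicts in the Authentication-Results header of each incoming message. The Python sketch below is an added example, not part of the original article: it reads those verdicts from a constructed sample message and also flags a Reply-To domain that differs from the From domain. The gateway name mx.corp.example and all addresses are assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every header value here is illustrative.
SAMPLE = """\
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mailer.invalid;
 dkim=none; dmarc=fail header.from=corp.example
From: Jane Doe <jane.doe@corp.example>
Reply-To: jane.doe@corp-mail.invalid
To: accounts@corp.example
Subject: Urgent wire transfer

Please process today.
"""

def domain_of(header_value):
    """Lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def auth_findings(raw, trusted_authserv="mx.corp.example"):
    """List the reasons a message fails sender verification."""
    msg = message_from_string(raw)
    results = {}
    # Trust only the header stamped by our own gateway (assumed name);
    # a sender can insert Authentication-Results lines of their own.
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, rest = value.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results.setdefault(method.lower(), result.lower())
    findings = []
    for method in ("spf", "dkim", "dmarc"):
        result = results.get(method, "missing")
        if result != "pass":
            findings.append(f"{method}={result}")
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from From domain {from_dom}")
    return findings
```

Messages with any finding can be quarantined or tagged for the recipient, depending on how strict the organization wants the filter to be.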

Responding to a BEC Attack

If you fall victim to a BEC attack, even after understanding the standard mechanics of BEC scams and implementing suitable preventive measures, you must start damage control immediately. This is in the interest of your organization and controlling the fallout of the fraud.

First, you need to carry out an immediate investigation and security audit. BEC scams are often not isolated incidents, and one scam leads to another. To prevent this, a forensic investigation of your digital assets is warranted. This way, you can take a look at email logs and activity logs, interview affected employees, and analyze your network and systems for intrusions. Document this process, identify the security loopholes the hackers used to carry out the scam, and flag these for immediate remediation. You should also study the mode of operation of the hackers and the attack vectors involved with the scam.

A full reset and mitigation should come next. Change all email passwords and harden your email filters. If needed, you can also create a temporary change in your payment protocols, requiring manual and multiple checks before any payment gets processed. Temporarily limit the responsibilities of all personnel with access control and payment capabilities and make sure everyone in the organization is kept well-informed about the attack, including the specific methods and techniques in use.

From here, you should get in touch with all parties you conduct business with, especially banks, law firms, suppliers, and vendors. If any financial transactions have already been processed, get in touch with your bank and inform them of the fraud so they can initiate mitigation proceedings on their end. Liaise with your lawyers to find out about issues regarding culpability and whether you can take any legal steps as the victim of a scam. If any sensitive customer data has been stolen, you need to notify them individually and immediately. Finally, inform all the relevant authorities in your area about the attack.

If you are a first-time victim, spend time creating a response plan for such incidents so that you can stay ready the next time scammers decide to target your business. If you already have a response plan, update it appropriately, keeping in mind the attack vectors and techniques of the scam.

Final Thoughts

Equipping yourself with the right information, insight, and action plan greatly increases your ability to anticipate and prevent BEC scams. 

If you fall victim to such a scam, having this preparedness will enable you to take immediate mitigative steps. Additionally, implementing proper security protocols and enlisting the services of a highly-rated identity theft protection service, such as Aura, should provide sufficient protection to help you steer clear of such scams.

The key to avoiding BEC scams lies in educating your employees and keeping them well-informed about security best practices. This includes instilling in them a habit of skepticism when they encounter emails that don’t feel right, even intuitively. By promoting this general sense of caution and arming them with knowledge, you can significantly reduce the risk of falling victim to such scams.