Guidance to Detect and Prevent BEC Attacks

July 14, 2022 | By IANS Faculty

Business email compromise (BEC)—also known as CEO fraud—is one of the highest-grossing types of cybercrime, according to the FBI’s IC3 Internet Crime Report 2021, responsible for over $2 billion in financial losses and having grown tenfold in the past few years. During a BEC attack, an employee may open a seemingly authentic message from their CEO or leadership, and the whole organization can end up compromised as a result. 

This piece provides an overview of BEC attacks, methods to help identify BEC attacks and best practices to help detect and prevent email fraud and build a tailored, comprehensive BEC strategy. 

What Is a BEC Attack? 

A BEC attack is a form of social engineering and a subset of spear-phishing that targets companies and businesses of all sizes. Due to its nature, it can affect anyone in the organization, regardless of their role or position. C-suite executives are just as susceptible as entry-level interns. 

A BEC attack occurs when a fraudster posing as a legitimate, trusted source sends an email to an executive (or admin) and makes a legitimate-sounding request (typically for a financial transfer, but also for data or access permissions). More specifically, it involves targeting specific employees after gaining a certain level of knowledge of the company, the targeted individual and the leadership of the company. Recently, BEC has even been rolled out as a paid service to hackers, which is driving a surge in this type of fraud. 

How BEC Attacks Work  

BEC attacks follow a specific pattern involving research, impersonation and urgency. Security teams will find a lot of variability in BEC attacks against individuals and organizations, but most start with the following steps: 

Step 1: Research the Company 

The “phishing” component of this attack entails researching the targeted company. Bad actors will often find an org chart or social profile that identifies the management team. They’ll learn who makes up the C-suite and direct reports, which are usually the main target groups for the attack. This draws on the concept of authority. Employees are more likely to do something for their CEO rather than a random stranger or a vague industry contact, especially when the CEO has an urgent request. 

The attacker will also research detailed specifics about the company and that industry in the event additional information is needed during the attempted attack. 

Step 2: Find the Targets   

Next, the hacker will identify a detailed list of potential victims. This is broken into two groups:  

  • The individuals the fraudster plans on impersonating  
  • The individuals the fraudster plans to send the malicious emails to, in the name of the impersonated authority 

For instance, fraudsters might decide to impersonate your CFO and send malicious emails to your mid-level accountants. To identify the targets, hackers usually research the targets’ company email addresses and full names. 

Step 3: Spoof or Compromise an Email Account 

In Step 3, the hacker creates an email account that looks just like the target authority figure’s (the CEO, CFO, COO, etc.). Keep in mind that bad actors may also obtain a victim’s cell phone number to send an urgent text message, smishing the victim first for critical contact information. A text from your direct VP or president can look very convincing. 

Email phishing is accomplished through three different methods: 

  • Lookalike domains – The most common method is when a hacker registers a domain that looks similar to a legitimate domain. Instead of @FedEx, a hacker might use @FedFx—at a quick glance, it’s hard to tell the difference. 
  • Hacking the account – Alternatively, the hacker can compromise and gain access to the target’s actual email account. This entails stealing the login and password and logging into the target’s account directly. 
  • Spoofing the domain – Hackers may instead spoof the email’s domain by mirroring the target’s display name and email address, despite having no access to the account. This happens when the organization’s email domain is not protected with DKIM or up-to-date DNS records. Victims will receive a spoofed email that looks like it was sent directly from their CFO, using their legitimate email address, when the email was actually sent from the hacker’s personal Gmail account. 

Step 4: Roll Out the Attack 

Now that the bad actor has a seemingly legitimate email, target and victims, they roll out the attack. They will send a malicious email from that spoofed, compromised or lookalike email account to unsuspecting employees. 

When the employees receive the email and fall for the deception, they can usually be tricked into transferring or wiring funds to accounts under the control of the hacker and/or performing other actions that can harm the organization, all while believing their boss told them to do it. Sometimes, hackers include malicious links or attachments in the emails that, when clicked, compromise the organization in several ways: funds can be taken from the employee and the company, malware might take over the employee’s computer, networks can be breached and data can be stolen. 

Types of BEC Attacks 

BEC attacks are versatile and can happen in a few different ways. The following take place during Step 4, the “roll out the attack” stage. The first group of attacks is based on who the hacker is pretending to be. They’ll usually choose one of the following: 

  • C-suite fraud. This is the most common type and the highest profile attack, similar to spear-phishing or whaling. In this scenario, the hacker will pretend to be a C-suite executive—a CEO, CFO, COO, etc.—and leverage their authority and a sense of urgency to persuade employees to do something for them. Namely, they’ll ask them to pay a fake invoice, transfer funds, disclose confidential information, share files or follow a malicious link. The hurried tone of these messages convinces employees to act quickly, and they most likely will bypass any company policies, or checks and balances. 
  • Impersonating an attorney. Lower and mid-level employees might be especially compliant with a legal figure. In this version, the fraudster will pretend to be a corporate lawyer or attorney. They often ask for sensitive or confidential information under the guise that it’s needed for a critical reason. 
  • Pretending to be a supplier. The hacker might spoof a trusted supplier, vendor or third party. From there, they can easily request funds, data or sensitive information. They may also gather information just to roll out another phishing attack in the future. 


The next component of a BEC attack is what the hacker is attempting to steal. This varies according to incident, but the end objective is to accomplish at least one of the following: 

  • Data theft. The hacker might aim to steal confidential information and files from your company. This could be something as simple as a network file, but it could lead to taking all of the files on your network. The hacker can sell this information to your competitors, leak it or launch a ransomware attack with the stolen information. 
  • Stealing funds. Sometimes a supplier’s or third party’s email is spoofed, and the attacker sends over an invoice for payment. The funds go directly to the hacker’s account instead of the supplier’s. In this attack, the finance or HR departments are targeted, and the goal is fraud. Alternatively, while pretending to be a key account or a C-suite executive, the attacker might ask random employees for gift cards or online payments. 
  • Compromising the device/account. Since the email is coming from a seemingly trustworthy source, employees will be more willing to click links, open attachments and give various permissions. In any of these instances, the hacker will be gaining more access to the network. In extreme cases, they can take over the recipient’s device and spread malware through your company’s system (since they now have internal access). 

Challenges in BEC Attacks   

BEC attacks are among the most challenging hacks to prevent. They play on human psychology and can be very effective. After all, the victims simply think they’re getting an email from someone with some authority over their job. BEC attacks are also the hardest to detect because the approach is very subtle and cannot be easily caught by security tools. These emails can seem very legitimate, especially if they’re sent from a spoofed or compromised account. The less secure your email server is, and the less trained your employees and security staff are, the easier it is to fall victim to a BEC attack. 

How to Detect and Prevent a BEC Attack

There are many effective ways to detect and prevent a BEC attack. Some major ones to consider include: 

  • Educate employees. Awareness training is the most effective way to prevent a BEC attack. If all users in your organization (especially the C-suite) have consistent cybersecurity training, you’ll be better equipped to fend off hackers. 
  • Use anti-phishing protection. Configure email servers with anti-phishing protection. This will appear as a pop-up when the server detects a suspicious email coming from outside of the organization. It prompts the recipient to think about phishing attempts before acting on an email. 
  • Use MFA for business email accounts. MFA requires the user to have access to their phone or offline email account before gaining access to the business email account. This prevents hackers from compromising an account before attempting a BEC attack. 
  • Forward, don’t reply. A recommended method is to forward the message rather than reply to it. If the email is spoofed, the actual sending address is displayed when you forward the message, which removes the mask from the hacker’s email. Be sure to closely examine the email’s domain before doing anything else. 
  • Never send money or data without verification. Directly call the manager or parties requesting funds before sending them money. It seems unlikely that someone will ask for money in such an impersonal way (namely, an email), rather than a direct conversation. Calling them will verify their identity or confirm the email is an attempt at a BEC attack. 
  • Encourage skepticism. A skeptical workforce is a safe workforce. Approach every request with skepticism, even if you recognize the sender. Train employees to ask, “how can this message scam me?” 
  • Contact IT. If employees suspect a BEC and something suspicious is currently in their inbox, encourage them to reach out to IT and the security team immediately. You should also advise your organization to defer to IT when it comes to emails that they’re unsure about. 
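The three impersonation methods described in Step 3 (lookalike domain, mirrored display name with a different reply address, and a spoofed domain that fails DKIM) each leave a trace in the message headers. The following script, an added example that is not part of the original article, scans constructed sample headers for those traces; the trusted domain `example.com` and the sample addresses are assumptions.

```python
import email
from email.utils import parseaddr

# Assumption: the organisation's own sending domain(s)
TRUSTED_DOMAINS = {"example.com"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains a character or two away from ours."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw: str) -> list:
    """Return a list of header-level BEC indicators found in a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    flags = []
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    # Lookalike domain: close to a trusted domain but not equal to it
    for trusted in TRUSTED_DOMAINS:
        if from_domain != trusted and edit_distance(from_domain, trusted) <= 2:
            flags.append(f"lookalike-domain:{from_domain}")
    # Reply-To differs from From: replies are diverted to the attacker's mailbox
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append(f"reply-to-mismatch:{reply_addr}")
    # Our own domain in From but no DKIM pass recorded by our MX: likely spoofed
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain in TRUSTED_DOMAINS and "dkim=pass" not in auth:
        flags.append("dkim-not-pass")
    return flags

# Constructed sample messages (not real traffic)
LOOKALIKE = """From: Jane Doe CFO <jane.doe@examp1e.com>
To: accounts@example.com
Subject: Urgent wire
Authentication-Results: mx.example.com; dkim=pass header.d=examp1e.com

Please wire the funds today.
"""
SPOOFED = """From: Jane Doe CFO <jane.doe@example.com>
Reply-To: attacker-mailbox@webmail.invalid
To: accounts@example.com
Subject: Urgent wire
Authentication-Results: mx.example.com; spf=fail; dkim=none

Please wire the funds today.
"""
```

Run `bec_indicators(LOOKALIKE)` and `bec_indicators(SPOOFED)` to see each message's indicators; a clean message from the trusted domain with `dkim=pass` returns an empty list.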

BEC attacks are easy to fall for, hard to detect, and anyone can be a victim. It’s important to remember what signs to look for and how to react in order to avoid and mitigate these malicious attacks. Performing regular security risk assessments and keeping anti-phishing tools and risk mitigation plans updated helps security teams build effective anti-BEC programs. Humans are the weakest link in BEC, and organizations should offer consistent education, training and simulations to help employees and management teams learn to recognize and report potential BEC attacks. 
