Business email compromise (BEC)—also known as CEO fraud—is one of the highest-grossing types of cybercrime, according to the FBI’s IC3 Internet Crime Report 2021,
responsible for over $2 billion in financial loss and increasing 10 times in the past few years. During a BEC attack, an employee can open a seemingly authentic message from their CEO or leadership, only for the whole
organization to be compromised.
This piece provides an overview of BEC attacks, methods to help identify BEC attacks and best practices to help detect and prevent email fraud and build a tailored, comprehensive BEC strategy.
A BEC attack is a form of social engineering and a subset of spear-phishing that targets companies and businesses of all
sizes. Due to its nature, it can affect anyone in the organization, regardless of their role or position. C-suite executives are just as susceptible as entry-level interns.
A BEC attack occurs when a fraudster posing as a legitimate, trusted source sends an email to an executive (or admin) and makes a legitimate-sounding request (typically for a financial transfer, but also for data or access permissions). More specifically,
it involves targeting specific employees after gaining a certain level of knowledge of the company, the targeted individual and the leadership of the company. Recently, BEC has even been rolled out as a paid service to hackers, which is driving a
surge in this type of fraud.
BEC attacks follow a specific pattern involving research, impersonation and urgency. Security teams will find a lot of variability in BEC attacks against individuals and organizations, but most start with the following steps:
The “phishing” component of this attack entails researching the targeted company. Bad actors will often find an org chart or social profile that identifies the management team. They’ll learn who makes up the C-suite and direct reports,
which are usually the main target groups for the attack. This draws on the concept of authority. Employees are more likely to do something for their CEO rather than a random stranger or a vague industry contact, especially when the CEO has an urgent
The attacker will also research detailed specifics about the company and that industry in the event additional information is needed during the attempted attack.
Next, the hacker will identify a detailed list of potential victims. This is broken into two groups:
For instance, fraudsters might decide to impersonate your CFO and send malicious emails to your mid-level accountants. To identify the targets, hackers usually research their company email address and full names.
In Step 3, the hacker creates an email account that looks just like the target authority figure’s (the CEO, CFO, COO, etc.). Keep in mind that bad actors may also obtain a victim’s cell phone number to send an urgent text message, smishing the
victim first for critical contact information. A text from your direct VP or president can look very convincing.
Email phishing is accomplished through three different methods:
Now that the bad actor has a seemingly legitimate email, target and victims, they roll out the attack. They will send a malicious email from that spoofed, compromised or lookalike email account to unsuspecting employees.
When the employees receive the email and fall for the deception, they can usually be tricked into transferring/wiring funds to accounts under the control of the hacker and/or performing other actions that can harm the organization, all while believing
their boss told them to do it. Sometimes, hackers include malicious links or attachments in the emails that, when clicked, end up compromising the organization in several ways: funds can be stolen from the employee and the company, malware can
take over the employee’s computer, networks can be breached, and data can be stolen.
BEC attacks are versatile and can happen in a few different ways. The following take place during Step 4, the “roll out the attack” stage. The first group of attacks is based on who the hacker is pretending to be. They’ll usually
choose from one of the following:
The next component of a BEC attack is what the hacker is attempting to steal. This varies according to incident, but the end objective is to accomplish at least one of the following:
BEC attacks are among the most challenging hacks to prevent. They play on human psychology and can be very effective. After all, the victims simply think they’re getting an email from someone with some authority over their job. Also, BEC attacks
are the hardest to detect because the approach is very subtle and cannot be easily caught via security tools. These emails can seem very legitimate, especially if they’re sent from a spoofed or compromised account. The less secure your email
server is, and the less trained your employees and security staff are, the easier it is to fall victim to a BEC attack.
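As an added defensive example (not code from the IANS post), the following Python check flags the traits described above in one inbound message: an executive’s display name on a different mailbox, a typo-squatted lookalike of the company domain, a Reply-To that routes replies elsewhere, failed SPF/DKIM on a message claiming the company’s own domain, and urgency language. COMPANY_DOMAIN, EXECUTIVES, the keyword list and the sample message are assumptions constructed for the example.

```python
from email import message_from_string, policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                     # assumed: the organization's own domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # assumed: display name -> real mailbox
URGENCY = ("urgent", "immediately", "wire", "asap", "cannot talk")

def edit_distance(a: str, b: str) -> int:
    # Levenshtein distance: catches one-character typo-squats such as examp1e.com
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(raw_message: str) -> list[str]:
    # Return the BEC warning signs present in one raw RFC 5322 message
    msg = message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    real_mailbox = EXECUTIVES.get(name.strip().lower())
    if real_mailbox and addr.lower() != real_mailbox:   # CEO-fraud display name
        flags.append("executive name on a different mailbox")
    if sender_domain != COMPANY_DOMAIN and edit_distance(sender_domain, COMPANY_DOMAIN) <= 1:
        flags.append("lookalike sender domain")          # registered typo-squat
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        flags.append("reply-to routed elsewhere")         # replies go to the fraudster
    auth = str(msg.get("Authentication-Results", "")).lower()
    if sender_domain == COMPANY_DOMAIN and ("spf=fail" in auth or "dkim=fail" in auth):
        flags.append("own domain spoofed, authentication failed")
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')} {body.get_content() if body else ''}".lower()
    if any(word in text for word in URGENCY):
        flags.append("urgency language")                  # the pressure the article describes
    return flags

# Constructed sample message (not a real capture) showing the lookalike-domain variant
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe.ceo@freemail.invalid>
Subject: Urgent wire needed today

Bob, I am in a meeting and cannot talk. Please wire the vendor payment immediately.
"""
```

Running `bec_flags(SAMPLE)` returns four flags; a message from the real executive mailbox with no pressure language returns none, which is the point of combining several weak signals rather than relying on any one of them.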
There are many effective ways to detect and prevent a BEC attack. Some major ones to consider include:
BEC attacks are easy to fall for, hard to detect, and anyone can be a victim. It’s important to remember what signs to look for and how to react to avoid and mitigate these malicious attacks. Performing regular security risk assessments and keeping
both anti-phishing tools and risk mitigation plans updated helps security teams build effective anti-BEC programs. Humans are the weakest link in BEC, and organizations should offer consistent education, training and simulations to help employees
and management teams learn to recognize and report potential BEC attacks.
September 26, 2023
By IANS Faculty