How To Stop Business Email Compromise Attacks

Business Email Compromise (BEC) is a type of cyber thereat or exploit, which is rapidly becoming one of the most widespread email attacks faced by organizations around the world. The premise of the attack is very simple: an attacker will compromise or imitate a legitimate business account, and then use this account to request fraudulent payments from customers or contacts. While simple in concept, these attacks are highly damaging, and difficult to prevent.

The FBI has reported that BEC attacks are becoming more harmful. They found that between December 2016 and May 2018, there was a 136% rise in the number of successful reported BEC attacks around the world. It’s estimated that between October 2013 and May 2018, Business Email Compromise alone has cost businesses over $12 billion. Analysts expect these attacks to only become more common, with the financial costs associated continuing to rise.

Business email compromise targets businesses of all sizes, but it is especially prominent against Fortune 500 companies, educational institutions and small and mid-sized businesses. They rely heavily on social engineering to try and trick employees and executives into making fraudulent payments. In this guide, we’ll cover how business email compromise works, the different types of business email compromise threatening organizations, why business email compromise is so damaging, and how your organization can take steps to stop business email compromise attacks.

What is Business Email Compromise and how does it work?

Business Email Compromise is a damaging email attack that involves cyber criminals compromising email accounts to try and trick employees into making fraudulent payments to them.

Email continues to be the main way in which businesses communicate with their trusted contacts, partners and other businesses. It’s very likely the case that you’ve used email at some point to email out an invoice, or request a payment. However, email addresses can be easily impersonated, and email accounts can be easily compromised.

BEC attacks exploit the weakness of emails to target top-level people within an organization. Often BEC starts with a phishing attack which allows cyber-criminals to gain access to an important email account within an organization. For example, someone in the finance department, or the company CFO or CEO. Once attackers have access to this account, they can then send out emails that appear to be legitimate, asking for wire payments to be made from others in the organization, or across their supply chain. These emails won’t be flagged as malicious by any anti-virus or basic email filtering technologies, and most users probably won’t expect their boss or a trusted contact to be compromised, making this a particularly harmful kind of attack.

Another method cyber-criminals can use is simply spoofing the domains of high-level business email accounts. For example, the attacker will see the email address ceo@majorcorp.com and use ceo@majorc0rp.com instead. This is known as Lookalike Domain Spoofing. The similarity of the email addresses may be enough to fool suspecting users into believing it’s the real contact that has emailed them, which could convince them to make a payment.

This type of BEC attack is less sophisticated than full account compromise, but it is much more common. It’s also much more likely to be stopped by email security technologies, as they can detect when a domain has been spoofed. However, it can still very successful in convincing unsuspecting users.

Lookalike domain spoofing is commonly used to impersonate brands, such as Microsoft or Apple. Attackers copy these brand domains to try and in convince users to enter passwords, or make payments.

What are the Different Kinds of Business Email Compromise?

We’ve broadly covered two methods in which attackers can carry out Business Email Compromise attacks, but the FBI has identified 5 unique variants of BEC. Here’s a brief rundown of what each involve:

CEO Fraud: Attackers impersonate a CEO, or a high-level executive, and target employees with requests for payments.

Account Compromise: An employee’s email account is compromised, and attackers use their contacts to request payments to their own accounts. 

Bogus Invoice Schemes: Attackers will impersonate suppliers of foreign companies, in order to request fraudulent fund transfers and payments.

Data Theft: Employees in HR and admin departments are compromised so that attackers can gain access to sensitive company and customer information.

Attorney Impersonation: Attackers impersonate lawyers or solicitors to find out confidential business events. This is sophisticated type of account compromise attack, and much less common.

Why Are Business Email Compromise Attacks Becoming More Common?

Most industry analysts agree that BEC attacks are becoming more common because they are low risk for attackers, can be relatively low cost to pull off, and they are often very successful.

Rather than needing to spend time developing malware, or trying to gain access to systems, Business Email Compromise allows cyber criminals to very quickly get access to accounts and send out emails asking for payments. With just one compromised account, cyber criminals can send out hundreds of fraudulent emails, with a pretty good chance that at least one will be opened or replied to.  

For high profile targets, cyber criminals may not even need to collect information for account compromise attacks themselves. High level employee email credentials are commonly bought and sold on the dark web. Research from LastLine tells us that CEO, CFO and executive account details fetch a high price, but attackers can make a profit of thousands by successfully mounting a business email compromise scam.

Why is Business Email Compromise So Dangerous?

Traditional approaches to email security rely on detecting threats. This could be a malicious domain that’s been known to send out spam emails. Or, it could be an attachment that contains malware, or a URL that leads to a harmful website. Email security technologies can identify threats based on patterns or signatures and stop those emails from being delivered to your users.  

However, BEC attacks don’t involve any malware or harmful content being sent. These emails come from legitimate domains and will appear to most email security technologies to be completely innocuous. This means that the email has a high chance of being delivered to your users’ inboxes.

Because they target the human factor within the organization to succeed, once in the email inbox BEC attacks have a good chance at tricking employees into believing they are real. As we’ve covered, BEC attacks often target company executives, like CEOs or CFOs, or employees that work within company finances. When an invoice arrives from an employee like this, people usually trust that it is legitimate, and may go ahead and make the payment without caching the legitimacy of the email.

In addition, attackers are spending more time to develop BEC, spending more time investigating which individuals within an organization are likely to have authority in asking for invoices to be paid.

Considering these factors, it’s no surprise that Business Email Compromise is growing more common and becoming more harmful to organizations. There have been numerous examples of high profile BEC attacks, against organizations of all sizes. 

The US Treasury found that the number of business email compromise attacks reported nearly doubled from 2016 to 2018, with nearly 1100 attacks reported every single month. The costs associated also continue to grow, now costing US companies an average of $301 million every single month, according to a Treasury Department Analysis.

How Can You Stop Business Email Compromise Attacks?

As we’ve covered, stopping business email compromise attacks is a challenge for businesses. However, with a strong multi-layered security approach and increased user education, business can greatly reduce their risk of attack. Here are the steps businesses can take to stop business email compromise.

Secure Email Gateway

The first layer in a multi-layered approach should be a Secure Email Gateway. This acts as a firewall for your email communications, and stop spam, malware and viruses from being delivered to your users via email.

A strong email gateway will detect a spoofed domain coming from an attacker and will in most cases block those types of business email compromise from being delivered. Admins can also use a secure email gateway to check for keywords commonly used in business email compromise attacks, such as ‘payment,’ ‘urgent,’ ‘sensitive’ and ‘secret.’ While it may not be practical to ban these emails altogether, the gateway will detect if something appears suspicious, and place it into a quarantine.

Post-Delivery Protection

The second step is implementing Post-Delivery Protection. Post-Delivery Protection tools use machine learning and artificial intelligence to monitor email networks for signs of malicious activity. They can pick up on the tell-tale signs of account compromise, such as multiple failed login attempts, unusual locations and times for sending email. If an advanced post-delivery protection service identifies these logins, it will mark any emails from this account as suspicious or stop them being delivered altogether, helping to minimize the risk of business email compromise.

Advanced post-delivery protection solutions also allow users to report emails as suspicious, which will remove those emails from the inbox of anyone else who has received them. They will also place warning banners on emails from new or unusual contacts, helping to mitigate the risk of lookalike domain spoofing in order to protect users against business email compromise.

Implement Security Awareness Training and Phishing Simulation

Training users to be aware of what malicious emails and phishing attacks look like is an important step in increasing your organization’s protection against business email compromise. This kind of attacks target users that are unaware of security issues, and trust that the emails they receive are genuine.

Security awareness training can teach users what phishing emails look like, and instil crucial security behaviours, like never replying to suspicious emails, and reporting them immediately to IT departments. It can also be useful to for IT departments to implement policies such as never paying invoices or transferring data without authorization from multiple sources. Security Awareness Training helps to reinforce these policies.

There are multiple vendors who deliver Security Awareness Training as a service, offering interactive and bite-sized learning courses to help users detect and report phishing attacks. While not every user will need these courses, and not every user will learn from them, implementing security awareness will still be useful in improving your resilience against business email compromise.

In addition to awareness training, many vendors also offer phishing simulation. This involves admins creating simulated phishing emails, which look genuine. These emails are then sent out to users to test how effectively they can spot phishing attacks.

This can be really useful for IT teams to monitor how at risk they are from phishing attacks, and to teach users what phishing attacks look like, and how vigilant they need to be looking out for real email threats. Because of this, phishing simulation can be a useful way of tackling business email compromise.

Implement Identity Management and Account Security

A final step in implementing strong defences against account compromise is improving the security of your accounts themselves. This has the benefit of stopping attackers from being able to compromise your accounts in the first place, and having a strong identity management solution in place can stop attackers gaining access to accounts in the first place.

The most important aspect to protecting accounts is ensuring that each user has a unique password for all of their accounts, which cannot be easily guessed. Business password management tools can help users to keep on top of their passwords, while allowing admins to ensure users are keeping passwords updated regularly.

Alongside strong passwords, each of your corporate accounts, but especially email should enforce multi-factor authentication. Identity Management solutions offer multi-factor authentication which can be enforced across all accounts. They will ensure that accounts can only be accessed when a user has something they know (like a password) and something they have, which can be a code from a text message, or even a fingerprint. Obviously, it’s unlikely that even the most sophisticated hacker will be able to steal a fingerprint from a target, so this is a great step to take to thwart business email compromise attacks.

Some identity management platforms take this further by offering Adaptive Authentication. This analyses each request to log in individually, taking into account factors such as the device being used, the location, and IP-reputation. This information can immediately enforce multi-factor authentication, and alert IT teams to suspicious attempts to login. This greatly improves account security, without getting in the way of legitimate users logging into their accounts.

Top Vendors to Stop Business Email Compromise

Proofpoint Essentials

Get a Quote

Proofpoint Essentials is one of the market leading email security solutions. It’s an Email Security Gateway product, meaning it sits in front of your inbox and blocks spam, malware and phishing attacks from reaching your inboxes. Proofpoint Essentials stops threats such as impostor email, phishing, spam, bulk email, and viruses. Proofpoint Essentials is very popular among MSPs, Resellers and Small and Midsized businesses. It provides enterprise grade threat protection, as well as being easily deployed and well-integrated with Office 365. Proofpoint also offers a range of additional features with the Essentials bundle, including Email Encryption, Email Archiving, Continuity, and full email logs and audits.
Get a Quote