Protecting your business from email compromise attacks

Protecting your company from Business Email Compromise attacks
(Image credit: Shutterstock)

Business Email Compromise (BEC) is a fast-growing cybersecurity threat that all businesses, especially small and medium-sized (SMB) ones, face. The FBI’s Internet Crime Complaint Center (IC3) reported in their 2020 Internet Crime Report that they fielded 19,369 Business Email Compromise (BEC) complaints amounting to over $1.8 billion in adjusted losses in the United States for that year.

About the author

Christopher Budd is Global Senior Threat Communications Manager at Avast.

BEC attacks primarily use email, but can be carried out using SMS messages, voice mail messages, and even phone calls. BEC attacks are notable because they rely heavily on so-called “social engineering” techniques, meaning they use trickery and deception against people.

BEC attacks can be very effective and anyone can fall victim to them, no matter how rich or sophisticated. In February 2020, Barbara Corcoran - the American businesswoman, investor and judge of the television entrepreneurial reality show “Shark Tank” - nearly lost almost $400,000 in a BEC scam. Luckily, fast action enabled her to recover the money. But FBI statistics show that not everyone is so lucky.

Because BEC attacks rely so heavily on social engineering, traditional security software doesn’t always protect against them. That means you and your employees play a major role in protecting against them - and why it’s important to understand what BEC attacks are and how they work.

How BEC attacks work

While there are many ways BEC attacks can unfold, they all boil down to a simple formula. An attacker will try to convince an employee to send money to the attackers by impersonating someone that employee trusts.

Attackers will often try to stack the odds in two ways. First, they try to make their attack believable by who they choose to impersonate. Second, they try to create a sense of urgency so that the intended victim is less likely to question the transaction and be less likely to follow the proper channels for payments that could catch the scam. 

Sometimes attackers cleverly blend these two tactics for most effectiveness.

For example, one type of BEC attack we’ve seen involves an employee getting an urgent message from the CEO or other high-level executive saying that they need the employee to pay a past due invoice or get gift cards for an urgent company event right away. These can be email or text messages, but attackers have even used deep fake technology to imitate voice mail messages and calls. One executive in 2019 lost €220,000 (approx. $243,000) to an attack like this when attackers used deep fake technology to impersonate his CEO.

In another type of BEC attack, the attackers use fake and compromised email accounts to convince an employee that they’re dealing with a legitimate vendor. The attackers may exchange several emails with the intended victim to convince her or him that they’re a real vendor, and then send them a fake invoice. This is how the attack against Barbara Cocoran was carried out.

A third type of BEC attack targets company payroll. In these, the attackers impersonate employees and try to get company payroll staff to change the employee’s direct deposit information to their own bank account. These attacks are more subtle and take more time but can be very effective.

In almost all cases, BEC attackers’ goal is to get money in one of two ways: Electronic funds transfer (including cryptocurrency) or gift cards. While using gift cards for an attack like this might be surprising, attackers have found it’s an easy way to transfer and launder money.

How you can protect against BEC attacks

BEC attacks really are old-fashioned fraud attacks that happen to utilize current technology: We saw this type of scam long before there was email or voicemail. Because these aren’t technology-based attacks, it means technology-based solutions won’t be as effective against these attacks as they are against, say, ransomware. A well-made BEC email, for example, is hard for security software to distinguish from a legitimate one, especially if it’s coming from the actual - but compromised - account of someone you trust.

This means that protecting against BEC attacks needs to focus on two things: you and your employees.

First, educate yourself and your employees about BEC attacks. You and your employees should learn to be suspicious when a sudden unexpected email comes from the CEO saying “I need you to get $5,000 in gift cards for a birthday party today, send me the numbers and don’t tell anyone about it” goes a long way toward preventing these attacks.

Second, reinforce the importance of verifying payment requests and of following the established rules for paying bills, changing direct deposit information, and buying and sending gift cards. For example, let employees know that they should call an employee or vendor requesting payment. Make sure they know to use the number you have on file and verify that the invoice or request is legitimate before doing anything else. Emphasize that even if requests seem to come from high-level people in your company, employees still need to verify. Attackers try to convince intended victims to keep these attacks secret in order to increase their chance of success and they prey on employees’ reluctance to question those in authority. Make it clear that employees can and should raise questions in situations like this.

Ultimately, BEC attacks succeed because attackers fool their victims into believing their deception. While BEC attacks use technology, they’re really just a modern twist on age-old fraud and scams. And so thwarting them requires adjusting to the new ways these old frauds operate.

The good news is that with proper training, education, and following proper policies and procedures, you can thwart these attacks. You just have to take the time to educate yourself and your employees that these scams exist, how they operate, and the proper way to handle payment requests - regardless of how they’re delivered.

Christopher Budd is Global Senior Threat Communications Manager at Avast.