Business Email Compromise Facts and How to Protect your Organisation
Business Email Compromise (BEC) is a form of fraud in which an attacker gains access to, or convincingly spoofs, a business email account and uses the owner's identity to issue instructions. It typically targets organisations that conduct transactions (especially funds transfers), particularly those with suppliers abroad.
BEC is primarily a social engineering attack: it exploits human trust rather than technical vulnerabilities. The methods fraudsters use keep evolving so as to target the people in the transaction and payment-processing cycle. Attackers commonly conduct lengthy surveillance of the staff involved in these business processes and compromise the email accounts of key individuals to gain visibility into the organisation's communications.
Trend Micro detected over 13,000 BEC attempts globally in 2019 (Trend Micro, 2019 Annual Security Roundup). According to the US FBI Internet Crime Complaint Center (IC3), organisations were defrauded of over US$1.7 billion in 2019 alone through BEC attacks.
Figure 1: Distribution of detected BEC attempts by country. Source: Trend Micro Smart Protection Network infrastructure.
How is a BEC attack conducted?
BEC attacks are targeted: the attacker chooses a specific organisation and works against it over time. The most common approach is to gain access to a business mailbox and observe the parties involved in payments, such as Accounts Payable staff and payment approvers, together with their habits, in order to pick the most credible identity to impersonate and the best moment to strike. Once the plan is set, the attacker sends bogus emails posing as a legitimate supplier (or another party to a transaction) to the chosen target in the Finance Department (or another department), requesting an immediate funds transfer using the genuine supplier's details but an altered bank account number. The victim trusts the email and transfers the funds to the attacker's account. If the fraud is recognised quickly it may be possible to recover the funds, but in most cases the criminals have already moved the money through further accounts, making it very difficult to trace and recover.
Different Types of BEC
False Invoice Scheme – Attackers target organisations with foreign suppliers, pose as a supplier and divert funds transfers to an account they control.
CEO Fraud – Attackers pose as the organisation's CEO or another executive and email Finance staff requesting a transfer to an account they control.
Account Compromise – An employee's or executive's email account is hacked and used to send payment requests to vendors and customers; the payments are then directed to the attacker's bank account.
Data Theft – Employees are targeted to obtain personal and sensitive information, which is then used to enable future attacks or exploited for the attacker's own gain.
Protecting your organisation from BEC
Several measures help protect an organisation from BEC. Some of them are:
Review and Hardening of Business Processes
Ensure business processes include suitable controls, segregation of duties and checks that minimise the opportunity for fraud and compromise; make correct use of automation and tooling; and document business processes, policies and procedures.
Employees should be made aware of constantly evolving threats, including BEC, and taught how to distinguish potential fraud from legitimate emails. This can be achieved through cyber security awareness sessions and targeted training where needed.
Supplier Account Verification
Before transferring any funds, Finance staff should verify the bank account number with the supplier through a known channel (for example, a phone number already on file, not one taken from the email requesting the change) and compare it against the account used in previous transactions.
Email Filtering and Detection Rules
Email security gateways or mail filtering rules can flag messages sent from domains that closely resemble the organisation's own domain (for example, a single character swapped or added).
Rules can also flag messages whose Reply-To address differs from the displayed From address, so that replies go to the attacker rather than to the apparent sender. Legitimate mail (mailing lists, ticketing systems) also does this, so treat it as a signal to review rather than an automatic block.
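As an added example (not part of the original article), the Python below implements the two header checks just described, plus a related one, an executive's display name on mail from an external domain, over constructed sample messages using only the standard library. The domain example-corp.com, the executive name and the sample messages are assumptions for illustration.

```python
"""Header-level BEC indicators: lookalike domain, Reply-To mismatch, exec display name.

Added example (stdlib only). Domain, names and messages are constructed for illustration.
These are triage signals, not block decisions.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"   # assumption: the protected organisation's domain
EXEC_NAMES = {"jane doe"}         # assumption: display names of executives worth protecting


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def bec_indicators(raw_message: str, org_domain: str = ORG_DOMAIN,
                   exec_names: set = EXEC_NAMES) -> list:
    """Return indicator strings for one RFC 5322 message; an empty list means nothing flagged."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    flags = []

    # 1. Sender domain is not ours but within two edits of it (e.g. example-c0rp.com).
    if from_dom and from_dom != org_domain and edit_distance(from_dom, org_domain) <= 2:
        flags.append(f"lookalike-domain:{from_dom}")

    # 2. Reply-To routes replies to a different domain than the one shown in From.
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to-mismatch:{from_dom}->{reply_dom}")

    # 3. An executive's display name on mail that did not come from our domain.
    if from_name.strip().lower() in exec_names and from_dom != org_domain:
        flags.append(f"display-name-impersonation:{from_name}")

    return flags


# Constructed sample messages (not real traffic).
SAMPLES = {
    # CEO fraud: typo-squatted domain, external Reply-To, executive's display name.
    "ceo_fraud": (
        "From: Jane Doe <jane.doe@example-c0rp.com>\r\n"
        "Reply-To: Jane Doe <jd.urgent@webmail.example>\r\n"
        "To: payments@example-corp.com\r\n"
        "Subject: Urgent wire before close of business\r\n"
        "\r\n"
        "Please process the attached invoice today and confirm.\r\n"
    ),
    # Ordinary internal mail: nothing to flag.
    "benign": (
        "From: Alex Lee <alex.lee@example-corp.com>\r\n"
        "To: payments@example-corp.com\r\n"
        "Subject: Q3 reconciliation\r\n"
        "\r\n"
        "Numbers attached.\r\n"
    ),
    # Legitimate newsletter with a Reply-To on another domain: that one check fires
    # on its own, which is why these rules should flag for review, not block.
    "newsletter": (
        "From: News <news@vendor.example>\r\n"
        "Reply-To: Support <support@vendor-help.example>\r\n"
        "To: payments@example-corp.com\r\n"
        "Subject: October product update\r\n"
        "\r\n"
        "What's new this month.\r\n"
    ),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} {bec_indicators(raw) or ['clean']}")
```

The CEO-fraud sample trips all three checks, the internal mail none, and the newsletter only the Reply-To check; in a real deployment the count and mix of indicators, not any single one, should drive whether a message is quarantined or merely tagged for the recipient.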
Payment Verification & Confirmation Requests
Require an independent second confirmation for payment requests and for changes to supplier bank details, for example a callback to a known contact or approval by a second authorised person, rather than relying on the email alone. Enabling two-factor authentication on email accounts also makes the account compromise behind many BEC attacks harder to achieve.
Barracuda. (n.d.). Business Email Compromise (BEC). https://www.barracuda.com/glossary/business-email-compromise
Federal Bureau of Investigation, Internet Crime Complaint Center (IC3). 2019 Internet Crime Report. https://pdf.ic3.gov/2019_IC3Report.pdf
Trend Micro. (2019). 2019 Annual Security Roundup. https://documents.trendmicro.com/assets/rpt/rpt-the-sprawling-reach-of-complex-threats.pdf