Business Email Compromise (BEC) is a cyberattack involving the hacking, spoofing, or impersonation of a business email address. The victim of a BEC attack receives an email that appears to come from a trusted business. The email looks and feels genuine. But it typically contains a phishing link, a malicious attachment, or a request to transfer money to the attacker.
In this article, we’ll look at why cybercriminals use BEC, how it works, and why it remains a serious problem. Looking for examples of BEC attacks, or for guidance on how to prevent business email compromise? Check out these pages instead:
BEC is a tried-and-tested cyberattack method that costs consumers and businesses billions every year. So what makes BEC such a prevalent cybercrime technique? Simply put: cybercriminals use BEC as a way to make social engineering attacks more effective.
A social engineering attack is any form of cybercrime involving impersonation: the attacker pretends to be a trusted person so that the target does what they’re told. According to Verizon’s 2021 Data Breach Investigations Report (DBIR), BEC is the second-most common type of social engineering attack.
Here are some examples of social engineering attacks that can involve BEC:
All these social engineering attacks involve some sort of impersonation. Fraudsters use every tool available to make their impersonation more convincing. And one of the best tools available is a genuine — or genuine looking — business email address.
BEC attacks target both individuals and businesses, and the attacker will generally use BEC to gain access to one of the following:
Now that you know why cybercriminals launch BEC attacks, we’re going to look at how they do it.
There are various competing definitions of BEC — so before we explain the process, let’s clarify what we mean when we use this term. A BEC attack is any phishing attack where the target believes they have received an email from a genuine business. As noted by Verizon, “BEC doesn’t even have to compromise a business email address. Your.CEO@davesmailservice.com comes up all too often in our dataset.”
There are several methods that a cybercriminal can use to achieve this, including:
Let’s look at each of these techniques.
Email impersonation is where the attacker sets up an email account that looks like a business email account. Here’s an example:
In this case, we can imagine Leon Green really is Tess’ boss and that an invoice for Amazon really is due to be paid. This information is easy enough to find online. But, note that the sender’s email address is “leon.green@micrott.com”. If you look carefully, you’ll see Microsoft is misspelled.
Many people miss small details like this, especially if looking on their phones. Worse still, mobile email clients typically only show the sender’s display name and hide their email address.
Email spoofing is where the attacker modifies an email’s envelope and header. The receiving mail server thinks the email came from a corporate domain and the recipient’s email client displays incorrect sender information. You can read more about email spoofing – and see an example of a spoofed email header – in this article: What is Email Spoofing? How Does Email Spoofing Work?
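The two techniques just described, a misspelled lookalike domain (the “micrott.com” example) and a spoofed header whose envelope sender does not match the claimed From domain, can both be caught with simple header checks. The script below is an added example written for this article; it is not Tessian’s code and not Tessian Defender’s detection logic. The trusted-domain list, the similarity threshold, and the three sample messages are all constructed for the demonstration.

```python
"""Added example (not Tessian's code): header heuristics for two BEC
techniques, lookalike-domain impersonation and envelope/header spoofing,
run over constructed sample messages."""
import email
from email import policy
from email.utils import parseaddr

# Constructed: domains this organization treats as trusted senders.
TRUSTED_DOMAINS = {"microsoft.com", "tessian.com"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, min_similarity=0.7):
    """Return the trusted domain that `domain` most resembles, or None.

    An exact match is not a lookalike. The 0.7 similarity threshold is an
    assumption chosen for the demo; tune it against your own traffic."""
    domain = domain.lower()
    if domain in trusted:
        return None
    best = None
    for t in sorted(trusted):
        sim = 1 - levenshtein(domain, t) / max(len(domain), len(t), 1)
        if sim >= min_similarity and (best is None or sim > best[1]):
            best = (t, sim)
    return best[0] if best else None


def _domain(header_value: str) -> str:
    """Extract the lowercase domain part of an address header value."""
    _, addr = parseaddr(str(header_value))
    return addr.rpartition("@")[2].lower()


def analyse(raw: str) -> list:
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_domain = _domain(msg.get("From", ""))

    # Technique 1: email impersonation with a misspelled lookalike domain.
    target = lookalike_domain(from_domain)
    if target:
        findings.append(f"lookalike domain: {from_domain} resembles {target}")

    # Technique 2: spoofing. The header From claims a trusted domain, but
    # the envelope sender recorded in Return-Path comes from somewhere else.
    ret_domain = _domain(msg.get("Return-Path", ""))
    if from_domain in TRUSTED_DOMAINS and ret_domain and ret_domain != from_domain:
        findings.append(
            f"envelope/header mismatch: From {from_domain}, Return-Path {ret_domain}")

    # A Reply-To that redirects replies away from the From domain is a
    # common tell in both impersonation and spoofing.
    reply_domain = _domain(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to redirect: replies go to {reply_domain}")
    return findings


# Constructed sample messages (headers only; bodies are not needed here).
IMPERSONATION = "From: Leon Green <leon.green@micrott.com>\nTo: tess@example.com\nSubject: Amazon invoice due\n\n"
SPOOFED = ("Return-Path: <bounce@davesmailservice.com>\nFrom: CEO <ceo@microsoft.com>\n"
           "Reply-To: <your.ceo@davesmailservice.com>\nTo: tess@example.com\nSubject: Urgent\n\n")
CLEAN = "From: Alice <alice@tessian.com>\nTo: tess@example.com\nSubject: Lunch\n\n"

if __name__ == "__main__":
    for name, raw in [("impersonation", IMPERSONATION), ("spoofed", SPOOFED), ("clean", CLEAN)]:
        print(name, "->", analyse(raw) or ["no findings"])
```

Note the limits of this approach: Return-Path is only present once the receiving server has recorded the envelope sender, so the check must run on the delivered message, not on a copy forwarded by a user, and edit-distance matching will miss lookalikes that swap in visually similar characters rather than dropping or changing letters. In production these heuristics sit alongside SPF, DKIM and DMARC results rather than replacing them.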
In account takeover (ATO), the attacker gains access to a corporate email account, whether via hacking or by using stolen account credentials. They gather information about the user’s contacts, email style, and personal data — then they use the account to send a phishing email.
In recent years, there’s been a rise in the number of scams that use “application impersonation”. In an application impersonation attack, the target receives an email that appears to be an automated notification sent via a workplace application, such as Zoom, Office 365, or Gmail.
Here’s an example—a phishing email masquerading as a notification from Microsoft Teams, which was detected and prevented by Tessian Defender:
Clicking the link will take the user to a sign-in page which will harvest their login credentials. Impersonation of automated business emails is an increasingly common threat. Research from GreatHorn suggests that business-related applications accounted for around 45% of impersonation-related attacks in early 2021.
We know BEC is a common cyberattack method. But how many businesses are affected, and how badly? Because many BEC attacks go unnoticed — and because different organizations use different definitions of BEC — there’s no simple answer. So what do we know about the prevalence of BEC? The best source of cybercrime statistics comes from the FBI’s Internet Crime Complaint Center (IC3), which reports that:
We’ve looked at the different types of BEC, how a BEC attack works, and how serious and pervasive this form of cybercrime has become. Next, let’s look at examples of BEC attacks, which will help you learn from the experiences of other organizations. Or you can learn how Tessian prevents BEC attacks here.