Business Email Compromise – What it is & How it Happens

  • 11 October 2019

This question should be standard issue at any cybersecurity pub quiz:

What increased by 108% one day in September 2019?

It’s not the number of data breaches experienced around the world. It’s not even the proportion of businesses now targeted by cyberattacks.

No: it refers to the total amount of money stolen from businesses thanks to Business Email Compromise scams, according to the FBI. The Bureau’s flagship figure of $12.5bn was revised upwards by more than 100% on September 10th, hitting a staggering $26bn.

The two figures don’t cover identical timespans. But if anything, comparing the periods of time used to arrive at the totals generates even more alarm. The original $12.5bn figure was derived from business losses over a five-year period between 2013 and 2018. The new figure of $26bn is the product of just three years of criminal activity, covering June 2016 to July 2019.

So how are attackers able to extract such large sums of money from enterprises? And what can be done to stop them?

Perhaps part of the reason Business Email Compromise (BEC) has been so successful is that everyone has a slightly different definition of what it means, and no clear solution to stop it…

What is Business Email Compromise?

Business Email Compromise (BEC) is when a trusted relationship – between colleagues or counterparties – is hijacked through email. BEC can be accomplished in two ways:

  1. email impersonation (i.e. spear phishing attacks)
  2. email account hacking

Conveniently for attackers, account takeover is often achieved after a successful spear phishing attack.

BEC is a catch-all term often conflated with other kinds of email attacks, like phishing, spear phishing and account takeover. Account takeover (ATO) attacks, for instance, are often described as identical to Business Email Compromise. However, ATO attacks see the attacker literally gain access to an individual’s genuine account, potentially by using brute force “credential stuffing” hacking techniques. BEC attacks, meanwhile, are geared around impersonation. An attacker “compromises” an email account by convincingly impersonating a trusted counterparty of the target. What is being “compromised” in a BEC attack is the trust between the target and the impersonated counterparty.

Because BEC scams rely on people making mistakes and being tricked, attacks can be relatively simple or extremely complex. The initial step involves fraudsters identifying a company they intend to target. Once this is done, before executing the attack itself, the attackers must first impersonate an employee or one of the company’s external counterparties. (Attackers might choose to impersonate a display name or a domain in order to fool their target. To understand more about the different types of email spoofing and impersonation exploited by cybercriminals, head to the this Tessian blog.)

To execute a BEC attack, attackers will send spear phishing emails to targets within the company. Building trust over time comes down to communicating authentically. Although you might have read about spear phishing campaigns convincing people to click on malicious links or attachments, this is no longer a necessity. “Zero-payload” attacks, a growing phenomenon, build trust with targets over time using entirely innocuous communications. The request, when it comes, may be made in writing without the suspicious links or attachments that are easier for traditional security programs to flag.

This example shows an attacker impersonating a CEO, Thomas Edison, asking an employee to change invoicing details. There is no link or attachment required, only text:

It’s clear that subtle and hard-to-detect techniques can have a potentially damaging effect on enterprises. So what are the main methods by which attackers compromise this trust in BEC attacks?

What are common BEC techniques?

  • Supplier / vendor fraud
    The dangers of external impersonation are becoming better understood, but there is still a learning curve for security leaders within enterprises. Every business has a finite number of employees, which makes it easier for security products to keep on top of potentially suspicious activity on “employee” email accounts. But all businesses have networks of suppliers and vendors, which dramatically increases the number of people attackers might choose to impersonate. (Download Tessian’s guide to email impersonation to see this effect in action.)
  • CEO fraud
    CEO fraud is a type of spear phishing attack where attackers impersonate a CEO, CFO or another high-level executive. Attackers aim to trick the executive’s colleagues into carrying out actions that place data, money and/or credentials at risk. As with other BEC scams, the usual aim is to extract money from the targeted business by coercing an employee into making illicit wire transfers.
  • Whaling
    Whaling is related to CEO fraud, with a key difference: instead of impersonating senior executives and targeting lower-ranking employees, attackers target the big fish themselves (hence the term). A whaling attack might involve attackers trying to get the executive in question to divulge key credential information or other sensitive organizational data. This information can then be used to access confidential systems, or to make subsequent spear phishing attacks within the organization more authentic and effective. Because they tend to be very busy, and because of their access to key systems, senior executives can be especially profitable targets for attackers.
  • Account takeover
    As covered above, ATO describes the unauthorized takeover of someone’s actual email account, using brute force hacking to harvest credentials before sending a fraudulent email from the target’s own account. ATO attacks are understandably extremely hard for traditional technologies to identify as the “genuine” email account is in use.
  • Institutional impersonation
    Some of the most impersonated parties around the world are not necessarily businesses at all but institutions. Emails from entities like the IRS (HMRC in the UK), or a communication from a court, have the potential to worry people and cause them to react instinctively, rather than rationally. (It’s worth pointing out that the big tech companies, such as Microsoft and Netflix, are invariably among the most impersonated brands in the world, despite both companies employing DMARC to defend against spoofing.)

The consequences of BEC

As we’ve seen, the main motivation behind BEC attacks is commonly financial. But going after an organization’s finances can have wide-reaching consequences, also affecting intangible factors like company morale and brand reputation. Here are some of the main consequences cybersecurity leaders should be wary of.

Data breach / credential harvesting

Data breaches are rarely out of the press these days. One of the scams that resonates most with the media is credential harvesting and the stealing of user data. With organizations now holding more information on individuals (employees and customers) than ever before, these attacks can cause immense harm to people and to businesses.

Financial losses

Of course, a principal aim of BEC attacks is to extract money from targeted organizations. In 2018, film company Pathé lost more than €19m after an attacker posed as the company’s CEO and asked another senior executive to wire funds to a fake account. When second-order financial penalties like fines are taken into account too, BEC can prove extremely damaging to organizations’ balance sheets.

Fines

Nowadays it’s hard to think of data breaches and email attacks without the associated fines brought about by new regulation. Currently, for instance, Yahoo is tackling an enormous class action suit with estimated damages of more than $100m. And legislation designed to make fines more than a slap on the wrist is now ramping up all over the world. In one of the first big GDPR fines, the UK’s Information Commissioner earlier in 2019 announced its intention to fine British Airways £183m after a 2018 data breach.

Reputational damage

It’s harder to quantify on a balance sheet, but after a BEC-triggered data breach, hard-won brand reputations could be put at serious risk. An email security failure can cause share prices to fall and affect organizations’ relationships with their customers. Another second-order effect could be knocking employees’ morale and denting confidence, making rebuilding work still more difficult.

There are a wide range of reasons for businesses to protect themselves against Business Email Compromise, which raises the question: why are most business unprepared to defend against this threat?

Why rule-based technology does not stop BEC

Simply put, security products have not moved as quickly as cyberattackers in predicting and preventing new and emerging threats. Secure Email Gateways do a great job of preventing run-of-the-mill spam and “bulk” phishing attacks, but they do this with static lists of rules that can only stop attacks the software has already seen. They simply aren’t cut out to defend against increasingly sophisticated attackers deploying social engineering techniques and exploiting human frailties in order to trigger dangerous actions. (Read our CTO Ed Bishop’s thoughts on Secure Email Gateways and other legacy technologies here.)

BEC attacks are highly targeted towards particular individuals within organizations. Even the most vigilant employees can be foxed by a spear phishing scam if it is sent on a busy day, delivered in a particular tone, or perceived to be from an authoritative source. Indeed, some threats are confined to IP addresses hidden in email headers – undetectable by employees.

That’s why organizations must invest in technology that explicitly protects theirpeople. And that’s where Tessian’s software, trained on over 1 billion emails, comes in.

Our stateful machine learning engine learns what “normal” email communications look like within complex organizations. Using historical patterns and behavioral signifiers to understand relationships between internal and external parties, Tessian Defender identifies malicious impersonations before they have the chance to deceive employees.

If you’re interested in learning more about Defender or our other Human Layer Security products, sign up for a demo here.