
By the Numbers: Business Email Compromise a Major Boon to Threat Actors

You can never be too careful these days when conducting business online. This is especially true when responding to email requests that require payments or the release of funds.
 
In what has become known as business email compromise (BEC), cybercriminals have become increasingly adept not only at spoofing email addresses but at taking over accounts altogether once they are compromised. As a result, overly trusting, eager-to-help employees see no reason to hesitate when an “executive” asks them to transfer company funds on demand.
 
Officials in Peterborough, New Hampshire, are all too aware of the threat. The town was recently defrauded of $2.3 million in such an email scheme and is unlikely to recover much, if any, of the money. Bad actors outside the country had sent two separate emails over a period of several weeks, purportedly representing the local school district in one case and a construction contractor in the other. Each netted more than $1 million.

The 5 Main Types of Business Email Compromise

The Peterborough scam is just the tip of the iceberg. According to the Federal Bureau of Investigation (FBI), these attacks have cost U.S. businesses $1.6 billion since 2013. And the Bureau estimates that figure could top $5.3 billion globally during the same period.
 
 
To alert organizations as well as the general public about BEC as a significant and growing threat, the FBI has published detailed information on how business email compromise occurs and what you can do to protect your organization and report such attacks. Make sure your employees are aware of these 5 types of scams:

CEO Fraud

Attackers position themselves as the CEO or executive of a company. They typically email an individual within the finance department, requesting funds to be transferred to an account controlled by the attacker.

Account Compromise

An employee’s email account is hacked and is used to request payments to vendors. The email in this case is legitimate, but employees should be on guard to question and double-check unusual requests.

False-Invoice Scheme

Attackers act as if they are a company supplier and request fund transfers to fraudulent accounts.

Attorney Impersonation

An attacker impersonates a lawyer or legal representative. Lower-level employees are commonly targeted through these types of BEC attacks.

Data Theft

These attacks target HR employees in an attempt to obtain personal or sensitive information about individuals within the company, such as CEOs and executives. This data can then be leveraged for future attacks, for instance the CEO Fraud described above.

What Can You Do to Protect Your Organization from Business Email Compromise?

BEC attacks target employees up and down the corporate ladder. So it’s important to take measures to prevent account takeover attempts and to recognize email fraud campaigns when they land in your inbox.
 
Organizations should adopt strong password practices, require multi-factor authentication, and establish payment verification procedures so that employees act only on legitimate requests. Security awareness training such as Arctic Wolf Managed Security Awareness® is a great place to start to ensure your employees use strong cyber hygiene practices throughout their workdays.
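As an added example (not part of the original post, and not Arctic Wolf's own tooling), the following Python script shows how a mail team can flag the CEO Fraud and address-spoofing patterns described above before a message reaches the finance inbox. It checks whether a sender's display name matches a known executive while the address is not theirs, whether the sender domain is a close misspelling of the company's own domain, whether a Reply-To header steers replies elsewhere (an indicator commonly seen in these scams, though not mentioned in the post), and whether the message uses money-movement language. The executive roster, the internal domain `example.com`, the keyword list and both sample messages are constructed assumptions for illustration.

```python
"""Flag inbound mail that shows the CEO-fraud pattern: a sender posing
as an executive and asking finance to move money.  Added example; the
roster, domain, keyword list and sample messages are all constructed."""
import email
from email.message import Message
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                      # assumption: our own mail domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # constructed roster: name -> real address
PAYMENT_TERMS = ("wire", "transfer", "payment", "invoice", "funds", "urgent")

# Constructed sample messages (RFC 5322 text); the first mimics CEO Fraud.
IMPERSONATION = """From: Jane Doe <jane.doe@examp1e.com>
To: finance@example.com
Reply-To: jane.ceo@mail-example.net
Subject: Urgent wire transfer

Please process a wire transfer to the account below today.
"""

LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Lunch on Thursday

Are you free Thursday?
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: str) -> list[str]:
    """Return the list of BEC indicators found in one message (empty if none)."""
    msg: Message = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    reasons: list[str] = []

    # 1. Display name matches a known executive, but the address is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr != real:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")

    # 2. Sender domain is a close misspelling of our own domain.
    if domain and domain != INTERNAL_DOMAIN and edit_distance(domain, INTERNAL_DOMAIN) <= 2:
        reasons.append(f"lookalike domain {domain}")

    # 3. Reply-To sends replies to a domain other than the From domain.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply = reply.lower()
    if reply and reply.rsplit("@", 1)[-1] != domain:
        reasons.append(f"Reply-To domain differs from From domain ({reply})")

    # 4. Money-movement language in the subject or body.
    body = msg.get_payload(decode=True) or b""
    text = (msg.get("Subject", "") + " " + body.decode(errors="replace")).lower()
    hits = sorted(term for term in PAYMENT_TERMS if term in text)
    if hits:
        reasons.append("payment language: " + ", ".join(hits))

    return reasons


if __name__ == "__main__":
    for label, raw in (("impersonation", IMPERSONATION), ("legitimate", LEGIT)):
        print(label, "->", bec_indicators(raw) or ["no indicators"])
```

A message that trips several of these checks is a good candidate for quarantine or a warning banner, but the script is a triage aid, not a substitute for the out-of-band payment verification step: a genuinely compromised account (the Account Compromise case above) produces none of the header indicators, and only the human callback catches it.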
 
Want to see a real-world business email compromise attack in action? And discover how quickly Arctic Wolf responds to it to protect our customer? View our Incident Response Timeline.