Business Email Compromise (BEC)

What Is Business Email Compromise?

Business Email Compromise (BEC) is a kind of cybercrime where a hacker gains control of an internal email account and uses that access for financial gain. Traditionally, after gaining access, the bad actor will send out fake emails requesting the transfer of funds, robbing the organization through impersonation.

The specifics of a BEC attack can vary, but the main tactic is to target internal employees (often in the C-suite) and obtain funds through fraud.

Access is the key aspect of BEC, as it gives a cybercriminal the ability to investigate the entire environment and cherry-pick the best options for attack — whether that be sending malicious files to the entire organization in the hopes of installing malware or ransomware or using the access and information to try and misdirect funds to their own financial accounts.

This kind of attack is common in the finance industry, where wire transfers are a common business activity.

This is a dangerous attack type that doesn’t grab the headlines or attention that ransomware does. Yet organizations lose three times as much to BEC as they do to ransomware, according to the FBI.

How Does A BEC Attack Happen?

A BEC attack has three major steps.

1. A hacker gains access to the email account of a user high up in an organization. This access can be obtained through credential theft, social engineering, or another method.
2. A hacker uses that access to learn about the organization. The threat actor will read emails and other files to understand who oversees finances and how they can deploy the best fraud possible.
3. The threat actor sends a fake email posing as the user (often someone from the C-suite) requesting the transfer of funds to their account.

BEC Attacks and Email Spoofing

Email spoofing can be critical to a BEC attack, however it’s important to note that not all email spoofing attacks qualify as BEC attacks. Email spoofing is common in other kinds of phishing and ransomware attacks as well.

In a BEC attack, email spoofing is the main way that the bad actor can trick users and exploit funds.

BEC Attack Examples

A town in New Hampshire lost $2.3 million in 2021 when threat actors posing as construction vendors and a local school district requested funds. This is a sophisticated example of a BEC where wire fraud happens through a third-party vendor. The attack was discovered when the officials for the town followed up and found that the school district neither requested nor received the funds.

Crimson Kingsnake, a BEC group, has gone so far as impersonating various law firms, complete with fraudulent websites and emails. The group then sends out emails with fake invoices, in what are described as blind BEC attacks.

What Are The Five Main Types of Business Email Compromise?

1. CEO Fraud

Attackers position themselves as the CEO or executive of a company. They typically email an individual within the finance department, requesting funds to be transferred to an account controlled by the attacker. CEO Fraud is one of the more common BEC tactics, as users are more likely to trust an email coming from a CEO or other C-suite employee.

2. Account Compromise

An employee’s email account is hacked and is used to request payments to vendors. The email in this case is legitimate, but employees should be on guard to question and double-check unusual requests. While this attack method may be sophisticated in origin, it relies on social engineering, and highlights the importance of security awareness training.

3. False-Invoice Scheme

Attackers act as if they are a company supplier and request fund transfers to fraudulent accounts. This is the kind of attack that was carried out in New Hampshire. Because organizations are often dealing with a multitude of vendors, a hacker can exploit multiple organizations at once through this method.

4. Attorney Impersonation

Attacker impersonates a lawyer or legal representative. Lower-level employees are commonly targeted through these types of BEC attacks. This is the kind of attack carried out by the Crimson Kingsnake group.

5. Data Theft

These attacks target HR employees to obtain personal or sensitive information about individuals within the company, such as CEOs and executives. This data can then be leveraged for future attacks. For instance, CEO Fraud as mentioned above.

How Do You Defend Your Against Business Email Compromise?

BEC attacks target employees up and down the corporate ladder. So, it’s important to take measures to avoid account takeover attempts and be aware of email fraud campaigns when they strike your inbox. Utilizing access controls such as multi-factor authentication can prevent account takeovers and using monitoring software can help detect unusual account activity or even credential stuffing.

Organizations should adopt strong password practices, multi-factor authentication, and establish payment verification procedures so employees only respond to legitimate requests. Identity and access management strategies are key to preventing this kind of attack.

In addition, once an account is taken over, the only thing stopping an attack’s success is users. Security awareness training here is critical to making sure an attempted attack doesn’t end in financial gain for the hackers.

How Arctic Wolf Can Help

Arctic Wolf offers solutions that help with preventing both the technical and the human causes of BEC attacks. Arctic Wolf is vendor neutral and integrates with existing email security solutions.

Arctic Wolf® Managed Detection and Response (MDR) utilizes 24×7 monitoring to help detect immediate threats. If there’s suspicious email logins or email accounts used for suspicious activities, MDR can help detect this and guide your organization through a response and possible remediation.

Arctic Wolf® Managed Risk helps organizations identify and mitigate vulnerabilities. Email vulnerabilities are a consistent threat and can lead to a BEC attack. By shoring up those defenses, you put your organization in a better position to ward off an BEC attack.

Arctic Wolf Managed Security Awareness® combines micro-learning sessions with relevant content to help employees not only understand how credential theft and BEC attacks happen but ensure that they can spot and report suspicious activity before it becomes a full-blown attack.

Arctic Wolf Incident Response can help organizations respond, restore, and remediate fast after a breach or attack such as an email business compromise attack. Valued for breadth of IR capabilities, technical depth of incident investigators, and exceptional service provided throughout IR engagements, Arctic Wolf Incident Response is a preferred partner of cyber insurance carriers.

Sule Tatar

Sule Tatar is a Senior Product Marketing Manager at Arctic Wolf, where she does research on security trends and brings groundbreaking cybersecurity products and services to market. She has extensive experience in the B2B cybersecurity space and holds a bachelor's degree in computer engineering and an MBA.

© 2024 Arctic Wolf Networks Inc. All Rights Reserved.
Privacy Notice	Terms of Use	Cookie Policy	Accessibility Statement	Information Security	Sustainability Statement	Cookies Settings

SOLUTIONS

INDUSTRIES

Quickly detect, respond, and recover from advanced threats.

Detect and respond to advanced threats targeting your cloud infrastructure and applications.

Discover, assess, and harden your environment against digital risks.

Explore, harden, and simplify your cloud environment against misconfiguration vulnerabilities.

Engage and prepare employees to recognize and neutralize social engineering attacks.

Recover quickly from cyber attacks and breaches, from threat containment to business restoration.

HOW IT WORKS

Delivering security operations outcomes.

Collect, enrich, analyze.

Ecosystem integrations and technology partnerships.

Tailored security expertise and guided risk mitigation.

Security experts proactively protecting you 24×7.

Meet some of the security experts working alongside you and your team.

TRENDING RESOURCES

Understanding ransomware — from its origins to its impacts to the TTPs that allow ransomware gangs to exploit victim organizations and make off with millions in ransom payments and extortion fees.

The elite security researchers, data scientists, and security developers of Arctic Wolf Labs share forward-thinking insights along with practical guidance you can apply to protect your organization.

Learn how our Concierge Security® and Triage Security Teams help end cyber risk.

SECURITY BULLETINS

CVE-2024-3400: Follow Up: Patches Released for Actively Exploited Critical Vulnerability in GlobalProtect Feature of PAN-OS

CVE-2024-26234 for Windows and CVE-2024-29053 for Defender for IOT highlighted in Microsoft’s April 2024 Patch Tuesday

CVE-2024-3400: Critical Vulnerability in GlobalProtect Feature of PAN-OS being Actively Exploited

COMPANY