Between The Hacks


Business Email Compromise (BEC)

The world of cybersecurity has some pretty creative and interesting terms, such as phishing, juice-jacking, rainbow tables, credential stuffing, and botnet. However, there is one type of phishing attack that was clearly named without anyone from a marketing team in the room. That is the Business Email Compromise (BEC). (I almost fell asleep while typing that last sentence!)

While the name is not very sexy, the attack is simple to execute and can be very costly to the victim. According to a 2018 FBI report, BEC attacks have earned scammers over 12 billion dollars. BEC is a type of phishing attack with the goal of tricking the victim into sending money to the attacker.

Five Types of BEC

Phishprotection.com reports that there are five types of BEC.

Bogus Invoice Scheme: When a business, which has a long-standing relationship with a supplier, is requested to wire funds for invoice payment to an alternate, fraudulent account.

CEO fraud: When the compromised email account of a high-level executive is used to request a wire transfer to a fraudulent account.

Account compromise: When an employee of a company has their email account compromised and it’s then used to request repayment of an invoice by a customer to a fraudulent account.

Attorney impersonation: When victims are contacted by fraudsters identifying themselves as lawyers and are pressured into transferring funds to a fraudulent account.

Data theft: When fraudulent e-mails are used to request either wage or tax statement (W-2) forms or a company list of personally identifiable information (PII).

With each of these attack methods, the victim is sent an email in an attempt to trick them into trusting the sender and either revealing sensitive information or transferring funds. Typically, the attacker does enough research to know the name and email address of their target, and the person in the company who would normally ask for large sums of money to be wired somewhere. We’ll call this person the requester. Often the target is the CFO and the requester is the CEO.

In practice, the BEC attack is fairly simple. The attacker sends an email that appears to be from the requester to the target. This email requests that a wire transfer be made to a specific account. If the attacker sends a well-crafted email and asks for an amount of money that doesn’t raise suspicion, they will likely reap the rewards of this scam. Below is a sample BEC email.


These types of attacks have been happening for more than 10 years, but many people have never heard of them. As targets have become more savvy at identifying phishing attacks, the attackers have changed their approach.
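The attack described above leaves a few observable traces in the message itself: a display name that matches an executive but an address that does not, a sender domain that is one character off from the real one, a Reply-To that points somewhere else, and body text built around payment and urgency. The following is an added example, not code from this post, showing how a mail gateway or a simple script can score those traits. The company domain, the executive directory and both sample messages are constructed for the demo.

```python
"""Added example, not code from the Between The Hacks post: a small
header-and-body check that flags the BEC traits described above (a sender
posing as the executive who normally requests wires, plus a request for
funds). COMPANY_DOMAIN, EXECUTIVES and the sample messages are all
constructed for the demo."""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                      # assumed home domain
# Assumed directory: lower-cased display name -> address that name really uses.
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
PRESSURE = re.compile(r"\b(wire|transfer|invoice|urgent|immediately|confidential)\b", re.I)


def levenshtein(a, b):
    """Edit distance; used to spot lookalike domains that are a character or two off."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return the list of BEC indicators found in one plain-text RFC 822 message."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. Display name belongs to a known executive but the address does not.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name impersonation")

    # 2. Sender domain is a near miss of the company domain (examp1e vs example).
    if from_dom != COMPANY_DOMAIN and 0 < levenshtein(from_dom, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike domain")

    # 3. Replies would go to a different place than the apparent sender.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to mismatch")

    # 4. Body leans on payment and urgency language (demo handles single-part text only).
    body = msg.get_payload() if not msg.is_multipart() else ""
    if len(PRESSURE.findall(body)) >= 2:
        findings.append("payment-pressure language")
    return findings


# Constructed sample: the shape of the scam described in the post.
SUSPICIOUS = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: Jane Doe <ceo.jdoe@mail-example.net>
To: cfo@example-corp.com
Subject: Quick wire needed today

I'm stuck in meetings. Please wire $48,500 to the vendor account below
immediately and keep this confidential until the deal closes.
"""

# Constructed sample: an ordinary message from the real executive.
LEGITIMATE = """\
From: Jane Doe <jane.doe@example-corp.com>
To: cfo@example-corp.com
Subject: Board deck

Can you send me the Q3 slides when you get a chance?
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        print(label, "->", bec_indicators(raw) or "no indicators")
```

None of these checks is proof on its own; a genuine executive may well write "urgent" in an email. The value is in the combination: a message that trips the impersonation or lookalike check and also asks for money is exactly the case the next section says to verify out of band before anyone touches a wire form.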

What Can You Do?

With a few small changes to your business processes, you can greatly reduce the risk of being a victim of a successful BEC attack.

  1. Education and Awareness: The most important thing you can do is to be aware of this type of attack. Understand that this happens a lot in the business world and make sure that your team knows how to identify these types of scams. I have written about advanced phishing attacks in the past, but your company needs regular education and awareness training, even if you are a small company; maybe especially if you are a small company.

  2. Test Your Employees: If your company does not have a cybersecurity education and awareness program that includes internal phishing tests of your employees, consider starting that project. The results are typically eye-opening, but studies show that regular testing of employees makes them much better at identifying phishing attacks.

  3. Verification Processes: Institute processes around money transfers that require secondary verification using a different communications medium. For example, if a request comes in through email, verify with the requester over a phone call.

  4. Hire an Expert: Even small and medium-sized businesses are being targeted with BEC attacks. While large corporations likely have a staff of cybersecurity experts on hand who mitigate attacks and manage an education and awareness program, small businesses likely do not. So find an expert. Here are a few companies to review to get you started on your search. And here is a CSO magazine review of some of the top companies in this business.

    1. KnowBe4

    2. Cofense

    3. PhishProtection

    4. PhishingBox
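The verification process in item 3 is easy to state and easy to get subtly wrong, so here is an added example, not code from this post, that encodes the rule as a release gate: a transfer request that arrived by email is held until someone confirms it with the requester over a different medium, using contact details taken from the company directory rather than from the request. The threshold, channel names and addresses are assumptions for the demo.

```python
"""Added example, not from the Between The Hacks post: a small release gate
that encodes the secondary-verification rule from item 3. VERIFY_ABOVE, the
channel names and the addresses below are assumptions for the demo."""
from dataclasses import dataclass, field

VERIFY_ABOVE = 5000.0   # assumed: transfers at or above this need out-of-band confirmation


@dataclass
class TransferRequest:
    request_id: str
    requester: str            # who appears to be asking, e.g. the CEO's address
    channel: str              # medium the request arrived on, e.g. "email"
    amount: float
    verifications: list = field(default_factory=list)


def record_verification(req, channel, verified_by, contact_from_directory):
    """Log one confirmation attempt. contact_from_directory is True only when
    the number (or other contact) used came from the company directory, not
    from the request message itself."""
    req.verifications.append({
        "channel": channel,
        "verified_by": verified_by,
        "contact_from_directory": contact_from_directory,
    })


def release_allowed(req):
    """Return (allowed, reason). A confirmation only counts if it used a
    channel different from the one the request arrived on and a contact
    sourced from the directory."""
    if req.amount < VERIFY_ABOVE:
        return True, "below verification threshold"
    for v in req.verifications:
        if v["channel"] == req.channel:
            continue        # replying on the same channel proves nothing
        if not v["contact_from_directory"]:
            continue        # contact details inside the request are untrusted
        return True, f"confirmed with {req.requester} via {v['channel']} by {v['verified_by']}"
    return False, f"hold: needs confirmation over a channel other than {req.channel}"


if __name__ == "__main__":
    req = TransferRequest("R-1", "ceo@example-corp.com", "email", 48500.0)
    print(release_allowed(req))                                  # held
    record_verification(req, "email", "cfo@example-corp.com", True)
    print(release_allowed(req))                                  # still held: same channel
    record_verification(req, "phone", "cfo@example-corp.com", True)
    print(release_allowed(req))                                  # released
```

The two `continue` branches are the whole point. Replying to the suspicious email and getting a reassuring answer back satisfies nobody's policy, because the attacker controls that mailbox or its Reply-To, and the same goes for calling a phone number that the email itself helpfully supplied. The directory lookup is what makes the second channel independent.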

Remember that your email inbox is a dangerous place! Anyone in the world can send you an email. I’m sure you have a spam filter, but the spammers and phishers who are good at their job also have them, and they work hard to make sure their email gets past the filters. Read all email with the thought in the back of your mind that this might not be what it appears.