Business Email Compromise

Something as simple as a “spoofed” email, where the display name in the email is modified to appear as an individual within an organization, when in reality, the return address is actually that of the attacker. The email format allows for a “display name” that doesn’t have to be related to the actual sender’s email address. This kind of format is less difficult to fraudulently use the name of a trusted individual. The message often appears to be sent from a senior staff member to someone at a lower level in the company, and the body of the email will imply a sense of urgency. Spoofing is the most common mechanism for payroll diversion attacks because it simply identifies an individual within an organization and sends an email to the payroll department asking for their bank account details to be updated.

What’s worse, suppliers and customers can be attacked using your organization’s email domain, which greatly impacts relationships, your organization’s reputation, and stakeholder trust.

Then there’s the business email compromise where a legitimate user’s email account is compromised. Attacks can obtain user account details and then use those credentials to log into a user’s account. Sneaky attackers will sometimes set up forwarding rules to monitor a victim’s email conversations following the initial message. That gives the attacker the opportunity to step in at their leisure with urgent messages that appear authentic, making the attack even more convincing.

These attacks pose a significant risk. According to the annual 2020 FBI Internet Crime Report, this phishing tactic has raked in nearly $2B this past year alone. But the damage caused by these attacks reaches well beyond financial losses. Fraudulent invoices, which are the most common of BEC attacks, the recipient gets what appears to be a legitimate invoice from an organization.

According to HelpNet Security, there was a 200% increase in business email compromise attacks focused on invoice or payment fraud from April to May 2020, posing an internal risk to organizations; and a reputation risk. As stated above, if a supplier or customer falls for a BEC attack that claims to come from a known organization, it can harm the established trust in the existing relationship as well.

There are actions you can take to inform your employees to avert this threat. Educate your executive leadership team about this type of threat and discuss business email compromise with your organization at-large — especially those employees responsible for payments/payroll AND suppliers, customers, and clients. Training should include preventative strategies and reactive measures in case they are victimized. See our full checklist for details.

There is no single technology solution to BEC, rather it’s a combination of technology, process and user awareness.

In no particular order the four most common business email compromise scams include:

• Fake invoicing, in which the hacker requests funds as a familiar supplier or service provider.

• Wire fraud requests, in which the hacker pretender to be a senior executive handling urgent or confidential information.

• Impersonating a lawyer, who like the wire fraud scam pretends to be handling confidential or time sensitive information.

• Impersonating human resources, where the attacker is attempting to collect personally identifiable information (pii).

• Knowing what to watch out for is the best defense any organization has. If something doesn’t feel right, it is always best to verify and authenticate the request before doing anything that might compromise you or your organization.