Most skilled cyber attackers don't require exploits to get into a business network. In business email compromise (BEC) assaults, a straightforward phishing scam is often sufficient to trick the victim into providing their login credentials or sensitive business information.

In these attacks, a hacker sends a phishing email to an employee pretending to be a reliable person to fool them into giving money, revealing intellectual property, or revealing confidential company information.

This post will examine the top 5 business email compromise examples, explain how this scam works, and explain ways to become aware and safeguard your company against it. 

What is Business Email Compromise (BEC)?

Hackers who act as trustworthy individuals, including the CEO, business partners, or other executives in an organization, conduct a scam known as BEC. The goal is to successfully deceive email users into providing sensitive information and data to defraud businesses of valuable assets.

BEC attacks usually target companies, governments, or groups that deal with massive amounts of money or private data.

Similar to other phishing attacks, these attacks primarily use social engineering tactics to trick users into making security mistakes. Usually, you won’t even find malicious URLs or attachments. Instead, these hackers use psychological manipulation to get into the user’s mind. 

For example, scareware. The hackers will bombard the user’s screen with false alarms or fictitious threats. Considering the threats to be true, the user will eventually give in and click on the link and become a victim of cybercrime. 

Using your current standard email protection tools, BEC attacks are very challenging to identify. However, sometimes, it is the fault of businesses to rely on less secure email client service providers. That’s why investing in highly secured email service providers is best to drive growth. 

Types of Business Email Compromise Attacks

Following are the five types of business email compromise attacks; let us look at each of them:

1. Data Theft

Statistics show a cyberattack every 39 seconds, with organizations being the most frequent target. Cybercriminals typically target human resources (HR) staff in an attempt to obtain private or sensitive data about the CEOs, executive officers, partners, and investors of the organization. 

Data theft is the act of stealing digital information from computers, servers, or other electronic devices to access private or sensitive information. 

Unauthorized individuals can remove, alter, or prohibit access to financial or personally identifiable information without the owner's permission. They can also carry out more extensive cyberattacks on businesses, like asking for money in exchange for stolen data. 

2. CEO Fraud or Whaling

Scammers frequently act as the CEO or other prominent executives online to gain control over staff members. The attackers will influence lower-ranking employees to transfer money to fake accounts or disclose vital information after building rapport.

3. Email Account Compromise

A common BEC technique is email account compromise, or EAC, wherein the attacker searches through the employee's contact list for suppliers, vendors, and other beneficial connections. Subsequently, scammers pretending to be the business message these individuals, requesting that they pay invoices to fraudulent vendors.

4. False Invoice Scam

The threat actor acts as a supplier and demands payment for completed work. This attack usually uses a realistic template with separate bank account details to impersonate the target's actual provider.

5. Attorney Impersonation

An example of a business email compromise (BEC) scam is attorney impersonation, in which fraudsters act as the organization's attorney and attempt to scam CEOs by requesting financial wire transfers. Even so, lower-level employees are frequently the victims since they might not have the necessary expertise to challenge a request for a cash transfer. 

How to Recognize Business Email Compromise Attacks?

BEC emails usually contain a few lines of text without any attachments, links, or pictures. Using very few lines of message, the attacker attempts to convince the target to perform a certain action, such as adding money to an account or allowing access to secure systems or data. Following are some common elements of a BEC email:

• Time sensitivity: When initiating a BEC attack, attackers aim to move fast so the target acts before realizing they are being scammed. To accomplish this, the actor employs phrases like quick, urgent, important, soon, and reminder. These terms may exist inside the email but typically appear in the subject line.
• Authoritative sender: The actor conducting a BEC attack must pose as an authoritative figure, such as the CEO or CFO.
• Thorough impersonation: BEC business email compromise emails may appear as authentic senders by employing various techniques, like imitating the sender's email address or writing style.
• Justifying the request: Attackers may attempt to give a cause for an unusual request to make it appear legitimate. This strategy may convince the victim to act without recognizing it's a fraud as soon as possible.
• Specific instructions: Attackers typically give precise instructions when conducting business email compromise attacks. For example, to make the request appear more authentic, they may outline the location and the amount of money to send. The first email and a follow-up email sent after the target responds may contain this information.
• Requests not to contact the sender: The assaulters attempt to stop their target from contacting them through a different communication channel. The main objective is to ensure the target is unaware that the email is fraudulent, which is accomplished by telling the victim not to contact the sender or asking around to make sure the request is legitimate.

Five Real-World Examples of BEC Attacks

There have been significant BEC attacks worldwide in the past few years. Below is a list of some of the most well-known and destructive business email compromise examples.

1. Tech Giants Google and Facebook

Source

Between 2013 and 2015, a BEC attack scammed Google and Facebook into transferring funds to the scammer's bank account. The man behind the attack, Evaldas Rimasauskas, received a five-year prison sentence in 2019. However, the tech giants lost about $121 million during this time.

Rimasauskas and his associates established a fake company named Quanta Computer, utilizing the same name as an authorized hardware supplier. They produced authentic invoices to Google and Facebook, which the companies paid into bank accounts under Rimasauskas's control. To ensure their bank approved these transfers, they also made fake contracts and letters from attorneys.

2. Puerto Rico Government

Source

In early 2020, the Puerto Rican government was still healing from a 6.4 magnitude earthquake when they discovered they had fallen victim to a BEC scam. Ruben Rivera, the director of the Industrial Development Company of Puerto Rico, was the victim. He accidentally transferred $2.6 million to a fake bank account.

This transfer was carried out in response to an email that asked for the banking account linked to the remittance payments to be changed. This email was sent from a Puerto Rico Employment Retirement System employee whose account had been compromised. Notably, the FBI froze public pension funds and suspended three employees. The company's director attested that the scam did not impact any of the pension accounts.

3. Vendor Fraud on IT Company, Ubiquiti

Source

A devastating BEC attack that cost Ubiquiti Networks Inc. $46.7 million occurred in August of 2015, affecting the San Jose-based manufacturer of high-performance networking technologies. The company notified its financial institutions and law enforcement agencies when it learned about the breach. Fortunately, Ubiquiti recovered a portion of the losses with the assistance of law enforcement. Another name for this fraud is "Vendor Email Compromise (VEC)".

The attackers sent fake emails posing as workers of a third-party company to Ubiquiti's finance department requesting to conduct fraudulent transactions. The hackers tricked an employee at one of the company's Hong Kong subsidiaries into transferring a large sum into the assaulters' bank accounts. Earlier, domain or email spoofing was used to initiate VEC attacks; however, more advanced account takeover techniques are now employed. 

4. Toyota Boshoku Corporation

Source

In 2019, a BEC attack resulted in a $37 million loss for Toyota Boshoku Corporation, a European subsidiary of the Toyota Group. The auto parts supplier was tricked into transferring a significant amount of money into the hackers' bank account. The threat actors sent professionally constructed emails to the accounting and finance departments, pretending to be one of the subsidiary's business partners.

Through these emails, the hackers requested that the money be sent to a particular bank account. The company's security specialists discovered they had been tricked soon after the transfer. However, it was too late to cancel the transfer.

5. Obinwanne Okeke 

Source

Well-known businessman Obinwanne Okeke was convicted of implementing a role in a BEC scam and given a 10-year prison term. The scam, which took place in February 2021, resulted in the victims losing $11 million. Okeke was convicted of BEC fraud and creating fake websites to mislead victims. Direct transfers of the fraudulent funds were made to foreign shell corporations.

How to Stay Vigilant From Business Email Compromise Attacks?

BEC protection needs to include several levels, enabling you to differentiate between unauthorized and authorized requests made within the organization. Let's go over the most common safety measures against BEC attacks. 

1. Introduce 2FA for Business Email Accounts.

An additional safety layer called two-factor authentication, or 2FA, protects online accounts against attacks. Users who have enabled 2FA must enter two pieces of information to access their account. One of these factors may be a physical token or a password; the other could be an OTP sent to only the user’s registered phone number or business email address.  

As a mediator between email providers and users, a secure email gateway (SEG) provides email security. In the same way a firewall eliminates malicious network traffic, it recognizes and filters out potentially harmful emails. 

2. Update Your Email Security Measures.

Knowing the best business email compromise strategy to protect a brand is beneficial if your organization wants to step up its security game. A few actions are necessary for complete security:

• A protocol called Sender Policy Framework (SPF) makes DNS records showing which email servers are legitimate. The main objective of the protocol is to stop spammers and cybercriminals from sending emails.
• DomainKeys Identified Mail (DKIM) validates outgoing mail by including a signature. It allows the recipient to confirm that an email is from a particular domain and, thus, a reliable source.
• DKIM and SPF are used by Domain Message Authentication, Reporting, and Conformance (DMARC) to provide strong email security. To be accepted, emails must adhere to DMARC's verification rules.

3. Install Anti-Malware Protection Programs. 

Malware is not a factor in business email compromise fraud, but anti-malware software enhances online safety. For optimal security, it is essential to fortify your IT infrastructure’s security fronts by installing antivirus, anti-spyware, and other security programs to detect malicious activities quickly. 

4. Cross Check With the Client or With Your Superior.

Finally, confirming fund transfer requests is an essential step you should include in your protocols to guarantee data security. The best way to do so is to contact the individual who allegedly sent the email. Do not hesitate to connect or contact your supervisor if you have any more questions after the phone confirmation about the request. Remember, it was always better to ask and get confirmation instead of regretting it later. 

Wrapping up,

Companies are regularly robbed by business email compromise scammers, so taking the necessary precautions to keep your company safe is important. Most BEC business email compromise attacks depend on a company's fake email domain to trick employees into thinking that phishing emails are coming from their superiors. 

Businesses can stop scammers from sending fake emails by securing their email domains with the help of a powerful email provider such as Neo. 

Neo is a business email service provider that takes data security seriously and makes sure that all of your email information is secure. Your data is always safe due to excellent security features, which include data encryption, two-factor authentication, antivirus protection, and anti-spam. 

With Neo’s security features, scammers cannot damage the second layer of protection, even if they manage to get a hold of the user's password. Besides, the email client is hosted on AWS, and all the accounts are secured by advanced antivirus and antispam protocols. It even offers data encryption, where the data is encrypted at rest and in transit with 256-bit ciphers.

If you are afraid of getting hacked or becoming a business email compromise attack victim, switch your email client to Neo today! At affordable rates, you get access to secure and robust email service along with highly advanced and AI-assisted email marketing tools. 

Frequently Asked Questions

1. What if I responded to a BEC email?

Take the following action if you think that you have responded to a BEC phishing attempt:

• Inform your company's IT/cyber security team about the incident immediately.
• Request a complete transaction suspension from the bank.
• Alter your email and other important passwords.
• Examine account statements to look for any unusual activity.
• Make a police report.
• Inform your financial institution, credit card company, and bank about the scam.

2. What if I fall victim to a BEC scam?

If you become a victim of the business email compromise scam perpetrated by cybercriminals, immediately address any data breaches or urgent wire transfers. The best course of action for you would be as follows:

• Inform your financial institution of the fraudulent activity as soon as possible.
• Send an incident report to the FBI office in your area.
• Use the FBI's Internet Crime Complaint Center to submit a complaint.

3. Why is it so hard to detect BEC attacks?

BEC attacks can also be hard to identify for the following reasons:

• Email security filters may become aware of an ongoing attack when there are unusual increases in email traffic. However, BEC attacks tend to be rare, frequently involving just one or two emails.
• Phishing attacks on a large scale usually originate from IP addresses blocked off quickly. Due to their low volume, BEC attacks can originate from IP addresses with a good or neutral reputation.
• The email may appear to be from a legitimate address because BEC attacks can send malicious messages on someone else's behalf without the target's knowledge by using a previously compromised email inbox.