What is Business Email Compromise (BEC)?

 

Email fraud targeting companies is a rampant and global problem.  According to the Federal Bureau of Investigation (FBI), cybercriminals stole $12.5 billion worldwide from businesses between October 2013 and May 2018 by compromising their official email accounts and using them to initiate fraudulent wire transfers.1 The Internet Crime Complaint Center (IC3) and the FBI are asking individuals to be aware of scams targeting businesses that work with foreign suppliers.

What Is Business Email Compromise?

The FBI officially defines business email compromise (BEC) as “a sophisticated scam targeting businesses working with foreign suppliers and businesses that regularly perform wire transfer payments.” Formerly known as the man-in-the-email scams, these schemes compromise official business email accounts to conduct unauthorized fund transfers.  And, there has been a significant increase of computer intrusions linked to BEC scams in recent years.

How Do BEC Attacks Work?

The most common cons involve fraudsters impersonating high level executives, sending phishing emails from seemingly legitimate sources, and requesting wire transfers to alternate, fraudulent accounts.  BEC scams often begin with an online fraudster compromising a business executive’s email account or any publicly listed email they can get their hands on. This is usually done using keylogger malware or phishing methods—where attackers create a domain similar to the target company—or spoofing email that tricks the target victim into providing account details. Upon monitoring the compromised email account, the cybercriminal will try to determine who initiates wires and who requests them. The scammers often perform a fair amount of research, looking for a company that has had a change in leadership in the C-suite of the finance function, companies where executives are traveling, or by leading an investor conference call. The perpetrators recognize and use these as opportunities to execute the scheme.

There are five distinct versions of BEC scams:

  • Bogus Invoice Scheme/Supplier Swindle: Cybercriminal compromises employee email ► Compromised account used to send notifications to customers ► Payments transferred to cybercriminal’s account ► Cybercriminal receives money
  • CEO Fraud: Cybercriminal poses as company executive and emails finance employee ► Finance sends funds to cybercriminal’s account ► Cybercriminal receives money
  • Account Compromise: Compromised employee account used to request money ► Recipients transfer payments to cybercriminal’s account ► Cybercriminal receives money
  • Attorney Impersonation: Cybercriminal poses as lawyer and emails finance employee ► Finance sends funds to cybercriminal’s account ► Cybercriminal receives money
  • Data Theft: Cybercriminal compromises employee email ► Compromised account used to request PII of other employees/executives ► PII sent to cybercriminal’s account ► Cybercriminal receives PII, uses it for further compromise attacks

DMARC – Defending Against BEC Scams

To combat BEC scams from affecting your business, DMARC is your friend. Your inbound email servers should be configured to filter email that fails DMARC compliance, especially when it comes to email that purports to being from your own domain.

The DMARC protocol was designed to improve email quality: What should happen to messages that fail authentication and compliance test (SPF and DKIM)?  Should you Quarantine, reject, or approve?  How do you tell the purported sender that their email is failing compliance checks?  With DMARC implemented and correctly configured on your inbound servers, your company will have an advantage in reducing BEC attacks. Even with malware filtering, blacklist filtering and enhanced training/policies, DMARC reduces the threat of BEC attacks to your teams.

But what about your Customers, Suppliers and Partners?

DMARC really shines when it is configured correctly for outbound email as well as used to filter inbound email.  Outbound email leveraging DMARC, DKIM and SPF protocols protects your brand from being used in spam, phishing and malware attacks.  The key is to work with your internal and external email senders to properly configure SPF and DKIM.  Once your legitimate sent email is DMARC compliant, you can instruct recipient organizations to automatically reject non-compliant email.  Inbox Providers love DMARC because they can more easily screen for spam, malware and scam emails.  Senders love it because Inbox Providers are more likely to prioritize DMARC compliant email.

Aside from achieving DMARC compliance, businesses are advised to stay vigilant and educate staff on how to prevent being victimized by BEC scams and other similar attacks. Cybercriminals don’t discriminate on company size.  In fact, it is often easier to scam more small-to-medium companies than a single large organization. Additionally, online fraudsters don’t need to be highly technical as they have access to tools and services that cater to all levels of technical expertise in the cybercriminal underground. Because email is such a vital aspect of business communications, a single compromised account is all it takes to financially damage your company. Here are some tips on how to stay protected and secure:

  • Carefully scrutinize all emails. Be wary of irregular emails that are sent from C-suite executives, as they are used to trick employees into acting with urgency. Review emails that request transfer of funds to determine if the requests are irregular.
  • Educate and train staff. While employees are a company’s biggest asset, they’re also usually its weakest link when it comes to security. Commit to training them according to the company’s best practices. Remind all that adhering to company policies is one thing, but developing good security habits is another.
  • Confirm any changes in vendor payment location by using a secondary sign-off by company personnel.
  • Stay updated on your customers’ habits, including the details and reasons behind payments.
  • Verify requests for transfer of funds when using phone verification as part of two-factor authentication (use known numbers).
  • If you suspect that you have been targeted by a BEC email, immediately report the incident to law enforcement or file a complaint with the IC3.

Conclusion

Unfortunately, cybercriminals are a major threat to your business email. By devising malicious social engineering and computer intrusion schemes to fool employees into wiring money, cybercriminals create a serious risk for business whether large or small. This emerging global risk of business email compromise (BEC) has victimized thousands of companies around the world.

Fortunately, there are technologies, like DMARC, that help secure your company’s email  and fight against BEC and other phishing scams. By implementing DMARC and educating employees, the prevalence of online fraudsters and their BEC cons will be minimized. At MxToolbox, our knowledgeable team has over a dozen years helping companies improve their email delivery and protecting companies from email-based threats.  Our latest product, MxToolbox Delivery Center, leverages DMARC to protect your brand from fraud and phishing and improve your email deliverability.

1Information Security Media Group, Corp. https://www.bankinfosecurity.com/fbi-alert-reported-ceo-fraud-losses-hit-125-billion-a-11206