Since people began to use email for personal and business correspondence actively, email fraud has emerged. Most likely, you have at least once received emails from wealthy distant relatives with the same last name as yours.
But while some of these tricks seem ridiculous, business email compromise is a modern method that combines technology with the weakest link of all: the human factor.
According to IC3's 2022 report:
- the potential total loss from cyberattacks and incidents has grown from $6.9 billion in 2021 to more than $10.2 billion in 2022;
- the IC3 received 21,832 BEC complaints with adjusted losses of over $2.7 billion, an increase of 12% from 2021 and 628% from 2016.
In this article, we will tell you what strategies are available, how to prevent possible losses, and show examples of companies losing millions of dollars by simply not checking enough information in an email.
What is a business email compromise?
A business email compromise is also known as a BEC attack. The main goal of business email compromise (BEC) is to defraud the company.
A BEC attack is a phishing scam in which criminals use unauthorized access to a company's email account or impersonate a company representative or partner. Often, an attacker will compromise the email account of a company executive, such as the CEO.
From this email account, they send a message asking to transfer money or provide access to sensitive data. To convince the recipient, attackers actively use spear-phishing and social engineering tactics.
The following factors have contributed to the growth of BEC attacks in recent years:
- increase in the number of remote workers;
- the use of numerous business-related accounts that are registered through an employee's email account;
- application of generative artificial intelligence tools for phishing.
This makes protecting business email accounts increasingly challenging.
Types of business email compromise attacks
As you already understand, in a BEC attack, the cybercriminal does not send out a mass email hoping that someone will be gullible enough. They first prepare and collect information, and only then act with confidence:
- collect data about the company, its partners and suppliers, as well as its personnel occupying key positions;
- find out the company's hierarchy to understand who makes financial decisions.
All this information is used to select an attack target and create persuasive email copy that will inspire trust and provoke rash action by indicating urgency or importance. Generative artificial intelligence technologies help attackers create such texts as convincingly as possible.
Depending on the characteristics of the scam, the FBI identifies the following five types of BEC attacks.
False invoice scheme
In this case, the attack targets the email accounts involved in paying invoices at the company. A criminal can impersonate a partner the company owes money to and issue a false invoice (sometimes it differs from the real one by only one digit). Or they can spoof the email account of an employee authorized to process invoice payments, such as a responsible manager, and send a fake invoice to the company's finance department on that person's behalf.
CEO fraud
Cybercriminals use the CEO's email account for BEC scams. On the CEO's behalf, they email a finance department employee and instruct them to send money, usually urgently and in an authoritative tone, warning that otherwise the company will lose a partner. Also on behalf of the CEO, they may ask the employee to urgently send sensitive information to a fake partner.
Data theft
BEC scams are not always aimed at extracting money. Sometimes, the scammers' main goal is personal or sensitive information about company employees. To obtain it, they target staff in the finance and human resources departments, who hold such information, so that they can use it for their own purposes.
Email account compromise
Email account compromise is a business email compromise scheme in which scammers use a compromised company email account to request payments from the company's clients. At the same time, they change the payment details to their own and receive all the money.
Attorney impersonation
In this case, attackers use a fraudulent account to impersonate a company's legal representative or lawyer, whose credentials are difficult for ordinary employees to verify. Typically, employees believe this is a lawful request related to some business transaction and provide sensitive data.
How to recognize BEC attacks
The main purpose of a BEC email is to provoke a quick, thoughtless reaction on receipt. These are the red flags to watch for when evaluating any request for sensitive data or a money transfer:
- They mimic regular workflows — fraudsters often choose routine processes that are normally handled automatically, such as password reset emails, intranet file sharing, and access-grant emails from apps.
- They build a trusting relationship with the recipient — for example, by mentioning details of a real transaction with a client or of an employee's salary transfer.
- The subject and content of the email convey urgency and importance, use manipulative language, and contain a call to action. The following words should alert you: request, overdue, payments, immediate action.
- Use of free tools — during an attack, you may be asked to enter information into Google Forms, Google Docs, or another service commonly used in companies.
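The red flags above can be checked mechanically on an inbound message. The following is an added example (not from the original article): it parses one RFC 5322 message and reports an executive display name on an external address, a lookalike sender domain, a diverging Reply-To, and the urgency vocabulary the article lists. The company domain, the protected executive names and both sample messages are constructed for the example.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr

# Hypothetical organisation settings: the domain it really sends from and the
# executives most often impersonated in CEO-fraud and false-invoice scams.
COMPANY_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe", "john roe"}
# Urgency and payment vocabulary the article lists as red flags, plus "urgent"/"wire".
URGENCY_WORDS = re.compile(r"\b(request|overdue|payments?|immediate action|urgent|wire)\b", re.I)

def bec_red_flags(raw_message: str) -> list[str]:
    """Return the BEC red flags found in one RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw_message)
    flags = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    # 1. An executive's display name on an address outside the company domain.
    if from_name.strip().lower() in PROTECTED_NAMES and from_domain != COMPANY_DOMAIN:
        flags.append(f"executive name '{from_name}' sent from external domain {from_domain}")
    # 2. A lookalike domain that differs from the real one by only a character or two.
    if from_domain != COMPANY_DOMAIN and difflib.SequenceMatcher(None, from_domain, COMPANY_DOMAIN).ratio() > 0.8:
        flags.append(f"lookalike sender domain {from_domain}")
    # 3. Reply-To quietly steers the conversation to a different mailbox.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append(f"Reply-To {reply_addr} differs from From {from_addr}")
    # 4. Urgency, importance or payment language in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = sorted({w.lower() for w in URGENCY_WORDS.findall(msg.get("Subject", "") + "\n" + body)})
    if hits:
        flags.append("urgency/payment language: " + ", ".join(hits))
    return flags

# Constructed sample messages (not real mail): one CEO-fraud attempt, one routine email.
SAMPLE_SCAM = """From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe.ceo@mail-example.net
To: accounts@example.com
Subject: Urgent request: overdue supplier payment

Please process the attached invoice today, immediate action required.
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Agenda for Thursday

See attached notes.
"""

if __name__ == "__main__":
    for flag in bec_red_flags(SAMPLE_SCAM):
        print("FLAG:", flag)
```

A message that trips several flags at once is the kind that should be confirmed through a second channel, such as a phone call to a known number, before any transfer is made.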
Real-world business email compromise examples
We have collected the most notorious examples of business email compromise in which companies lost large sums of money.
BEC attack on Facebook and Google
Between 2013 and 2015, Facebook and Google paid $121 million into fake accounts. The attackers registered a fictitious company under the name Quanta Computer, the same name as their real equipment supplier.
They then sent Facebook and Google plausible-looking invoices, which the companies duly paid into the fraudulent bank accounts. Besides fake invoices, the scammers had also prepared forged emails and attorney contracts so that the banks would accept the transfers.
Toyota Boshoku Corporation BEC attack
In 2019, fraudsters contacted the finance and accounting department of Toyota Boshoku Corporation, a Toyota subsidiary. The email was written on behalf of a legitimate business partner who required an urgent payment for spare parts. In the payment request, they warned that Toyota's production would slow down if the deal was not completed. The BEC scam worked: a company representative paid more than $37 million for a spare-parts order against fake invoices, straight to the scammers.
Scoular Co. acquisition scam
In June 2014, a Scoular Co. employee received an email purportedly from the CEO. The fake email stated that Scoular was looking to acquire a Chinese company and instructed the employee to contact an attorney at the accounting firm KPMG, transfer the money, and close the deal. The employee sent $17.2 million. The fraudsters created email accounts impersonating both the CEO, Elsea, and a KPMG lawyer, playing on the victim's trust and exploiting interpersonal relationships.
Fraud from a fake company
St. Ambrose Catholic Parish in Brunswick, Ohio, lost $1.75 million in a 2019 BEC attack. Attackers broke into the email accounts of two parishes and examined emails about payments to contractors. They used this information to build the scam: posing as a contractor and calling on behalf of the construction company Marous Brothers, they explained that its bank account had changed and that it had not received payment for two months. Parish employees did not double-check the information and transferred the money to the scammers.
Here are more examples of large BEC attacks:
- Ubiquiti lost $46.7 million in 2015 as a result of a vendor email compromise.
- In 2018, the European cinema chain Pathé suffered a $21.5 million loss due to a BEC scam involving a fake purchase of a movie theater in Dubai, in which the fraudster posed as the CEO and instructed staff to pay for the purchase.
- In 2021, celebrity entrepreneur Obinwanne Okeke, who had used phishing emails to steal the credentials of business executives (including the CFO of the UK company Unatrac Holding), was found to have caused $11 million in company losses.
- The homeless charity Treasure Island lost $625,000 in 2021 to a month-long BEC attack: attackers gained access to the organization's bookkeeper's email and sent emails posing as Treasure Island's partner organizations.
- In 2020, the Puerto Rican government transferred $2.6 million to a fraudulent bank account while responding to a magnitude 6.4 earthquake.
Tips to protect your business from future attacks
Use these basic techniques to protect against BEC attacks:
- authenticate senders using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC);
- use two-factor authentication or MFA for business email accounts — request a password, PIN, or fingerprint to log in;
- apply anti-malware protection to protect your network from malware or malicious URLs;
- provide user training and information — train employees to recognize scams and phishing attacks and read every email with a skeptical eye, regardless of the designated sender.
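The SPF and DMARC part of that list is only as strong as the published records. The following is an added example (not from the original article) that audits a domain's SPF and DMARC TXT records for the weak settings that leave the From domain spoofable, with the weak configuration shown beside the corrected one. The DNS data is a constructed in-memory table standing in for live lookups, and all domain names are placeholders; DKIM is not checked because it requires knowing the selector names.

```python
# Constructed TXT records standing in for DNS lookups (not a real zone).
TXT_RECORDS = {
    # Weak: SPF '?all' is neutral, DMARC p=none only monitors and sends no reports.
    "weak.example": ["v=spf1 include:_spf.mail.example ?all"],
    "_dmarc.weak.example": ["v=DMARC1; p=none"],
    # Corrected: hard fail in SPF, reject policy for domain and subdomains, reports on.
    "strong.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.strong.example": ["v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s"],
    # Broken: two SPF records (a permanent error for receivers) and no DMARC at all.
    "nodmarc.example": ["v=spf1 ip4:192.0.2.10 -all", "v=spf1 -all"],
}

def parse_tags(record):
    """Turn 'v=DMARC1; p=none' into {'v': 'DMARC1', 'p': 'none'}."""
    return dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)

def audit_email_auth(domain, lookup=TXT_RECORDS.get):
    """Return a list of weaknesses found in the domain's SPF and DMARC records."""
    findings = []
    spf = [r for r in lookup(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record: any server can claim to send as this domain")
    elif len(spf) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    else:
        mech = spf[0].split()[-1].lower()  # the terminal 'all' mechanism and its qualifier
        if mech in ("+all", "all", "?all"):
            findings.append(f"SPF ends in '{mech}': forged senders pass or are neutral")
        elif mech == "~all":
            findings.append("SPF ends in '~all': forged senders only softfail; use '-all' with DMARC")
    dmarc = [r for r in lookup("_dmarc." + domain, []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("no DMARC record: SPF/DKIM results are never enforced on the From domain")
        return findings
    tags = parse_tags(dmarc[0])
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none: spoofed mail is still delivered; move to quarantine, then reject")
    if "rua" not in tags:
        findings.append("DMARC has no rua=: no aggregate reports, so spoofing stays invisible")
    if policy != "none" and tags.get("sp", policy) == "none":
        findings.append("DMARC sp=none: subdomains remain spoofable")
    return findings

if __name__ == "__main__":
    for name in ("weak.example", "strong.example", "nodmarc.example"):
        print(name, audit_email_auth(name) or ["no issues found"])
```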
Using these effective BEC protection measures helps prevent significant money and data losses.
Since BEC attacks are happening constantly and scammers are only becoming more creative in technical aspects and manipulation techniques, take all necessary precautions to keep your company safe.
In all the business email compromise examples we discussed, the decision to transfer a large amount was made by one specific person. Hence, the main goal is to teach employees in key positions to scrutinize sensitive emails and double-check the information in them.