What is Business E-mail Compromise? How It Works, Best Practices for Protection, and More

Definition of Business E-mail Compromise

Business e-mail compromise (BEC) is when an attacker hacks into a corporate e-mail account and impersonates the real owner to defraud the company, its customers, partners, and/or employees into sending money or sensitive data to the attacker’s account.

BEC is also known as a “man-in-the-email” attack. This is derived from the “man-in-the-middle” attack where two parties think that they are talking to each other directly, but in reality, an attacker is listening in and possibly altering the communication.

How Business E-mail Compromise Works

A BEC scam starts with research. An attacker will sift through publicly available information about your company from your website, press releases, and even social media posts. He/she might look for the names and official titles of company executives, your corporate hierarchy, and even travel plans from email auto-replies.

The attacker will then try to gain access to an executive's e-mail account. To remain undetected, he/she might use inbox rules or change the reply-to address so that when the scam is executed, the executive will not be alerted.

Another trick is to create an e-mail with a spoofed domain. For example, the attacker might use [email protected] instead of [email protected], or [email protected] instead of [email protected]. If you do not pay close attention, it is easy to get fooled by these slight differences. One of the most famous spoofed domain tricks ever was the “PayPa1.com” – a scam site imitating money transfer website Paypal.com.

After scouting corporate communications for some time, the attacker will probably have a good idea of scam scenarios that might work. For instance, if the company has a lot of suppliers, he/she can send invoices to accounting for the rush payment of materials. The attacker would know who is responsible for wire transfers and be able to craft a convincing scenario that would require the immediate transfer of funds.

Most Vulnerable Types of Business E-mail Addresses

While a BEC scam can target anyone in the company, high-level executives and people working in the finance department are the most likely targets. According to Krebs on Security, phishing attacks that spoofed the CEO or company director were among the most costly scams reported in 2016. “Whaling” and “CEO Fraud” are two emerging terms used to describe the phenomenon of targeting high-level executives, and are typically more difficult to detect than traditional phishing scams since they are so targeted.

Examples of Business E-mail Compromise

Some of the most prevalent examples of BEC scams are:

• The fraudulent invoice scam is when a cybercriminal uses an employee's e-mail to send notifications to customers and suppliers asking for payment to the cybercriminal's account.
• The fake boss scam is when a fraudulent email is sent from a business executive’s account to employees instructing them to urgently transfer money from the corporate account to the criminal's account.
• The fake attorney scam is when a lawyer's e-mail address is used to contact clients, asking that they pay money immediately to keep things confidential.

However, business e-mail compromise attacks do not only involve money; sometimes, attackers seek PII or trade secrets.