The 5 Types of Business Email Compromise

Business Email Compromise is a deceptive cyber attack in which hackers use social engineering tactics for financial gain.

Business Email Compromise (BEC) involves cyber criminals hacking into an email account and impersonating its owner. They aim to deceive the company, its customers, employees and/or partners by tricking them into sending sensitive data or money to the hacker’s account. The hackers usually target companies that have international suppliers and conduct wire transfers. Corporate email accounts of senior finance employees or executives are spoofed, or compromised through social engineering and phishing, and are later used to initiate fraudulent money transfers that result in losses worth thousands of dollars.

BEC attacks are also known as “Man-in-the-Email” scams. The name is derived from man-in-the-middle attacks, in which an attacker sits between two communicating parties, reading and altering the communication from both ends.

How Business Email Compromise Works

BEC scams start with an attacker researching publicly available data to identify relevant targets. They will go through the information on your website, social media and press releases. The hackers sift through the organisation’s hierarchy, the official names and job titles of senior executives, and sometimes travel plans gleaned from out-of-office auto-replies. They then try to access the target email account using malware, phishing or other social engineering techniques. To stay undetected, they may also alter the “Reply-To” address so that the real email owner is not notified when the scam is carried out.

Another way is to create a spoofed email address that looks almost identical to the original, with a slight difference. For instance, instead of [email protected], the attacker may use [email protected]. If the receiver does not pay close attention, they might think that the extra “inc” attached to the domain is the official address. Another real-world example is the spoofed domain “Paypa1.com”, a scam website imitating the money transfer website paypal.com.
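The two tells described above, an altered Reply-To header and a look-alike sender domain, can be checked automatically on inbound mail. The script below is an added example, not code from the original article or from Kaine Mathrick Tech. It assumes a list of domains the organisation genuinely corresponds with (`TRUSTED_DOMAINS`), uses a plain edit-distance comparison (with digit-for-letter homoglyphs such as “1” for “l” folded first) to spot near-miss domains, and runs over constructed sample messages.

```python
# Added example (not from the original article): flag two BEC tell-tales on an
# inbound message, a Reply-To domain that differs from the From domain, and a
# From domain that is a near-miss of a domain we trust (extra characters such
# as "inc", transposed letters, or a digit swapped for a look-alike letter).
from email import message_from_string
from email.utils import parseaddr

# Assumed: the domains this organisation actually exchanges mail with.
TRUSTED_DOMAINS = {"example.com", "paypal.com", "saffronconveyancing.com.au"}

# Digit-for-letter substitutions attackers use (constructed subset).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Constructed sample messages, labelled by the scenario each represents.
SAMPLE_MESSAGES = {
    "lookalike_domain": (
        "From: Gary <gary@saffronconveyacning.com.au>\n"
        "To: reception@saffronconveyancing.com.au\n"
        "Subject: Bank details\n\nPlease update my account for the next pay run.\n"
    ),
    "reply_to_mismatch": (
        "From: CEO <ceo@example.com>\n"
        "Reply-To: ceo@mail-example.net\n"
        "To: accounts@example.com\n"
        "Subject: Urgent transfer\n\nCall me when done.\n"
    ),
    "homoglyph_domain": (
        "From: billing@paypa1.com\nTo: accounts@example.com\n"
        "Subject: Invoice\n\nSee attached.\n"
    ),
    "clean": (
        "From: billing@paypal.com\nTo: accounts@example.com\n"
        "Subject: Receipt\n\nThanks for your payment.\n"
    ),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (insert/delete/substitute = 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value) -> str:
    """Lower-case domain part of an address header, or '' when absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 3):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or domain in trusted:
        return None
    folded = domain.translate(HOMOGLYPHS)  # paypa1.com -> paypal.com
    for good in trusted:
        if min(edit_distance(domain, good), edit_distance(folded, good)) <= max_distance:
            return good
    return None


def analyse(raw_message: str) -> dict:
    """Findings a mail gateway or SOC triage script would log for one message."""
    msg = message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    findings = {
        "from_domain": from_domain,
        "reply_to_mismatch": bool(reply_domain) and reply_domain != from_domain,
        "lookalike_of": lookalike_of(from_domain),
    }
    findings["suspicious"] = findings["reply_to_mismatch"] or findings["lookalike_of"] is not None
    return findings


if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(name, analyse(raw))
```

A flag from this check is a reason to hold the message for review and verify the request out of band, not proof of fraud: legitimate bulk mailers sometimes set a different Reply-To, so the edit-distance threshold and the trusted list need tuning to the organisation’s real correspondents.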

After spying on official communications for some time, the attackers decide which scam strategy is most likely to succeed. They know who is responsible for wire transfers, and they manufacture a scenario convincing enough to trigger a quick transfer of funds.

Why is email security important?

If someone gains unauthorised access to, or impersonates your email account, they can intercept or gain access to your private communications. This could result in fraud, with cybercriminals intercepting financial transactions such as invoices. Cybercriminals will use email to abuse trust in business processes to scam organisations out of money or goods. This type of email attack is often referred to as business email compromise (BEC).

The ACSC Annual Cyber Threat Report 2020-21 puts self-reported losses for business email compromise at $81.45 million for the 2020-21 financial year. In the same period, business email compromise made up nearly 7% of all cybercrime reports.

Types of Business Email Compromise

01. Fake Invoice Schemes

In this type of scam, the targeted companies are often those that have foreign suppliers. The attacker pretends to be the supplier and requests a funds transfer to an account owned by the attacker.

02. CEO Fraud

The hackers typically impersonate the CEO or senior management. They send an email to employees in the finance department, asking them to transfer money to the attacker’s account.

03. Account Compromise

In an Account Compromise, the attacker hacks an employee’s account and requests invoice payments from vendors listed in that employee’s contacts. These payments are sent to the attacker’s bank account.

04. Attorney Impersonation

In this type of scam, the attacker pretends to be an attorney or lawyer who is supposedly handling confidential matters for the company. They ask for immediate payment to keep everything confidential. These requests are normally made by phone or email, and at the end of a business day to arouse the least suspicion.

05. Data Theft

Business email compromise attacks don’t only have a monetary motive. Attackers also seek trade secrets or the Personally Identifiable Information (PII) of executives and staff. This data is usually obtained by targeting accounts and HR employees. Cyber criminals may also keep the data for use in future attacks.

How to Protect Against BEC Attacks

Before we look at how to protect our business against BEC attacks, it’s important to understand why these attacks succeed. There are three main reasons: successful social engineering, insufficient security protocols and a lack of employee awareness. If we target these three areas as part of our cyber security policy, we can protect our business against these attacks.

Firstly, make multi-factor authentication a mandatory part of your IT security policy. It helps prevent unauthorised email access, particularly when an attacker attempts to log in from a new location. It is also vital to train your employees regularly in cyber security best practices; the evolving threat landscape requires proactive, up-to-date training. Employees need to know how to spot these scams and protect themselves from falling for them. They should know how to identify fake emails and be sceptical of urgent money transfer requests, especially those that appear to come from executives. Never fulfil a payment request unless it has been verified by phone or in person.

Current State of BEC Attacks

According to a recent Targeting Scams report by the Australian Competition and Consumer Commission (ACCC), payment redirection (business email compromise) was the scam that caused the highest losses to Australian businesses, with combined losses of $227 million in 2021. This was the highest financial loss incurred across all types of scams that year.

  • Financial loss reported to Scamwatch by businesses fell by 27% in 2021, to $13.4 million from $18.4 million in 2020. The number of reports made by businesses fell by 13% to 3,624.
  • Businesses reported the most losses to false billing scams (which includes many payment redirection reports) with $6.7 million reported lost and investment scams with $5.1 million lost.
  • Small businesses had the highest median loss of $3,812 and lost a total of $3.5 million.

Two global tech giants have succumbed to BEC attacks. This is a practical example of why focusing on cyber security is important for every business. These companies invest heavily in training and have security professionals tasked with protecting against every kind of cyber attack. If it can still happen to them, it can happen to any other business. Business Email Compromise scams are an existential cyber threat, and we need to improve our cyber security measures proactively.

Recent BEC incident

Background

Sabrina works as a receptionist for a small conveyancing business called “Saffron Conveyancing”, which is owned by Gary.

Saffron Conveyancing has multiple email accounts – one for each staff member, and a generic reception account that is managed by Sabrina.

This reception account receives customer inquiries and is the main point of contact for the business.

While Gary was away on annual leave, he sent an email to the reception email address advising that he had just changed banks. The email included the new bank account details and asked if they could be updated for the next pay cycle, which was in a few days’ time. Sabrina provided the new details to her colleague who was responsible for payroll and asked them to update Gary’s banking details as soon as possible.

The Incident

A week later, Gary had returned to work and asked his staff why he hadn’t been paid yet. When they realised Gary was the only one who hadn’t been paid, the staff member responsible for payroll mentioned that it might be an issue with his new bank.

This took Gary by surprise as he didn’t have a new bank. Sabrina showed him the email, which Gary had no recollection of.

On closer inspection Sabrina noticed a spelling error in the email address:

The Response

Gary immediately contacted Saffron Conveyancing’s bank, but it was too late: the funds had already been transferred to the fraudulent account.

To limit the damage Sabrina followed these steps:

  • Outlined the situation and submitted a report through ReportCyber on cyber.gov.au.
  • Included the steps they had taken so far, as well as a plan for further actions.
  • All staff members reviewed the security settings on their email accounts in case a cybercriminal had gained access and was spying on their emails.
  • Notified all of their clients and contacts that a malicious actor was impersonating their business.
  • Advised that the malicious actor may be targeting those contacts with financial scams and warned everyone to be aware of any suspicious emails.
  • Looked up the registrar of the fraudulent saffronconveyacning.com.au domain name and sent a request to shut down the domain.
  • Sent an official complaint to auDA.


Protecting Against Business Email Compromise

Kaine Mathrick Tech's Cyber Security Solution

Discover your business’s cyber strengths and shortcomings when faced with Business Email Compromise with our Cyber Security Risk Assessment. We offer a complete cyber security solution, tailored specifically to your business, to help minimise downtime and financial risk if you are confronted by a cyber attack.

Summary
Article Name
The 5 Types of Business Email Compromise
Description
Business Email Compromise is a deceitful cyber attack, involving hackers employing social engineering tactics, for financial gain.
Author
Publisher Name
Kaine Mathrick Tech
Publisher Logo
