The 5 Types of Business Email Compromise

Business Email Compromise is a deceitful cyber attack, involving hackers employing social engineering tactics, for financial gain.

5 types of business email compromise

Business Email Compromise (BEC) involves cyber criminals hacking into an email account and impersonating the email owner. They aim to deceive the company, customers, employees, and/or partners, by tricking them to send sensitive data or money to the hacker’s account. The hackers usually target companies that have international suppliers and conduct wire transfers. Corporate email accounts of high-tier employees or executives related to finance are spoofed or compromised through social engineering and phishing. Later, they are used to conduct fraudulent money transfers that result in losses worth thousands of dollars.

BEC attacks are also known as “Man-in-the-Email” scams. The name is derived from man-in-the-middle attacks. This is when two communicating parties are intercepted by an attacker who is listening and altering the communication from both ends.

How Business Email Compromise Works

How Does Business Email Compromise Works

BEC scams start with an attacker researching publicly available data to identify relevant targets. They will go through the information from your website, social media and press releases. The hackers sift through the organisation’s hierarchy, official names and job titles of higher company executives, and sometimes travel plans with the help of auto-replies to emails. They then try to access the target email account by using malware, phishing or other social engineering techniques. In order to stay undetected, they may also alter the “reply-to” address so that the email owner does not get notified when the scam is carried out.

Another way is to create a spoofed email, which looks almost identical to the original email address, with a slight difference. For instance, instead of [email protected], the attacker may use [email protected]. If the receiver does not pay close attention, they might think that the extra “inc” attached to the domain is official address. Another real-world example is that of a spoofed domain “Paypa1.com”, which was a scam website imitating money transferring website paypal.com.

After spying on official communications for some time, the attackers conclude which scam strategy will be most successful. They know who has the responsibility of wire transfers. And they manufacture a scenario that is convincing enough to initiate a quick transfer of funds.

Why is email security important?

If someone gains unauthorised access to, or impersonates your email account, they can intercept or gain access to your private communications. This could result in fraud, with cybercriminals intercepting financial transactions such as invoices. Cybercriminals will use email to abuse trust in business processes to scam organisations out of money or goods. This type of email attack is often referred to as business email compromise (BEC).

The ACSC Annual Cyber Threat Report 2020-21 puts self-reported losses for business email compromise at $81.45 million for the 2020-21 financial year. In the same period, business email compromise made up nearly 7% of all cybercrime reports.

Types of Business Email Compromise

01. Fake Invoice Schemes

In this type of scam, the targeted companies are often those that have foreign suppliers. The attacker pretends to be the supplier and requests fund transfer to an account that is owned by the attacker.

03. Account Compromise

In an Account Compromise, the attacker hacks an employee’s account and requests invoice payment to vendors that are listed in their contacts. These payments are sent to the attacker’s bank account.

05. Data Theft

Business email compromise cyber attacks don’t only have a monetary motive. They also seek trade secrets or Personally Identifiable Information (PII) of executives and staff. This data is obtained usually by targeting accounts and HR employees. Cyber criminals can also keep this data to use for attacks in future.

02. CEO Fraud

The hackers typically impersonate the CEO or higher management.  They send an email to employees in the finance department, asking them to transfer money to their deceitful account.

04. Attorney Impersonation

In this type of scam, the attacker pretends to be an attorney or lawyer who is supposedly in charge of confidential matters of the company. They asks for immediate payment of money to keep everything confidential. These requests are normally done through phone or email, and at the end of a business day for least suspicion.

How to Protect Against BEC Attacks

Before we look into how we can protect our business against BEC attacks, it’s important to know the reasons why these attacks are successful. There are mainly three reasons for this i.e. successful social engineering, insufficient security protocols and lack of employee awareness. If we target these three areas as a part of our cyber security policy, we can protect our business against these attacks.

Firstly, implement multi-factor authentication as a mandatory part of IT your security policy. Authentication helps prevent unauthorised email access, particularly if the attacker is attempting to login from a new location. It is also vital to train your employees regularly about cyber security best practices. The evolving cyber landscape requires proactive and updated training. Employees need to know how to spot and save themselves from falling for such scams. They should know how to identify fake emails and be skeptical about urgent money transfer requests coming especially from executives. Never fulfill a payment request unless verified via phone or in person.

Current State of BEC Attacks

According to a recent Targeting Scams report by Australian Competition and Consumer Commission (ACCC), payment redirection (business email compromise) is the scam that caused the highest losses to Australian businesses with combined losses of $227 million in 2021. This accounted for the highest financial loss incurred among all types of scams that year.

  • Financial loss reported to Scamwatch by businesses fell by 27% in 2021, to $13.4 million from $18.4 million in 2020. The number of reports made by businesses fell by 13% to 3,624.
  • Businesses reported the most losses to false billing scams (which includes many payment redirection reports) with $6.7 million reported lost and investment scams with $5.1 million lost.
  • Small businesses had the highest median loss of $3,812 and lost a total of $3.5 million.

Two global tech giants succumbed to a BEC attack. This is a practical example of why focusing on cyber security is important for every business. These companies invest heavily on training and have security professionals tasked with protecting against every kind of cyber attack. If it can still happen to them, it can happen to any other business. Business Email Compromise scams are an existential cyber threat and we need to improve our cyber security measures proactively.

Recent BEC incident

Background

Sabrina works as a receptionist for a small conveyancing business called “Saffron Conveyancing”, which is owned by Gary.

Saffron Conveyancing has multiple email accounts – one for each staff member (e.g. [email protected]), and a generic [email protected] account that is managed by Sabrina.

This reception account receives customer inquiries and is the main point of contact for the business.

While Gary was away on annual leave, he sent an email to the recipient email address advising that he had just changed banks. The email included the new bank account details and asked if it could be updated for the next pay cycle, which was in a few days’ time. Sabrina provided the new details to her colleague who was responsible for payroll and asked them to update Gary’s banking details as soon as possible.

The Incident

A week later, Gary had returned to work and asked his staff why he hadn’t been paid yet. When they realised Gary was the only one who hadn’t been paid, the staff member responsible for payroll mentioned that it might be an issue with his new bank.

This took Gary by surprise as he didn’t have a new bank. Sabrina showed him the email, which Gary had no recollection of.

On closer inspection Sabrina noticed a spelling error in the email address:

The Resopnse

Gary immediately contacted Saffron Conveyancing’s bank but it was too late, the funds had already been transferred to the fraudulent account.

To limit the damage Sabrina followed these steps:

  • Outlined the situation and submitted a report through ReportCyber on cyber.gov.au
  • Included the steps they had taken so far, as well as a plan for further actions.
  • All staff members reviewed the security settings on their email accounts in case a cybercriminal had gained access and was spying on their emails.
  • Notified all of their clients and contacts that a malicious actor was impersonating their business.
  • Advised that the malicious actor may be targeting the contacts with financial scams and warned everyone to be aware of any suspicious emails.
  • Looked up the registrar of the fraudulent saffronconveyacning.com.au domain name and sent a  request to shut down the domain.
  • Sent an official complaint to auDA.

Outcome

Sabrina works as a receptionist for a small conveyancing business called “Saffron Conveyancing”, which is owned by Gary.

Saffron Conveyancing has multiple email accounts – one for each staff member (e.g. [email protected]), and a generic [email protected] account that is managed by Sabrina.

This reception account receives customer enquiries and is the main point of contact for the business.

While Gary was away on annual leave, he sent an email to the reception email address advising that he had just changed banks. The email included the new bank account details and asked if it could be updated for the next pay cycle, which was in a few days’ time.

Sabrina provided the new details to her colleague who was responsible for payroll and asked them to update Gary’s banking details as soon as possible.

Protecting Against Business Email Compromise

Kaine Mathrick Tech's Cyber Security Solution

Discover your business’ cyber strengths and shortcomings when faced with Business Email Compromise, with our Cyber Security Risk Assessment. We offer a complete Cyber Security solution, tailored specifically to your business, to help minimise downtime and financial risk if confronted by a cyber attack.

Summary
The 5 Types of Business Email Compromise
Article Name
The 5 Types of Business Email Compromise
Description
Business Email Compromise is a deceitful cyber attack, involving hackers employing social engineering tactics, for financial gain.
Author
Publisher Name
Kaine Mathrick Tech
Publisher Logo

Related Stories

The strategic edge: How a Strategic Account Management Service will help your business

Navigate the complexities of legal compliance with confidence, ensure your legal practice adheres to the latest regulations and standards. Stay ahead of the curve.

Understanding the New Minimum Cybersecurity Expectations for Victorian Law Firms

Understanding the New Minimum Cybersecurity Expectations for Victorian Law Firms

Discover the critical updates to the minimum cybersecurity expectations for Victorian law firms. Take immediate action to protect your practice

Transitioning from Legacy Systems to Modern Digital Solutions in Healthcare

Transitioning from Legacy Systems to Modern Digital Solutions in Healthcare

Embracing Cloud Technology: A Leap Forward for Healthcare Efficiency

Want to be part of the crowd?

Summary
The 5 Types of Business Email Compromise
Article Name
The 5 Types of Business Email Compromise
Description
Business Email Compromise is a deceitful cyber attack, involving hackers employing social engineering tactics, for financial gain.
Author
Publisher Name
Kaine Mathrick Tech
Publisher Logo