In 2022, Business Email Compromise (BEC) attacks caused almost $3 billion in losses in the US alone (1). In 2023, at least 70% of companies in Spain suffered such an attack (2).
For years, cybercriminals have been carrying out email frauds such as phishing. A more advanced version of this attack is Business Email Compromise, a tailor-made phishing attack that uses spoofed or compromised corporate email accounts to commit fraud, usually for financial gain. Cybercriminals study their victim’s digital footprint (social media, online presence, etc.) and their workplace in order to craft a convincing email that fits the victim’s role in the company.
In these emails, cybercriminals often pose as a superior, or as someone speaking on behalf of a superior, who urgently needs the employee to perform an action. These requests come at the expense of skipping official procedures or checks. Moreover, they are portrayed as highly confidential and secretive. Usually, the sender asks not to be contacted again except with the requested information, claiming they will be unavailable; they may give excuses such as being busy with a very important meeting, a trip, etc.
How do they carry out a BEC attack?
1. Cybercriminals compromise a corporate email account by either stealing the victim’s username and password or by spoofing the account’s domain. In the latter case, cybercriminals slightly modify an email’s account domain so that victims mistake it for the legitimate one, as visually there would be no major differences.
For example:
user@domain.com
user@dornain.com
As we can see, the letter “m” is visually easy to confuse with the letters “r” and “n” placed together (“rn”).
2. They email their target from the spoofed or compromised account, hoping the victim will disclose confidential information or perform a requested action (e.g., changing banking details or transferring money to the cybercriminals). Attackers may ask for other tasks first to make their request more believable, such as enquiring about confidential information or data on the subject matter before requesting the financial transaction. This information does not have to be the ultimate purpose of the fraud, but it may prove useful for carrying out a larger one.
3. Possible use of malware: these attacks do not always use malicious links or files, but they could introduce them. This would allow them to infect the organization’s computers or access them undetected.
The most common types of BEC attacks are:
CEO fraud: in this instance, cybercriminals have an employee transfer money to a fraudulent account or provide confidential information by impersonating a high-ranking member of the organization, usually a senior manager or C-Level.
Supplier fraud: this happens when an attacker changes bank details or has payments made to a fraudulent account by impersonating a supplier or a business partner.
HR fraud: this takes place when a scammer diverts an employee’s payroll into an account under their control by asking HR to change the bank account on file while pretending to be a real employee of the company.
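The two technical signals described above, a lookalike domain built from confusable characters (step 1, the “rn” versus “m” example) and an executive’s name appearing on a message that does not come from the corporate domain (CEO fraud), can both be checked automatically on the `From:` header of incoming mail. The following Python script is an added example, not part of the original article or of any product it mentions. The trusted domain, the executive names and the sample headers are constructed for the example; the confusable pairs beyond “rn”/“m” are common additions and are assumptions you can extend for your own environment.

```python
import re

# Constructed sample data for this example: the company's real domain and the
# names of executives who are typically impersonated in CEO fraud.
TRUSTED_DOMAINS = {"domain.com"}
EXECUTIVE_NAMES = {"jane doe"}

# Visually confusable sequences. "rn" -> "m" is the pair the article shows;
# the others are common lookalikes added here as assumptions.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def normalize(domain: str) -> str:
    """Collapse confusable sequences so a lookalike maps onto the real domain."""
    d = domain.lower().strip()
    for seq, canonical in CONFUSABLES:
        d = d.replace(seq, canonical)
    return d


def parse_from(header: str):
    """Split a From: value into (display name, local part, domain), all lowercased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        name, addr = m.group(1), m.group(2)
    else:
        name, addr = "", header.strip()
    local, _, domain = addr.rpartition("@")
    return name.strip().lower(), local.lower(), domain.lower()


def classify_sender(header: str, trusted=TRUSTED_DOMAINS, execs=EXECUTIVE_NAMES):
    """Return a list of findings for one From: header; an empty list means nothing suspicious."""
    name, _, domain = parse_from(header)
    findings = []
    if domain not in trusted:
        # Lookalike: not our domain, but identical once confusables are collapsed.
        if any(normalize(domain) == normalize(t) for t in trusted):
            findings.append("lookalike-domain")
        # Executive's name on a message that did not come from the corporate domain.
        if name and name in execs:
            findings.append("executive-name-external-domain")
    return findings


def scan_headers(headers):
    """Classify a batch of From: headers and keep only the ones with findings."""
    return {h: classify_sender(h) for h in headers if classify_sender(h)}


if __name__ == "__main__":
    # Constructed sample headers, modelled on the article's domain example.
    SAMPLE_HEADERS = [
        '"Jane Doe" <jane.doe@domain.com>',          # genuine
        '"Jane Doe" <jane.doe@dornain.com>',         # lookalike + exec name
        'Jane Doe <jane.doe@webmail.example>',       # exec name, external domain
        'accounts@partner.example',                  # ordinary external sender
    ]
    for header, findings in scan_headers(SAMPLE_HEADERS).items():
        print(f"{header}: {', '.join(findings)}")
```

Normalizing both sides (the sender domain and the trusted domain) means a legitimate name that happens to contain “rn” is treated consistently, at the cost of an occasional false positive that a human reviewer can clear. Neither check replaces the advice at the end of the article: a flagged message is a prompt to verify the request through another channel, not a verdict.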
As you can see, these types of fraud do not target technology, but people. If you receive an unusual or critical request, take a moment or two to stop, think, and verify the request through another channel.
Sources: