
What Is Business Email Compromise?

Business Email Compromise (BEC) is a sophisticated scam targeting companies, particularly those working with foreign suppliers or those that regularly perform wire transfer payments. The scam involves attackers posing as company executives or vendors, manipulating employees into making unauthorized wire transfers or revealing sensitive information. Given its reliance on social engineering over technical vulnerabilities, BEC poses a significant threat to organizations of all sizes and across sectors, emphasizing the importance of understanding and defending against these attacks.

What Causes Business Email Compromise?

Several factors contribute to the success of BEC scams. These include inadequate security measures, the sophisticated tactics employed by attackers, and the reliance on email for business communication.

The Role of Social Engineering

At the heart of BEC is social engineering—manipulating individuals into breaking normal security protocols. Attackers often research their targets, using information gathered from social media or corporate websites to craft convincing emails.

Use of Spoofed Emails

Attackers typically spoof email addresses, making their messages appear to come from a trusted source within the company, such as a senior executive, or from a legitimate business partner. This deception is often achieved using slightly altered email addresses that are easily overlooked.
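The lookalike-address trick described above is something a mail gateway or SOC script can check for. The following added example (not code from the original page) flags near-miss sender domains, executive display names on external addresses, and a Reply-To that points somewhere other than the From domain; the trusted domains and executive names are constructed placeholders.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allow-list: domains this organization treats as genuine senders.
TRUSTED_DOMAINS = {"example.com", "acme-supplier.com"}
# Constructed list of executives whose names attackers would borrow for a display name.
EXECUTIVE_NAMES = {"jane doe"}


def skeleton(domain: str) -> str:
    """Collapse common lookalike tricks (accents, 0/o, 1/l, 3/e, rn/m, vv/w) onto the plain name."""
    folded = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    folded = folded.replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("013", "ole"))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a small value between two domains means a near-miss name."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header: str, reply_to: str = "") -> list[str]:
    """Return findings for one message's From/Reply-To; an empty list means nothing stood out."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if skeleton(domain) == skeleton(trusted) or edit_distance(domain, trusted) <= 2:
                findings.append(f"lookalike domain {domain!r} resembles trusted {trusted!r}")
        if name.strip().lower() in EXECUTIVE_NAMES:
            findings.append(f"executive display name {name!r} used from external domain {domain!r}")
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower()
        if reply_domain and reply_domain != domain:
            findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {domain!r}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers: a genuine sender, a digit-for-letter lookalike, and a free-mail executive.
    for hdr in ("Jane Doe <jane.doe@example.com>", "Jane Doe <jane.doe@examp1e.com>", "Jane Doe <jane.doe@gmail.com>"):
        print(hdr, "->", assess_sender(hdr) or "ok")
```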

Lack of Employee Awareness

Without regular training on the latest cybersecurity threats and best practices, employees may not be equipped to recognize or respond appropriately to a BEC attempt.

How Do Attackers Carry Out a BEC Scam?

Understanding how BEC attacks are orchestrated can significantly improve an organization's resilience against them.

Impersonating an Executive

In one common variant, fraudsters impersonate a company executive. They send an email to an employee with finance-related responsibilities, instructing them to wire funds for a purportedly confidential or urgent transaction.

Account Compromise

Another method involves gaining access to an executive's actual email account. From there, attackers can send authentic-looking wire transfer instructions to the finance team or modify payment details in legitimate invoice requests.

Fraudulent Invoice Scheme

Here, attackers pose as suppliers requesting fund transfers for invoices to a new account. This scam often targets employees responsible for processing invoice payments.

Lawyer Impersonation

Scammers may pose as a lawyer or legal representative in need of immediate funds for a confidential financial transaction, often at the close of the business day to pressure employees into acting quickly.

Data Theft

Data theft is also a significant component of BEC. Attackers might not always seek money but instead aim to steal sensitive information for espionage or to sell on the black market.

Who Are the Targets of BEC Scams?

It's a misconception that only large, multinational corporations are at risk. Small to medium-sized enterprises (SMEs) frequently fall victim to BEC due to less sophisticated security infrastructure and protocols.

  • Financial Departments: Individuals within an organization's financial department are primary targets, given their access to company finances and payment systems.
  • Senior Executives: High-level executives are often impersonated due to their authority in financial decision-making.
  • Human Resources: Attackers may target HR departments to gather personal or financial information about employees, which can be used in further attacks.

How Can Businesses Protect Themselves Against BEC?

Defending against BEC scams requires a multi-pronged approach that includes technical measures, employee education, and company-wide policies.

Strengthen Email Security

Implementing email authentication protocols like SPF, DKIM, and DMARC can help detect and block spoofed emails. Advanced email filtering solutions can also identify suspicious email behavior.
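SPF and DKIM only verify a domain; DMARC is what ties that domain to the visible From address and tells receivers what to do on failure. This added example (not from the original page) walks the DMARC alignment decision for an executive-impersonation message with a monitor-only record beside an enforcing one; the records, the envelope domains and the organizational-domain shortcut are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed DMARC records: p=none only reports, p=reject blocks; adkim/aspf=s demand exact domain match.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"


def org_domain(domain: str) -> str:
    """Simplified organizational domain (last two labels); real evaluators consult the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict, lower-casing tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict mode needs an exact match; relaxed mode accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    spf_pass: bool
    spf_domain: str    # envelope (MAIL FROM) domain SPF was checked against
    dkim_pass: bool
    dkim_domain: str   # d= tag of the signature that verified, "" if none


def dmarc_disposition(from_domain: str, auth: AuthResult, record: str) -> tuple[bool, str]:
    """Return (dmarc_pass, action) where action is deliver, quarantine or reject."""
    tags = parse_dmarc(record)
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, tags.get("aspf", "r"))
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return True, "deliver"
    policy = tags.get("p", "none")
    return False, "deliver" if policy == "none" else policy


# Constructed case: From says ceo@example.com, but SPF and DKIM only vouch for the sender's own domain.
SPOOF = AuthResult(spf_pass=True, spf_domain="attacker.test", dkim_pass=True, dkim_domain="attacker.test")
```

The same message fails DMARC under both records, but only the enforcing record turns that failure into a rejection; `p=none` is a reporting stage, not a defense.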

Employee Training and Awareness

Regular training sessions can educate employees on the latest BEC tactics and the importance of verifying email requests, especially those involving money or sensitive information.

Verify Requests

Introduce policies requiring the verification of all email requests for funds or data transfers, possibly through a phone call or an in-person meeting with the requester.

Access Control

Limiting access to sensitive information and financial systems can minimize the potential impact of a BEC scam.

Incident Response Plan

Having a clear, actionable plan in the event of a suspected BEC attack can help mitigate losses and improve organizational resilience.

What Are the Challenges in Combating BEC?

Despite best efforts, BEC remains a formidable challenge due to its ever-evolving nature and the sophistication of attackers.

  • Constant Evolution: As defenses improve, attackers refine their strategies, exploiting new vulnerabilities and adjusting tactics.
  • Global Nature: BEC scams often involve parties in different countries, complicating legal recourse and recovery efforts.
  • Human Factor: The reliance on tricking employees rather than exploiting technical vulnerabilities means there's always a risk, no matter how advanced the security measures.

Recognizing the severity and sophistication of Business Email Compromise is the first step toward safeguarding an organization's assets and reputation. Through a combination of technical safeguards, vigilant employees, and robust policies, businesses can enhance their defenses against this prevalent threat.