Business Email Compromise (BEC) Response and Investigation

A business email compromise (BEC) scam is a type of phishing or smishing attack in which threat actors pivot to network environments for financial gain. While business email compromise (BEC) via phishing utilizes email, business email compromise (BEC) via smishing uses text messages to target people.

Unlike traditional phishing scams, which are typically sent in large volumes, business email compromise (BEC) attacks are highly targeted, with attackers conducting extensive reconnaissance to ensure that their fake email requests appear as authentic as possible. When instigating an attack, BEC scammers will seek to build victims’ trust by sending a sequence of emails and will often use language to drive an urgent response, encouraging behaviour that ignores standard security protocols.

A business email compromise (BEC) attack involves the use of email to defraud an employee, customer or supply chain partner into sending money or sharing confidential information. The process starts with the attacker researching their intended victims, then trawling through business websites and social media for personal data relating to that person. Once they gain access to a company’s systems, they closely monitor emails to identify individuals that have the right to access or distribute money. They will then impersonate one of these people by spoofing the email domain before seeking to gain the trust of the email recipient in order to gain access to money or sensitive company data.

Business email compromise (BEC) scams can take a variety of forms. One of the most common types is executive fraud, in which an attacker poses as a senior executive and sends email communications to finance teams requesting an urgent wire transfer to an account they control. Another type of business email compromise (BEC) is payroll fraud, in which attackers send emails targeting HR employees to encourage them to update banking details, resulting in bank payments being fraudulently transferred elsewhere.

Any type of company can fall victim to business email compromise (BEC) fraud. Scammers frequently target the most senior and the most junior employees within an organization. Because employees such as C-suite executives, HR managers and finance managers often have a high profile on company websites and social media, it can be easy for potential attackers to find some level of personal information for use in the initial scam. New or junior-level employees are often targeted because they may be more susceptible to trusting an unexpected request for information or they may lack knowledge of key security controls.

Mitigating the risks of business email compromise (BEC) requires a layered approach that incorporates several key elements. Companies should nurture an organizational culture that encourages vigilance about potential phishing or smishing scams. They should also set up and enforce robust IT controls such as application-based multi-factor authentication (MFA) and virtual private networks (VPNs). Regular email and cloud security assessments can also be beneficial, alongside solutions such as managed detection and response (MDR) for Office 365, as these can flag suspicious behavior, ingest mail logs and survey for malicious activity.

In 2022, the Federal Bureau of Investigation released an alert about global exposed losses of $43 billion between 2016 and 2021 as a result of business email compromise (BEC) fraud. While much of this can be attributed to the impact of the pandemic, the issue continues to be consequential, presenting significant risk of potential financial and reputational damage to businesses. Even when companies put in a cyber insurance claim to cover their financial losses, these can be denied if the employees involved are shown not to have followed the appropriate security procedures.