Mitigate the Risks of Business Email Compromise Attacks

We know you've seen the headlines: Cyberattacks are hitting enterprises at unprecedented rates. And business email compromise (BEC) attacks, in particular, are striking more often, leading to a loss of $1.8 billion in 2020, according to an FBI report.

BEC attacks are cyber-attacks in which a malicious actor uses a fake email account to pose as a member of a legitimate organization, often a colleague or other known business contact. This tactic makes them much more difficult to spot and requires employees to stay informed about the latest tactics.

Be aware of common BEC attack scenarios:

Criminals often rely on specific tactics to perpetrate BEC scams, including: 

  • A false sense of urgency. Scammers (typically posing as attorneys or executives) send spoof emails to victims and convince them to wire money in support of a business deal, such as an acquisition that the victim's company is undergoing. These emails feign urgency and demand secrecy from the victim.
  • A trick domain name. In this scenario, victims receive an email asking them to wire money to a specific account. The message originates from a domain that looks credible at first glance, but in fact, has been slightly altered (e.g., one character in the domain name is different). These types of attacks exploit the victims' lack of attention to sender details.
  • Impersonation of a vendor. This type of cyberattack involves electronic communications impersonating one of the company's vendors. The sender's domain name is genuine, and the transaction seems legitimate—often with proper documentation attached—because the scammer has hacked into the vendor's email account. However, the processing details direct payment to an account that the scammer controls.

Train employees to recognize BEC attacks:

A fundamental step in safeguarding organizations against BEC is to provide employees with adequate cybersecurity training. Employees should know the risk and implications of these attacks and how to respond to an incident. A firm grasp of cybersecurity leading practices can foster a sense of responsibility throughout the organization.

An effective training program emphasizes the central role that grooming plays in these attacks. BEC succeeds not so much because of its technological sophistication but for exploiting human vulnerabilities. Clear communication of roles and expectations and guidance in the appropriate use of IT and accounting controls can empower employees as the front line of risk mitigation.

Build a layered defense with technical controls

For all its psychological manipulation, BEC is not necessarily sophisticated from a technical standpoint. Most BEC attacks originate from spear-phishing or spoofing an internal email account. IT controls such as application-based multi-factor authentication (MFA), and virtual private networks (VPNs) can be prevented or detected.

Another practical anti-BEC approach is to use encryption to authenticate emails and allow users to exchange data safely. Encryption software translates the data into the code for transmitting over a network. The transmission is unintelligible without a 'public key' to decrypt the data.

Michael Markulec

technology executive, cyber-security guru, politician, rugby player, deadhead, brewer, former army officer, crossfitter, and hard-drinking calypso poet.