The Real Threat of Business Email Compromise

The shift from an on-premises to a hybrid work arrangement has compelled businesses to adapt to drastic changes, including changes to IT and data security. Email security has received renewed attention because email remains a preferred mode of communication, and because the threats that plague businesses, such as business email compromise attacks, spear phishing scams, and DDoS attacks, continue to evolve.

Unfortunately, relying on built-in security features is not enough to keep cybercriminals away from your data. One of the best cybersecurity tips for businesses big and small is to put security protocols in place that are dedicated to protecting email clients and servers. Most cyberattacks use email as their entry point because cybercriminals rely on human error, tricking unwitting users into handing over sensitive data or access to vital information stored on company servers.

What is Business Email Compromise (BEC)?

Business email compromise attacks take a more targeted and advanced approach: they spoof emails to impersonate company representatives, officers, and partners. Cybercriminals pull out all the stops to make spoofed messages look authentic and legitimate, even going so far as to copy a company’s style guide or tone.

A BEC attack typically impersonates a known authority figure, such as a company’s CEO or a manager, to dupe employees into complying with seemingly legitimate requests. BEC has traditionally been used to request that money be deposited into a particular account or that payments be made to a specific vendor, but it has since evolved into identity theft and the theft of wage and tax forms. The ultimate goal is to gain access to sensitive information that can then be sold or held for ransom.

How Does It Work?

A BEC scam differs from a typical phishing scam by targeting a specific user or group of users, which makes it more convincing and effective. As mentioned earlier, it is designed to look as though the email came from a trusted company officer or external partner. Attackers use a variety of methods, including the following:

Domain Spoofing

Spoofing domains is common practice among attackers because sender verification is not built into the SMTP email protocol. A sender can fake both the display name and the email address, making it seem that the message came from a specific address or domain. SMTP also lets the sender set a different reply address (the Reply-To header), so that any responses go back to the attacker rather than to the impersonated party.

Using “Lookalike” Domains

As the name suggests, this method uses a domain name that closely resembles a registered business domain in a way that confuses unsuspecting users. The goal is a domain that looks almost identical to the real one, with minor differences that are easy to overlook.

Exploiting Compromised Accounts

This is arguably the worst form of BEC attack because it uses a legitimate account, which means your security systems have already been compromised. It also has a high chance of success because the messages come from a real, trusted account.
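The domain spoofing and lookalike domain tricks described above can be spotted from message headers alone. The following is an added example, not code from the original article: it checks a constructed message for an executive's display name on a foreign domain, a Reply-To domain that differs from the From domain, and a sender domain that is a near match for the protected domain. The company domain, executive list and sample message are assumptions.

```python
# Added example (not from the original article). Header-level checks for the
# BEC tricks described above; company domain, executive names and the sample
# message are constructed assumptions. These are heuristics that complement,
# not replace, SPF/DKIM/DMARC checks done by the mail server.
from email import message_from_string
from email.utils import parseaddr
from difflib import SequenceMatcher

COMPANY_DOMAIN = "examplecorp.com"   # assumed protected domain
EXECUTIVES = {"jane doe"}            # assumed display names worth guarding


def normalize(domain: str) -> str:
    """Fold common visual substitutions so 'exarnplec0rp.com' reads as the real domain."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d


def is_lookalike(domain: str) -> bool:
    """True if the domain is not ours but is visually or textually close to it."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    if normalize(domain) == COMPANY_DOMAIN:
        return True
    return SequenceMatcher(None, domain, COMPANY_DOMAIN).ratio() >= 0.85


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw: str) -> list[str]:
    """Return a list of human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    findings = []
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        findings.append(f"display name '{name}' but sender domain {from_dom}")
    if is_lookalike(from_dom):
        findings.append(f"lookalike sender domain {from_dom}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        findings.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")
    return findings


# Constructed sample: executive name, 'rn' for 'm' in the domain, foreign Reply-To.
SAMPLE = """From: Jane Doe <jane.doe@exarnplecorp.com>
Reply-To: ceo.office@webmail-example.net
To: payroll@examplecorp.com
Subject: Urgent wire before 5pm

Please process the attached invoice today.
"""
```

Running `bec_indicators(SAMPLE)` returns three findings, one for each trick; a message genuinely sent from the company domain with no Reply-To returns none.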

Should You Worry About Business Email Compromise Attacks?

Although phishing scams and ransomware attacks are the usual topics of conversation about cyberattacks, BEC attacks are something businesses should watch out for. The FBI has dubbed BEC the 26 billion dollar scam, and with good reason. In 2019, reports showed 166,349 incidents inside and outside the US, with a total exposed dollar loss of $26,201,775,589. BEC has defrauded people into providing access to personal and financial information and other sensitive data.

Below are three compelling reasons why you should be protecting yourself from business email compromise attacks.

BEC is 64 Times Worse Than Ransomware

The FBI 2020 Internet Crime Report refers to BEC as the costliest cybercrime of 2020, with adjusted losses amounting to $1.8 billion out of 19,369 complaints. Reports of phishing scams and ransomware attacks also continue to increase in both incidence and cost year after year, but the increases are not nearly as significant as those for BEC attacks. The FBI notes that the Internet Crime Report can only present data from reported cases, which does not represent all scams in a given year. Still, the data in the report is alarming, to say the least, and should prompt businesses to be more vigilant in their IT and email security protocols.

BEC and Brand Impersonation Work Together

When looking for domains to spoof, cyberattackers turn to the best-known brands and businesses so they can gain a user’s trust easily. In the case of businesses, they choose brands that employees deal with regularly or know well. Unfortunately, it does not take much effort to clone an email, even one from a large or well-known company; all an attacker needs is one unsuspecting click. Some of the most impersonated brands include Microsoft, Apple, Amazon, Google, and LinkedIn.

BEC is Sophisticated and Complex

IT professionals continue to face BEC challenges because the attacks are varied and complex. Because cyberattackers can use a variety of methods, there is no single, easy way to detect them. The social engineering that goes into BEC attacks gives them a high rate of success. With the shift to remote work arrangements due to the pandemic, the number of emails sent and received each day has risen. This has helped cyberattackers slip fraudulent emails into the servers of email-dependent businesses, further increasing the overall BEC threat.

There is no question that you should protect your business from BEC attacks, but doing so does not have to be a time-consuming and resource-intensive endeavor. Data security should not rest only on the shoulders of IT teams; it should be a consolidated effort from all fronts. Educate your employees about the risks of BEC and the ways to identify suspicious emails. An AI-powered, automated security platform will also go a long way toward providing the protection you need without taking a significant amount of time away from you and your employees.