When thinking of the different kinds of cyberattacks, the deployment of ransomware is often the first to come to mind: an apocalyptic scenario with your teams’ laptops locked when they arrive at the office, your backups encrypted and even, sometimes, the entry badges to the office no longer working.

But there is another type of attack, one that receives less media attention but that can cause significant financial damage to your company - and that is easier for cybercriminals to execute.

Business Email Compromise (BEC).

This article will answer 3 questions regarding BEC:

  • What is this kind of attack and how is it executed?
  • What are the impacts for a company?
  • How can you protect against it?

What is a Business Email Compromise attack?

What is the definition of Business Email Compromise?

A BEC attack is a cyberattack that originates, or seems to originate, from a legitimate email address, often that of a company’s CEO or another top executive. The goal is to trick the target into acting on behalf of the attackers, often by sending them one or more bank transfers.

Let’s take a very basic (but quite realistic) example: someone from the accounting department receives an urgent invoice with a new bank account for a regular supplier. They pay. The payment was, in fact, made to the hackers.

What forms of BEC attacks are there?

We can identify two broad types of BEC attacks:

  • Spoofing attacks: in this case, hackers gather the format of corporate emails as well as elements that add credibility (such as the signature format, the first and last name of the CEO…) through OSINT, and imitate these from a lookalike sender address to convince their target.
  • Compromised email account attacks: here hackers have already compromised an account (within the company or at one of its customers or suppliers) and use it for the attack. The email address is a legitimate one, so it is much more difficult for the target to detect the attack.

In more advanced cases, the emails can be complemented with various other elements: fake text messages spoofing the CEO’s phone number, fake calls using voice alteration tools… Hackers will use every social engineering trick at their disposal to convince their target to act.

Two examples of BEC attacks

1. A $21 million fraud for Pathe (European movie producer)

In 2018, the executive team of Pathe Netherlands (CEO, CFO) received an urgent message from the CEO of Pathe France (the headquarters of the company).

“We’re conducting the acquisition of an entity in Dubai. This operation must remain strictly confidential in order to ensure we have the advantage over our competitors”

Because of this (fake) acquisition, a bank transfer of $800,000 had to be made to pay the initial fees. The Netherlands team made this payment.

There followed several more payment requests, sometimes supported by elements such as the signature of the CEO of Pathe as well as the signatures of the members of the board of shareholders.

All in all, more than $21 million in payments were made in this BEC attack. That’s about 10% of the annual revenue of the company.

2. One million in payments for a French SME

There’s no need to be a large, international corporation to be targeted!

An (anonymous) French SME from the region of Lyon, operating in the real estate sector, received an invoice payment request from one of its suppliers.

The email was accompanied by invoices in the usual format, came from the supplier’s email account… and provided new bank account information for the payment. The amount? About $1 million.

The accountant made the payments as usual before calling his supplier to inform him they had been made… and realizing that he had been the victim of a BEC attack. Fortunately - in this specific instance - a series of controls by the Turkish bank to which the payments had been sent allowed it to block the payment, enabling the SME to recover the funds.

Based on our conversations with CIOs and CISOs, this kind of attack targeting SMEs is extremely frequent.

What are the impacts for the company in a BEC attack?

There are 3 main consequences of a BEC attack for a company:

  • Financial risk: As mentioned in the examples above, payments made in BEC attacks can reach significant amounts. The FBI calculates that these attacks resulted in $43 billion in payments over the 6 years between 2016 and 2021, or about $7 billion per year.
  • Reputation risk: As in every cyberattack, there is a reputation risk for the company and for the victims of the attack. In the Pathe example above, the executives who made the payments were fired after the fraud came to light.
    This risk is particularly important for companies whose email accounts have been compromised in a first step and then used to target their customers with fake invoices.
  • Cyber risk: Even though most BEC attacks are straightforward and seek to obtain a payment to one of the hackers’ bank accounts, they can also be used to obtain initial access through the deployment of malware (drive-by download, malicious attachments…), which can then be used for further cyberattacks.

How can you protect your company against BEC attacks?

What’s especially concerning with BEC attacks is that even though they are cyberattacks that leverage technological tools, there is no purely technological answer to them.

One could think that anti-spam software helps against the spoofing of email addresses (it is of course not relevant against attacks coming from a legitimate but compromised business email address), but hackers know how to get past it.

And yet, here are some potential answers to the threat of BEC attacks:

  • Procedures: It’s paramount to establish robust procedures for the payment of invoices, even more so when new bank account details are provided (double verification, authentication through an alternative communication channel…). Unfortunately, this is often not enough, because these procedures might not be adhered to rigorously (repetition, volume of invoices to process) or might be bypassed through social engineering (urgency, fear, authority).
  • Technical: Setting up anti-spam software, multi-factor authentication and domain protection through SPF, DKIM and DMARC is obviously necessary. It protects customers and suppliers from spoofing of your domain and adds to the company’s cybersecurity. But, again, BEC relies on human actions that can invalidate or bypass these automated protections.

It’s therefore necessary to add additional layers to the defense strategy:

  • Awareness: Awareness is another paramount element in the protection against BEC attacks. Employees have to be informed of the risk they face and of the tactics hackers use (psychological tricks and social engineering), and they have to be told the best practices to follow (email analysis, procedures, verification). Repeating these messages regularly ensures that they remain an element of focus for your teams.
  • Training: Training your teams to detect fraudulent emails helps them develop an analysis reflex that enables them to respond to the hackers’ emails in the right manner.

Finally, the live analysis of an email’s threat level (beyond the elements taken into account by anti-spam filters) and the display of an alert message (for example, when a legitimate email account provides bank information) can give your teams the information they need to make the correct decision.
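As an added example (not part of this article or of Mantra’s product), here is a small Python check of the kind such a live analysis could run on an inbound message: it flags a lookalike sender or Reply-To domain (the spoofing case described above), a Reply-To that diverts answers elsewhere, and bank details in the body, which fires even when the sending account is a trusted one (the compromised-account case). The domains, the trusted-domain list and the IBAN in the sample are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample (hypothetical domains and IBAN): a supplier invoice mail whose
# replies are diverted to a lookalike domain and which announces new bank details.
SAMPLE_EMAIL = """\
From: Accounts <billing@acme-supplies.com>
Reply-To: billing@acme-suppl1es.com
Subject: URGENT: updated bank details for invoice 2024-117

Hello, please note our bank account has changed. Kindly pay today to:
IBAN FR7630006000011234567890189
"""
# Domains the company and its known suppliers legitimately send from (assumed list).
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
PRESSURE_WORDS = ("urgent", "today", "immediately", "confidential")

def domain_of(header):
    return parseaddr(header)[1].rsplit("@", 1)[-1].lower()

def edit_distance(a, b):
    # Levenshtein distance: spots lookalikes such as "suppl1es" vs "supplies".
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    # A domain close to, but not equal to, a trusted one is the spoofing signal.
    return next((t for t in TRUSTED_DOMAINS if t != domain and edit_distance(domain, t) <= 2), None)

def analyse(raw):
    msg = message_from_string(raw)
    sender = domain_of(msg["From"])
    reply_to = domain_of(msg["Reply-To"] or msg["From"])
    body = msg.get_payload()
    alerts = [f"lookalike domain {d} (resembles {lookalike_of(d)})"
              for d in sorted({sender, reply_to}) if lookalike_of(d)]
    if reply_to != sender:
        alerts.append(f"Reply-To domain {reply_to} differs from sender {sender}")
    ibans = IBAN_RE.findall(body)  # fires even when the sender is trusted (compromised account)
    if ibans:
        alerts.append(f"bank details in message ({', '.join(ibans)}): confirm by phone first")
    if ibans and any(w in (msg["Subject"] + body).lower() for w in PRESSURE_WORDS):
        alerts.append("pressure language combined with payment details")
    return alerts
```

Running analyse(SAMPLE_EMAIL) returns four alerts, the text an alert banner would show the accountant; a plain invoice from the same supplier with no bank details returns none.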

Want to know more about how Mantra’s solution can help protect your company from the threat of Business Email Compromise attacks? Click here to book a meeting