BEC Attacks: What Is Business Email Compromise?

Javed Shah

Business email compromise is one of the many types of phishing attacks targeting both large and small corporations for financial gain.

What is a BEC attack? A BEC attack is a type of phishing scam where a hacker will email an employee pretending to be a higher up in their company, like a manager or executive, and ask for some type of payment.

What Are Social Engineering and Phishing?

When we think of hacking attacks, we often think about mysterious, malicious computer terrorists in dark rooms breaking encryption and accessing top-secret systems. The reality is less romantic, however. The most effective and prevalent form of hacking is actually built around social engineering.

Social engineering refers to leveraging human elements in IT systems to gain information about (or access to) those systems. This can include anything from tricking someone into providing their password to finding one on a Post-it note in a dumpster.

What Is Phishing?

One of the longest lasting, most effective, and ever-present forms of social engineering is email phishing. A phishing attack involves a hacker creating or forging fake emails claiming to be from a legitimate party or company to fool users into sending money, turning over information, or giving up their system security.

These attacks are by far some of the most effective, even with generations of digital natives having experienced them their entire lives. In 2018, the Federal Bureau of Investigations listed phishing as the third-largest form of cybercrime, and security firm IRONSCALES reported that 80% of respondents saw an increase in phishing attacks since 2020.

This makes sense: phishing is low cost, high reward, and a single victim can open an entire system to attack. Hackers can send hundreds or thousands of emails, and even poorly constructed fake emails can fool somebody at least some of the time. Many of the most high-profile attacks seen in the news, from ransomware to cloud-based malware, often originate from a successful phishing attack.

What Are Different Types of Phishing?

It’s critical to note the different types of phishing attacks and how they relate to BEC overall.

The different types of email phishing include the following:

  • Spear Phishing: Unlike traditional email phishing, which relies on high-volume but often low-effort emails to trick people, spear phishing uses more sophisticated email tricks and official messages to fool higher value targets, like managers or decision-makers with access to more important information.
  • Whale Phishing: The evolution of spear phishing, whale phishing, or “whaling,” targets executive branch members and often involves efforts to get these executives to directly transfer money or information to outside attackers. Due to the sophistication of these attacks, hackers will often coordinate their information gathering and spoofing across email and other technologies like video conferencing.
  • Clone Phishing: The attackers gain access to an official email, either from the company or someone in it, and then change it (for example, changing links or including attachments). They spoof the original sender’s address and resend the email with a note to the effect that the original sender “forgot” to include something. Trusting the original email, recipients then download attachments or click links from the new malicious message.

What Are Business Email Compromise Attacks?

Many phishing attacks will attempt to mix and match different approaches. For example, a hacker could clone a message in hopes of targeting a manager or executive as part of a whaling attack. The entire premise of the attack is to leverage some form of trust to get the target to do what the hacker wants.

With that in mind, one of the most insidious forms of attack is the business email compromise.

BEC occurs when a hacker spoofs or steals access to a business email account from inside your domain. These emails, appearing to come from someone in the company (often someone known by people in that organization), will look legitimate.

BECs can come in two different ways:

  • Spoofing: The emailer spoofs their email to appear to come from someone inside the company. This can mean either creating a generic email with a company domain (“hr@businessname.com”, for example) or using the name of a specific manager or executive.

Attackers can spoof emails in several ways, including the use of nearly identical domain names or faking information in the “From” field.

  • Account Theft: If a hacker has already gained access to someone’s business account, they can spam the business network with hacked emails. These BEC attacks are even harder to notice because the email comes from a legitimate account.

Account theft is a major concern, especially in cases of fraud where a hacker hijacks and spoofs an executive’s email account.

A trademark of BEC attacks is their tendency to seek specific private information. For example, BEC attacks will often go beyond simple login credentials to pursue the following kinds of engagement:

  • Money or Wire Transfers: BEC may target whales in the organization to instigate a wire transfer to an outside account. Because the email seems legitimate, the victim often doesn’t think twice about sending the money.
  • Personal Employment Information: The hacker may, if possible, reach out to finance or HR departments and gain access to tax information like W2 forms that contain earnings statements, social security numbers, and other personally identifiable information.
  • Healthcare Information: If the attack undermines the email systems of healthcare institutions, they may seek protected health information from the staff working there.
  • Malware Deployment: If the email is sufficiently advanced, it could convince users to download infected documents or files, launching malware into the system. This, in turn, could lead to ongoing, long-term information theft or the installation of ransomware.

How Can You Prevent BEC Attacks and Scams?

BEC, like other email phishing attacks, can be prevented with a combination of training, awareness, and special tools. However, preparing your organization to address the unique threats of BEC may call for more target solutions.

Some of the approaches organizations can take to mitigate BEC include the following:

  • Implement a Business Culture of Awareness and Compliance: It’s your job as security or business management to ensure that your people understand the red flags and warning signs of BEC attacks. This includes ongoing training on new threats, how to notice fake email addresses, and policies that cover what employees should and should not ask for over email. Additionally, your people should clearly understand any compliance or regulatory requirements tied to email security.
  • Track Finances and Suspect Behavior: While an executive might have the final say over the distribution of funds, it doesn’t mean that they are infallible. Having safety measures in place to triple-check financial activity can stop a wire-transfer attack before the company ends up sending hundreds of thousands of dollars to a thief.
  • Layer Defenses Around Warning and Email Blocking: Email systems can block outside domains from sending emails—but that would make it hard to do business. Likewise, evolving threats may shift domains week to week or even day to day. Couple updated email filters with built-in visual warnings so that when employees open emails from outside the company (even if they look like they come from inside the company), they will get a heads up.

Additionally, using DMARC policies and DKIM signatures can help authenticate emails between organizations, but they aren’t foolproof.

  • Implement Multi-Factor Authentication or Passwordless Systems: If hackers seek to get login credentials, make it difficult to use those credentials. While a system of usernames and passwords or PINs is vulnerable to phishing, strong MFA that includes biometrics is much more difficult to compromise even with a phishing attack.

Even better, a passwordless system can almost eliminate the risk of a system breach from a phishing attack, including BEC.

1Kosmos: Blunt BEC Attacks with Strong Identity Management and Authentication

The first step to solid phishing and BEC prevention is strong authentication. While strengthening security around system access is a no-brainer in the best situations, it also eliminates one of the attack surfaces that phishers count on—easily exploitable password systems.

1Kosmos BlockID provides that kind of authentication. With passwordless identity verification, identity management, biometrics, and decentralized, user-friendly interfaces.

1Kosmos provides the following features to help support strong authentication and security:

  • Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
  • Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and validation.
  • SIM Binding: The BlockID application uses SMS verification, identity proofing, and SIM card authentication to create solid, robust, and secure device authentication from any employee’s phone.
  • Integration with Secure MFA: BlockID readily integrates with a standard-based API to operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
  • Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
  • Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.

Discover how your business can strengthen its anti-phishing and identity security systems with 1Kosmos BlockID Workforce. Also, sign up for our newsletter for updates on products and services.

Overcoming Resistance to Change on the Journey to Passwordless MFA
Read More

Expert Insights in Your Inbox

Subscribe to the blog
Meet the Author

Javed Shah

Former Senior Vice President Of Product Management

Javed has spent his entire twenty year career designing and building blockchain and identity management solutions. He has led large customer facing pre-sales teams, led product management for identity management platforms like the ForgeRock Identity Platform and the ForgeRock Identity Cloud. Javed has an MBA from UC Berkeley.