Business email compromise (BEC) can be thought of as spearphishing on steroids. Sometimes called whaling or man-in-the-email, it is a way of tricking employees into handing over large amounts of money. The FBI found that between October 2013 and December 2016 over $5.3 billion was lost to BEC scams worldwide. BEC uses the most successful tricks of the phishing trade: misuse of trust and deception.

How Does Business Email Compromise Work?

As with many of the most successful cyber attacks, BEC is a multi-component stealth exercise, mixing technology and the human factor. BEC can be broken down into four stages:

The profiling stage: The trust BEC fraud relies on is based on surveillance of a target organization. The cybercriminal needs to understand how the target ticks, and this intelligence is needed to jump the trust-barrier hurdle. This may involve spearphishing to gain access to a system to install malware or harvest credentials. They then use this to exfiltrate information and gain unauthorized access to executive calendars and schedules. This allows the cybercriminal to build a knowledgeable profile of the victim — often a high-level executive in the company.

The playing-with-you stage: The information gathered when profiling the company gives the cybercriminal an understanding of the hierarchy of the organization. They choose one or more targets — usually someone in the financial structure of the organization who can make payment decisions. The cybercriminal may groom the target individual using phone calls or emails, getting to know them over the course of several weeks. This builds trust between the cybercriminal and the target individual.

The going-in-for-the-kill stage: Once the trust barrier has been crossed, the cybercriminal will send the “killer email” requesting a transfer of funds. At this point, the target individual has built a relationship, trusts this person and may not see what is coming next.

The cash-in-and-run stage: The previous stage ends in a wire transfer to an account controlled by the cybercriminal(s).

What Are the Types of Business Email Compromise?

BEC scam types tend to be variations on a theme. Three common types include:

CEO Impersonation

This type of BEC crime focuses on close surveillance, mimicry, deception and trust. The cybercriminal either hacks into or spoofs the email of the organization CEO. Spoofed emails are a favorite as they are easy to disguise. For example, tina.mathews@mycompany.com could be tina.matthews@myycompany.com. The cybercriminal then sends an urgent email to their financial department head. The email will put the officer under pressure to send funds immediately to a given bank account or lose an important deal.

Bad Invoice in My Favor

There are two flavors of this ruse:

Email compromise: Another favorite of the BEC scammer is to take a legitimate invoice and adjust it — a kind of Monopoly “bank error in my favor” attack. In this scenario, the cybercriminal again uses deception and trust as the basis of the attack. The cybercriminal surveils the financial department of an organization before phishing a specific company employee — usually in accounts payable. The spearphishing email allows them to harvest credentials and compromise the email account. They then watch emails, intercepting any that contain an invoice. They amend the payment instructions on a chosen invoice and allow it to be processed — straight into their bank account.

Email spoof: Another way to get the illegitimate invoice in front of accounts payable is to use the same spoofing method used in CEO impersonation. This time, an invoice is seemingly sent out from a known vendor (legitimate vendors to impersonate are identified during the surveillance stage). The email address carrying the invoice is so similar to the legitimate vendor that it goes unnoticed as being a spoof. Payment made — job done.

CEO Death by Attorney

This scam has elements of CEO impersonation fraud. A cybercriminal identifies the CEO of an organization (easy enough). They then send out a compromised or spoofed email from that CEO with details of a “secret company acquisition” or something similar to the finance department. The email states an attorney will follow up with instructions on how to process the deal. The person who has received the email is essentially co-opted into this “secret and important deal” — building a trusted and special relationship. Finally, the financial representative receives an email or phone call from the “attorney” with the wire transfer details. They then use these details to transfer the money and seal the deal. The above scenarios are variants on a theme and you should expect more of the same, but in different flavors.

Business Email Compromise: Real-World Case Studies

Here are three real-world examples of BEC scams:

Walter Stephan, the CEO of Austrian company FACC Operations GmbH, was sacked after the organization lost $47 million due to a BEC scam.

17 different Dallas firms were scammed out of $600,000 by a sophisticated CEO impersonation BEC scam.

Belgian bank Crelan lost 70 million euros in a CEO impersonation scam.

How to Spot a Compromised Email in Your Company

According to Proofpoint, 50% of malicious compromised emails target the CFO and 25% target HR inboxes. To prevent these types of attacks, an organization needs to be prepared and security aware. These tips will give you a good starting point to protect yourself and your company from even the most sophisticated of business email compromise scams.

Train your staff on the problem: Knowledge is power, and just knowing that this problem exists will put it on your company and employees’ radar. Train staff to recognize and look out for the types of methods used by cybercriminals in BEC scams. For example, double check that email addresses are correct, that invoices make sense and that phone calls are with known persons or use a special keyword to identify callers. Vigilance is an important part of the solution.

Checks and balances: Make sure there is a company policy of checks and balances when dealing with financial transactions — especially for larger amounts. Perhaps, if the amount is over a set limit, then the CEO or CFO has to verbally confirm the request is legitimate.

Domain control: Register all domains that are similar to your main domain — think like a cybercriminal.

Malware watch: Some BEC scams rely on malware infection. Follow rules to reduce the likelihood of malware infection on computers.
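The lookalike address in the CEO impersonation section (tina.mathews@mycompany.com versus tina.matthews@myycompany.com) and the "double check email addresses" and "domain control" tips above both come down to the same check: does the sender's domain merely resemble one we trust? The following is an added example, not code from the original article, that classifies a From: header as trusted, lookalike domain, display-name impersonation or plain external. The trusted domains, vendor domain and executive name it uses are constructed sample values.

```python
from email.utils import parseaddr

# Constructed sample data (assumptions for this example): the organization's
# own domain, one vetted vendor domain, and executive display names that a
# spoofed message might borrow.
TRUSTED_DOMAINS = {"mycompany.com", "acme-supplies.example"}
EXEC_NAMES = {"tina mathews"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert / delete / substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_homoglyphs(domain: str) -> str:
    """Collapse look-alike sequences so 'rnycompany.com' compares equal to 'mycompany.com'."""
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l"))


def classify_sender(header_from: str, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike-domain', 'display-name-impersonation' or 'external'."""
    display, addr = parseaddr(header_from)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        # Exact match after homoglyph folding, or a one- or two-character typo
        # such as the doubled letter in myycompany.com.
        if (fold_homoglyphs(domain) == fold_homoglyphs(trusted)
                or levenshtein(domain, trusted) <= max_distance):
            return "lookalike-domain"
    # An executive's name in the display field while the address is not ours.
    if display.strip().lower() in EXEC_NAMES:
        return "display-name-impersonation"
    return "external"


if __name__ == "__main__":
    for hdr in ["Tina Mathews <tina.mathews@mycompany.com>",
                "Tina Matthews <tina.matthews@myycompany.com>",
                "Tina Mathews <tina.mathews@rnycompany.com>",
                "Tina Mathews <tina.mathews@gmail.com>",
                "Newsletter <news@example.org>"]:
        print(f"{classify_sender(hdr):28} {hdr}")
```

A mail gateway rule or SIEM query built on the same idea should treat "lookalike-domain" and "display-name-impersonation" as grounds for quarantine or an out-of-band confirmation call before any payment request is acted on.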

In future articles, we will look in more detail at some of the ways that BEC impacts our business and how a combination of technology and security awareness training can thwart cybercriminals.