What Does Business Email Compromise (BEC) Mean?
Business email compromise (BEC) is a type of cyberattack that targets corporate employees who are responsible for handling procurement and/or wire transfers within a specific business division. The goal of this social engineering scam is to trick the victim into sending money or other high-value business assets to the attacker.
According to the FBI’s Internet Crime Complaint Center (IC3), BEC attacks are one of the most profitable types of cyberattacks, resulting in the loss of billions of dollars each year domestically and internationally. Businesses that work with foreign suppliers, businesses that regularly transfer money wirelessly, and businesses that use public cloud email services are especially vulnerable to BEC attacks.
This type of attack is often initiated through a phishing email that appears to be legitimate business correspondence. For example, the fraudulent email might contain what looks like a simple address change request from a legitimate business partner. If the change request is accommodated without being verified, however, the victim will end up sending the next financial payment or purchase to a location under the attacker’s control.
Techopedia Explains Business Email Compromise (BEC)
BEC attacks are often initiated through spear phishing emails that target employees with specific job roles.
How BEC Attacks Work
A BEC attack typically begins with a spoofed email designed to impersonate a specific employee's manager, C-level administrator or vendor partner.
This type of malicious email closely resembles normal correspondence specific to the business that is being victimized. Popular strategies for conducting BEC attacks include:
- Change order fraud – the attacker asks the victim to “update” a legitimate business partner’s banking information with routing numbers supplied by the attacker. This type of attack is often used to redirect legitimate payments to an account under the attacker’s control, but change order fraud can also be used to redirect expensive purchases – such as new computers – to a location of the attacker’s choice.
- C-Level fraud – the attacker poses as one of the company’s C-level executives and tricks an employee who is authorized to transfer funds into wiring money to an account under the attacker’s control.
- Permission fraud – the attacker targets a manager who has access to employee personally identifiable information (PII) and steals permissions to conduct future attacks.
BEC Attack Prevention
To prevent a BEC attack from being successful, the FBI recommends that organizations take the following steps:
- Enforce zero trust and strong multi-factor authentication for all email accounts.
- Establish more than one communication channel to verify significant transactions.
- Require both sides of every transaction to use digital signatures.
- Prohibit the use of virtual meeting platforms that are not approved by the organization’s information and communication technology (ICT) department.
- Treat unplanned wire transfers and change requests with suspicion and require employees to verify the legitimacy of such requests before accommodating them.
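The impersonation traits described under “How BEC Attacks Work” (a display name borrowed from an executive, a reply address on a different domain, a banking-change request from outside the company) can be turned into a mail-gateway triage check that routes suspect messages to the out-of-band verification step above. The following is an added illustration, not code from Techopedia or the FBI; the executive directory, the internal domain and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed directory of executives and the organisation's own domain (hypothetical values).
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
INTERNAL_DOMAIN = "example-corp.com"

# Phrases typical of change-order lures ("update our banking details") and C-level wire lures.
BANK_CHANGE = re.compile(
    r"\b(update|change|new)\b.{0,40}\b(bank|banking|routing|account)\b"
    r"|\bwire\b.{0,30}\b(today|urgent|immediately)\b", re.I | re.S)


def domain_of(addr):
    """Return the lower-cased domain part of an address, or '' if it has none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return the list of BEC indicators found in one RFC 822 message (empty list if none)."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = "" if msg.is_multipart() else msg.get_payload(decode=True).decode(errors="replace")
    found = []
    # 1. Display name of a known executive, but the address is not the one on file.
    if from_name.strip().lower() in EXECUTIVES and from_addr.lower() != EXECUTIVES[from_name.strip().lower()]:
        found.append("display-name impersonation")
    # 2. Replies would go to a domain other than the apparent sender's.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        found.append("reply-to domain mismatch")
    # 3. An external sender asks to change banking details or rush a wire: verify out of band.
    if domain_of(from_addr) != INTERNAL_DOMAIN and BANK_CHANGE.search(body):
        found.append("external banking-change request")
    return found


# Constructed samples: one spoofed lure and one ordinary internal message.
SUSPECT = """From: Jane Doe <jane.doe@gmail-mail.example>
Reply-To: ceo-desk@lookalike.example
To: accounts@example-corp.com
Subject: Urgent vendor payment

Please update the banking details for Acme before the wire today.
"""
BENIGN = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Meeting

See you at the 3pm review.
"""

if __name__ == "__main__":
    print(bec_indicators(SUSPECT))  # ['display-name impersonation', 'reply-to domain mismatch', 'external banking-change request']
    print(bec_indicators(BENIGN))   # []
```

A hit on any indicator is a reason to hold the message for the two-channel verification the FBI recommends, not proof of fraud on its own.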