A Business Email Compromise (BEC) is a type of cyber attack using email fraud to achieve some specific outcome which adversely affects the victims, usually involving financial fraud. BEC may be conducted by gaining direct, unauthorized access to an individual’s email account or by using a very similar email domain to impersonate an account (called ‘spoofing’).
BEC is one of the most financially damaging cyber crimes. In the United States alone, US$1.77 billion in losses were incurred in 2019 according to a report by the FBI. In Southeast Asia, financial hubs such as Singapore and Hong Kong are two of the most targeted markets for BEC attacks.
How does a typical BEC work?
A typical BEC scam involves phishing emails purportedly sent by senior employees in an attempt to trick the recipient into making fund transfers or divulging sensitive information. As such, attackers often target employees with key decision-making powers, especially those with the ability to authorize financial transactions such as CEOs and members of finance, accounting, or vendor management.
In some cases, attackers may silently monitor sensitive communications for months (or years!), auto-forwarding email conversations to their own inboxes. Attackers may closely study these conversations in order to map out reporting lines, communications procedures, standard documentation, and even the typical language used by their targets. The resulting phishing emails are often well-crafted, well-timed, and virtually indistinguishable from a legitimate request, including familiar letterheads, banking, and invoice instructions.
BEC scammers also commonly ‘spoof’ government organizations such as law enforcement, tax agencies, or healthcare entities to create a sense of authority, urgency, or fear to convince victims to act quickly.
Common tactics, techniques & procedures (TTPs) used By BEC scammers
- Gaining Unauthorized Access
- Collecting Intelligence
- Attempts to defraud the organization or its clients
- Stealing information
How to prevent BEC scams
- Enable multi-factor authentication (MFA) on all user accounts. MFA requires any additional log-ins to provide a second method of authorization, blocking the majority of unauthorized access attempts
- Enforce complex password requirements. The more complex the password, the less likely credentials are to be stolen or brute-forced
- Minimize the number of employees with ‘Admin’ access to email configurations. Following the principle of least privilege to control and manage access reduces the number of targetable privileged accounts
- Reset email account passwords regularly and immediately when suspicious activity is identified. Resetting passwords secures the account and kills any active sessions
- Remove mailbox delegates who have been granted with read, send, delete or even full access of your mailbox depending on the setup. If any delegate’s account is compromised, your email account can be used in a BEC attack.
- Disable mail forwarding rules to external domains. This action prevents BEC scammers from silently collecting email communications
- Enable mailbox auditing and retain audit log for review. These logs would enable the organization to to monitor data, track potential security breaches or signs of internal misuse of information
- Continuously educate employees on cybersecurity awareness and good cyber hygiene practices
What to do if you suspect a BEC scam
- Do not interact with the suspicious email, including:
- Do not click any links or embedded objects in the email
- Do not open or download any attachments
- Contact the sender or sender organization via phone or other out-of-band methods (such as WhatsApp) to verify the legitimacy of the email
- If the message is not legitimate, report it to your IT Security team* immediately and forward the suspicious email as an attachment so that the team can analyze the email properly
- Consult the IT Security team if you are not sure how to forward the original email as an attachment
- Inform the team if you have interacted with the email or sender in any way
- Reset passwords on any compromised accounts immediately
- Analyze the email to identify any malicious content and its associated behavior
- Analyze relevant logs to identify any indicators of compromise and perform exposure checks
- Block the malicious domains identified and malicious sender address; add them to monitoring
- Document and communicate broadly any lessons learned from the incident to improve company policies and controls
- Conduct relevant employee awareness trainings to prevent similar attacks in the future
*If there are no internal IT Security team or other teams with the incident response expertise to handle such attacks, please consult a third-party incident response firm such as Blackpanda to assist you in resolving the issue.