Business Email Compromise: What It Is & How to Prevent It

BEC (business email compromise) scams are a type of phishing attack in which a fraudster impersonates a senior executive at an organisation.

The threat of BEC attacks is something all organisations must address, with a 2021 GreatHorn report finding that 71% of organisations had been targeted in the past year.

Without appropriate defences, BEC scams can result in costly data breaches and ongoing disruption. This blog explains how you can identify fraudulent emails and protect your organisation.

How does business email compromise work?

Like all phishing attacks, BEC scams are designed to capture people’s sensitive information or to steal money.

However, the techniques are more sophisticated with BEC, as the attacks are highly targeted. Fraudsters take the time to research the victim and launch their attack with an email that replicates a genuine sender.

They might do this by compromising a senior employee’s email address with an initial password-stealing scam. Alternatively, the fraudster might create a facsimile of a legitimate email address by creating a domain name that imitates the organisation’s.

For example, if the target’s email domain was ‘@company.com’, the fraudster might register the domain ‘cornpany.com’ – with an ‘r’ and a ‘n’ replacing the ‘m’.

From there, the fraudster will email someone in the organisation in an attempt to compromise funds or sensitive information.

The specifics of the email will vary depending on the pretext that the attacker uses. In the next section, we look at the most common pretexts that BEC scams use.

Types of BEC scams

There are five common types of BEC scam:

  1. CEO fraud: the attacker poses as an organisation’s executive and asks someone in the finance department to transfer funds to a new bank account. Unbeknownst to the recipient, that account is controlled by the scammer.
  2. Fake invoice: the attacker claims to be a supplier for a good or service, and requests a payment.
  3. Account compromise: the attacker compromises an employee’s email account and uses it to request an invoice payment to a fraudulent bank account.
  4. Attorney impersonation: the attacker pretends to be a lawyer or legal representative and requests copies of sensitive information.
  5. Data theft: the attacker targets the HR department with a request for personal information about employees.

Signs of a business email compromise attack

BEC scams can be hard to spot, because attackers typically make a concerted effort to mask their tactics. For example, unlike traditional phishing, you wouldn’t expect to see links to bogus websites – which is often what alerts spam filters to fraudulent emails.

Likewise, many BEC scams will come from a legitimate (albeit compromised) email account, and their messages don’t ordinarily contain spelling or grammatical errors.

That’s not to say that BEC scams are impossible to spot. You just need to look for different clues, and a major giveaway is the context of the message.

One thing every BEC scam has in common is that it asks the recipient to do something in an unusual manner.

Whether the message requests a wire transfer or access to a database, it’s not something you will have previously discussed with this person, so you should be suspicious.

There will be times when a genuine request is made without warning, but it is always worth confirming before proceeding.

If you share an office with the person, it’s worth talking to them face-to-face about the request. If that’s not possible, you should give them a call or send an instant message asking for confirmation.

Don’t simply reply to the email, though. If the message was a scam, the person receiving your request will still be the scammer.

Although these precautions can be inconvenient, information security is an increasing priority and a few moments of your time can avert a disaster.

How to prevent business email compromise

As we’ve alluded to throughout this blog, the sophisticated nature of BEC scams means that organisations can’t rely on automated processes to prevent attacks.

Anti-malware software is great for detecting standard phishing emails, but they will have limited effectiveness against BEC scams.

Organisations must instead educate their employees on how to spot suspicious emails, and encourage them to be vigilant when dealing with unsolicited requests.

Employees should be encouraged to consider the following when they receive an email containing an unusual request:

  • Is this request reasonable and believable? Although every organisation is different, it’s rare for a CEO to ask for granular information such as tax forms or employee records unless there is a specific, previously discussed reason.
  • Are they asking you to keep this correspondence confidential? Scammers often ask recipients not to discuss their request with colleagues. They might claim that this is for ‘confidentiality’, but it is usually because they have sent the same request to several employees. If you each discuss the request, you’ll realise it is a scam.
  • Is this the way business is normally conducted? Most organisations will have a defined process for work requests or access to information. For example, the CEO will talk to the head of the relevant team, who then relays that request to the appropriate person. If you are contacted by the CEO directly when this isn’t normally the case, it’s a sign that something isn’t right.
  • Does the sender’s email address look strange? Fraudsters are excellent at imitating email addresses, so a bogus account might not be noticeable at first glance. But if there’s anything about the message that seems suspicious, you should take a closer look at the sender’s address.

Teach your staff to spot BEC scams

Help your employees detect a BEC scam with GRC E-Learning’s Phishing Staff Awareness Training Programme.

This online training course explains everything you need to know about scam emails, from the way attackers instigate their attacks to the steps you can take to defend yourself.

It uses examples like the one listed above to show how phishing works in real life, and the content is updated each month to ensure you understand the latest trends.