BEST PRACTICES: Blunting ‘BEC’ capers that continue to target, devastate SMBs and enterprises

By John Wilson

It’s no secret that cyberattacks can happen to any business, and we should all be suspicious of messages from unfamiliar senders appearing in our email inboxes.


But surely we can feel confident in email communications and requests from our organization’s executives and fellow coworkers, right? The short answer: not always.

The reason is the rise in business email compromise (BEC) schemes. This type of targeted phishing or whaling (executive-level) attack tricks email recipients into believing someone they know and trust is asking them to carry out a specific financial task. Here are a few examples of how these insidious campaigns use the power of human relationships to defraud businesses via email:

Scenario 1. A CFO receives an urgent email request from the CEO asking her to pay a supplier invoice immediately. The CFO commonly carries out such tasks and arranges a wire transfer using the account information provided on the invoice. In actuality, the request is coming from a BEC fraud ring, and the payment details direct the funds to an account controlled by the attackers.

Scenario 2. An HR benefits manager receives an email from the department VP asking him to purchase gift cards for a new employee rewards program. The email specifies that the HR manager should include the codes associated with each card, which the scammer behind the scenes then sells online for cash or cryptocurrency.

Scenario 3. An accounts receivable rep receives an email from a C-suite executive asking for the company’s most recent aging report. If the rep complies, the attacker now has a list of customers who owe the company money, how much each owes, when the payments are due, and on what terms. The attacker also has the rep’s email signature. The attacker then registers a look-alike domain and contacts each customer on the report, explaining that all future payments should be sent to a new bank account.

Planned attacks

BEC is a growing concern, and attackers have taken full advantage of the upheaval the COVID-19 pandemic has caused to ramp up their efforts. These campaigns are hard to spot because the perpetrators have done their homework to make emails appear completely legitimate, from the formatting to the language, to the type of request being made.

Today’s BEC attempts aren’t the easy-to-spot, typo-laden phishing campaigns of the past. For starters, attackers leverage social engineering tactics and information gleaned from websites and social media profiles to determine employees’ working relationships and connections.

They can also include personal details in messages so the recipient doesn’t think twice about the request. On top of this, internal employee-to-employee email is rarely scanned by mail security gateways, so a BEC message sent from a compromised internal account can go undetected.

Fraudsters prey on the target using the killer combination of trust, authority, and urgency. Businesses large and small can be the target of a BEC campaign because at the end of the day, most of us are trusting souls ready to help others. We would never expect someone we know and work with to scam us, much less defraud our organization.

BEC attacks don’t get the media attention of ransomware incidents and data breaches, but they are far more prevalent and, in aggregate, more costly. In its 2020 Internet Crime Report, the FBI’s IC3 recorded 19,369 BEC complaints with adjusted losses of more than $1.8 billion for the year. Although funds can sometimes be recovered, the cost of business disruption can still be significant.

Prevention is the cure

We need to put a stop to this all-too-common attack vector.

As with any type of cyberattack, prevention is the best strategy. Employee awareness training is an important first step, as most people aren’t familiar with BEC attacks. Training can include simulations so employees learn to spot phishing or whaling attempts before blindly completing requests or clicking on links.

DMARC email authentication, built on SPF and DKIM, lets receiving mail servers reject messages that forge your organization’s domain in the From header, but only if the published policy is quarantine or reject rather than the monitoring-only p=none, and it does nothing against a look-alike domain or a genuinely compromised account, so it is one layer rather than a cure. Two-factor or multi-factor authentication reduces the risk that an email account is taken over in the first place. Likewise, because these scams almost always seek a transfer of funds or a change in payment details, tighter accounting controls are crucial: verify any new or changed bank account by calling the requester at a number already on file, never one supplied in the email. Identity-based phishing defenses, which look at who is really sending a message rather than only at its links and attachments, can recognize BEC in its varied forms.
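The look-alike domain from Scenario 3 and the DMARC point above can both be turned into concrete checks that a mail-triage script runs against the domain in a message’s From header. The Python below is an added example written for this page, not code from the essay’s author or from Agari; the domain names, the DMARC records and the trusted-domain list are constructed so the example runs offline, and a real deployment would fetch the TXT record at `_dmarc.<domain>` over DNS instead of reading it from a dictionary.

```python
"""Two offline checks a mail-triage script can run on an inbound sender domain.

Added example for this page, not code from the essay's author or from Agari.
All domains, DMARC records and the trusted-domain list below are constructed.
"""
import unicodedata

# Constructed DMARC TXT records, keyed by domain, as a resolver would return
# them for _dmarc.<domain>. A real deployment looks these up over DNS.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100",
    "example.org": "v=DMARC1; p=none; rua=mailto:dmarc@example.org",
    "example.net": None,  # no record published at all
}

# Constructed list of domains whose senders employees are inclined to trust:
# the organization itself plus key suppliers and customers.
TRUSTED_DOMAINS = ("example.com", "example.org", "example.net")


def parse_dmarc(record):
    """Split a DMARC TXT record into tag=value pairs; None if absent or not DMARC."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def dmarc_strength(domain):
    """What a receiver may enforce against mail claiming to come from domain:
    none      - no record, so receivers cannot apply any owner policy
    monitor   - p=none: owner only gets reports, spoofed mail is still delivered
    partial   - quarantine/reject but pct below 100, some spoofs still get through
    enforcing - quarantine or reject applied to every failing message
    """
    tags = parse_dmarc(DMARC_RECORDS.get(domain))
    if tags is None:
        return "none"
    if tags.get("p", "none").lower() == "none":
        return "monitor"
    return "partial" if int(tags.get("pct", "100")) < 100 else "enforcing"


# Substitutions that survive a quick glance. Folding is applied to BOTH sides
# of a comparison, so a legitimate 'rn' in a real domain is harmless.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def skeleton(domain):
    """Reduce a domain to the string a hurried reader effectively sees."""
    domain = domain.lower()
    try:
        domain = domain.encode("ascii").decode("idna")  # xn--... -> Unicode form
    except UnicodeError:
        pass  # already Unicode, nothing to decode
    decomposed = unicodedata.normalize("NFKD", domain)
    folded = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    for lookalike, plain in CONFUSABLES:
        folded = folded.replace(lookalike, plain)
    return folded


def edit_distance(a, b):
    """Levenshtein distance, to catch example.co / examples.com style variants."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1, current[j - 1] + 1,
                               previous[j - 1] + (ca != cb)))
        previous = current
    return previous[-1]


def lookalike_of(sender_domain, trusted_domains=TRUSTED_DOMAINS, max_distance=1):
    """Return the trusted domain that sender_domain imitates, or None."""
    sender = sender_domain.lower()
    if sender in trusted_domains:
        return None  # exact match: legitimate, or an account takeover this cannot see
    sender_skeleton = skeleton(sender)
    for trusted in trusted_domains:
        if edit_distance(sender_skeleton, skeleton(trusted)) <= max_distance:
            return trusted
    return None


def triage(sender_domain, trusted_domains=TRUSTED_DOMAINS):
    """Combine both checks into one verdict for a From-header domain."""
    sender = sender_domain.lower()
    if sender in trusted_domains:
        strength = dmarc_strength(sender)
        verdict = "trusted" if strength == "enforcing" else "unverifiable"
        return {"verdict": verdict, "dmarc": strength, "lookalike_of": None}
    target = lookalike_of(sender, trusted_domains)
    verdict = "lookalike" if target is not None else "unknown"
    return {"verdict": verdict, "dmarc": dmarc_strength(sender), "lookalike_of": target}
```

Run on constructed senders, `triage("exarnple.com")` reports a look-alike of example.com, while `triage("example.org")` comes back "unverifiable" because that domain publishes only p=none and a forged From header would still be delivered. The confusable table here is deliberately short; a production check would use the full Unicode confusables data and the organization’s own list of partner domains.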

About the essayist: John Wilson is senior fellow, threat research, at Agari by HelpSystems. He works with businesses of all sizes to prevent financial loss from BEC campaigns and help them achieve peace of mind in a fast-changing cybersecurity landscape. 
