Understanding business email compromise (BEC)
Business email compromise impacts companies across the globe. Understand what these fraud attacks are, how to spot them and how to prevent them.
By ATB Financial 1 March 2023 10 min read
As businesses shift day-to-day activities into the digital space, they’ve begun to rely more and more on the internet to manage transactions and communication. But even as technology becomes increasingly ubiquitous, it’s far from bullet-proof when it comes to information security. For the sake of their clients, their employees and their owners, it’s essential for businesses to educate themselves on the fraud risks specific to the digital space.
Since 2013, criminal organizations have been exploiting the business sector’s reliance on cloud-based email infrastructures to perpetrate fraud. Despite extensive awareness of business email compromise (BEC) schemes, Albertan organizations of all sizes continue to be defrauded at a staggering rate. Companies in every sector and industry are being targeted, even those with robust cybersecurity systems. So what can organizations do to protect themselves?
Why do Alberta businesses need to improve BEC awareness?
As Aisha Kitchlew, senior manager of fraud and cybercrime at ATB, confirms, BEC scams have been common for several years already. The fact that many businesses are still so ill-prepared to protect themselves demonstrates the importance of ramping up awareness and education efforts—as well as making the internal policy changes that have proven most effective at stopping BEC scams before they damage an organization.
“Employees of business organizations are using personal devices and home network connections for work purposes, putting these organizations at a higher risk of a cyber attack,” says Kitchlew. “Some organizations may not have enough control over these devices or networks to protect themselves. Because of the human element embedded into a sophisticated scam like BEC, it can be very easy to overlook the red flags.”
Typically, BEC perpetrators are sophisticated, organized and well-funded. Most victims do not detect the fraud attempt until it’s too late.
Cyber criminals are zeroing in on BEC as their preferred modus operandi for a good reason: it’s extremely lucrative. Also known as a “man-in-the-middle” scheme, BEC can be perpetrated using a number of methods, which means that bad actors often have multiple avenues of executing a scam available to them.
This type of fraud attack method is made even more attractive by the fact that—ironically for a scheme that exploits technology dependence—it has low technology requirements. Furthermore, the risk of criminal prosecution for BEC is low while success rates are very high.
How does BEC work?
While there are numerous methods a cyber criminal can use to execute a BEC scam, the end goal is always the same: to convincingly request fraudulent and unauthorized fund transfers.
Bad actors compromise official business email accounts of the targeted organization and impersonate trusted identities, such as executives or senior leadership, who have the authority to request large fund transfers. The fraudster either creates an email address that mimics the address belonging to the person of authority (a practice known as spoofing), or compromises that person’s real email inbox by gaining access to their login credentials. Fraudulent requests for funds that appear to be sent from legitimate email addresses often include an element of false urgency—for instance, claiming that the targeted executive is off-site or unable to be contacted but has requested that a transfer be executed immediately. It’s not uncommon for the impersonator to make several follow-ups, usually via email, before any red flags are detected by the employees responsible for responding to the fraudulent request.
The cost of BEC fraud to Canadian businesses
According to recent cybercrime statistics, BEC has resulted in losses of more than $26 billion dollars from unsuspecting victims worldwide.
Closer to home, the Canadian Anti-Fraud Centre (CAFC) reports that average losses in a BEC case are typically over $100,000 CAD. Of over forty different types of fraud methods identified by the CAFC, BEC is currently responsible for some of the largest losses being experienced by Canadian businesses.
Who does a BEC attack target?
Criminals look for organizations (of any size) that regularly send wire transfers or other external fund transfers to pay suppliers and vendors for goods and services. In most cases, these businesses have high volumes of outgoing transactions with similar characteristics, allowing fraudulent transfers or requests to seem like normal day-to-day account activity.
High-profile companies are just as susceptible to BEC scams as relatively unknown organizations are. In 2017, Fortune reported that Google and Facebook had lost a total of $100 million USD to a fraud threat group using a BEC phishing scheme. While the threat group was eventually convicted and the majority of the funds recovered and returned to their respective organizations, it’s important to note that few attacks of this scale have such a positive outcome.
Know how to spot the different types of BEC
Spoofing
How it works: “This is the art of disguising communication from an unknown source to a known source”, says Kitchlew. Fraud actors can spoof email addresses, phone numbers, websites and even IP addresses, often by taking a legitimate address/phone number/website/address and changing one or two characters. In BEC schemes, fraud actors mimic email addresses belonging to high-level executives, changing them in slight, almost imperceptible ways, especially within the domain name. For example, email@example.com can become firstname.lastname@example.org (note the third ‘c’). When using spoofing to perpetrate BEC, the fraud actor does not require access to a victim’s email account to be able to execute the attack.
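A defender-side check for the lookalike-domain trick described above, added here as an example and not part of ATB’s article: it parses a From: header, measures how many single-character edits separate the sender’s domain from the organization’s trusted domains, and separately flags an executive’s display name arriving from an untrusted domain. The trusted domains and executive names are constructed for the example.

```python
from email.utils import parseaddr

# Constructed data for this example: the domains this organization and its known
# suppliers really send from, and the names of executives fraudsters most often imitate.
TRUSTED_DOMAINS = {"example.com", "supplier-example.com"}
VIP_NAMES = {"jane doe", "sam lee"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character inserts, deletes or
    substitutions needed to turn a into b (the 'one or two characters' of a lookalike)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, max_edits: int = 2) -> tuple:
    """Classify a From: header. Returns (verdict, detail) where verdict is one of
    'ok', 'lookalike_domain', 'vip_name_external', 'external' or 'invalid'."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("invalid", from_header)
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        return ("ok", domain)
    # A domain within max_edits of a trusted one is the classic BEC lookalike.
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= max_edits:
            return ("lookalike_domain", f"{domain} resembles {trusted}")
    # An executive's name on an untrusted domain is display-name impersonation,
    # which catches swaps (e.g. a different top-level domain) that exceed max_edits.
    if name.strip().lower() in VIP_NAMES:
        return ("vip_name_external", f"{name!r} sent from {domain}")
    return ("external", domain)


if __name__ == "__main__":
    # Constructed sample headers, not real mail.
    for hdr in ["Jane Doe <jane.doe@example.com>",
                "Jane Doe <jane.doe@exampple.com>",
                "Sam Lee <sam.lee@example.org>",
                "Accounts <ap@totally-different.org>"]:
        print(check_sender(hdr))
```

Tune max_edits to your domain lengths: short trusted domains will match unrelated short domains at distance 2, so review flagged mail rather than block it outright.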
Email account compromise
How it works: Malware is installed on an executive’s computer following a successful data breach or phishing campaign, providing the fraud actor access to the executive’s email inbox. Usually the fraud actor will delete sent emails and turn off notifications, so the victim may be unaware that fraudulent emails are being sent from their account.
How to prevent attacks
While BEC fraud might seem sophisticated, it is usually very simple to execute—and thus, in theory, simple to protect against. There are several practical and cost-effective ways organizations of all sizes can reduce their exposure:
- Create a BEC policy and implement the following controls:
  - Document best practices, procedures and security measures to follow.
  - Verify any requested changes, especially to bank account or payment details. Have sign-off measures in place in the case of requested changes to payment details.
  - When verifying a request, pull contact information from an independent source (for instance, an official webpage or the company switchboard) and use a different method of contact from the request.
  - Require multiple levels of sign-off for any fund movements and ensure that appropriate segregation of duties is implemented.
- Train and educate all employees on your BEC policy and security procedures. It’s important to think of fraud prevention as everyone’s responsibility, and not solely an IT issue. Train and test those with the responsibility to make payments on red flags, so they know what to look for and can identify any scams before it’s too late. (While fraudulent emails can seem extremely convincing, it’s important to remember that no legitimate business, institution or authority will request banking information to be communicated through an email.) Create a culture of awareness so that your team members can report any incidents (real or attempted) immediately. Your financial institution is in a much better position to partner with you when they are notified immediately.
- Conduct an assessment of your IT security. Whether you hire an outside agency or conduct a risk assessment internally, it’s important to identify your technological vulnerabilities, especially of your email system. Small changes such as applying advanced filters and limiting permissions can help secure your network and block access points, reducing the likelihood of a successful BEC attack.
- Keep software and security measures current. Use Fraud Prevention Month (March) and Cybersecurity Awareness Month (October) as regular reminders to evaluate your fraud prevention programs. Visit the Association of Canadian Fraud Examiners, The Canadian Centre for Cyber Security, Chartered Professional Accountants of Canada and ATB for updates on fraud trends, and access free resources and toolkits to improve your online security and fraud prevention measures. Protect yourself from a cyber attack by taking the Association of Certified Fraud Examiners (ACFE) fraud prevention check up.
- Report incidents and keep evolving and strengthening your defenses. Recent advancements in AI-powered defense systems offer new hope in the battle against BEC fraud, and are already helping businesses stand their ground against the epidemic of attacks.
What to do if your company is a victim of a business email compromise (BEC) attack
- Contact your financial institution immediately. The sooner they are aware of the situation, the more efficiently they can support you.
- Take action. Consider using a reputable IT firm to assist in scanning your devices to ensure any malware is identified and any infected hardware is promptly quarantined for removal. It is also very important to reset all impacted credentials and passwords, such as those for online banking and email accounts.
- Notify. Contact the two main credit reporting agencies, Equifax and TransUnion, and provide details on the incident. Ensure that a fraud alert is placed on your credit reports for any future applications made using your identity. This will prompt the creditor to contact you at a phone number you provide before approving any additional lending or opening new accounts. You may consider placing a temporary security freeze on your credit report to stop any fraudulent activity from taking place in the immediate future.
- Report. Consider reporting to: Your local law enforcement agency and The Canadian Anti-Fraud Centre (CAFC). Visit the CAFC website to learn about any next steps you should take.
- Protect yourself. Ensure you have enabled two-factor authentication, especially for banking services, and have proper password hygiene protocols in place.
- Educate yourself and your team. The best defense against a fraud incident is education; understanding and knowing what you are up against will allow you to consider what controls are best suited for your business. Consider using resources such as the Canadian Anti-Fraud Centre website, in combination with ATB’s cybersecurity guide on how to protect your business from cyber theft and payment fraud.
Be aware of other types of online fraud outside of BEC
As hackers develop increasingly sophisticated tools to breach our rapidly expanding technological spaces, it’s crucial to integrate a cyber security strategy to defend your organization against a plethora of ever-evolving fraud threats. BEC isn’t the only threat to your company’s funds and information. Other types of fraud could include:
Vendor email compromise (also known as supplier phishing)
How it works: Vendor email compromise targets businesses that have well-established relationships with suppliers. The fraud actor uses a spoofed or compromised email account to impersonate the business, and requests that the supplier provide payment via wire transfer to a fraudulent account.
Phishing
How it works: Fraud actors call or send emails or texts to employees in an attempt to acquire sensitive information. Usually, they will try to mimic a genuine website, company, governing body or even employee in an attempt to make the target believe it’s safe to disclose the requested information. Typical phishing messages will ask the recipient to reconfirm, re-enter or input bank details (or similarly private information) in order to get a refund, pay postage on something the recipient supposedly ordered, or unlock an account. There are several different types of phishing:
- Spear phishing: Phishing scam in which fraud actors compromise email accounts in search of a specific piece of information.
- Vishing: Phishing scam done over the phone instead of email.
- SMiShing: Phishing scam perpetrated via SMS texts.
The future of cybersecurity
Every business is vulnerable to BEC, regardless of size, reputation or industry. While you may have gone to great lengths to protect your physical assets — have you applied the ingenuity, innovation and determination to ensure your digital information is safe? As hackers continue to evolve in their approach, business leaders are called to be savvier than ever before. Integrating the right processes, controls and tools into your operational structure is crucial in mitigating risk.
While we want this information to be useful for you, we make no promise, representation or warranty about its accuracy or completeness. We don’t accept any liability or responsibility whatsoever for any loss arising from any use of this document or its contents. This information is not kept up-to-date. Without our prior consent, this document may not be reproduced in whole or in part, or referred to in any manner, including any information, opinions and conclusions it contains. This document is provided for information purposes only and is not intended to replace or substitute for professional advice.