Overview

Business email compromise (BEC) is a specific form of spear phishing that occurs when a fraud actor or threat group sends an email that appears to originate from a legitimate source within a targeted organization. If the attack is successful, the confidence engendered by the apparently legitimate sender lures the recipient—an employee of the organization— into revealing confidential information or transferring a large sum of money to the fraudster, whom the employee believes to be representing their employer.

This lucrative technique is becoming increasingly popular among fraud actors and no business or organization is immune. While BEC schemes can be massively profitable for the criminals who perpetrate them, they are also designed to defame and destabilize the organizations they target. BEC is one of the most common types of fraud reported to the Canadian Anti-Fraud Centre (CAFC), and the losses to victims and the damage to impersonated businesses are significant:

• BEC has resulted in fraud losses of more than $26 billion dollars from victims worldwide.
• Spear-phishing, which includes BEC, continues to be one of the top reported scams out of about 40 fraud types recorded by the CAFC.
• In 2022, the Canadian Anti-Fraud Centre received fraud and cybercrime reports totalling $530 million in victim losses.
• According to Statistics Canada, in 2017, about 10 per cent of businesses in Canada reported that they lost revenue as a result of cyber security incidents, and six per cent of businesses reported that the incidents damaged the reputation of their business.

Large as they are, these numbers actually underrepresent the scale of fraud that has affected Canadians, notes Aisha Kitchlew, senior manager of fraud and cybercrime at ATB. “The Canadian Anti-Fraud Centre estimates that fewer than 5% of victims will actually file a fraud report with the agency or local law enforcement,” she says.

Protecting your organization from BEC

In this webinar, Kitchlew shares how business leaders can educate themselves and their employees about BEC, and covers pressing topics such as:

• Fraud statistics
• Phishing types and techniques
• The anatomy of spear phishing
• Major types of BEC
• Red flags
• Mitigation measures

Key takeaways

BEC tactics

Spear phishing campaigns, including BEC campaigns, will often use a tactic called social engineering, a term which describes an attempt to gain information through manipulation.

“In today’s post-COVID context, cyber criminals know that a majority of the world’s population has been forced to shift toward online environments when it comes to communicating and conducting business,” says Kitchlew. “Now that digital transactions and exchanges of information are so ubiquitous, BEC has become an even easier fraud attack method to perpetrate, since the telltale signs of BEC may be harder to spot.” 

Social networking sites like LinkedIn, Facebook, Instagram and others have also made it easier for fraud actors to discover potential victims’ personal and organizational information, which they can use to make a BEC attack more customized, sophisticated, and believable.

How BEC works 

“Business email compromise (attacks) will aim to sidestep the financial process controls that are designed and perhaps implemented by your business to safeguard against fraud,” explains Kitchlew. “Essentially, fraud actors are targeting the employees of your business or organization, not your technology.”

The step-by-step process of a BEC fraudster:

Step 1: Research

Fraud actors will deeply research a target company using open sources, such as official websites, social media posts, press releases and other publicly available information. “They will access each and every public record to learn as much as they can about the dynamics of the business and the individual they are trying to target,” says Kitchlew.

Step 2: Obtain email addresses

Before sending a fraudulent email request to their victim, the fraud actor needs an email address to send it from. Typically, they obtain this email address in one of two ways—either by obtaining access to the target employee’s email inbox through a data breach, or by spoofing one of the organization’s email addresses (which means creating an email address that looks almost identical to an existing address but often includes alternative numbers or capital letters).

Step 3: Execute

“Now that the fraud actor has all of the details that they need—who they are going to target, what information they need to use, and an email address to send the request from—the final step is to execute,” says Kitchlew. The three most common types of BEC are CEO fraud, account compromise and vendor scams. Each will use information collected in the research phase to craft an email aimed at manipulating an employee into revealing information or making a payment. The content of the email will create urgency or pressure by suggesting reputational losses or severe outcomes are a possibility.

How to spot BEC

Spear phishing emails don’t usually contain malicious links or attachments, so they often bypass traditional security email protections. Your best security measure is to equip your employees with knowledge on how to recognize and report BEC, so they can act as a human firewall to protect your organization. 

BEC emails will typically include:

• Requests for personal information
• Requests to update important information such as payment details, account numbers, method of payment, etc.
• Atypical payment requests
• Urgent language
• Reports of anomalous account behaviour
• Sudden changes in norms (for instance, requests to adhere to unfamiliar processes and protocols)

Whenever an employee sees an email that contains any of these red flags, they should take a moment to check the email address, question the legitimacy of the message, and confirm any out-of-the-ordinary requests by contacting the apparent sender using a trusted phone number, such as one from the company website.

How to mitigate the risks of BEC

“It might seem costly to implement security controls and update business practices, but refusing to educate your employees or accepting the risk of your business being targeted by a BEC attack are both likely going to cost you more in the long run,” says Kitchlew.

To stop this type of fraud from being perpetrated within your organization:

• Review existing processes and procedures, including segregation of duties for financial transfers.
• Add a requirement for multiple signers to electronic transfers.
• Educate your employees about common types of scams, what to watch out for and what to do when they suspect fraud. You can also hire a company to simulate phishing campaigns as part of your employee training.
• Obtain verbal consent from the apparent sender of an email when any red flags appear in their emails.
• Make multi-factor authentication mandatory at your business.
• Confirm the email address before taking action on a request to ensure it isn’t a fake address disguised to look credible.
• Partner with your financial institution to explore ways to prevent unauthorized transactions.
• Be mindful of what information your employees and your organization share on public social media accounts.

Other types of phishing attacks

While spear phishing (which includes BEC attacks) is a particularly lucrative form of online fraud that targets individuals, primarily through email, it’s not the only form of phishing organizations and individuals need to be aware of. 

Other types of phishing campaigns include:

Content spoofing: “This is the art of disguising communication from an unknown source to a known source”, says Kitchlew. Fraud actors can spoof email addresses, phone numbers, websites and even IP addresses, often by taking a legitimate address/phone number/website/address and changing one or two characters. (Content spoofing can be an aspect of spear phishing, if fraud actors use spoofed email addresses to create the appearance that a trusted source is requesting information and/or funds from the victim.)

Pharming: Pharming schemes are built around malicious websites that are made to look legitimate. Cyber criminals often pay to promote these websites at the top of search engine results, increasing both the sites’ appearance of legitimacy and the likelihood of potential victims clicking through. 

Vishing/smishing: These are phishing attacks conducted through phone calls or texts.