An accountant wires money to the construction firm renovating a corporate office. A payroll specialist updates banking information for a newly married employee as for the week’s payroll. These are both ordinary scenes of routine business processes.
They’re also the targets of one of the most insidious types of cyber threats, known as business email compromise (BEC). BEC attacks masquerade as routine business email and use the power of familiarity and trust to divert money and information into malicious hands.
About this series
Today’s cyber threats rely on human interaction, not just technical exploits. In fact, 82% of data breached in Verizon’s 2022 “Data Breach Investigations Report” involved the human element. As the report puts it, this reality “puts the person square in the center of the security estate.” Attackers use social engineering to trick people into clicking unsafe URLs, opening malicious attachments, entering their credentials, sending sensitive data, transferring funds and more.
This is the third of our six-part blog series covering security awareness training topics all you should address in your security awareness training. Leading up to Cybersecurity Awareness Month in October, we’ll cover:
- Social engineering
- Business email compromise (BEC)
- Social media
- Insider risk
Business email compromise attacks rely on social engineering—and human nature—to succeed. It’s critical that your users understand what BEC is, how to recognize it and what actions they can take against these attacks.
What is business email compromise?
Business email compromise is a type of email fraud. Criminals impersonate a trusted source using a spoofed, lookalike or compromised account. Then they send targeted emails to employees, business partners or customers. The recipient, believing the email is legitimate, takes actions that place sensitive information or funds directly in the hands of the criminal.
The impact of BEC
The impact of BEC is considerable. In 2022, the FBI reported that adjusted losses from BEC attacks totaled $2.4 billion. That’s 49 times greater than losses from ransomware and represent 35% of all losses reported in 2021. A single diverted wire transfer can easily cost your business hundreds of thousands of dollars or more.
Here are four main impersonation tactics used in BEC attacks:
- Domain spoofing: Attackers take advantage of gaps in your email authentication system—or lack of one—to make it appear that an email is coming from your trusted domain.
- Display name spoofing: Attackers modify the sender’s name to display someone known to the recipient. Sometimes this a person in authority, but it can be anyone the victim trusts (internal or external).
- Lookalike domain: Attackers register domains that are confusingly similar to your company’s domain and impersonate the brand or a trusted individual. For example, an attacker might swap acompanysdomain.com for acompanydomain.com.
- Compromised account(s): Attackers use various tactics, such as social engineering and phishing to gain access to a user’s email credentials. They then use that compromised account to launch BEC attacks. Attackers may also use a compromised account from a trusted vendor to defraud customers and business partners—turning the supply chain into another threat vector. We often see supplier impersonation and compromised supplier accounts used jointly in a single attack.
Several themes appear frequently in the content of BEC messages. All aim to get users to complete a task or provide information.
- Tasks and lures: Attackers use simple, seemingly benign questions or requests to identify, verify and soften up potential targets. They may seek to dig up more information, confirm that the email address is valid or see whether the target seems easy prey.
- Payroll redirect: Attackers send an email to HR or payroll department posing as an employee and ask to change their direct deposit banking information. This change routes your employee’s pay to the bad actor’s account.
- Invoicing fraud: An attacker impersonates or compromises an internal source or a supplier and requests that payments be routed to a new account.
Virtual meetings or video conferencing
With the rise of remote work, virtual meetings have become a common theme in BEC attacks. Attackers use this technology theme in several ways, such as:
- Sending meeting invitations and citing “audio issues” at the start of the meeting; then using in-meeting chat or follow-up emails to request money or information
- Using “deep-fake” audio or video to impersonate someone the victim trusts
- Impersonating a company leader who’s “stuck in a meeting” and asking staff to complete finance-related tasks
- Using a compromised employee email account to gain access to sensitive information, get employees’ schedules and slip into ongoing email conversations
How users can recognize BEC
BEC attacks are difficult to spot because they look just like regular business email. They don’t always contain URLs or attachments, making them hard to detect with traditional security tools. But your users can look out for signals that something is awry and take steps to verify requests. These steps can include contacting the sender in person or through a different communication channel, such as the telephone.
- Misspellings: While they are not a smoking gun, misspellings should prompt your users to take a closer look at the email and ensure the request is valid.
- Sudden change in procedures: Emails that ask for sudden changes to procedures—and especially those that involve finances or private company data—should always be treated with suspicion.
- Banking or financial requests: Employees should always scrutinize requests to change banking or payroll information.
- Urgency: A sense of urgency should also raise a red flag for your employees. Attackers use urgency to elicit an emotional response from their recipient.
- Hover over sender display name: Closely look at the sender email address to see if it's a lookalike domain. When users reply to an email, always check and see if the reply-to email is consistent with the email in the sender field
More ways to reduce risk and report issues
Employees can help your company combat BEC attacks in several other ways:
- Be careful when posting personal information online. Attackers will often research targets to make their impersonation more convincing
- Don’t trust any senders. Always be on the lookout for imposters.
- When in doubt, consult the security team.
- Always verify requests for money or information using other methods to ensure they really came from the apparent sender.
Up next: more end user security awareness topics
The next blog in this security awareness training topic series will help you educate your employees on social media. We will cover common social media threats and how to use social media safely.
You can also visit the Proofpoint Cybersecurity Awareness Hub for more security awareness resources. Proofpoint Security Awareness can also help you build a security culture that drives positive behavior change.
Stop the full range of BEC email fraud tactics with multilayered security controls. Learn more about Proofpoint BEC protection.