Business Email Compromise and Email Account Compromise

No two BEC/EAC attacks are alike. A layered approach to security is essential.

Identity deception could be placing your business at risk

Whether they are spoofing an identity (BEC) or stealing a valid identity (EAC), attackers are using identity deception. That is the common email fraud element that needs to be addressed.

Business Email Compromise

Business email compromise (BEC) attacks ask the victim to send money or personal information out of the organization. Attackers do this by spoofing a person in authority, such as a CEO or VP of Finance. To stop BEC and email fraud attacks, consider implementing controls that:

  • Block email fraud attacks that use spoofed and lookalike domains
  • Analyze all email content and headers using machine learning
  • Enable creation of a global email authentication policy
  • Remove suspicious and unwanted email from end user inboxes
  • Show authentication status across your supply chain and business partners
  • Offer end user education to help identify business email compromise (BEC) attacks

Email Account Compromise

Email account compromise can occur if a threat actor successfully tricks a victim into providing their credentials or gains access to an account through other means. Once an account is compromised, it can be used to move laterally inside an organization, steal data, or fraudulently communicate with your business partners or customers. To protect against email account compromise, you need a solution that:

  • Highlights brute-force attacks and suspicious user behavior across cloud applications
  • Identifies Very Attacked People (VAPs)
  • Forces password resets on email accounts that are compromised
  • Enables read-only access to unknown websites to prevent credential theft
  • Assesses end user vulnerability to credential theft attacks

Business Email Compromise

At Proofpoint, we offer a layered approach to protecting against business email compromise (BEC) by addressing the many tactics that threat actors use. Tackling the problem in this way prevents threats that use display name spoofing, domain spoofing, and lookalike domains. DMARC email authentication also prevents BEC threats from impacting your partners and customers, which limits both financial impact and brand damage. We provide education and visibility so you understand how your organization is being attacked and how vulnerable an individual or group is to an email fraud attack, and we improve the ability of your people to identify these threats.

Email Account Compromise

Preventing email account compromise spans different threat vectors, because end users tend to reuse credentials across the different accounts they have, both personal and corporate. We give you visibility and control across cloud applications, email, and personal webmail. This helps you prevent the loss of credentials and identify suspicious behavior when these accounts are accessed. It is critical to be able to identify attempted email account compromise as well as the symptoms of accounts that are already compromised. In this way, your organization can limit exposure to both infection and data loss.

Is Your Organization Protected Against BEC/EAC Attacks?

Business email compromise (BEC) and email account compromise (EAC) attacks are complex problems with no easy solution. They come in many forms, and no single approach can stop them.

See how well your organization is prepared with our free, easy assessment.

Question 1

My current solution effectively detects and blocks impostor emails from entering my organization.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 2

My current solution helps implement DMARC authentication to prevent fraudulent use of my domains to protect my employees, business partners, and customers.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 3

My current solution helps me understand what DMARC policies I should create and enforce for inbound messages.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 4

My current solution uncovers suspicious cloud account activities, such as failed logins, that are indicators of account compromise.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 5

My current solution effectively detects and blocks the advanced malware that attackers often use to compromise accounts.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 6

My current solution can defend against credential phishing at the time of click and post-delivery.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 7

My current solution provides actionable visibility into my human attack surface, such as who my most attacked people are and which users are being targeted with impostor and credential phishing threats.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 8

My current solution tells me who is sending email using my domains, including third-party senders and lookalike domains.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 9

My current solution provides visibility into cloud activities and tells me if there’s any sign of account compromise.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 10

My current solution allows me to quickly contain and remediate BEC/EAC threats through automated threat detection and response.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 11

My current solution allows me to train end users to spot identity deception and phishing tactics that could lead to BEC/EAC.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 12

My current security awareness training lets me customize training based on the type of threats employees are targeted with.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 13

My current solution provides password training and educates users on why reusing passwords can lead to account compromise.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 14

My current solution protects the main attack vectors for BEC and EAC, including corporate email, personal webmail, cloud apps, and social media.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Question 15

My current solution allows me to consolidate multiple security products and vendors by providing an integrated, comprehensive BEC/EAC solution.

  • I have no solution for this
  • Strongly Disagree
  • Slightly Disagree
  • Neither Agree nor Disagree
  • Slightly Agree
  • Strongly Agree

Assessment Complete


You are Protected

Business email compromise (BEC) threats, in which attackers pretend to be you, and email account compromise (EAC) threats, in which attackers become you, use social engineering and identity deception to trick or threaten victims into complying with a request. They don’t need malicious links or attachments; often they masquerade as a legitimate business. Read your score breakdown below for more information.

Business email compromise
How well are you protected against BEC attacks?

It’s never too late, or too early, to start developing a strong defense strategy for BEC/EAC attacks.

Business email compromise (BEC) and email account compromise (EAC) have resulted in reported losses of more than $26 billion worldwide since 2016, and the financial losses associated with these scams continue to rise. These attacks target companies of all sizes and in all regions. If you have not addressed this matter yet, you need to prioritize it.

Addressing the common tactics used to commit business email compromise—such as domain spoofing, display name spoofing, and lookalike domains—is critical. Your email security solution must be able to accurately identify impostor emails that show up at your gateway and block them before they can reach your users.

Having a DMARC record and enforcing DMARC authentication on third-party domains are also key to preventing impostor threats and fraudulent use of your trusted domain. DMARC authentication adds another security layer to protect your internal users from impostor email and credential phishing. In addition, your email security solution should guide you on what DMARC policies to create and enforce without interrupting your core business communication.

You are on the right track to combating impostor threats.

A robust gateway can help you reduce cybersecurity “noise”: incidents you must investigate, verify and remediate. A gateway built for modern BEC/EAC threats accurately blocks impostor emails and credential phishing with dynamic detection for all users, which is more effective than gateways that rely on manual or static rules for a limited number of users. In addition, your email security solution must address common tactics used to commit business email compromise, such as domain spoofing, display-name spoofing and lookalike domains.

Having a DMARC record and enforcing DMARC authentication on third-party domains are also key to preventing impostor threats and fraudulent use of your trusted domain. DMARC authentication adds another security layer to protect your internal users from impostor and phishing email. It also protects your organization’s brand so that it doesn’t get used by attackers to steal money from customers or business partners. In addition, your email security solution should guide you on what DMARC policies to create and enforce without interrupting your core business communication.

You’re off to a good start. A robust email gateway that can dynamically detect impostor emails and identify phishing scams helps stop these threats before they can hurt your users. It doesn’t rely on manual or static rules, which can’t keep up with the latest changes in attacker tactics.

Enforcing DMARC is also key to prevent fraudulent use of your domains. DMARC authentication protects not just your internal users from impostor email, but also protects customers and business partners from fraudulent email that misuses your domain.

But BEC/EAC is a complex problem. Attackers often change tactics to get around individual security measures. Make sure you’re thinking holistically and addressing all of the attackers’ tactics.

Email account compromise
How well are you protected against EAC attacks?

There’s still room for improvement. You’re exposed to two kinds of email fraud: business email compromise (BEC), in which attackers pretend to be you, and email account compromise (EAC), in which attackers essentially become you. BEC and EAC intertwine with each other. You may still be exposed to email fraud even if you’re protected against tactics that rely on identity deception. Once attackers compromise an account, they can easily start phishing and BEC attacks internally and against your supply chain.

Attackers can get into your environment in multiple ways. Therefore, you must protect all the main attack vectors for BEC and EAC—including cloud applications, users’ corporate email and their personal webmail. For your most attacked users, you should also deploy adaptive security and access controls. That may include additional security awareness training, isolating their web access so their credentials don’t get stolen in phishing attacks and restricting their access to unmanaged devices. That way, you can prevent account compromise before it happens.

Your security solution must also detect EAC and any suspicious cloud account activities, such as failed logins and brute-force attacks. It must also prioritize critical incidents and automate threat response with contextual and actionable alerts.

You have some ability to defend against EAC. But that’s just one form of email fraud. In business email compromise (BEC) attacks, attackers pretend to be you. In email account compromise (EAC), attackers essentially become you. Because BEC and EAC intertwine with each other, it is important to address both in a holistic manner.

Attackers can get into your environment in multiple ways. And once they compromise an account, they can easily start phishing and BEC attacks internally and against your supply chain. Therefore, you need to protect all the main attack vectors for BEC and EAC, including cloud applications, users’ corporate email and their personal webmail. Your security solution must be able to detect EAC and any suspicious cloud account activities, such as failed logins and brute-force attacks. It must also prioritize critical incidents and automate threat response with contextual and actionable alerts.

For your most attacked users, you should implement adaptive security and access controls. That may include additional security awareness training, isolating their web access so their credentials don’t get stolen in phishing attacks, and restricting their access to unmanaged devices. That way, you can prevent account compromise before it happens.

You’re doing it right. Email fraud involves two main threats: business email compromise (BEC), in which attackers pretend to be you, and email account compromise (EAC), where attackers essentially become you. Because BEC and EAC intertwine with each other, it is important to address both in a holistic manner.

Attackers can get into your environment in multiple ways. And once they compromise an account, they can easily start phishing and BEC attacks internally and against your supply chain. Therefore, you must protect all the main attack vectors for BEC and EAC, including cloud applications, users’ corporate email and their personal webmail. Your security solution must be able to detect EAC and any suspicious cloud account activities, such as failed logins and brute-force attacks. It must also prioritize critical incidents and automate threat response with contextual and actionable alerts.

For your most attacked users, you should also implement adaptive security and access controls. That may include additional security awareness training or isolating their web access, so their credentials don’t get phished, and restricting their access to unmanaged devices. That way, you can prevent account compromise before it happens.

Visibility
Do you have a full picture of your human attack surface?

You might be flying blind to your BEC/EAC risk. Because BEC/EAC attacks target people, visibility into your human attack surface is critical. Without visibility, it’s hard to provide answers to your board and management about:

  • What your organization’s BEC/EAC risk is
  • Which people are vulnerable
  • What you should do to mitigate the risk

Your email security solution must provide you with people-centric visibility that helps you identify your most attacked people, who’s being attacked with phishing and impostor emails, and whose cloud email account has been compromised. In addition to knowing who’s being attacked with BEC and phishing, you also need visibility into who’s sending emails using your domain. That includes trusted third-party senders. That way, you can better understand and communicate BEC/EAC risks to your management and the board, while prioritizing mitigation.

Not bad. You've got some visibility into your BEC/EAC risk. But if you don't have visibility into your human attack surface, you're still exposed. Because BEC/EAC attacks target people, visibility into your human attack surface is critical. Attackers are shifting their aim away from infrastructure to people directly. Without people-centric visibility, it’s hard to provide answers to your board and management about:

  • What your organization’s BEC/EAC risk is
  • Which people are vulnerable
  • What you should do to mitigate the risk

Getting people-centric visibility helps you identify your most attacked people, who’s being attacked with phishing and impostor emails, and whose cloud email account has been compromised. In addition to knowing who’s being attacked with BEC and phishing, you also need visibility into who’s sending emails using your domain. That includes trusted third-party senders. That way, you can better understand and communicate BEC/EAC risks to your management and the board, while prioritizing mitigation.

Well done. You've got visibility into your BEC/EAC risk. You know that BEC/EAC attacks target people and having visibility into your human attack surface is critical to successfully defending against these types of attacks. Attackers are shifting their aim from infrastructure to people directly. With people-centric visibility, you can provide answers to your board and management about:

  • What your organization’s BEC/EAC risk is
  • Which people are vulnerable
  • What you should do to mitigate the risk

People-centric visibility helps you identify your most attacked people, who’s being attacked with phishing and impostor emails, and whose cloud email account has been compromised. In addition to knowing who’s being attacked with BEC and phishing, you also need visibility into who’s sending emails using your domain. That includes trusted third-party senders. With visibility into all these areas, you can better understand and communicate BEC/EAC risks to your management and the board, while prioritizing mitigation.

Remediation
Can you identify and respond to BEC/EAC threats quickly and efficiently?

You’re probably spending too much time cleaning up BEC/EAC threats across your organization. And the longer it takes for you to remediate BEC/EAC threats, the longer your organization is exposed.

To quickly contain the spread of BEC/EAC threats, your solution needs to automate the threat detection and response process. For example, it should allow you to quarantine potential impostor emails, reset user passwords, reauthenticate users, and suspend compromised accounts in an automated fashion. You should also be able to delete, with one click or automatically, phishing emails that contain URLs which are poisoned post-delivery, even if they were forwarded to or received by other end users. Automating these functions helps you accelerate threat response while doing less manual work.

Good for you. You have some capabilities in threat remediation. Cleaning up BEC/EAC threats across your organization could be time-consuming. The longer it takes for you to remediate BEC/EAC threats, the longer your organization is exposed.

To quickly contain the spread of BEC/EAC threats, your email security solution must automate the threat detection and response process. For example, it should allow you to quarantine potential impostor emails, reset user passwords, reauthenticate users, and suspend compromised accounts in an automated fashion. You should also be able to delete, with one click or automatically, phishing emails that contain URLs which are poisoned post-delivery, even if they were forwarded to or received by other end users. Automating these functions helps you accelerate threat response while doing less manual work.

Nice job. You are automating threat detection and response, so it’s easy for you to clean up BEC/EAC threats across your organization. Your email security solution automates the threat detection and response process. It should also allow you to quarantine potential impostor emails, reset user passwords, reauthenticate users, and suspend compromised accounts, all in an automated fashion. You should also be able to delete, with one click or automatically, phishing emails that contain URLs which are poisoned post-delivery, even if they were forwarded to or received by other end users. Automating these functions helps you accelerate threat response while doing less manual work.

End User
Are your people equipped to recognize and report BEC/EAC attempts?

You’re missing a key component in your BEC/EAC defense strategy—end user training.

BEC and EAC have a lot in common. They both target people; they both rely on social engineering; and they both aim to solicit fraudulent payment. These threats rely on people to activate them. Therefore, mitigating BEC and EAC risks requires both technology and training. You need to educate your users to identify phishing and identity deception tactics, such as display-name spoofing and lookalike domains. You should also provide end-users with password training, so they know how to create a strong password and why they shouldn’t reuse or share passwords. Security awareness training plays a critical role in mitigating risks of email fraud because it helps your users to become part of your line of defense.

You should also customize security awareness training so that it maps back to your organization’s internal process. Make sure you have an abuse mailbox set up and instruct your users to send suspicious emails to it. You should also provide feedback to your users and let them know the analysis results of any email they report.

You have taken end-user training into account, which is a key component in mitigating BEC/EAC risks.

BEC and EAC have a lot in common. They both target people; they both rely on social engineering; and they both aim to solicit fraudulent payment. These threats rely on people to activate them. Therefore, mitigating BEC and EAC risks requires both technology and training. You need to educate your users to identify phishing and identity deception tactics, such as display-name spoofing and lookalike domains. You should also provide end-users with password training, so they know how to create a strong password and why they shouldn’t reuse or share passwords. Security awareness training plays a critical role in mitigating risks of email fraud because it helps your users to become part of your line of defense.

Your solution should allow you to customize security awareness training so that it maps back to your organization’s internal process. Make sure you have an abuse mailbox set up and instruct your users to send suspicious emails to it. Your solution should automatically analyze those emails and provide feedback to your users, letting them know the analysis results of the email they report.

You’re doing it right—you have taken end-user training into account. That is a key component in mitigating BEC/EAC risks.

BEC and EAC have a lot in common. They both target people; they both rely on social engineering; and they both aim to solicit fraudulent payment. These threats rely on people to activate them. Therefore, mitigating BEC and EAC risks requires both technology and training. You need to educate your users to identify phishing and identity deception tactics, such as display-name spoofing and lookalike domains. Security awareness training plays a critical role in mitigating risks of email fraud because it helps your users to become part of your line of defense.

Your solution should allow you to customize security awareness training so that it maps back to your organization’s internal process. Make sure you have an abuse mailbox set up and instruct your users to send suspicious emails to it. Your solution should also automatically analyze those emails and provide feedback to your users, letting them know the analysis results of the email they report.

Integration
Are your BEC/EAC capabilities part of an integrated cyber defense?

Growing overwhelmed by too many security products and vendors—and not having enough people to manage them—are two common challenges for any security team. An integrated, end-to-end solution that addresses all attackers’ tactics helps to not only better defend against BEC and EAC, but also allows you to consolidate multiple security products and vendors. That saves you time and cost in managing point products that don’t talk to each other. In addition, you need visibility across all your security control points. A solution with tight integration should help you automate threat detection, investigation, and response, and connect the dots across different control points, including email, cloud apps, and users.

You have some integration. But growing overwhelmed by too many security products and vendors—and lack of security professionals to manage them—are two common challenges for any security team. An integrated, end-to-end solution that addresses all attackers’ tactics helps to not only better defend against BEC and EAC, but also allows you to consolidate multiple security products and vendors. That saves you time and cost in managing point products that don’t talk to each other. In addition, you need visibility across all your security control points. A solution with tight integration should help you automate threat detection, investigation, and response, and connect the dots across different control points, including email, cloud apps, and users.

Excellent. You have an integrated solution that allows you to consolidate multiple security products and vendors. Growing overwhelmed by too many security products and vendors—and lack of security professionals to manage them—are two common challenges for any security team. While your integrated solution saves you time and cost in managing point products that don’t talk to each other, it should also address all attackers’ tactics used to conduct BEC and EAC.

You should already be getting visibility across all your security control points and automating threat detection, investigation, and response. An integrated BEC/EAC solution can help you connect the dots across different control points, including email, cloud apps and users.

Defend against BEC/EAC attacks quickly and effectively with Proofpoint

Because BEC and EAC intertwine with each other, you need to address them both with a comprehensive solution that addresses all tactics, automates detection and remediation, and provides visibility to your BEC/EAC risk. Proofpoint is the only vendor that provides an integrated, holistic solution to effectively stop BEC and EAC attacks. Our solution includes:

  • Visibility into which users are being attacked
  • Visibility into who's sending emails using your domain
  • Training that allows users to be more resilient to impersonation
  • Automated detection and remediation of attacks
  • An impostor classifier that prevents delivery of BEC attempts
  • Automatic remediation of compromised accounts through re-authentication and password resets


How to Effectively Block BEC and EAC Attacks

Gateway

  • Block attacks that use spoofed domains
  • Tag external email to inform recipients of the origin of the email
  • Analyze message headers to identify anomalies
  • Analyze all email content with machine learning
  • Identify and block display name spoofing
  • Enforce email authentication policy

Authentication

  • Create a global email authentication policy (DMARC) and enforce it on an internet-wide basis
  • Block all attempts to send unauthorized emails from your trusted domains
  • Report on lookalike domain registrations
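The gateway and authentication controls listed above, and the DMARC guidance in the results section, name three tactics without showing what a check for them looks like. The script below is an added example written for this page, not Proofpoint's product or code: it runs display-name spoofing, lookalike-domain and DMARC disposition checks over constructed sample messages. The domain example.com, the DMARC record, the protected-sender list, the sample messages and the parsing of an upstream verifier's Authentication-Results header are all assumptions, and the relaxed-alignment test is a simplification of the Public Suffix List rule real DMARC implementations use.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed: the protected organisation's domain and the DMARC TXT record it
# publishes at _dmarc.example.com (both constructed for this example).
OUR_DOMAIN = "example.com"
DMARC_TXT = "v=DMARC1; p=reject; sp=quarantine; adkim=s; rua=mailto:dmarc-reports@example.com"

# Assumed: display names attackers commonly impersonate, mapped to the only
# address each person legitimately sends from.
PROTECTED_NAMES = {"alice ceo": "alice@example.com", "bob cfo": "bob@example.com"}


def parse_dmarc(txt):
    """Parse a DMARC TXT record into tag -> value, filling in the RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")      # relaxed DKIM alignment unless adkim=s
    tags.setdefault("sp", tags["p"])   # subdomain policy falls back to p
    return tags


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match; relaxed accepts a
    parent/child relationship (simplified; real DMARC uses the Public Suffix List)."""
    if mode == "s":
        return from_domain == auth_domain
    return (from_domain == auth_domain
            or from_domain.endswith("." + auth_domain)
            or auth_domain.endswith("." + from_domain))


def dmarc_disposition(record, from_domain, dkim_domain, dkim_passed):
    """Return 'pass', or the policy action (none/quarantine/reject) to apply."""
    if dkim_passed and aligned(from_domain, dkim_domain, record["adkim"]):
        return "pass"
    return record["p"] if from_domain == OUR_DOMAIN else record["sp"]


def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    return domain != OUR_DOMAIN and edit_distance(domain, OUR_DOMAIN) <= 2


def analyze(raw_message):
    """Run the gateway checks on one RFC 5322 message and return a list of findings."""
    msg = message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display-name spoofing: a protected name on an address it does not belong to.
    expected = PROTECTED_NAMES.get(display.strip().lower())
    if expected and addr.lower() != expected:
        findings.append("display-name-spoof")

    # 2. Lookalike domain: one or two character edits away from our own domain.
    if is_lookalike(domain):
        findings.append("lookalike-domain")

    # 3. Domain spoofing: mail claiming our domain must carry aligned, passing DKIM;
    #    otherwise the published DMARC policy decides. The DKIM verdict is assumed to
    #    have been recorded upstream in an Authentication-Results header.
    if domain == OUR_DOMAIN or domain.endswith("." + OUR_DOMAIN):
        auth = msg.get("Authentication-Results", "")
        m = re.search(r"dkim=(\w+)(?:.*?header\.d=([\w.-]+))?", auth)
        result = m.group(1) if m else "none"
        dkim_domain = (m.group(2) or "").lower() if m else ""
        verdict = dmarc_disposition(parse_dmarc(DMARC_TXT), domain, dkim_domain, result == "pass")
        if verdict != "pass":
            findings.append("dmarc-" + verdict)
    return findings


# Constructed sample messages: one legitimate, one per tactic.
SAMPLES = {
    "legitimate": (
        "Authentication-Results: mx.example.com; dkim=pass header.d=example.com\n"
        'From: "Alice CEO" <alice@example.com>\nSubject: Board pack\n\nAttached.\n'),
    "display_name_spoof": (
        'From: "Alice CEO" <alice.ceo@freemail.example>\nSubject: Invoice\n\nPlease handle.\n'),
    "lookalike_domain": (
        'From: "Accounts Payable" <ap@examp1e.com>\nSubject: Invoice\n\nSee attached.\n'),
    "domain_spoof": (
        "Authentication-Results: mx.example.com; dkim=fail header.d=example.com\n"
        'From: "Alice CEO" <alice@example.com>\nSubject: Invoice\n\nPlease handle.\n'),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:20s} -> {analyze(raw) or ['clean']}")
```

The three checks are independent on purpose: a message from a lookalike domain never reaches the DMARC step, because DMARC only governs mail that claims your domain, which is exactly why the page treats lookalike-domain reporting as a separate control from authentication.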

Cloud Applications

  • Identify suspicious cloud account activity
  • Detect brute-force attacks
  • Build policies to prioritize alerts
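The cloud-application controls above, and the results text that asks for detection of failed logins, brute-force attacks and prioritized alerts, describe what a sign-in monitor should surface. The detector below is an added example written for this page, not Proofpoint's own logic: it runs a sliding window over constructed sign-in events and raises three alert kinds, a single-account failure burst, a password spray across many accounts, and the strongest compromise indicator the page points to, a success from a source that just produced a burst of failures. The thresholds, the event format and the recommended actions (taken from the page's remediation list) are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed detection thresholds; tune to a tenant's normal failure rate.
FAIL_THRESHOLD = 5               # failures from one source inside WINDOW
WINDOW = timedelta(minutes=10)
SPRAY_MIN_ACCOUNTS = 3           # distinct accounts in the burst => password spraying

# Responses the page lists for compromised accounts, keyed by alert kind.
ACTIONS = {
    "brute-force": "block source; alert on the targeted account",
    "password-spray": "block source; review every targeted account",
    "success-after-failures": "force password reset; reauthenticate sessions; investigate",
}

# Constructed sign-in events: (ISO timestamp, source IP, account, result).
EVENTS = [
    ("2024-05-01T09:00:00", "198.51.100.7", "alice@example.com", "failure"),
    ("2024-05-01T09:00:05", "198.51.100.7", "alice@example.com", "failure"),
    ("2024-05-01T09:00:11", "198.51.100.7", "alice@example.com", "failure"),
    ("2024-05-01T09:00:16", "198.51.100.7", "alice@example.com", "failure"),
    ("2024-05-01T09:00:22", "198.51.100.7", "alice@example.com", "failure"),
    ("2024-05-01T09:01:02", "198.51.100.7", "alice@example.com", "success"),
    ("2024-05-01T10:00:00", "203.0.113.9", "bob@example.com", "failure"),
    ("2024-05-01T10:00:01", "203.0.113.9", "carol@example.com", "failure"),
    ("2024-05-01T10:00:02", "203.0.113.9", "dave@example.com", "failure"),
    ("2024-05-01T10:00:03", "203.0.113.9", "erin@example.com", "failure"),
    ("2024-05-01T10:00:04", "203.0.113.9", "frank@example.com", "failure"),
    ("2024-05-01T11:30:00", "192.0.2.44", "carol@example.com", "failure"),   # one typo, then success
    ("2024-05-01T11:30:40", "192.0.2.44", "carol@example.com", "success"),
]


def detect(events):
    """Sliding-window detector over sign-in events; returns prioritized alert dicts."""
    failures = defaultdict(deque)   # source IP -> deque of (time, account) failures inside WINDOW
    reported = set()                # sources already reported for a burst, to avoid alert storms
    alerts = []
    for ts, source, account, result in sorted(events):
        now = datetime.fromisoformat(ts)
        window = failures[source]
        while window and now - window[0][0] > WINDOW:
            window.popleft()        # drop failures that have aged out of the window
        if result == "failure":
            window.append((now, account))
            if len(window) >= FAIL_THRESHOLD and source not in reported:
                reported.add(source)
                accounts = sorted({a for _, a in window})
                kind = "password-spray" if len(accounts) >= SPRAY_MIN_ACCOUNTS else "brute-force"
                alerts.append({"kind": kind, "source": source,
                               "accounts": accounts, "action": ACTIONS[kind]})
        elif result == "success" and len(window) >= FAIL_THRESHOLD:
            # A success right after a failure burst from the same source is the
            # signal that should trigger the page's automated remediation steps.
            alerts.append({"kind": "success-after-failures", "source": source,
                           "accounts": [account], "action": ACTIONS["success-after-failures"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(f"{alert['kind']:24s} {alert['source']:14s} {', '.join(alert['accounts'])}")
        print(f"    action: {alert['action']}")
```

Carol's single failed attempt followed by a success produces nothing, which is the point of the window and threshold: the detector separates ordinary typos from the failure bursts that warrant a forced reset, rather than alerting on every failed login.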

Web Access

  • Isolate access to unknown websites
  • Provide read-only access until security analysis is complete
  • Control content entering your organization through personal webmail accounts

Visibility

  • Identify the Very Attacked People (VAPs) in your organization
  • View the authentication status of your supply chain
  • Provide user-centric visibility into account attacks

Automated Remediation

  • Identify and remove suspicious emails that have entered the organization
  • Remove unwanted email from internal accounts that are compromised
  • Force password resets and disable accounts that are compromised
  • Use an account authentication solution to reauthenticate sessions
  • Investigate account compromise incidents

Education

  • Assess user vulnerability to BEC and EAC threats
  • Train users on how to identify threats and credential theft
  • Automate the abuse mailbox process

Demo

Protection against business email compromise

Proofpoint email analysis accurately identifies and blocks business email compromise using machine learning techniques and email authentication.


Ready to give Proofpoint a try?

Let us walk you through our BEC and EAC solutions and answer any questions you have about email security.