What is Business Email Compromise (BEC)?

Business email compromise (or BEC for short) is a form of phishing attack, whereby a cyber criminal impersonates a senior executive and attempts to coerce an employee, customer, or vendor to transfer funds or sensitive information to the phisher.

BEC scams are a serious threat to organisations of all sizes and across all sectors, including non-profit organisations and government. It represents one of the fastest growing, lowest cost, highest return cyber crime operations.

The cost of BEC in the UK

According to Action Fraud, there were over 1,500 reports from UK companies in 2016-2017, which cost businesses approximately £32.2 million.

An example of a BEC incident was seen at Dublin Zoo in 2017, when cyber criminals reportedly obtained nearly US$ 600,000. They allegedly intercepted legitimate supplier invoices sent to the zoo and manipulated data on the documents to change payment details and account numbers, requesting that funds be sent into a fraudulent account.

What is an example of a BEC attempt in the real world?

Example 1

The following BEC email was received at a government organisation in the UK, and is representative of the kind of BEC emails you may see. It is suspected that the data used in the email (company names, contract type etc) were obtained from the publicly available procurement contract websites used by government organisations to tender for contracts.

Example 2

This is an example of a less sophisticated email, but still looking to trick the recipient into sending money for a fake contract. The criminal used a publicly available email account (such as gmail) to create a random account, but sets up the “display name” to show that of the target organisations CEO.

The attacker then finds contact information for a senior executive, who works directly below the CEO (either from the corporate website, social media, or guessing the organisations email format, usually first.last@domain.com), and watches social media to see when the CEO is out of the office on business. They then send the following email to the senior executive:

If the senior executive should reply to the email at all, even just to say “yes” or “how can I help”, the phisher sends a further email, along the lines of…

You can probably see where this is going…

Example 3

This third example is very similar to the second, but instead of a generic email with no personalisation, the attacker has attempted to craft the email to look like a legitimate, more personal one:

And guess what those ‘further details’ would be… yep, there’s a new contact with a vendor and we need to create a payment!

What can be done to minimise the risk of a sucessful compromise?

As BEC emails are essentially phishing, they can be mitigated in much the same way. One key way to prevent a successful BEC attack is to ensure that the creation of new payments has a strict process with the finance team / individual, requiring multiple levels of sign off and potentially a secondary check by contacting the company requesting payment by phone to confirm the request.

Action Fraud and the National Fraud Intelligence Bureau (FNIB) operate a 24/7 hotline on 0300 123 2040 for businesses (in the UK) to report live cyber attacks. If you think you’ve been a victim of a BEC incident, I would recommend keeping a timeline of events, and save any information that is relevant to the attack.

For more information, you can visit the NCSC website below:

NCSC – Avoiding Phishing Attacks

NCSC – Email Security and Anti-Spoofing

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.