A Guide to CEO Fraud
By Shanna Utgard, Senior Cyber Advocate, Defendify
“URGENT – Are you available? I need you to take care of a pending invoice from one of our contractors. I’m in a meeting and can’t talk, but we have to handle it ASAP.”
You may have received a message like this or know someone who has. This is an example of a specific type of spear-phishing attack known as Business Email Compromise (BEC) that targets individuals with access to sensitive or financial data.
Cyber attackers use evolved social engineering techniques to take advantage of human interactions to manipulate employees into breaking standard security procedures or ignoring best practices. Even with traditional cybersecurity measures in place, these cybercriminals can gain unauthorized access to an organization’s systems, networks, and information through its employees, often without their knowledge.
How Cyber Criminals Leverage Research and Social Engineering
The FBI defines BEC as a “sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments.” The message above is an example of a CEO impersonation scam, a growing type of BEC attack that attempts to trick employees into thinking a high official at their company needs them to send money – and fast.
Also called CEO fraud, this tactic relies on a sense of urgency and authority while playing off employees’ desire to be helpful and do a good job. According to the FBI Internet Crime Complaint Center’s (IC3) 2021 Internet Crime Report, BEC schemes were the costliest type of attack, with an adjusted loss of approximately $2.4 billion last year.
Before conducting these BEC schemes, the threat actors do their homework. They peruse the company website, social media pages, media coverage, and other publicly available data sources to collect information on their target organization. This research may include details about executive and high-level employees, new hiring announcements, travel plans or similar out-of-office notifications, company news, and other notable projects or events. In the CEO fraud example, they will identify key targets and spoof a trusted persona to ensure the best chance of success. These scams have even evolved to include SMS text messages, personal emails or social media accounts, and personal devices, such as cell phones.
Cybercriminals use the information collected to target employees and persuade them to divulge confidential information or sensitive data that bad actors may use for fraudulent purposes.
Common BEC goals include convincing employees to click on a link and provide log-in credentials, send sensitive data, perform a financial transaction (wiring money, purchasing gift cards), or open malicious attachments.
Other types of Business Email Compromise:
CEO Impersonation: as mentioned above, this tactic involves spoofing a message from an executive requesting that employees perform some action, such as sending a wire or other financial transaction, providing employee W-2s, purchasing gift cards, etc.
Fake Invoice Scams: attackers spoof an email with an invoice from a vendor or third party that an organization regularly works with, but with updated payment information.
Data Theft: HR personnel are targeted to obtain sensitive data such as employee or company tax information, or attackers pose as employees and send new payroll direct deposit instructions.
Account Compromise: email accounts are compromised and used to send out invoices or requests for payment to attacker-controlled accounts.
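The patterns above (an executive's name on an unfamiliar address, a look-alike vendor domain, a Reply-To that silently redirects answers, urgency paired with a payment request) can be screened for before a message reaches an inbox. The following is an added illustration, not code from the original article or from Defendify; the executive directory, the internal domain, the keyword lists and all four messages are constructed sample data, and the two-indicator threshold is an assumed policy rather than a published one.

```python
"""
Heuristic screening of inbound mail for CEO-fraud / BEC indicators.

Added example for illustration; it is not code from the original article or
from Defendify. The executive directory, internal domain and every message
below are constructed sample data.
"""
from email.utils import parseaddr

# Constructed directory: display names attackers are likely to spoof, mapped
# to the address the organization actually uses for that person.
EXECUTIVES = {"pat example": "pat@example.com"}
INTERNAL_DOMAINS = {"example.com"}

# Phrases that mirror the pressure and payment cues described in the article.
URGENCY_TERMS = ("urgent", "asap", "right away", "immediately",
                 "in a meeting", "can't talk")
PAYMENT_TERMS = ("wire", "invoice", "gift card", "direct deposit",
                 "bank details", "payment", "w-2")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot look-alike domains (examp1e vs example)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_internal(domain: str) -> bool:
    """True when the sending domain is one character away from an internal domain."""
    if not domain or domain in INTERNAL_DOMAINS:
        return False
    label = domain.split(".")[0]
    return any(edit_distance(label, d.split(".")[0]) <= 1 for d in INTERNAL_DOMAINS)


def screen(headers: dict, body: str) -> list[str]:
    """Return the list of BEC indicators found in one message (empty = clean)."""
    reasons = []
    name, addr = parseaddr(headers.get("From", ""))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # Display-name impersonation: an executive's name on an address we do not know.
    key = " ".join(name.split()).lower()
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        reasons.append("display-name impersonation")

    # Look-alike domain registered to resemble ours.
    if looks_like_internal(domain):
        reasons.append("look-alike sender domain")

    # Replies silently routed to a different mailbox than the visible sender.
    _, reply_to = parseaddr(headers.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        reasons.append("reply-to mismatch")

    text = body.lower()
    if any(t in text for t in URGENCY_TERMS):
        reasons.append("urgency language")
    if any(t in text for t in PAYMENT_TERMS):
        reasons.append("payment or financial request")
    return reasons


def triage(headers: dict, body: str) -> tuple[str, list[str]]:
    """Assumed policy: two or more indicators hold the message for out-of-band verification."""
    reasons = screen(headers, body)
    return ("hold" if len(reasons) >= 2 else "deliver"), reasons


# Constructed sample messages, one per pattern discussed above.
SAMPLES = {
    "ceo_lookalike": (
        {"From": "Pat Example <ceo.pat.example@freemail.example>"},
        "URGENT - Are you available? I need you to take care of a pending "
        "invoice from one of our contractors. I'm in a meeting and can't talk.",
    ),
    "fake_invoice": (
        {"From": "Accounts <billing@examp1e.com>"},
        "Please note our updated bank details for the attached invoice. "
        "Payment is due immediately.",
    ),
    "spoofed_header": (
        {"From": "Pat Example <pat@example.com>",
         "Reply-To": "pat.example.ceo@freemail.example"},
        "Need you to buy gift cards for clients right away and send me the codes.",
    ),
    "legitimate": (
        {"From": "Pat Example <pat@example.com>"},
        "Please review the Q3 planning deck before Thursday's meeting.",
    ),
}

if __name__ == "__main__":
    for label, (headers, body) in SAMPLES.items():
        print(f"{label:15} {triage(headers, body)}")
```

Run as a script it prints a verdict and the reasons for each sample; the three fraudulent messages each trip three indicators and are held, while the legitimate one passes with none. Keyword matching on its own is noisy, which is why the header checks carry the weight: a genuine executive request from the directory address with no Reply-To redirection only scores on wording, and a held message is routed to the human verification step the article describes rather than simply dropped.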
If an employee falls for these tactics, it could result in damage far beyond personal embarrassment. Providing passwords to bad actors, sending funds or sensitive data to an attacker, and ransomware delivered through the click of a link can all have wide-reaching effects on the entire organization.
Implementing Comprehensive Cybersecurity
We often come back to the pillars of comprehensive cybersecurity: leveraging people, processes, and technology to defend against current and future threats. Applying an adaptable approach to CEO fraud and other BEC scams can go a long way in protecting organizations from evolving tactics, especially with the new challenges of working in a hybrid or remote world.
Employees are often the first and last line of defense against cyberattacks like BEC. They should receive proper training and guidance to recognize and respond to potential threats. Conducting cybersecurity training on an annual (or even quarterly) basis is no longer enough, as threat actors change tactics frequently and awareness dwindles over time. New employees are prime targets for BEC attacks, so it is advantageous to begin their cyber education during their initial onboarding and orientation. Organizations should conduct frequent, engaging training and encourage employees to be on high alert for any scams they might encounter. With the recent move to a hybrid or remote workforce, many organizations implement collaborative cloud-based tools to stay connected. It is now more important than ever to communicate clear policies for these urgent requests, particularly for new employees who may have never met their colleagues in person.
Such a policy may require multiple signatures or approvals, direct face-to-face or telephone verification, or another established process before an urgent request is acted on.
Provide a clear and easy way for employees to report suspicious activity or that they have fallen victim to social engineering attacks, including CEO fraud. An incident response plan for BEC is crucial to mitigate the possible repercussions of such an attack. The faster fraud is reported, the higher the chance any funds or data might be recoverable.
Finally, implementing basic cybersecurity measures can go a long way in preventing widespread impact in the event of a BEC attack. Provide tools for employees to easily create and use unique passwords and enable multi-factor authentication to make it more difficult for cybercriminals to take over email and other valuable accounts.
Through regular, engaging awareness training, simple and clear policies, and secure technology, every employee, from the (real) CEO to the intern, can play a significant part in keeping their organization safe.
About the Author
Shanna Utgard is the Senior Cybersecurity Advocate at Defendify, the all-in-one cybersecurity platform that makes cybersecurity possible for ALL businesses. Shanna is an award-winning channel manager and a frequent speaker on how organizations can develop a comprehensive program that is simple, affordable, and works around the clock on multiple levels. Email her at firstname.lastname@example.org or get in touch with the team at Defendify.com.