
BEC Scams: What to Look For, What to Do

Armen Najarian October 30, 2020 BEC

We’ll cover what BEC scams (Business Email Compromise scams) are, how they work, what you should look for, and what to do about them, including:

  • What the Heck is BEC?
  • 3 Reasons BEC Attacks Are Getting Worse
  • What Are The Top BEC Scams to Look Out For?
  • Key Identity Deception Tactics You Need to Know
  • How Can BEC Scams Be Blocked?

What the Heck is BEC?

Here’s how BEC scams work: Business Email Compromise (BEC) scams occur when fraudsters use spoofed or hijacked email accounts to impersonate trusted contacts—like vendors or senior executives—asking employees to wire payments or make purchases under false pretenses.

According to the FBI, BEC scams have led to more than $26 billion in business losses worldwide from 2016 through 2019—or more than $700 million per month. Then along came 2020. So far this year BEC attacks have been proliferating at an ever-increasing rate. As of May 31, the bureau’s Internet Crime Complaint Center (IC3) reported the total volume of advanced email attacks had already exceeded all of 2019.

3 Reasons BEC Attacks Are Getting Worse

There are three primary drivers behind these underlying trends.

  1. Successful BEC scams are growing less dependent on technical know-how than on savvy social engineering tricks. The malicious links or malware used in previous attacks are easily detected and blocked by most email security controls.
  2. The ROI achieved in these attacks has earned the attention of some of the world’s top cybercriminals. Agari researchers were the first to document the fact that the West African email fraudsters who pioneered BEC methodologies now face competition from sophisticated Eastern European crime syndicates and operatives in more than 50 countries, including the US.
  3. The coronavirus pandemic, social unrest, and political uncertainty have provided a surfeit of emotional levers for swindlers to exploit. In addition to grappling with remote working, housebound children, financial stress, and any number of other distractions, corporate employees are getting bombarded by BEC scams and other advanced email threats.

What Are The Top BEC Scams to Look Out For?

Once known primarily as “CEO Fraud,” BEC can now more accurately be described as a broad category of email-based attacks designed to pilfer money from corporations. Popular scams include:

  • Vendor Email Compromise: Fraudsters use stolen credentials to infiltrate corporate email accounts, spy on email conversations, and then impersonate the organization’s employees in emails requesting that payment for invoices be sent to bank accounts the imposters secretly control.
  • Payroll Diversion: Attackers target HR or accounting personnel by posing as employees in emails requesting last-minute changes to direct deposit details in time for the next pay period.
  • Gift Card Scams: Fraudsters impersonate senior managers asking admins and other employees to purchase gift cards for upcoming staff appreciation efforts. In these cons, perpetrators request the gift card number and the PIN on the back of the cards, which can then be sold in online cryptocurrency exchanges.
  • Aging Financial Accounts Scams: Here, cybercriminals assume the identity of a senior executive seeking aging accounts receivable reports from one company, and then use the information gleaned from those reports to target the company’s customers with requests for payment on legitimate, past-due invoices.
  • Transaction Diversion: Shysters infiltrate email accounts at VC firms, law offices, real estate offices, or other organizations involved in large transactions to surveil email conversations. At the most opportune moment, they send an email instructing the purchasing entity to wire funds to the thieves’ own accounts.

Key Identity Deception Tactics You Need to Know

Regardless of the form of attack, BEC scams use identity deception to convince recipients to take action under the mistaken belief they are responding to a legitimate request from a trusted individual or organization.

Lookalike domains, spoofing, display-name deception and messages sent from hijacked email accounts are just a few of the mechanisms cybercriminals use to send malicious emails that are virtually indistinguishable from legitimate email messages from known senders.

At the same time, BEC phishing messages sent from G-Suite, Office 365 and other cloud-connected email services fly past traditional security controls due to the reputation and pervasiveness of these popular platforms.

Then there are the emails themselves. Instead of the spray-and-pray spam emails of old, the email messages these fraud rings send are flawlessly researched and exquisitely personalized using context-relevant information. This can be as simple as a late-afternoon query from a senior executive who’s “stuck in a Zoom call” and needs an employee in accounting to wire an overdue payment to a new vendor.
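To make the deception mechanisms above concrete, here is an added Python example (not Agari’s code and not from the original post) that triages a message’s From, Reply-To and display-name headers against a constructed, hypothetical list of executives and trusted vendor domains: it flags display-name deception, lookalike domains (including simple homoglyph swaps such as “rn” for “m”), and Reply-To diversion. The domains, names and sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed, hypothetical organisation data (not from the original post).
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name -> real mailbox
TRUSTED_VENDOR_DOMAINS = {"acme-supplies.com"}

def _norm(domain):
    """Fold common homoglyph substitutions so look-alikes compare equal."""
    d = domain.lower()
    for src, dst in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w")):
        d = d.replace(src, dst)
    return d

def _edit_distance(a, b):
    """Plain Levenshtein distance; catches one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, known):
    """Return the known domain this one imitates, or None if it is genuine/unrelated."""
    n = _norm(domain)
    for k in known:
        if domain.lower() != k and (n == k or _edit_distance(n, k) <= 1):
            return k
    return None

def assess(raw_message):
    """Return a list of identity-deception findings for one RFC 822 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []
    # Display-name deception: a known executive's name on a different mailbox.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append("display-name deception: %s is not %s" % (addr, real))
    # Lookalike domain imitating our own domain or a trusted vendor.
    imitated = lookalike_of(from_domain, {OUR_DOMAIN} | TRUSTED_VENDOR_DOMAINS)
    if imitated:
        findings.append("lookalike domain: %s imitates %s" % (from_domain, imitated))
    # Reply-To pointing somewhere other than the sending domain diverts the thread.
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply-to diversion: replies go to %s" % reply_to)
    return findings

# Constructed sample messages for the examples above.
SAMPLE_BEC = """From: Jane Doe <jane.doe@exarnple.com>
Reply-To: jane.doe@webmail-relay.test
Subject: Quick favour - stuck in a Zoom call
"""
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
Subject: Q3 planning
"""
```

Running `assess(SAMPLE_BEC)` yields three findings, while `assess(SAMPLE_LEGIT)` yields none; a hijacked legitimate account produces no header anomalies, which is exactly why the post argues header checks alone are not sufficient.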

These kinds of subtle mind games are effective at throwing recipients off kilter—especially with so many eager to demonstrate responsiveness to a key executive while working from home. Far too many will follow through on such requests before thinking to confirm the legitimacy of the message. In recent simulations, phishing awareness training firm KnowBe4 found that one-third of employees will obey a fraudulent email request, no questions asked.

How Can BEC Scams Be Blocked?

Here are a few things you can do to stop BEC scams from attacking your company:

  • Train your employees to identify BEC scams
  • Tighten your payment processes
  • Deploy identity-based phishing defenses
  • Use continuous detection and response technologies

Unfortunately, doing only one of these independently of the others probably won’t be enough to protect you. Here’s why.

Lookalike domains and spoofed email addresses are hard enough to spot. Factor in malicious emails sent from hijacked email accounts belonging to trusted suppliers, and the challenge grows exponentially.

Oh, and email account compromise (EAC) attacks launched from accounts belonging to a company’s own senior executives? That’s its own special nightmare. Most traditional email controls don’t even scan internal email.

But while phishing awareness and business email compromise training is always a good idea, relying exclusively on a human firewall to spot signs of BEC and report suspect emails to the security operations center (SOC) isn’t realistic.

Thanks to their sheer volume and inventiveness, BEC scams account for as much as 40% of all cybercrime business losses each year. And our own research has found that 60% of employee-reported email scams are false positives, burying SOC analysts under more reported email attacks than they can possibly handle.

Instead, layered security and accounting controls are required given the enormity of the threat.

In addition to tightened payments processes, organizations will need to deploy modern, identity-based phishing defenses with tools and solutions for blocking even the most sophisticated, socially engineered BEC attacks—including those launched from internal email accounts. And continuous detection and response technologies are required to sniff out and automatically remove malicious emails that do manage to avoid early detection.

The cost of doing nothing to stop BEC scams is rising—sometimes in unexpected ways. As National Law Review reports, case law and regulatory bodies are increasingly bringing enforcement actions against organizations that fall victim to such attacks for being negligent and reckless in failing to adequately address BEC scams and other advanced email threats that can be successfully avoided.

Want to learn how companies like Allergan, Comcast, Informatica and others defend themselves against BEC scams and other advanced email threats? See for yourself with a simulated product demo for Agari Phishing Defense.
