Everything You Need To Know About BEC Phishing Attacks

Business Email Compromise (BEC) Attack: An In-Depth Overview of Targeted Phishing

Business Email Compromise (BEC) is a sophisticated type of phishing attack where the attacker targets businesses and individuals who use email as a primary method of communication. The goal is to deceive employees, executives, or partners into transferring money or sensitive data to the attacker’s account or enabling some form of unauthorized action. These attacks rely more on social engineering than on malware or system vulnerabilities, making them difficult to detect.

Key Elements of a BEC Attack

1. Social Engineering:The attacker typically impersonates a trusted figure, such as a CEO, CFO, or a known vendor. They exploit the victim’s trust to manipulate them into taking actions that benefit the attacker, like wiring money or sharing confidential information.
2. Email Account Compromise:Attackers often gain access to a legitimate email account within the company by using phishing techniques or through brute-force attacks. Once they control the account, they monitor ongoing communications, learning the company’s processes and identifying potential targets.
3. Spoofing:Some BEC attackers don’t necessarily gain access to an internal account but instead spoof an email address. This involves making the email appear as though it’s coming from a legitimate person or entity. For example, the attack might slightly alter the email domain or use a look-alike domain that goes unnoticed by the target.
4. Urgency and Pressure:Attackers often instill a sense of urgency to compel the victim to act quickly, leaving no time to verify the legitimacy of the request. Messages may claim the need for a last-minute payment, an emergency request, or even a confidential transfer, pushing the victim to act without due diligence.

Types of BEC Attacks

1. CEO Fraud:The attacker impersonates a CEO or another high-ranking executive and requests an urgent money transfer or sensitive data. These attacks often occur while the executive is traveling or out of the office, making it harder for the employee to verify the legitimacy of the request.
2. Invoice Scams:Attackers compromise or spoof the email of a known supplier or vendor, then send fraudulent invoices to the company’s finance department. The goal is to convince the company to transfer payments to the attacker’s bank account instead of the legitimate supplier.
3. Account Compromise:In this type of attack, the attacker gains access to an employee’s email account and uses it to send phishing emails internally or to external vendors, requesting wire transfers or sensitive information.
4. Attorney Impersonation:The attacker pretends to be a lawyer or legal representative and contacts employees, typically in the finance department, asking for a confidential and urgent wire transfer.
5. Data Theft:Sometimes, the goal of a BEC attack is not financial but rather to steal sensitive information. Attackers often target HR departments or finance teams to collect personally identifiable information (PII) or tax information, which can later be sold or used in identity theft.

Attack Lifecycle

1. Reconnaissance:Attackers usually spend time observing the target's communication channels, business processes, and employees before launching the actual attack. They may gather information from social media, company websites, and breached databases to create a highly convincing impersonation.
2. Phishing or Malware:Attackers may initially compromise a legitimate email account via phishing, where they trick the victim into providing login credentials, or through malware that logs keystrokes and sends the information back to the attacker.
3. Execution:Once the attacker has enough information, they craft emails designed to look authentic and credible. These emails usually contain a call to action, such as wiring funds or providing sensitive data.
4. Theft:After the victim takes the desired action—typically a money transfer—the funds are usually routed through various bank accounts, making it difficult to track them.

Consequences of BEC Attacks

1. Financial Loss:BEC attacks can result in significant financial losses. The FBI estimates that BEC attacks have caused over $50 billion in losses globally. The amount lost in each attack can vary from a few thousand dollars to millions.
2. Reputation Damage:BEC attacks can damage a company’s reputation, especially if sensitive customer or partner information is compromised. A breach of trust can lead to the loss of clients and partnerships, as well as decreased customer confidence.
3. Operational Disruption:Addressing a BEC attack can disrupt normal business operations. Companies often need to shut down compromised systems, investigate the breach, and take corrective measures, which can take time and resources.
4. Legal and Compliance Issues:In some industries, companies are required to report data breaches. If an attacker gains access to personal data, it may trigger regulatory scrutiny and fines under laws like GDPR or the CCPA.

Prevention Strategies

1. Employee Training:Regularly train employees to recognize phishing emails and to follow security protocols, particularly for financial transactions. Encourage employees to question unusual requests for money or sensitive information, especially if they seem urgent.
2. Multi-factor Authentication (MFA):Implement MFA for all email accounts, especially for executives and financial staff. This makes it harder for attackers to gain access to accounts, even if they manage to steal passwords.
3. Verification Processes:Establish strict procedures for verifying the authenticity of any wire transfer or payment request. For example, require a phone call or in-person confirmation for transactions above a certain threshold.
4. Email Filtering and Monitoring:Deploy advanced email filtering tools that can detect and block suspicious emails. Set up monitoring systems to flag unusual activities, such as sending large numbers of emails from a single account or unexpected file transfers.
5. Incident Response Plans:Create an incident response plan to deal with BEC attacks quickly. This plan should include steps for identifying the breach, notifying affected parties, and contacting law enforcement.

Real-World Example

In this case, a logistics company fell victim to a Business Email Compromise (BEC) attack through an invoice scam, resulting in the unauthorized transfer of over $100,000 to the attacker’s account. This attack showcases how cybercriminals exploit trust, urgency, and communication loopholes to deceive companies into paying fraudulent invoices.

The Attack: How It Happened

The logistics company received an email from what appeared to be one of their regular vendors, requesting a change in the method of payment from the usual process to ACH (Automated Clearing House). Over a series of emails, the attacker, impersonating the vendor, created a sense of urgency by repeatedly asking, “When is the money going to get here?”

An employee at the logistics company, pressured by the urgency, assured the impersonator that they would try to get the payment processed that day. Shortly after, the attacker followed up with even more insistence, amplifying the pressure to transfer the money quickly.

The first red flag appeared when the impersonator requested that the payment be switched to a wire transfer instead of ACH, citing issues with the original method. The employee recognized that this wasn’t a normal request, but by that time, the process was already in motion, and the sense of urgency made it difficult to pause and verify the transaction.

The Discovery: Too Late to Stop It

In an interview with a company employee involved in the transaction, they shared the moment they realized something was wrong:
‍

‍

"We get the email stating that he wants to be ACH, and then it was a constant. 'When is the money gonna get here? When is the money gonna get here?' And I would say, 'I'm trying to get it today.' About an hour later, he calls back and says, 'But that's not my cell phone number on the signature line.' I'm like, I don't care. I have no ethic for this guy anymore. I think he's completely a crook."

At this point, the employee began to question the legitimacy of the request, recognizing the unusual urgency and inconsistency in the contact information. When the vendor clarified that the phone number on the signature line was incorrect, the employee's suspicions were confirmed. The realization that they had been communicating with a fraudster set in, but by then, the payment had already been wired to the attacker.

‍

‍