Business email compromise scams continue to be one of the most financially damaging cybercrimes in the U.S., according to the Federal Bureau of Investigation. They succeed because so many of us rely on email to conduct business online, and busy or distracted people sometimes don’t read emails as carefully as they should. In business email compromise scams, cybercriminals send email messages that appear to come from sources we trust, making what seem to be legitimate requests. They can fool us in a heartbeat if we’re not paying attention.
BEC schemes are sophisticated scams in which email accounts (and in some cases phone numbers and even virtual meetings) are compromised by criminals using social engineering or computer intrusion techniques. Social engineering generally uses phishing exploits, while computer intrusion usually involves hacking into a network.
In either case, the cybercriminals’ interim goal is to acquire access credentials that enable them to pose as trusted company executives, vendors, or partners. Their ultimate goal is always to divert monies away from the legitimate intended destinations and into their own accounts.
According to the Federal Bureau of Investigation, business email compromise scams generally follow four steps. In Step 1, cybercriminals identify lucrative targets where the potential for diverting substantial amounts of money is strong. They research information available online to develop profiles of the target company and its executives. Targeting may also favor companies with weak security safeguards, which take less effort to breach.
Step 2 entails grooming a victim in the target company, typically through phishing and spearphishing emails and replies over several days. Research from Step 1 is used to appeal personally to the victim and establish credibility.
By Step 3, the victim is convinced that he or she is conducting a genuine business transaction with a legitimate individual, and sensitive information is shared in order to complete the transaction. Finally, in Step 4 the requested funds are transferred to the cybercriminal organization by the unwitting employee.
In its 2022 Congressional Report on Business Email Compromise, the FBI notes that “BEC is one of the fastest growing, most financially damaging internet-enabled crimes. It is a major threat to the global economy.” Comparing complaints to the FBI’s Internet Crime Complaint Center between 2016 and 2021, the report indicates that annual losses attributed to BEC scams were $360 million in 2016—and had escalated to $2.4 billion by 2021. BEC scammers have targeted large and small companies in every U.S. state and more than 150 countries around the world, according to the report.
Companies need to recognize the severity and prevalence of BEC scams and the financial damage they create and take internal steps to reduce this threat.
Adversary-in-the-Middle (AiTM) attacks are a form of hacking in which cybercriminals inject themselves into network communications to steal credentials, forge or copy encryption and identity verification keys, and launch BEC attacks to steal company funds or data. These are also known as man-in-the-middle attacks, because the attacker sits unseen between the communicating parties and secretly captures the information they exchange.
New Multistage BEC Attacks. In May 2023, Microsoft warned of a surge in BEC schemes employing advanced tactics, such as the use of specialized criminal services to create commercial-grade malicious email campaigns. In early June, Microsoft warned that banking and financial services organizations had become the targets of new, multistage adversary-in-the-middle attacks that employ phishing techniques and enable business email compromise scams.
According to the Microsoft report, one such attack “originated from a compromised trusted vendor and transitioned into a series of AiTM attacks and follow-on BEC activity spanning multiple organizations.” This multistage attack began with a phishing email containing a link that redirected the victim to a spoofed Microsoft sign-in page, which then captured the login credentials and one-time passwords the victim entered.
Cybercrime-as-a-Service. The Microsoft warning describes in fairly technical detail some of the new Cybercrime-as-a-Service resources that are now widely available for purchase by enterprising cybercriminals. One specific platform “sells an end-to-end service including templates, hosting, and automated services for BEC.” Adversaries using this service also receive the stolen credentials and the IP address of the victim company. Armed with localized address space in addition to stolen usernames and passwords, BEC attackers can make their sign-ins look local, obscure their movements, and open gateways to conduct further attacks.
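The two paragraphs above describe the defender's problem: an AiTM phishing page captures a valid credential and one-time password, so the resulting session is genuine as far as the identity provider is concerned, and the attacker may even sign in from address space near the victim. One practical detection is to anchor each session to the IP address and browser that completed the MFA challenge and flag any later use of that session from a different context. The script below is an added example, not code from the article, the FBI, or Microsoft; the log format and field names (ts, user, event, session, ip, ua) and the sample events are constructed for illustration.

```python
import json

# Constructed sample sign-in telemetry as JSON lines; these are not real logs.
# s-101: MFA completed from the corporate network, session then used from
#        another network and browser (classic AiTM session replay).
# s-102: MFA and session use from the same context (benign).
# s-103: IP matches (attacker using "localized" address space) but the
#        browser differs, so the IP check alone would miss it.
SAMPLE_LOG = """
{"ts": "2023-06-05T09:01:10Z", "user": "ap.clerk@example.com", "event": "mfa_success", "session": "s-101", "ip": "198.51.100.23", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/114"}
{"ts": "2023-06-05T09:01:14Z", "user": "ap.clerk@example.com", "event": "session_use", "session": "s-101", "ip": "203.0.113.77", "ua": "Mozilla/5.0 (X11; Linux x86_64) Firefox/102"}
{"ts": "2023-06-05T09:30:02Z", "user": "cfo@example.com", "event": "mfa_success", "session": "s-102", "ip": "198.51.100.40", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/114"}
{"ts": "2023-06-05T09:31:45Z", "user": "cfo@example.com", "event": "session_use", "session": "s-102", "ip": "198.51.100.40", "ua": "Mozilla/5.0 (Windows NT 10.0) Edge/114"}
{"ts": "2023-06-05T10:05:00Z", "user": "payroll@example.com", "event": "mfa_success", "session": "s-103", "ip": "198.51.100.51", "ua": "Mozilla/5.0 (Windows NT 10.0) Chrome/114"}
{"ts": "2023-06-05T10:06:30Z", "user": "payroll@example.com", "event": "session_use", "session": "s-103", "ip": "198.51.100.51", "ua": "Mozilla/5.0 (X11; Linux x86_64) Chrome/113"}
"""


def parse_events(raw):
    """Parse JSON-lines telemetry into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.strip().splitlines() if line.strip()]


def find_aitm_indicators(events):
    """Return findings for sessions used from a context other than the one that passed MFA.

    The IP and user agent seen at mfa_success become the session's anchor.
    Every later session_use is compared against that anchor; a change in
    either attribute is reported. Both checks are needed: a proxy operator
    who is handed the victim's IP address can match the network, but the
    browser on the attacker's side is still a different client.
    """
    anchor = {}    # session id -> (ip, ua) recorded when MFA completed
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        sid = ev["session"]
        if ev["event"] == "mfa_success":
            anchor[sid] = (ev["ip"], ev["ua"])
            continue
        if ev["event"] != "session_use" or sid not in anchor:
            continue
        mfa_ip, mfa_ua = anchor[sid]
        reasons = []
        if ev["ip"] != mfa_ip:
            reasons.append("ip_changed")
        if ev["ua"] != mfa_ua:
            reasons.append("user_agent_changed")
        if reasons:
            findings.append({"session": sid, "user": ev["user"],
                             "ts": ev["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_aitm_indicators(parse_events(SAMPLE_LOG)):
        print(f"{f['ts']} {f['user']} session={f['session']} {', '.join(f['reasons'])}")
```

On the constructed data the script flags s-101 for both an IP and a browser change and s-103 for a browser change only, while s-102 is left alone. In production the anchor would come from the identity provider's sign-in log and the action on a finding would be to revoke the session and re-challenge the user, which is the response that actually cuts off the follow-on BEC activity the Microsoft report describes.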
The FBI has recommended five actions that company employees and executives can take in order to reduce their organizations’ vulnerability to business email compromise schemes. These actions should be common sense by now, and included in every organization’s best security practices, but they always bear repeating. Make sure that all employees are schooled in these security tactics and retrained periodically.
Another powerful preventive measure against business email compromise scams is cybersecurity awareness training—and specifically training employees to recognize phishing schemes. Most BECs result from phishing exploits of some type, and multistage BECs employ phishing as one of their crucial and most effective tools. Phishing has dominated complaints to the FBI Internet Crime Complaint Center since 2019, with the four other top complaint categories trailing far behind.
Employees and executives, as well as vendors and partners, need to be aware of how common phishing is, how it works, how to recognize a phishing email, and how much its success relies on employee negligence, distraction, and lack of training. Every company should provide training for everyone and do it regularly to keep it at top of mind.
Personnel who receive overwhelming volumes of email and are required to meet urgent timetables or deadlines are particularly vulnerable to phishing exploits. Ironically, these are often employees or managers in Accounting, Payroll, and Human Resources, where large volumes of company funds, sensitive data, and personally identifiable information reside. If you are unable to plan or conduct the training yourself, hire a professional cybersecurity firm that offers comprehensive phishing and cybersecurity awareness training. Many provide online training courses that can be completed at the employee’s convenience and include testing to reinforce learning.
Business email compromise scams are not new. However, each year they seem to increase in frequency and financial damage. The FBI’s Internet Crime Complaint Center tracks BEC scams reported by U.S. companies, and financial damages have grown exponentially since 2016—most recently totaling $2.4 billion per the FBI’s 2022 Internet Crimes Report.
Companies can reduce their vulnerability to business email compromise scams by following advice offered by the FBI and experienced cybersecurity professionals. In today’s email-intensive business world, educating employees and executives in the serious consequences of BEC scams, training them to recognize phishing schemes, and improving their cybersecurity awareness are absolute requirements for all organizations.