How To Defend Against Business Email Compromise

Business Email Compromise (BEC) attacks are causing businesses to lose 48 times more money than ransomware. Learn how to defend against these pervasive cyberthreats.

Enterprise cybersecurity has been focused on fighting ransomware and malware in recent years, but the latest data from the FBI’s Internet Crime Complaint Center (IC3) suggests that BEC is the more pervasive cyberthreat, with nearly 10x more complaints filed with the FBI in 2023 than were filed for ransomware. Also, businesses are losing roughly 48 times more money from BEC attacks—sometimes called email account compromise (EAC) attacks—compared to ransomware, making it a far more profitable and dangerous form of cybercrime. 

In 2023, BEC attacks in the US caused total losses of $2.9 billion. In contrast, the same report found that companies in the US lost only $59.6 million to ransomware.

A typical BEC scam, according to the FBI, involves criminals sending an email message that appears to come from a known email account (i.e. from the head of a company’s finance department to someone in accounting or accounts receivable), making a legitimate request (more or less, this is a phishing email, but one that looks as if it comes from a legitimate email account familiar to the recipient/target). These messages are coming from spoofed email accounts (or, in some cases, from the person’s actual email domain by using stolen login credentials), unfortunately, and they can be very difficult to detect. In a successful BEC scam, hundreds of thousands—sometimes even millions—of dollars are sent to criminals by unknowingly duped victims, as in the following examples of the various types of business email compromise:

  • A vendor the target person’s company regularly deals with sends an invoice with an updated mailing address (this is commonly referred to as an “invoice scheme”), demanding it be paid immediately.

  • A homebuyer receives a message from his title company with instructions on how to wire his down payment (these are often sent with the social engineering technique of using an extreme sense of urgency by, for example, claiming the sale will become void if the amount is not paid immediately).

  • A person who works remotely receives a message on social media from a company executive, possibly on a weekend or during off-hours, claiming an urgent matter has come up and he/she doesn’t have access to his office email and needs the employee to log in and send an important payment to a specific bank account for him to avoid some form of fake catastrophe.

  • An email from a company CEO (often referred to as a “CEO fraud” email) asks an assistant to purchase dozens of gift cards to send out as employee rewards. The CEO also asks for the serial numbers so he/she can email them out right away.

  • An email that appears to be from a company’s CFO is sent to someone in accounts receivable, explaining that a company merger or acquisition is going to fail if funds are not sent out right away. As with phishing emails, the senders likely researched a current and very real merger/acquisition the company is planning.

  • An “attorney impersonation” email, which appears to come from the target individual’s legal representative, explaining that funds are needed to file a legal document or that a retainer payment has not been made.

Business Email Compromise

It’s All About the Money

BEC attacks tend to get less media attention than things like ransomware, spear phishing, and/or Distributed Denial of Service (DDoS) attacks. However, in truth they are far more lucrative and less risky for cybercriminals than ransomware because they can get a targeted individual to send large amounts of money without the need for holding a system hostage for days.

The primary goal of ransomware is to hold a system and its data hostage in order to receive a payout from victims. Then they will often do a “double extortion” by demanding a second payout to stop them from selling or leaking the sensitive data or confidential information (such as intellectual property) stolen during the breach. While ransomware is lucrative, it can be difficult and time consuming to pull off in relation to a well-planned BEC scheme. Also, many businesses have made new policies stating they will no longer pay ransom demands from these sorts of attacks.

A BEC email attack, on the other hand, avoids many obstacles and cuts out a lot of the steps required by ransomware, going “straight to the source,” if you will. Because these emails often fairly accurately impersonate the person whose email account was compromised. For example, back in February 2024, officials in one eastern Iowa county found themselves trying to track down $524,284 they believed was stolen when an employee transferred it in response to a fake email message that appeared to be from the city of Dyersville. In truth, their email system had been hit with a BEC attack and certain compromised accounts were used to email requests (which appeared to come from the legit email address of a county official) to county employees, asking for fund transfers. The massive payout requested was fulfilled by at least one employee’s email account before the deception was discovered. When it comes to cyberattacks, being able to dupe just one person is often enough to gain temporary unauthorized access to an organization’s funds. Often as soon as the funds are transferred, a coconspirator is already waiting at a physical location to withdraw the money before the fraud is discovered and the transfer canceled.

As with nearly all forms of cyberattacks… it all comes down to money.

 

The Use of AI is Making the Situation Worse

Social engineering-based business email compromise (BEC) attacks have risen by 1,760 percent in the past year, mostly fueled by the advancements in generative artificial intelligence (GenAI). While AI has become a useful tool that boosts worker productivity, its use by cybercriminals and scammers has also made the detection of, and response to, certain cyberattacks more difficult. And it seems that this has led to a surge in BEC attacks, which accounted for only 1 percent of cyberattacks in 2022 yet made up a staggering 18.6 percent of all cyberattacks carried out in 2023 (BEC’s close cousin, phishing attacks, remained the top threat and accounted for 70 percent of cyberattacks in 2023).

Unfortunately, as the use of AI makes the highly profitable BEC attack vector easier to carry out, it is highly likely that the increase in this type of attack will only continue.

 

Employ Cybersecurity Tools

To prevent BEC, Multi-factor Authentication (MFA) and spam filtering should be implemented across any organization dealing with digital transactions, as standard practices. Finding the best way to secure corporate data from hackers or other suspicious users can be a challenge for many IT professionals. Through Microsoft Enterprise Mobility + Security (EM+S), IT professionals can quickly install multi-factor authentication for enterprise accounts.

MFA involves users providing a cell phone number or backup email, which bolsters security by asking for additional pieces of evidence. These generic codes are sent directly to the user, and act as a supplemental shield to traditional passwords.

Once those are implemented, the next step is to further reduce your organization’s attack surface with next-level security layers. For example, using conditional access to use email only from specific geographic locations and devices.

 

Intensify Security Awareness Training

Along with cybersecurity tools, organizations can institute ongoing employee security awareness training to reduce instances of BEC. Security awareness training programs should also highlight the importance of following up on suspicious activities. 

If a person suddenly changes their account or how they are paid, that should raise a red flag. Additionally, any change should be followed up by an immediate phone call to confirm. This helps to verify identity and flag fraudulent emails before an incident escalates.

Preventing and mitigating BEC requires the involvement of everyone in the organization. By focusing on employee cybersecurity training, implementing standard security measures in the organizational network, and responding quickly to a breach, security professionals can reduce their risk of BEC.

Employees are the “tip of the spear” when it comes to cybersecurity and defense. If your employees receive regular security awareness training, their calculated decision-making and quick response can effectively block BEC, rather than entirely depending on your IT team.

 

Responding to a BEC Attack

Even with all the security training, policies and technology tools in place, at some point in time, someone will eventually make a mistake. In any case, organizations must always be prepared to act in the aftermath of a breach. Here are some actions to mitigate the impact of a successful BEC attack.

  • Change all user passwords.

  • Review the rules dealing with forwarding to outside accounts.

  • Review any logs to determine which data and accounts were compromised.

  • Assume all information in the mailbox is compromised, in case logs are not detailed enough.

  • Contact affected individuals that may have their data leaked.

  • Refer to this guide on how to communicate data breaches to customers.

  • Finally, draft a detailed review on how the BEC incident happened for employee training education and reference.

Integrate Security Policies with Business Processes

Embedding data security policies right into business processes help organizations stay protected against such scams. For example, the process for updating payment details of a supplier must first comply with the company’s security policies. And the same steps should be applied consistently when signing a new vendor.

Experts also suggest enforcing a simple, standardized way for staff to report things that don’t add up. For example, if there’s an email that’s not monitored directly by the SecOps team, create one right away. If you think someone’s account might have been hacked, remind staff not to use that same account to voice your suspicions, whether it’s an email address, a Facebook account or a phone number.

 

A Little Suspicion Goes a Long Way

If you notice anything unusual, or receive a suspicious email, or an urgent message that is unexpected, always check and confirm with the alleged sender directly (either by phone or internal chat) before making any payments. Validate the request with a quick phone call before going ahead with any official financial transaction. 

Want to discover an easier way to protect your organization from data theft by employing cutting-edge security solutions? Contact UDT today to discover our comprehensive suite of cybersecurity solutions and services to safeguard you email security, sensitive information, data integrity, devices, apps, and more.

Accomplish More With UDT

Get your custom solution in cybersecurity, lifecycle management, digital transformation and managed IT services. Connect with our team today.

More to explore

Henry Fleches on AI’s role in business and UDT’s link to Intel

UDT’s Henry Fleches discusses AI’s transformative role in business. Learn how AI shapes operations and drives innovation for a competitive advantage.

Reasons to Spend Your Year-End Budget on a Smart School Technology Refresh

Discover how smart schools technology can transform your district. Invest your year-end budget in digital learning and safety for a successful new school year.

Technology and workplace culture: An evolving partnership — Table of Experts

Discover how South Florida’s best workplaces leverage technology for culture and efficiency. Learn from experts at the forefront of innovation, including our Chief Technology Officer, Fernando Mejia.

Professional Development for 1:1 Device Initiatives in School Districts

Explore how professional development technology training for teachers can enhance K12 education. Discover the impact of 1:1 device initiatives on teaching and learning.

How To Defend Against Business Email Compromise

Business Email Compromise (BEC) attacks are causing businesses to lose 48 times more money than ransomware. Learn how to defend against these pervasive cyberthreats.

How To Prioritize Cloud Security Best Practices at Your Organization

Remember these key principles as you implement cloud security best practices at your organization for a safe and secure cloud infrastructure with minimum security issues. Whether you’re using Microsoft Azure or Amazon Web Services (AWS), cloud data security must always be a priority.

Experiencing a security breach?

Get immediate assistance from our security operations center! Take the following recommended actions NOW while we get on the case:

RECOMMENDED IMMEDIATE NEXT ACTIONS

  1. Determine which systems were impacted and immediately isolate them. Take the network offline at the switch level or physically unplug the systems from the wired or wireless network.
  2. Immediately take backups offline to preserve them. Scan backups with anti-virus and malware tools to ensure they’re not infected
  3. Initiate an immediate password reset on affected user accounts with new passwords that are no less than 14 characters in length. Do this for Senior Management accounts as well.

Just one more step

Please fill out the following form,