How to prevent Business Email Compromise?
In a Business Email Compromise (BEC) exploit, the attacker typically uses the identity of someone on a corporate network to trick the target or targets into sending money to the attacker’s account. The most common victims of BEC are companies that use wire transfers to pay international clients.
In this article, you will read about:
What is Business Email Compromise (BEC)?
How serious is BEC?
Targets of business email compromise
Tips to prevent BEC
Once the cybercriminal has gained access to an email inbox, usually with a phishing scam, they search the inbox for high-value email threads such as email conversations with suppliers or other individuals in the company to gather information. Leveraging this information, they’ll send an email message that appears to come from a trusted source.
The problem is that BEC attacks bypass legacy email solutions. Because the email genuinely originates from a trusted account or domain, it passes rule-based security controls such as DMARC, DKIM, and domain authentication without detection.
There are several methods that a cybercriminal can use to achieve this, including:
- Email impersonation is where the attacker sets up an email account that looks like a business email account.
- Email spoofing is where the attacker modifies an email’s envelope and header. The receiving mail server thinks the email came from a corporate domain and the recipient’s email client displays incorrect sender information.
- Email account takeover is when an attacker gains access to a corporate email account, whether via hacking or by using stolen account credentials. They gather information about the user’s contacts, email style, and personal data — then they use the account to send a phishing email.
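Each of the three methods above leaves traces in the message headers that a mail gateway or a SOC triage script can check: a lookalike sender domain, a well-known display name on the wrong address, a Reply-To pointing elsewhere, or an envelope sender (Return-Path) that disagrees with the From header. The following Python is an added example, not code from this article or from any Rainbow Secure product; the trusted domain, the contact directory, the 0.8 similarity threshold and the three sample messages are all constructed for illustration.

```python
import difflib
import email
from email.utils import parseaddr

# Constructed allow-lists standing in for an organisation's own directory.
TRUSTED_DOMAINS = {"example-corp.com"}
KNOWN_CONTACTS = {"jane doe": "jane.doe@example-corp.com"}  # name -> real address
SIMILARITY = 0.8  # similarity ratio at or above which a domain is a lookalike (assumed)

def _domain(header_value):
    """Bare, lower-cased domain from an address header ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if difflib.SequenceMatcher(None, domain, trusted).ratio() >= SIMILARITY:
            return trusted
    return None

def bec_signals(raw_message):
    """Return the set of red-flag labels found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message)
    name, addr = parseaddr(msg["From"] or "")
    from_dom = addr.rpartition("@")[2].lower()
    signals = set()
    # Impersonation: a known person's display name on an address that is not theirs.
    for known_name, known_addr in KNOWN_CONTACTS.items():
        if known_name in name.lower() and addr.lower() != known_addr:
            signals.add("display-name-impersonation")
    # Impersonation: sender domain is a near-copy of one of our own domains.
    if lookalike_of(from_dom):
        signals.add("lookalike-domain")
    # Replies quietly routed somewhere other than the apparent sender.
    if msg["Reply-To"] and _domain(msg["Reply-To"]) != from_dom:
        signals.add("reply-to-mismatch")
    # Spoofing: envelope sender (Return-Path) disagrees with the From header.
    if msg["Return-Path"] and _domain(msg["Return-Path"]) != from_dom:
        signals.add("envelope-mismatch")
    return signals

# Constructed sample messages, not real mail.
IMPERSONATION = ('From: "Jane Doe, CEO" <jane.doe@examp1e-corp.com>\n'
                 "Reply-To: jane.doe.ceo@mail-example.net\nSubject: Urgent wire\n\nPay today.\n")
SPOOFED = ("Return-Path: <bounce@unrelated-host.example>\n"
           "From: Accounts Payable <ap@example-corp.com>\nSubject: New bank details\n\nSee below.\n")
LEGIT = "Return-Path: <ap@example-corp.com>\nFrom: ap@example-corp.com\nSubject: Invoice\n\nAttached.\n"
```

A message sent from a genuinely compromised mailbox (account takeover) produces none of these signals, which is why the process controls later in this article matter as much as header checks.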
How serious is BEC?
Many BEC attacks go unnoticed, and different organizations use different definitions of BEC, so there is no simple answer. So, what do we know about the prevalence of BEC? The best source of cybercrime statistics is the FBI’s Internet Crime Complaint Center (IC3), which reports that:
- Between 2016 and 2020, the IC3 recorded 185,718 BEC incidents worldwide, resulting in losses totaling over $28 billion.
- In 2020, losses from BEC exceeded $1.8 billion—a fourfold increase since 2016.
- The number of BEC incidents went up by 61% between 2016 and 2020.
Targets of business email compromise
Anyone can be the target of a BEC scam. Businesses, governments, nonprofits, and schools are all targeted, specifically these roles:
1. Executives and leaders, because details about them are often publicly available on the company website, so attackers can pretend to know them.
2. Finance employees like controllers and accounts payable staff who have banking details, payment methods, and account numbers.
3. HR managers with employee records like social security numbers, tax statements, contact info, and schedules.
4. New or entry-level employees who won’t be able to verify an email’s legitimacy with the sender.
But what does a BEC attack look like in real life? This article details 5 examples of BEC attacks that have cost victims money, time, and reputation, to help you avoid making the same mistakes.
1. Facebook and Google: $121m BEC scam
First, let’s look at the biggest known BEC scam of all time: a Vendor Email Compromise (VEC) attack against tech giants Facebook and Google that resulted in around $121 million in collective losses.
The scam took place between 2013 and 2015 — and the man at the center of this BEC attack, Evaldas Rimasauskas, was sentenced to five years in prison in 2019. Rimasauskas and associates set up a fake company named “Quanta Computer” — the same name as a real hardware supplier. The group then presented Facebook and Google with convincing-looking invoices, which they duly paid to bank accounts controlled by Rimasauskas.
As well as fake invoices, the scammers prepared counterfeit lawyers’ letters and contracts to ensure their banks accepted the transfers.
2. Ubiquiti: $46.7m vendor fraud
In August 2015, IT company Ubiquiti filed a report to the U.S. Securities and Exchange Commission revealing it was the victim of a $46.7 million “business fraud.”
This attack was an example of a type of BEC, sometimes called Vendor Email Compromise (VEC). The scammers impersonated employees at a third-party company and targeted Ubiquiti’s finance department.
3. Toyota 2019: $37 million BEC attack
In 2019 Japan’s Toyota Boshoku Corporation was hit with a $37 million BEC attack. Though $37 million may appear alarming, the huge size of the company meant the attackers were able to persuade an employee to transfer the sum out of the European subsidiary before the fraud was detected. As Toyota learned the hard way, BEC attacks often come in multiples, with one attack opening the door to many more as money, IP, data, or identities are stolen.
4. Obinwanne Okeke: $11 million in losses
In February 2021, celebrated entrepreneur Obinwanne Okeke was sentenced to 10 years in prison for his involvement in a BEC scheme that resulted in at least $11 million in losses to his victims. Okeke used phishing emails to obtain the login credentials of business executives (including the CFO of British company Unatrac Holding); these initial phishing scams then acted as a platform for BEC.
Okeke created fraudulent web pages to further manipulate his victims. The money transfers also went directly into overseas accounts, meaning that local law enforcement couldn’t aid in recovering them.
5. Scoular Co.: $17.2m acquisition scam
This example demonstrates how fraudsters can play on a target’s trust and exploit interpersonal relationships. In June 2014, Keith McMurtry, an employee at Scoular Co., a company in Omaha, Nebraska, received an email supposedly from his boss, CEO Chuck Elsea. The email informed McMurtry that Scoular was set to acquire a Chinese company.
Elsea instructed McMurtry to contact a lawyer at the accounting firm KPMG. The lawyer would help facilitate a transfer of funds and close the deal. McMurtry obeyed, and he soon found himself transferring $17.2 million to a Shanghai bank account in the name of “Dadi Co.”
The CEO’s email, as you might have guessed, was fraudulent. The scammers had used email impersonation to create accounts imitating both Elsea and the KPMG lawyer.
Looking at these examples, it is evident that if a business email compromise attack is successful, your organization could:
1. Lose hundreds of thousands to millions of dollars.
2. Face widespread identity theft if personally identifiable information is stolen.
3. Accidentally leak confidential data like intellectual property.
As BEC schemes evolve, so do threat protection strategies.
Tips to prevent BEC
Follow these best practices to stop business email compromise:
1. Use a secure email solution
Use a secure email solution such as Rainbow Secure Business Email (runs on Office 365), which adds BEC prevention features like:
- Advanced authentication options, including multilayer password and passwordless login for your email, further aided by Smart Multi-factor, which stops phishing and automated cyberattacks such as brute force, keylogger, and stolen-password attacks, and mitigates cyber threats, cyber risk, and account takeover fraud.
- Scanning of suspicious attachments before they download to your device.
- Sending and receiving of encrypted emails.
2. Train employees to spot warning signs
Ensure everyone knows how to spot phishing links, domain and email address mismatches, and other red flags. Simulate a BEC scam so people recognize one when it happens.
3. Set security defaults
Administrators can tighten security by opting for DKIM
4. Use a solution that provides Anti-Phishing Protections
Since BEC emails are a type of phishing, deploying email solutions such as Rainbow Secure Email running on Office 365 Business is essential to protecting against them. An anti-phishing solution should be capable of identifying the red flags of BEC emails including bad links.
5. Don’t Rely Solely on Native Email Security
G Suite and Office 365 have improved their native security offerings in recent years, providing better anti-spam and anti-malware protection. However, the Rainbow Secure Email and Rainbow Secure Login for Email solutions provide advanced authentication and multilayer security by design and eliminate identity fragmentation by giving one unified login that works with both Office 365 and Google Docs. There is no need to hunt for a different login when a document is shared from either platform.
6. Don’t click unnecessary links
BEC attackers do whatever they can to get victims to act before they think, relying on them being too busy to engage with emails rationally. Train users to read every email with a critical eye so they avoid clicking on suspicious links.
7. Act responsibly, not hastily, when transacting
The surface-level nature of BEC attacks means they are here to stay. Organizations and employees need to transform their mindset, processes, and security tools to keep abreast of the growing Business Email Compromise threat.
Rainbow Secure provides world-class cutting-edge Solutions to secure your business email account.
· Advanced authentication options of multilayer password and passwordless login for your email
· Premium login experience on iOS, Android, and Web
· No more long complex passwords
· One unified login for Office 365 and Google Workspace
· Stops automated cyberattacks like brute force, keylogger, phishing, and stolen password attacks
· Mitigates cyber threats, cyber risk, and account takeover fraud
Rainbow Secure has set benchmarks in providing exemplary login and secure email solutions to businesses such as Certified Public Accountant (CPA) firms, healthcare practitioners, business schools, wellness startups, e-commerce retailers, and retail business owners, where it strengthened business cyber security by mitigating cyber-attacks, cyber risk, and account takeover fraud.
Do you have more questions about the Business Email Compromise? Contact us today. Email us at Hello@rainbowsecure.com