Many organisations cover phishing attacks in their cyber security training, and most employees are familiar with the broad guidelines:

“If you don’t know the sender; are not expecting the email; feel a sense of urgency to respond or act on the email; receive a seemingly random or unexpected attachment or link; or notice the poor spelling and grammar in the email, it is probably a phishing email.”

But what if an attacker does manage to enter the organisation? This is the realm of Business Email Compromise (BEC).

What is Business Email Compromise?

A phishing attack is typically the first step in BEC. Once a business or business account is compromised, attackers target specific departments and people: finance, payments, senior executives, account managers or sales, and anyone else who could have financial responsibility within the organisation.

The compromised account sends a carefully crafted email to the target, often using an existing email chain to better disguise the phish. The email may request payment details to be updated, or request recipients to review attachments or to follow links. The technique relies on the user to perform the task without question.

Why is BEC so dangerous?

BEC may not necessarily be more successful than other techniques, but it poses a unique danger due to the ability to dupe users. Simply put, the emails come from a legitimate source – often a known contact – and are relevant and expected. As such, they are more likely to escape the standard phishing identification heuristic outlined earlier.  

Even advanced, technical users who analyse email headers can be caught out, because the email has come from a legitimate email address from the compromised business. Without knowing the business is compromised, or without analysing any attachments or webpages in a sandbox, a user has no way to know with certainty that the email is illegitimate.

Identifying a BEC

It can be difficult to spot a BEC, but there are several warning signs that could help, including:

  • You receive an email from a higher-up ordering you to quickly process an invoice, change the recipient of a payment or provide sensitive documents.
  • The message is brief, urgent and presses you to bypass normal policies and procedures.
  • The sender says they are travelling, and the signature indicates the email came from a mobile device.
  • The email comes from a Gmail, Hotmail or other personal account rather than an organisational account.
  • Someone you’ve become close to online asks you to open a bank account for the purpose of receiving or sending them money.
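The content-based signs above can also be checked automatically as a first-pass triage. The following is an added example, not part of the original article: the phrase patterns, the personal-domain list and the sample messages are constructed assumptions, and it treats a payment request with no other sign as still needing call-back verification, since mail from a compromised legitimate account shows none of the other signs.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: a short, illustrative list of personal webmail domains.
PERSONAL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

# One pattern per warning sign; the phrases are illustrative, not exhaustive.
RULES = {
    "payment_or_document_request": re.compile(
        r"\b(invoice|payment details|bank details|change the (payee|recipient))\b", re.I),
    "urgent_or_bypass_procedure": re.compile(
        r"\b(urgent(ly)?|immediately|asap|skip the (usual|normal) (process|approval))\b", re.I),
    "travelling_or_mobile_signature": re.compile(
        r"\btravell?ing\b|sent from my (iphone|ipad|android|mobile)", re.I),
}

def bec_signals(raw_message):
    """Return the warning signs present in one RFC 5322 message (plain text only)."""
    msg = message_from_string(raw_message)
    payload = msg.get_payload()
    body = payload if isinstance(payload, str) else ""  # multipart bodies not handled here
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = [name for name, rx in RULES.items() if rx.search(text)]
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if domain in PERSONAL_DOMAINS:
        hits.append("personal_account_sender")
    return hits

def triage(raw_message):
    """hold: payment request plus another sign; verify: payment request alone; else pass."""
    hits = bec_signals(raw_message)
    if "payment_or_document_request" not in hits:
        return "pass"
    # A compromised but legitimate account shows no other sign, so a lone payment
    # request still goes to call-back verification rather than straight through.
    return "hold" if len(hits) > 1 else "verify"

# Constructed sample messages (not real traffic).
EXEC_REQUEST = ("From: \"A. Director\" <a.director@gmail.com>\nSubject: Urgent invoice\n\n"
                "I am travelling, please process this invoice immediately.\nSent from my iPhone\n")
SUPPLIER_THREAD = ("From: accounts@supplier.example\nSubject: Re: March statement\n\n"
                   "Please note our bank details have changed for the next payment.\n")
ROUTINE = "From: colleague@corp.example\nSubject: Lunch\n\nAre you free at noon?\n"

if __name__ == "__main__":
    for name, raw in [("exec", EXEC_REQUEST), ("supplier", SUPPLIER_THREAD), ("routine", ROUTINE)]:
        print(name, triage(raw), bec_signals(raw))
```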

Stopping a BEC

BEC attacks pose a serious risk, so organisations should be prepared to counter them. Here is how to prevent the success of BEC attacks in the short, mid and long-term:

Short-term:

  • Implement a policy to safeguard payment processes and payment details. For example, follow up requests with a phone call to a known contact at the company to confirm their legitimacy.
  • Contact the relevant internal IT or security teams to investigate suspicious activity.

Mid-term:

  • Incorporate BEC awareness into phishing and security training.
  • Consider email security filters that use advanced techniques to spot, quarantine, or delete BEC emails before they are sent to the end user.

Long-term:

  • Develop a cyber security culture within the organisation. Employees need to feel comfortable contacting the IT or security department without “blame” or fear of “punishment” for making an error.
  • Implement effective monitoring or IDS/IPS and IR capability/support in the event of a compromise.

For further information on countering Business Email Compromise attacks or advice on how to improve your policies and processes or advance your cyber awareness training programs, get in touch to arrange a chat with one of our experts today.