Business Email Compromise
What are Business Email Compromise Attacks?
Business email compromise (BEC) can generally be defined as a spearphishing attack that impersonates a trusted individual to trick an employee into making a financial transaction or sending sensitive information to an attacker. According to the FBI’s Internet Crime Complaint Center (IC3), BEC attacks have caused more than $43 billion in financial losses since 2016.
Unlike other types of cyber attacks, most BEC attacks don’t involve malicious attachments or links. Instead, the content of most BEC attacks is simply benign text, which makes these attacks more effective at bypassing traditional email defenses.
Historically, BEC attacks have focused on the impersonation of internal employees, primarily company executives. While these attacks are always financially motivated, the specific objective varies and includes the following:
- Payment Fraud: These attacks usually impersonate a company executive and request that a targeted employee send a payment to a supposed external third party.
- Payroll Diversion: These attacks generally target human resources employees and ask that an employee's direct deposit account be changed to an account controlled by the attacker.
- Gift Card Request: These attacks can target any employee at a company (campaigns sometimes target dozens of employees at a time) and request the purchase of gift cards, commonly under the pretext of employee rewards or customer gifts.
- Aging Report Theft: These attacks usually impersonate a company executive and, rather than requesting a financial transaction, ask for an up-to-date aging report, which contains outstanding payment and customer contact information. The attacker then uses the information in this report to email the company’s customers and request that the outstanding balances be paid to alternate accounts.

More recently, a growing number of BEC attacks have impersonated external third parties rather than internal employees. The general term for these attacks is financial supply chain compromise, which includes the following types of attacks:
- Vendor Email Compromise: These attacks start with the compromise of the mailbox of a high-value target at a vendor or supplier. The attacker then uses intelligence from the compromised mailbox to target the vendor’s customers and divert funds from a legitimate business transaction.
- Third-Party Reconnaissance Attack: These attacks typically depend on an attacker conducting open source research to identify relationships between vendors and customers. After collecting this information, the attacker sends an email to an organization, impersonating a vendor, inquiring about a potential outstanding payment or requesting that the vendor’s payment account be updated so that any future payments are redirected to the new account.
- Blind Third-Party Impersonation Attack: In these attacks, the attacker has no knowledge of vendor-customer relationships or legitimate financial transactions and relies on pure social engineering tactics to solicit fraudulent payments.

Recent Examples of Business Email Compromise Attacks
Payment Fraud BEC Attack: Executive Impersonation, Overdue Payment, Legal Matter
This text-based BEC attack impersonates an executive using a fake email chain, a spoofed email address, a username on the malicious domain that matches the executive's real one, an overdue payment theme, and a legal matter theme to request a fraudulent payment.

Payment Fraud BEC Attack: Executive Impersonation, Overdue Payment
This text-based BEC attack impersonates an executive using a fake email chain, a maliciously registered domain, a spoofed display name, and an overdue payment theme to request a fraudulent payment.
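The indicators named in the two examples above (a spoofed display name, a lookalike domain carrying the executive's username, a reply-style subject with no real thread behind it, and overdue-payment or legal-matter wording) can all be checked from a message's headers and text alone, which matters because these attacks carry no attachment or link to scan. The following is an added example, not code from the original page; the organisation domain, executive list, theme words and sample messages are constructed for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed, hypothetical organisation data: the protected domain and the
# executives whose display names attackers are most likely to spoof.
ORG_DOMAIN = "examplecorp.com"
EXECUTIVES = {"Jane Doe": "jane.doe"}  # display name -> real mailbox local part
THEME_WORDS = ("overdue", "payment", "wire", "invoice", "legal", "urgent")


def edit_distance(a, b):
    """Levenshtein distance; a small value against ORG_DOMAIN suggests typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(msg):
    """Return the text-only BEC indicators present in one message, in a fixed order."""
    name, addr = parseaddr(msg.get("From", ""))
    local, _, domain = addr.lower().rpartition("@")
    subject = msg.get("Subject", "")
    text = (subject + " " + msg.get_content()).lower()
    found = []
    if domain and domain != ORG_DOMAIN:  # external sender: look for impersonation
        if name in EXECUTIVES:
            found.append("display_name_impersonation")  # spoofed display name
        if local in EXECUTIVES.values():
            found.append("matching_username")  # executive's username on a foreign domain
        if edit_distance(domain, ORG_DOMAIN) <= 2 or ORG_DOMAIN.split(".")[0] in domain:
            found.append("lookalike_domain")  # maliciously registered lookalike domain
    if re.match(r"\s*(re|fw|fwd)\s*:", subject, re.I) and not (
            msg.get("In-Reply-To") or msg.get("References")):
        found.append("fake_email_chain")  # reply-style subject without thread headers
    if any(word in text for word in THEME_WORDS):
        found.append("payment_theme")  # overdue payment / legal pressure wording
    return found


def build_message(from_hdr, subject, body, in_reply_to=""):
    """Build a constructed sample message so the checks run offline."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = from_hdr, "ap@examplecorp.com", subject
    if in_reply_to:
        m["In-Reply-To"] = in_reply_to
    m.set_content(body)
    return m
```

Each returned indicator is weak on its own; the value for triage is in the combination, and a message that trips several of them is what the examples above look like in practice.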