
Business Email Compromise (BEC) - How to avoid or recover
By Alex Waintraub, DFIR Expert Evangelist
July 11, 2023

Business email compromise (BEC) attacks happen all the time. The FBI logged nearly 20,000 BEC complaints in 2020, and the rate keeps climbing: BEC attacks rose 81% in 2022 alone and 175% over a two-year period.

But with the right employee education and training, you can help keep email accounts secure and stop your organization's employees from falling for the social engineering that BEC depends on.

And even if a BEC attack gets past your defenses, the right processes and technologies let you respond appropriately and restore operations quickly.

Let’s take a deeper look at business email compromises, and how to both prevent and respond to them with the right cybersecurity solutions.

What is a business email compromise?

A business email compromise (BEC) is a social engineering attack in which an attacker either takes over a legitimate employee mailbox or impersonates a trusted party (typically a company executive, a vendor, or an attorney) to trick an employee into sending money, confidential information, or other sensitive data. Most BEC messages carry no malicious attachment or link, which is what lets them slip past filters tuned for malware; a compromised mailbox can also be used to deliver malware or ransomware to the employee's computer, though that is a secondary use.

The most common BEC attacks spoof or mimic the sender's identity so that the message appears to come from someone inside the organization. Typical examples: an email that looks like it is from the CEO asking the accounting department to wire funds to an account the attacker controls, or asking an employee to buy gift cards on the executive's behalf.

Scammers also pose as third parties: a supplier requesting payment of a fake invoice (or a real one with the bank details changed) into an attacker-controlled account, or an attorney requesting sensitive data or account privileges that the attacker can then use to take over more mailboxes and impersonate more people. A mailbox the attacker controls can also be used to deliver ransomware, malware that encrypts files on the victim's device until the employee or company pays a ransom for the decryption key.

Whatever the variant, BEC relies on the trust between the employee and the party being impersonated. The messages look like mail from known senders, so the employee has little basis for judging whether the request is genuine. Each mailbox the fraudster compromises then becomes a launchpad for the next attack, giving them more legitimate addresses from which to run further BEC scams.
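The signals described above (a trusted display name on a foreign address, a lookalike domain, a Reply-To that quietly redirects the conversation, a failed DMARC check, and payment or urgency language) can be checked mechanically before a message ever reaches a human. The script below is an added example written for this page; it is not code from the original article or from CYGNVS. It assumes a hypothetical organization domain (example.com), a hypothetical table of frequently impersonated executives, and three constructed sample messages that use the reserved .example TLD, all of which are placeholders you would replace with your own data.

```python
"""Heuristic BEC checks over email headers and body, run on constructed samples.

Added example, not code from the original article or from CYGNVS. ORG_DOMAIN,
PROTECTED_NAMES, LURE_PHRASES and the three sample messages are assumptions.
"""
import difflib
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the organisation's real mail domain
# assumption: display names attackers are likely to borrow, mapped to the
# genuine mailbox so that the same name on any other address is suspicious
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}
# assumption: common BEC lures; tune to your own payment workflows
LURE_PHRASES = ("wire", "gift card", "urgent", "change of bank", "w-2")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' when there is none)."""
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain: str) -> bool:
    """True for domains that are not ORG_DOMAIN but closely resemble it
    (examp1e.com, exampel.com, example.co). The 0.85 threshold is a guess."""
    if not domain or domain == ORG_DOMAIN:
        return False
    return difflib.SequenceMatcher(None, domain, ORG_DOMAIN).ratio() >= 0.85


def bec_findings(raw_message: str) -> list[str]:
    """Return finding tags for one RFC 5322 message; an empty list means clean."""
    msg = message_from_string(raw_message.lstrip("\n"))
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)
    auth = msg.get("Authentication-Results", "").lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()

    findings = []
    # 1. A protected display name arriving from any address but the real one.
    real = PROTECTED_NAMES.get(from_name.strip().lower())
    if real and from_addr.lower() != real:
        findings.append("display-name-impersonation")
    # 2. Replies silently redirected to a domain other than the visible sender's.
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")
    # 3. A registered lookalike of our domain; SPF/DKIM/DMARC pass legitimately.
    if is_lookalike(from_domain):
        findings.append("lookalike-domain")
    # 4. An exact-domain spoof that our MX's DMARC evaluation rejected.
    if "dmarc=fail" in auth:
        findings.append("dmarc-fail")
    # 5. Payment or urgency language typical of the lure itself.
    if any(phrase in text for phrase in LURE_PHRASES):
        findings.append("payment-lure")
    return findings


# Constructed sample messages (not real traffic); .example cannot be delivered.
SPOOFED_EXEC = """\
From: "Jane Doe" <jane.doe@example.com>
Reply-To: <jane.doe.ceo@webmail.example>
To: payables@example.com
Subject: Urgent wire transfer today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk.example; dkim=none; dmarc=fail header.from=example.com

Please push the attached wire before noon. I am in meetings, do not call.
"""

LOOKALIKE_EXEC = """\
From: "Jane Doe" <jane.doe@examp1e.com>
To: payables@example.com
Subject: Quick favor
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

Are you at your desk? I need gift cards for a client, keep this between us.
"""

LEGITIMATE = """\
From: "Jane Doe" <jane.doe@example.com>
To: payables@example.com
Subject: Q3 budget review notes
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Notes from this morning's review are attached for your records.
"""


def run_samples() -> dict[str, list[str]]:
    """Evaluate the three constructed samples and return their findings by name."""
    samples = (("spoofed", SPOOFED_EXEC), ("lookalike", LOOKALIKE_EXEC), ("legit", LEGITIMATE))
    return {name: bec_findings(raw) for name, raw in samples}


if __name__ == "__main__":
    for name, found in run_samples().items():
        print(f"{name:10s} -> {found or ['clean']}")
```

The second sample is the instructive one: the lookalike domain is properly registered and authenticates cleanly, so SPF, DKIM and DMARC all pass and only the display-name and lookalike checks fire. That is the gap email authentication leaves, and it is why a filter needs identity-aware rules on top of protocol checks. In production these tags would feed a score or a quarantine rule rather than being treated as verdicts; the lure phrases in particular are noisy on their own.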

What is the impact of a business email compromise?

BEC attacks cause significant financial losses, reputational harm, and intellectual property theft. The financial impact alone is staggering, with cumulative global losses estimated to exceed $43 billion.

Data theft is a common objective, often aimed at obtaining credentials for legitimate email accounts. Criminals then use those compromised mailboxes to send fraudulent gift card or money requests to the account owner's contacts. In many cases the owner has no idea the account is being used, which is what makes the follow-on requests so convincing.

One prevalent form of BEC is wire transfer fraud, in which a business sends funds to a third-party account on the strength of a fraudulent request. Once the transfer clears, recovering the money is extremely difficult even though the request came from an impersonator; the chances of a recall drop sharply after the first day or two, so the originating bank should be contacted the moment the fraud is suspected. The fallout can include higher insurance premiums, legal liability, reputational damage, and operational disruption that compounds the loss.

The devastating fallout from a BEC attack underscores the urgent need for businesses to implement robust security measures and employee training to mitigate these risks and protect against financial and reputational harm.

How to protect your organization from business email compromises

To safeguard against BEC, organizations should put several layers of controls in place. First, harden email itself: deploy filtering, spam detection, and malware scanning so fewer malicious messages reach inboxes; publish SPF, DKIM, and DMARC records with an enforcing policy so exact-domain spoofing of your own addresses is rejected; and tag mail from outside the organization so an "executive" writing from an external address stands out. Note that DMARC stops spoofing of your own domain but does nothing against a lookalike domain or a genuinely compromised account, which is why the remaining measures matter.

Second, require multi-factor authentication (MFA) on every mailbox. Demanding a second factor beyond the password means a phished or reused password alone no longer gets the attacker in. Prefer phishing-resistant factors (FIDO2/WebAuthn security keys or passkeys) over one-time codes, since adversary-in-the-middle phishing kits can relay a code in real time, and disable legacy authentication protocols that let a client skip MFA entirely.

Third, set clear policies for password management: long, unique passwords kept in a password manager, and rotation when compromise is suspected rather than on a fixed schedule, which current NIST guidance (SP 800-63B) discourages because forced rotation produces predictable, weaker passwords. Apply role-based access control (RBAC) so that only authorized personnel can read or modify critical information, and pair it with a dual-approval step for payments and bank-detail changes that is verified over a known phone number rather than by replying to the email.

Conduct regular security audits to find gaps, and run training sessions on current BEC techniques and on how to recognize and report suspicious requests. Include simulated phishing campaigns to measure susceptibility and to target follow-up training at the people and teams who need it most.

By adopting these proactive measures, organizations can strengthen their defenses against BEC attacks, reduce the risk of successful compromises, and better protect sensitive information and resources.

What to do in the aftermath of a BEC attack

While employee education and preventive controls are crucial in defending against BEC and other cyber threats, it is essential to have a plan for the case where a BEC attack succeeds.

In that case, move immediately off the potentially compromised channels: if the attacker is reading the mailbox, they are reading your response as well, including exchanges with general counsel, C-suite executives, DFIR specialists, and others. A secure, out-of-band encrypted channel allows real-time sharing of sensitive information and limits the risk of further compromise.

If you already have an incident response plan specific to BEC, follow it closely; it will shape an effective response and shorten recovery. If you don't, a standard BEC playbook gives you the next steps: contact the bank that sent the funds and ask for a recall, and report the loss to the FBI's IC3, which can initiate a recall through its Financial Fraud Kill Chain; reset the compromised user's password and revoke all active sessions and tokens; review the mailbox for inbox rules that forward or delete mail, unexpected forwarding settings and OAuth application grants, and remove them; check sign-in logs for other affected accounts; and preserve the original messages with full headers for the investigation.

Swift action, secure communication channels, and established incident response procedures together minimize the impact of a BEC attack and speed up recovery.

How CYGNVS helps

CYGNVS offers comprehensive solutions for dealing with business email compromises (BEC) by providing tools for prevention and efficient response.

On the prevention side, CYGNVS offers a secure out-of-band platform where you can store crucial documentation and sensitive data, including your incident response plans. This allows key stakeholders to access, review, and study the materials to ensure preparedness.

CYGNVS also offers the ability to run tabletop exercises and simulations against your IR plans, enabling your team to practice response strategies and be well-prepared to handle BEC attacks or other cyber threats. With CYGNVS, you can bring both your internal and external incident response stakeholders into a secure environment for effective communication and collaboration. This ensures that the key strategies outlined in your incident response plans are prioritized and properly executed.

In the unfortunate event of a successful BEC attack, CYGNVS enables your team to seamlessly transition from potentially compromised communication channels into a secure war room. This room follows established response plans and workflows, ensuring that stakeholders can effectively navigate the necessary steps while safeguarding sensitive information from falling into the threat actor’s hands or compromising the engagement.

By proactively utilizing CYGNVS for planning and practicing your response plans, you can ensure a faster and more effective response to cyber-attacks, enabling you to swiftly resume normal business operations.

If you're interested in harnessing the capabilities of CYGNVS to prepare and practice against BEC and other cyber-attacks, request a demo today and discover how it can help you strengthen your incident response readiness.