Business email compromise (BEC): prevention and protection from attacks

In 2022, the FBI’s Internet Crime Complaint Center (IC3) received 21,832 business email compromise and email account compromise complaints resulting in more than $2.7 billion in losses. 95% of BECs result in financial losses between $250 and $985,000, with $30,000 being the median.

Business email compromise (BEC) is the biggest threat to corporate cybersecurity. BEC can see threat actors gaining access to a system and tricking employees into willingly giving away sensitive company information. Malicious phony business emails can also be trojan horses for ransomware.

The financial impact of BEC attacks can be devastating to your clients. Luckily, there are ways to prevent them. Let’s dive into how BEC attacks happen and how you can spot them before they wreak havoc.

How business email compromise attacks happen

To begin: what is business email compromise? Business email compromise (BEC) is defined as a type of cybercrime that involves using fraudulent emails to trick people into giving away money or sensitive information.

Business email compromise is not new. That said, email scammers are relentlessly creative, and they're constantly adjusting and updating their tactics to trick uninformed or careless employees. Here are a few of the common schemes cybercriminals use to abuse emails for financial gains, according to the FBI:

• Email or website spoofing. Hackers make a slight modification to a legitimate company email or website address in order to fool people into clicking on malware-loaded links. Say that a client’s employee is used to getting emails from Kelly.jones@testcompany.com. A hacker will create a similar-looking variation such as Kelley.joes@testcompany.com to fool them into thinking the fake account is authentic. That way, they’re likely to open what looks like an email from a familiar source and click links or download attachments that appear safe that, in fact, can open doorways into systems and information.
• Spear phishing. Spear phishing is another email that appears to be coming from a trusted sender. This form of attack extracts confidential information, including access to company accounts, calendars, and data, from willing yet unwitting victims. This information is a stepping stone to a larger attack.
• Malware. Every MSP is familiar with malware. But in terms of BEC attacks, this malicious software infiltrates a company’s networks in order to gain access to emails about billing and invoices. Such information is then used to time requests, so that financial officers won’t question payment requests. Malware also lets criminals gain undetected access to data like users’ passwords and account information.

Some forms of business email compromise are subtler than others. But don’t get complacent: anyone can fall victim to a sophisticated, cutting-edge cyber scheme.

Business email compromise types

There are a few major types of business email compromise you should be prepared to address:

• Attorney impersonation. Hackers posing as attorneys contact employees requesting sensitive information. Employees, thinking they’re speaking to trustworthy attorneys, give that information up willingly. Lower-level, less savvy end-users are generally targeted in these kinds of schemes.
• CEO fraud. A hacker, acting via a spoofed email as a company’s CEO, may request employees transfer funds into that hacker’s bank account. Thinking they’re complying with orders from higher-ups, employees may willingly do so without a second thought. This type of attack is an especially grotesque exploitation of intra-company trust.
• Data theft. These attacks are more about netting large amounts of sensitive information to use in future attacks — to lock up companies’ systems, target individual employees’ finances, or even hold an entire organization hostage by threatening to sell said sensitive information to theoretically more vicious cybercriminals.
• Account compromise. Hackers use spoofed email domains to dupe employees into wiring money into the bank accounts of illegitimate vendors.
• False invoice scam. This is a type of supply chain attack where a supplier-side company requests fund transfers from foreign recipients, who may be more liable to be duped if there’s a language barrier involved.

Any of the above attacks can also smuggle in spyware, malware, and any variety of viruses, the payloads of which can be immensely destructive.

While these are currently the most common varieties of business email compromise scams, cybercriminals are highly inventive; expect them to come up with more and more devious ways of capturing sensitive information.

Historical business email compromise attacks

Business email compromise attack examples serve as both a cautionary tale and learning opportunity for MSPs. Some notable historical attacks include:

• Facebook and Google lost a total of $121 million in coordinated attacks between 2013 and 2015. Evaldas Rimasauskas, a Lithuanian posing as a Taiwanese investor, sent fake invoices to the aforementioned in the name of Quanta Computer.

Rimasaukas’ scam succeeded in convincing Google and Facebook that they owed Quanta money for computer components they never, in fact, purchased.

Rimasaukas was eventually caught and pled guilty to one count of wire fraud, for which he was sentenced to 30 years in prison.

• Rubén Rivera, finance director of Puerto Rico’s Industrial Development Company, was bilked into transferring more than $2.6 billion to a hacker’s bank account.

This scam occurred in 2020, not long after Puerto Rico experienced a massively destructive hurricane and was still in the process of recovery.

To put it starkly, no business, no matter how large or powerful, nor any government, is fully protected against business email compromise attacks.

How to reduce business email compromise risk

All businesses — and, as shown above, world governments — are vulnerable to BEC attacks. That's why it's essential that, as an MSP, you provide your clients with the proper education and tools they need to combat BEC.  Our BEC checklist will show you what threats to look out for, how to monitor them, and the best ways to tackle them when they arise.

Here are a few ways you can protect clients from BEC attacks right now: 

• Training is key. Because end users are the main target of BEC attacks, it’s critical to implement a cybersecurity awareness training program. As a start, individuals should be taught to spot suspicious emails. They should also know what steps to take if they think they've encountered a potentially suspicious communication. You can go one step further and set up zero-trust network architecture so that no employee can be granted more access than they absolutely need to perform their job.
• Perform a risk assessment. For any sort of cybersecurity concern, MSPs should have a full understanding of where potential vulnerabilities are. Performing initial security risk assessments will allow your team to be proactive and minimize the chance of BEC attacks.
• Check and double-check any changes to the Accounts Payable (AP) process. Examine all invoices and flag anything suspicious.
• Review your technical controls. Look for signs of anomalous activity within your client's systems. What kind of activity do you see within, say, Microsoft Office 365 or Google apps? Take the time to spot things such as a new forwarding rule that was recently created, or suspicious logins that might come from a new location you've never seen before. Furthermore, make sure your client hasn’t turned multi-factor authentication off.

Deploy a modern email security solution. Bring a full suite of cybersecurity technology techniques to the table in order to automate endpoint detection and response protocols. This includes risk assessment, dark web monitoring, cloud app security, 24/7 incident response services, and more. Give clients the peace of mind that comes with full-bore cyber threat protection.

Stopping BEC is a sophisticated process. Check out our webinar, In the Aftermath: Business Email Compromise, to learn more about how to protect clients against BEC.

What to do after you discover a business email compromise attack

In the event of a BEC attack, instruct clients to remain calm — but act quickly behind the scenes. Here are the major steps MSPs can take to prevent an attack from worsening:

1. Request a recall or reversal from the financial institution in question, as well as a Hold Harmless Letter or Letter of Indemnity in order to prove that a transaction was fraudulent.
2. Gather as much information about the attack as you can.
3. File a complaint with the FBI’s Internet Crime Complaint Center.
4. Secure your client’s email accounts with new and complex passwords. You should also add a multi-factor authentication (MFA) protocol to the login process if your client doesn’t already have one in place.

ConnectWise is here to help MSPs navigate today’s threat-laden cyber landscape. Check out our cybersecurity demos to see first-hand how you can keep your business and your clients safe.