Business email compromise: what to do and how to protect yourself after a BEC attack

| By:
Raffael Marty

Ransomware makes all the cybersecurity headlines, but ransomware is really just the outcome of an attack once a system has been compromised. The biggest threat to business that can lead to ransomware infections and other very significant financial impacts is the business email compromise (BEC) attack vector. While the cost for companies is more significant with ransomware, today’s businesses fail to realize the real impact of BEC because, unlike ransomware, BEC doesn’t cause shutdowns or immediate loss of productivity. 

Its impact is felt most in the financial department. BEC primarily includes automated clearing house and wire fraud. So, the money is gone, and then you go back to everyday life the best you can. This doesn’t underscore the recovery from the financial damages, though. The Internet Crime Complaint Center (IC3) received 19,368 business email compromise and email account compromise complaints with over $1.8 billion losses. Additionally, Verizon’s 2021 Data Breach Investigations Report analyzed the number, and 95% of BECs have a financial loss that fell between $250 and $985,000, with $30,000 being the median. 

You can’t ignore the financial impact of a BEC attack. Luckily, there are ways to prevent them. But first, let’s dive into understanding how BEC attacks happen and how you can spot them before they wreak havoc on your business. 

How does a BEC happen?  

The business email compromise scam is not new. That said, email scammers are relentlessly creative, and they're constantly adjusting and updating their tactics to trick uninformed or careless employees. Here are a few of the common schemes cybercriminals use to abuse emails for financial gains: 

  • Email or website spoofing—In this case, hackers make a slight modification to a legitimate company email or website address. So, for example, if you’re used to getting emails from, a hacker will create a similar variation like (note the extra “e” and missing “n” in Kelly’s name) to fool you into thinking the fake account is authentic. Now, you’re more likely to open the email and even click links or download attachments that can open doorways into your systems and information.  
  • Spear phishing—Similar to email spoofing, spear phishing is another email that appears to be coming from a trusted sender. This form of attack is geared to trick victims into revealing confidential information, including access to company accounts, calendars, and data. This information provides hackers a stepping stone to a larger attack.  
  • Malware—You’re likely familiar with malware. But to expand, in the scope of BEC attacks, we are dealing with malicious software that infiltrates a company’s networks to gain access to emails about billing and invoices. The information it finds is then used to time requests, so that financial offers won’t question payment requests. Malware also lets criminals gain undetected access to data like users’ passwords and account information.  
What should you do after you discover a BEC attack?   

If you’ve fallen victim to a BEC attack, don’t panic. One of the best things you can do is to remain calm and act quickly. Here are the major steps you should take to prevent the attack from worsening.  

  1. Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal and a Hold Harmless Letter or Letter of Indemnity. 
  2. Alert your IT department/ manager about the incident and provide as much information about the incident as you can.  
  3. File a complaint with the FBI’s Internet Crime Complaint Center. 
  4. Secure email accounts with new and complex passwords. You should also add multi-factor authentication (MFA) if you or your client doesn’t already have it.  
How can you protect yourself and your organization from BEC attacks? 

All businesses are vulnerable to BEC attacks. That's why it's so essential that, as an MSP, you provide the proper education and tools to your clients to help them combat BEC. This checklist curated by ConnectWise will show you what threats to look out for, how to monitor them, and the best ways to tackle them when they arise. Here are three ways you can protect yourself from BEC attacks right now to give you a head start.  

  • Training is key—Because end users are the main target when it comes to BEC attacks, it’s more critical than ever to implement a cybersecurity awareness training program. Individuals should be well-versed—and able to spot—the tactics we discussed above. They should also know what steps they should take if they think they've encountered a potentially suspicious email. 
  • Check and double-check any changes to the Accounts Payable (AP) process—Create a process where the AP team gets an email with a new bank wire instruction, updated invoice, etc.  Be sure to go into the AP system and call the number on file to confirm a change is real. DO NOT email them back, the cyber criminals will have taken control of the email server and set up automatic email rules to respond with an email confirming the initial email is legitimate 
  • Review your technical controls—The goal is to look for signs of anomalous activity within any of your systems. What kind of activity do you see within Microsoft Office 365 or Google apps? Take the time to find out if you can see things like if a new forwarding rule was created or suspicious logins that might come from a new location you've never seen before. It would help if you also made sure multi-factor authentication hasn't been turned off. 
  • Deploy a modern email security solution like Armorblox that allows you to detect a lot of the BEC threats. These more modern email solutions are monitoring the email text for account numbers, user credentials, credit card numbers, etc. to catch scams early. These solutions also attempt to model the communications between employees to understand what normal communications look like to then flag potential BEC attempts.