What is Business Email Compromise (BEC)?

Business Email Compromise (BEC) attempts are on the rise. What is BEC, why are attacks on the rise, and how can companies detect and mitigate attacks?

Business email compromise (BEC) is one of the activities of attackers. Recent data shows that the cyberattack method is more common than ransomware. According to Cloudflare's Phishing Threat Report for the previous year, financial losses associated with BEC increased by 17% during that period. The authors note that attackers are increasingly resorting to methods of attacking organizations.

Unfortunately, hacking business email accounts is much easier than you might imagine.

Business Email Compromise (BEC) is a form of phishing in which attackers impersonate a company's CEO, suppliers, or customers in order to extort money. It's been around for years, but technologies like artificial intelligence (AI) are helping to make BEC attacks more convincing and sophisticated.

Voice deepfakes, which allow attackers to impersonate trusted individuals such as a CEO, are a growing concern, and generative AI systems such as ChatGPT are becoming increasingly available. So what is BEC, why are attacks on the rise, and how can companies detect and mitigate attacks?

Difference between BEC and phishing: how is BEC used in attacks?

In BEC attacks, the attacker changes the victim's payment details or requests unauthorized transactions in hopes that the victim will send money to their account. Mainton's head of cybersecurity says the company has seen some businesses lose "millions" to these types of attacks.

A senior cyber security consultant at Mainton, who previously worked as an investigator in the police cyber crime unit, cites the example of a BEC attack on a small manufacturing business that had received an invoice from a supplier.

“The bill looked identical to a genuine bill they had seen hundreds of times before and was of relatively low value. The only difference was that the bank account details were changed from the real invoice template. This was not a company the recipient had dealt with hundreds of times before, but a criminal posing as them”.

BEC fraud often involves the exploitation of individuals in financial positions, according to Mainton Research Group's principal security researcher. “These subtle deceptions are characterized by alterations to genuine business emails rather than mass phishing campaigns, making detection much more difficult”.

BEC does not always require sophisticated technology. Simple email manipulations are often enough to exploit sophisticated malware. Essentially, the strength of BEC lies in its use of the human element, making it both efficient and profitable.

Once attackers have stolen money, it can be retrieved immediately, says a threat intelligence analyst at Mainton. “Compare this to ransomware attacks, where a cybergang must expend enormous amounts of extra energy to extort victims: BEC is a much more efficient operation”.

How long will BEC be a threat?

BEC has been around for many years. While its origins are difficult to determine, experts say scams targeting businesses and organizations have been around since the advent of email. The FBI began tracking "emerging financial cyber threats" in 2013, calling them "business email compromises".

BEC attacks are difficult to detect because they do not use malware or malicious URLs that can hijack standard cyber defenses. Instead, they rely on impersonation and social engineering to trick people into unwittingly making contact with an attacker.

Artificial intelligence capabilities, especially tools like ChatGPT, have lowered the bar for sophisticated BEC attacks. Attackers, especially those with limited English language skills, can use tools like ChatGPT to launch increasingly sophisticated phishing campaigns. Creating these deepfakes is surprisingly easy with just internet access and a few dollars.

An example of this is an attack in which a CEO's voice was spoofed using a publicly available voice generator tool that creates "avatars" for marketing campaigns. The CFO of the target company was sent an audio message from an unknown number, but the attack was detected.

Even though the fake voice closely resembled the original, the CFO quickly realized that something was wrong and immediately contacted his CEO.

AI scammers can easily harvest personal information from LinkedIn or company websites to make their fake emails appear more real. AI can also learn how a person typically writes their emails and copy their style.

In the future, AI will undoubtedly be used to make it easier to create fraudulent accounts and conduct intelligence on businesses and individual targets. While deepfakes have already demonstrated the ability to convincingly imitate voices and faces, the potential of AI to analyze and simulate communication patterns opens up a new dimension.

At the same time, BEC attacks will become more automated and scalable through the use of AI.

How to identify and mitigate BEC attacks?

There are several steps companies can take to protect themselves and mitigate BEC attacks. First, companies can study the emails they receive. Look for small changes in email addresses. Check to see if payment details on invoices have mismatched fonts or indicate unrelated company names.

In the meantime, monitor for suspicious email forwarding rules that send certain emails to third-party systems. You should also be wary of pressure tactics or discounts offered for immediate payment.

To mitigate attacks, experts advise adopting strict password discipline, two-factor authentication (2FA), and appropriate tools to protect against hacking of these accounts.

Overall, the best defense is to have a strong policy in place. Sometimes these defenses can be time-consuming, so it is also important to establish a culture throughout the organization of understanding the risks that BEC attacks can pose.

Successful business email compromise relies on social engineering, so employee training is a must. Conduct internal testing to detect phishing and get feedback on any errors.

Also consider how training is tailored to your sales and finance functions. For example, training to ensure that all bank transfer requests are verified using vetted and established points of contact for suppliers, merchants and partners.

At the same time, perform regular checks of the mail server configuration, employee mail settings, and connection logs.

Experts say there are tools that can detect AI-based attacks, but at the same time, companies can help prevent attacks by limiting the exposure of their data.

Reduce the amount of publicly available information about company leaders and activities. The less data cybercriminals have to share with their AI, the less effective their impersonation efforts will be.

Mainton Company - custom software development and testing, DevOps and SRE, SEO and online advertising since 2004.