BEC stands for Business Email Compromise. BEC involves attackers gaining unauthorized access to a company's email account or impersonating a trusted individual for the purpose of carrying out fraudulent actions such as transferring money or obtaining sensitive information through social engineering tactics.
According to the 2021 IC3 report "BEC is responsible for $2.4 billion in adjusted losses in 2021 and a 556% increase since 2016."
BEC is expected to continue growing given the increase in remote workers, openly available generative AI tools, and the multitude of business-related accounts organizations have. Each of these factors increases the number of potential attack paths available to threat actors, so keeping email accounts secure is becoming increasingly challenging.
How does BEC work?
Business Email Compromise (BEC) is a type of cyber-attack in which an attacker impersonates a trusted individual, such as a senior executive or a vendor, in order to trick an organization or individual into divulging sensitive information or transferring funds. This attack vector has become increasingly prevalent in recent years and has resulted in significant financial losses for businesses of all sizes.
In a typical BEC attack, the attacker will conduct extensive research to learn about their target organization, including its key personnel, vendors, and business processes. They will then use this information to craft convincing emails that appear to come from a trusted source, often with a sense of urgency or importance, in order to prompt the recipient to take immediate action.
Now, with advancements in generative AI technology, BEC is becoming more common. Threat actors are able to generate textual messages that are believable and impersonate individuals, increasing their likelihood of tricking a victim.
Types of BEC
CEO fraud involves attackers impersonating high-ranking executives to solicit information from other members of the organization, whereas whaling involves attackers targeting high-ranking executives themselves.
Threat actors attempt to obtain valuable personal information about an individual at a company. They could then use this information to launch future attacks.
This attack occurs when a threat actor has already obtained access to an employee's email account. The actor then uses these legitimate credentials to request valuable information from others within the organization.
Impersonating the organization's lawyer, a threat actor contacts lower-ranking individuals in an attempt to retrieve sensitive information.
Business Email Compromise (BEC) vs Email Account Compromise (EAC)
In both cases, threat actors seek to disrupt or damage systems in order to carry out malicious activity. However, a business email compromise involves the impersonation of an important figure in an organization in order to trick an employee. This is considered a social engineering tactic.
EAC, on the other hand, is the act of stealing legitimate login credentials. Phishing or social engineering is sometimes used to do so, but EAC is not overtly a social engineering tactic in the way BEC is. Instead, EAC is more closely aligned with gaining access to login credentials.
Who does BEC target?
Any individual or company can be a victim of, or a likely target for, a BEC attack. If you work at a small organization that does not have a robust security infrastructure, be particularly wary of unusual communication patterns between yourself and high-ranking members of the organization.
Threat actors will likely do research on high-ranking individuals in an organization because they have public facing accounts with a lot of information readily available on them. These individuals are likely to be impersonated by threat actors for that reason and because the use of their name in an email might alarm or call for urgency from the recipient.
New employees are an easy target for threat actors because they don’t yet know what normal communication within the business looks like. Similarly, it is easier to provoke an emotional reaction from them. If an attacker engineers an email impersonating the CEO asking a new employee for login information, the employee may answer without questioning the situation.
Employees with access to sensitive information
HR employees and those in the finance department are particularly vulnerable to BEC attacks because of the access they have to financial and personal information on other employees.
How to protect against BEC
BEC attacks are a type of social engineering, making it difficult for standard security tools to detect because legacy systems look for a malicious link or malware which BEC attacks don't have.
Organizations can protect themselves from BEC attacks by:
- Improving visibility of account activity and user behavior
- Implementing an AI-powered security solution to assist the security team against AI-powered attacks
- Automating detection and response in security systems
- Making sure the most vulnerable employees are aware of BEC and trained to identify it
- Keeping software up to date
BEC case studies
Darktrace Supports Compliant Email Security and Risk Management
Emphasizing the threat of social engineering
What challenges do organizations face in preventing BEC attacks?
Some challenges organizations face when preventing BEC attacks include educating employees on how to identify and respond to phishing emails, keeping up with evolving attack tactics, and ensuring that security solutions are effective without disrupting legitimate business operations.
Leveraging compromised accounts, or sending messages without attachments so that there is no payload for security tools to inspect.
Social Engineering Tactics:
Spoofing high-level executives or the CEO to make the email appear legitimate and urgent
How can individuals protect against BEC attacks?
While organizations can implement robust security systems and training for their employees, individuals can follow these tips in order to stay ahead of BEC attacks:
Attackers will often impersonate high-ranking officials in an organization as a way to trick new employees into divulging sensitive information. If it is unusual for your CEO or other high-ranking officials to communicate with you directly, be wary of such messages.
Assess your emails
With the high volume of email communication that goes on in business, it can be difficult to read each email carefully. However, if you are about to click on a link or download a file, be sure to verify the sender’s address and read the email carefully, looking for unusual language or poor grammar. Be on the lookout for emails labeled “urgent”: attackers often try to pressure victims into rash, quick decisions, which increases the chance that the victim falls for the scam.
Requests for money
Most businesses have distinct processes to transfer money and keep strict regulations around how money moves in the business. If there is an attempt to bypass these regulations and transfer money or information via email, it is likely that this is a scam.
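The sender checks and content cues described in the sections above (an executive's name on an unfamiliar address, a Reply-To that diverts answers elsewhere, urgent language paired with a money request, and requests to bypass the normal process) can be turned into a simple inbound screening rule. The following is an added example written for this page, not Darktrace code: the executive directory, the internal domain `example.com`, the keyword lists and the two sample messages are all constructed.

```python
"""Heuristic screening of inbound mail for the BEC indicators described above.

Added illustration for this page, not Darktrace code. The executive directory,
the internal domain, the keyword lists and the sample messages are constructed.
"""
from email.utils import parseaddr

# Constructed directory: executives' display names and the addresses they
# really send from. The same name on any other address is a spoofing signal.
EXECUTIVES = {
    "jane doe": {"jane.doe@example.com"},
    "sam lee": {"sam.lee@example.com"},
}
INTERNAL_DOMAIN = "example.com"  # constructed

URGENCY_TERMS = ("urgent", "immediately", "asap", "right away", "before end of day")
PAYMENT_TERMS = ("wire", "transfer", "invoice", "bank details", "gift card", "payment")
BYPASS_TERMS = ("don't tell", "do not tell", "keep this confidential",
                "skip the usual", "no time for approval")


def screen_message(msg: dict) -> list[str]:
    """Return the BEC indicators found in one message (empty list = nothing flagged).

    msg keys: 'from' (address with display name), optional 'reply_to',
    'subject', 'body'.
    """
    findings = []
    display, addr = parseaddr(msg.get("from", ""))
    addr = addr.lower()
    name = display.strip().lower()
    sender_domain = addr.rsplit("@", 1)[-1]

    # 1. Display-name spoofing: an executive's name on an unrecognised address.
    if name in EXECUTIVES and addr not in EXECUTIVES[name]:
        findings.append(f"display name '{display}' used from unrecognised address {addr}")

    # 2. Lookalike domain: the company's domain label buried in a foreign domain.
    label = INTERNAL_DOMAIN.split(".")[0]
    if sender_domain and sender_domain != INTERNAL_DOMAIN and label in sender_domain:
        findings.append(f"lookalike sender domain {sender_domain}")

    # 3. A Reply-To outside the sender's domain diverts the victim's answer
    #    to a mailbox the sender of the From header does not control.
    _, reply_addr = parseaddr(msg.get("reply_to") or "")
    if reply_addr:
        reply_domain = reply_addr.lower().rsplit("@", 1)[-1]
        if reply_domain != sender_domain:
            findings.append(f"reply-to domain {reply_domain} differs from sender domain {sender_domain}")

    text = f"{msg.get('subject', '')}\n{msg.get('body', '')}".lower()
    urgent = any(t in text for t in URGENCY_TERMS)
    money = any(t in text for t in PAYMENT_TERMS)
    bypass = any(t in text for t in BYPASS_TERMS)

    # 4. Pressure plus a money request is the classic BEC combination.
    if urgent and money:
        findings.append("urgent language combined with a payment request")
    # 5. Asking to skip the normal process or keep quiet about the request.
    if bypass:
        findings.append("request to bypass normal process or keep the request confidential")
    return findings


# Constructed sample traffic: one impersonation attempt and one routine message.
SPOOFED = {
    "from": "Jane Doe <jane.doe@example-corp.net>",
    "reply_to": "jane.doe.ceo@gmail.com",
    "subject": "Urgent wire needed today",
    "body": "Please process this wire transfer right away and don't tell "
            "finance until it clears, I'm in a meeting.",
}
ROUTINE = {
    "from": "Jane Doe <jane.doe@example.com>",
    "subject": "Q3 planning",
    "body": "Can we move the planning meeting to Thursday?",
}


def run_samples() -> dict:
    """Screen both samples; returns {label: findings} for display or assertion."""
    return {"spoofed": screen_message(SPOOFED), "routine": screen_message(ROUTINE)}


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(label, "->", findings or "no indicators")
```

Each indicator on its own is weak (legitimate mail is sometimes urgent, and vendors do send invoices); the value is in the combination, which is why the output is a list of reasons rather than a single verdict, so an analyst or a downstream rule can weigh them.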
Darktrace vs BEC
Modern security teams are often overstretched dealing with an increased attack surface, enabling workforces for secure remote work, and managing multiple security tools to protect that workforce. Now, AI tools are being used by attackers to make their attempted cyber attacks even more difficult to spot. With a growing attack surface, security teams are doing more “hand-to-hand combat” with attacks than they should be.
AI-powered email solutions can level up security teams in numerous ways. Historically, email security tools have been trained on past attack data and therefore only alert on previously seen threats. With an AI-based model, it is possible to better prepare for and stop unknown threats.
With readily available AI tools that can assist with social engineering tactics, attack sophistication has increased. AI-driven security learns the behaviors of end users and how each individual operates within their inbox, and is thereby able to detect and respond to threats that deviate from normal activity.
Prevent human error
By understanding you and your organization, Darktrace/Email can detect when an email is likely being addressed to the wrong person, and at the perfect time intervene with a warning before the email is sent.
Detect account takeover
Darktrace uses AI to learn what normal communication looks like for every email user, in order to spot the subtle signs of anomalous emails sent with malicious intent, no matter who has sent them.
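A compromised account (the EAC case described earlier) sends with valid credentials, so content-only rules have little to go on; the behavioural idea above is to compare each message against what is normal for that particular sender. The following is an added example written for this page, not Darktrace's model: it builds a per-sender profile (recipient domains, sending hours, whether a Reply-To has ever been used) from a constructed message history and reports how a new message departs from it. The addresses, timestamps and messages are all constructed.

```python
"""Per-sender communication baseline for spotting a taken-over mailbox.

Added illustration for this page, not Darktrace's model. The message history,
sender and recipient addresses and the new messages are all constructed.
"""
from collections import Counter, defaultdict
from datetime import datetime


def domain_of(addr: str) -> str:
    return addr.lower().rsplit("@", 1)[-1]


class SenderProfile:
    """What has been observed for one sender: whom they write to, and when."""

    def __init__(self):
        self.recipient_domains = Counter()  # domain -> message count
        self.send_hours = Counter()         # hour of day -> message count
        self.reply_to_seen = False

    def observe(self, msg: dict) -> None:
        for rcpt in msg["to"]:
            self.recipient_domains[domain_of(rcpt)] += 1
        self.send_hours[msg["sent"].hour] += 1
        if msg.get("reply_to"):
            self.reply_to_seen = True


def build_profiles(history: list[dict]) -> dict:
    """Learn one SenderProfile per sender address from past messages."""
    profiles = defaultdict(SenderProfile)
    for msg in history:
        profiles[msg["from"].lower()].observe(msg)
    return profiles


def deviations(profile: SenderProfile, msg: dict) -> list[str]:
    """Ways in which msg departs from the sender's observed pattern."""
    if not profile.send_hours:
        return ["no history for this sender"]
    findings = []
    for rcpt in msg["to"]:
        d = domain_of(rcpt)
        if d not in profile.recipient_domains:
            findings.append(f"first message ever to domain {d}")
    lo, hi = min(profile.send_hours), max(profile.send_hours)
    hour = msg["sent"].hour
    if not (lo - 1 <= hour <= hi + 1):  # one hour of slack around the observed window
        findings.append(f"sent at {hour:02d}:00, outside usual hours {lo:02d}-{hi:02d}")
    if msg.get("reply_to") and not profile.reply_to_seen:
        findings.append(f"reply-to {msg['reply_to']} set, never seen from this sender")
    return findings


def _msg(sender, to, hour, minute=0, reply_to=None):
    """Build a constructed message record; all timestamps fall on one sample day."""
    return {"from": sender, "to": to, "sent": datetime(2024, 3, 4, hour, minute),
            "reply_to": reply_to}


SENDER = "sam.lee@example.com"  # constructed
HISTORY = [
    _msg(SENDER, ["jane.doe@example.com"], 9),
    _msg(SENDER, ["ap@example.com"], 10, 30),
    _msg(SENDER, ["billing@vendor.example.net"], 11),
    _msg(SENDER, ["jane.doe@example.com", "ap@example.com"], 14),
    _msg(SENDER, ["billing@vendor.example.net"], 16, 45),
    _msg(SENDER, ["ap@example.com"], 17),
]
# Same legitimate account, but: 03:12, a never-seen payment domain, and a
# Reply-To to a webmail address the real sender has never used.
SUSPICIOUS = _msg(SENDER, ["ap@example.com", "treasury@fastpay-example.org"],
                  3, 12, reply_to="sam.lee.work@gmail.com")
BENIGN = _msg(SENDER, ["jane.doe@example.com"], 10)


def run_samples() -> dict:
    """Profile the history, then score both new messages."""
    profile = build_profiles(HISTORY)[SENDER]
    return {"suspicious": deviations(profile, SUSPICIOUS),
            "benign": deviations(profile, BENIGN)}


if __name__ == "__main__":
    for label, findings in run_samples().items():
        print(label, "->", findings or "consistent with baseline")
```

None of these three signals involves the message text, which is the point: a taken-over mailbox can write perfectly plausible prose, but it rarely writes it at 03:00 to a domain the real owner has never contacted while redirecting replies to webmail.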
Employee Input Feeding Back into AI
Over time, Darktrace/Email gradually factors employee feedback into its decision-making, improving productivity and overall security.
Instead of looking at previous attacks to predict those of the future, Darktrace AI learns the ‘pattern of life’ of an organization, including its users, devices, and servers. This allows it to identify the first signs of a ransomware attack, regardless of whether the method or type of attack has been seen before.