Business email compromise (BEC) is a recent variant of sophisticated cyberattack in which an attacker breaks into or spoofs a corporate email account and impersonates the finance officer or CEO to defraud a company, its employees, customers and partners into sending money, personally identifiable information (PII) or material goods.
Such attacks most often originate from spoofed, compromised or fraudulent email accounts, orchestrated by an attacker who inserts themselves into the conversation to target the key individuals who control the flow of funds.
BEC is a social engineering technique structured around establishing trust with the target and then inflicting damage. The usual targets are companies that conduct wire transfers and personnel in accounting positions. However, anyone is vulnerable to a BEC attack if they hold critical information that can yield returns for cybercriminals.
Anatomy of a Business Email Compromise Attack
A BEC attack starts with the attackers building target email lists, collected from LinkedIn profile scraping, business email databases and contact information posted on social media.
Attackers then launch the BEC campaign by sending mass emails using techniques such as fake sender names and look-alike domains. The threat actor mimics the identity of someone the target should trust, typically a boss, vendor or colleague. Their messages persuade the target into making a wire transfer, diverting payroll, updating bank details and so on.
Once the attackers have built trust with the targeted individuals, they make their financial gain or data theft at a cost borne by the victim.
Techniques for carrying out BEC scams
BEC is more about social engineering and human manipulation than about technology and hacking. BEC scams are easy to execute with minimal tools and tradecraft, and the easy accessibility and repeatable nature of the following techniques only add to their popularity among scammers. Standard cyber defences prove ineffective because BEC involves little malware or malicious URLs and relies instead on impersonation, deception and social engineering.
Typo-squatting or domain squatting
Introducing slight changes to email addresses or domains creates look-alike versions of the originals. This bypasses the victim’s quick information processing and manipulates them into acting before they can tell the fake from the authentic.
Malware with sophisticated code to extract internal data can help an attacker infiltrate company networks and gain access to billing and invoice email threads, which are key sources of information for timing requests so that they do not arouse the suspicion of accountants.
Phishing is a cybercrime in which targets are contacted by email, SMS or telephone by someone posing as a legitimate institution to lure them into providing sensitive data such as PII (personally identifiable information), banking details, credit card details and passwords.
The information is then used to access important accounts and can result in identity theft and financial loss.
Some of the prominent cases of phishing are as follows:
- Love Bug of 2000 (Philippines)
  - Email message titled “I LOVE YOU”: “kindly check the attached LOVE LETTER coming from me”.
  - Opening the attached .txt file unleashed a worm that overwrote image files and sent a copy of itself to the user’s Outlook contacts.
- “Post 9/11 ID Check”: shortly after the September 11 attacks on the World Trade Center, New York.
- Late 2003: phishers registered domains that looked like eBay and PayPal, asking users to update their credit card details and other personally identifiable information.
- 2011: internal RSA staff successfully phished.
  - Master keys for all RSA SecurID security tokens were taken and used to break into US defence suppliers.
- 2016: year of “Fancy Bear” (phishing goes political)
  - Attacks on the DNC leading up to the US elections.
  - Attacks on the World Anti-Doping Agency (WADA).
  - Attacks on members of the Bundestag and other German political parties.
- 2018: Phishing as a Service launched
  - Phishing kits readily available on the dark web, letting anyone launch a phishing campaign with ease.
  - They enable convincing emails and redirect sites that mimic well-known companies.
By acquiring a victim’s personal details, such as their friends and employment details, a cybercriminal can disguise himself as an entity the victim trusts in order to extract sensitive information. Such social engineering attacks that appear to come from a trusted sender account for 91% of all BEC attacks.
Common Features in all kinds of Phishing/Spear phishing attacks
- Threat or sense of urgency – A favourite tactic among cybercriminals is to ask you to act fast because the “super deal” is only available for a limited time; some will even tell you that you have only a few minutes to respond. When you come across these kinds of emails it is best to ignore them. Sometimes they will tell you that your account will be suspended unless you update your personal details immediately. Most reliable organisations give ample time before they terminate an account, and they never ask patrons to update personal details over the Internet. When in doubt, visit the source directly rather than clicking a link in an email.
- Too good to be true – Lucrative offers and eye-catching, attention-grabbing statements are designed to attract people’s attention immediately, e.g. many claim that you have won an iPhone, a lottery or some other lavish prize. Do not click on anything in such suspicious emails. Remember that if it seems too good to be true, it probably is not true.
- Suspicious attachments – If you see an attachment in an email you were not expecting, or one that does not make sense, do not open it. Such attachments often carry payloads like ransomware or other kinds of malware. The moment they are opened they download and install malware on the device, which then steals personal information and relays it back to the cybercriminal.
- Hyperlinks – A link may not be all it appears to be. Hovering over a link shows you the actual URL you will be directed to upon clicking it. It could be completely different, or it could be a popular website’s name with a misspelling, so look very carefully before following a hyperlink.
- Unusual sender – Whether it looks like it is from someone you do not know or someone you do know, if anything seems out of the ordinary, unexpected, out of character or just suspicious in general, do not click on it. Cybercriminals can alter the sender’s name or address by changing just one or two characters, which is hard to notice while corresponding with the sender.
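The indicators above (look-alike sender domains, urgency language, a link whose visible text differs from its real destination) can be checked mechanically before a finance request is acted on. The following Python script is an added illustration, not code from the original article or any vendor it mentions; the trusted-domain list, the sample message and the threshold are constructed assumptions, and the homoglyph table is deliberately small.

```python
import re
import unicodedata
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr
# Hypothetical trusted domains; a real deployment loads its own list.
TRUSTED_DOMAINS = {"example-corp.com", "vendor-example.com"}
# Swaps used in look-alike domains: digits for letters, "rn" for "m", "vv" for "w", Cyrillic for Latin.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
              "\u0430": "a", "\u043e": "o", "\u0435": "e"}
URGENCY_WORDS = ("urgent", "immediately", "confidential", "wire")

def skeleton(domain):  # canonical form of a domain so that look-alikes collapse onto the original
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d

def lookalike_of(domain):
    """Trusted domain that `domain` imitates (homoglyph swap, buried name or one-letter edit), or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    sk = skeleton(domain)
    for trusted in sorted(TRUSTED_DOMAINS):
        st = skeleton(trusted)
        if sk == st or st in sk or SequenceMatcher(None, sk, st).ratio() >= 0.85:
            return trusted
    return None

def domain_of(header_value):
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def link_mismatches(html):
    """Anchors whose visible text shows one host while the href goes to another."""
    hits = []
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', html, re.I | re.S):
        shown = re.search(r"https?://([^/\s<]+)", text)
        actual = re.search(r"https?://([^/\s]+)", href)
        if shown and actual and shown.group(1).lower() != actual.group(1).lower():
            hits.append((shown.group(1).lower(), actual.group(1).lower()))
    return hits

def bec_indicators(raw_message):
    """Indicator strings found in one RFC 822 message; an empty list means none were found."""
    msg = message_from_string(raw_message)
    findings, from_dom = [], domain_of(msg.get("From", ""))
    if target := lookalike_of(from_dom):
        findings.append(f"from-lookalike:{from_dom}~{target}")
    if msg.get("Reply-To") and domain_of(msg["Reply-To"]) != from_dom:
        findings.append(f"reply-to-mismatch:{domain_of(msg['Reply-To'])}")
    body = msg.get_payload()  # single-part message assumed; walk parts for multipart mail
    if urgent := [w for w in URGENCY_WORDS if w in (msg.get("Subject", "") + " " + body).lower()]:
        findings.append("urgency:" + ",".join(urgent))
    findings += [f"link-mismatch:{s}->{a}" for s, a in link_mismatches(body)]
    return findings

# Constructed sample (not a real message): a "CEO" mail from a digit-for-letter look-alike domain.
SAMPLE_BEC = """From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: jane.doe@webmail-example.net
Subject: Urgent wire transfer - confidential

<p>Please send the payment immediately.</p>
<a href="http://pay.evil-example.net/portal">http://portal.vendor-example.com</a>
"""
```

Running `bec_indicators(SAMPLE_BEC)` returns four findings, one for each indicator; a genuine invoice from a trusted domain with matching link text returns an empty list.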
Role of personality traits in social engineering-based attacks
BEC attacks aim to overcome security controls by finding weaknesses in human behaviour. These scams usually combine tactics that influence and persuade decision making, such as authority, time pressure and tone.
BEC emails often arrive with an element of time pressure and urgency, and if the employee is of lower rank and afraid to question the authenticity of the requester, an attacker who has done careful research can prey on that fear.
In classical decision theory, decision making under pressure or risk depends on logic. Whereas reasonable people should opt for rational choices, human decisions tend to be biased. A criminal who knows this bias can manipulate the decision-making process.
BEC frauds target different personality vulnerabilities, such as the desire for overnight success or to be appreciated and praised by managers. People with such “victim personalities” are more prone to social engineering scams, which blend easily with BEC and cause more financial or reputational harm to the victim.
There is a close link between personality traits and the probability of being duped by social engineering attacks. Social engineering, with its capacity to study victims in depth, proves fatal for people with personality traits like:
- Conscientiousness: people with this trait adhere to the rules the company sets out in policy. Such people are more vulnerable to SE techniques that exploit rules, social norms and policies.
- Extraversion: people with this trait rely on social interaction, usually obtaining gratification from outside themselves, which leaves them vulnerable to the scarcity principle.
- Agreeableness: individuals who are more trusting raise few concerns about privacy invasion, which leaves them vulnerable to SE targeting once a social engineer establishes a trust relationship.
Examples of Business email Compromise
Emails sent by perpetrators come in different archetypes and are scripted with a combination of tactics to exploit the target’s vulnerability. The Federal Bureau of Investigation (FBI) has put together a few major types of BEC scams:
Account compromise
The cybercriminal uses an employee’s or executive’s compromised email account to ask customers and suppliers listed in their contacts to pay invoices into a fraudulent bank account.
Whaling and CEO fraud
The cybercriminal impersonates the CEO (hence “whaling”) or another high-level executive of a company and emails finance executives, instructing them to urgently transfer money from the corporate account to the criminal’s bank accounts.
Attorney impersonation
A cybercriminal poses as a lawyer or representative of a law firm that handles sensitive matters for the corporation and asks for money to be paid immediately to keep things confidential.
False invoice scheme
A company with foreign suppliers often falls victim to this tactic, in which scammers pretend to be the suppliers and request payment for goods or services into accounts registered under the fraudster’s name.
Data theft
The usual targets of these attacks are HR employees, from whom personal or sensitive information about CEOs and executives is obtained. This data can be sold on the dark web or used in future attacks such as whaling and CEO fraud.
Financial Damages caused by Business Email Compromise
BEC attacks may be fewer in number, but the damage they inflict is enormous, says the FBI, which estimated $1.6 billion in losses to U.S. businesses from 2013 to 2016. Since 2016 the global total has exceeded $26 billion, according to a report released by the FBI in 2019.
From 2013 to 2018 the FBI recorded a loss of $12.5 billion globally, and $2.3 billion from 2013 to 2016, which puts total losses from 2016 to 2018 at $10.2 billion. That means losses from 2018 to 2019 are close to $16 billion, so 62% of losses from 2016 onward were inflicted in 2018 alone.
According to a report issued by insurance giant AIG in 2019, BEC accounted for 23% of cyber breach claims in 2018, up from 11% in 2017. Claims for BEC damages also surpassed those for ransomware, among claim categories that include breaches caused by hackers, data breaches caused by employees, impersonation fraud, virus or malware infections, system failures or outages and physical loss of assets.
According to a report released by the Association of Financial Professionals (AFP) in spring 2019, 81% of companies received fraudulent emails impersonating their senior executives, 44% received emails purporting to be from vendors, and 33% reported emails from third parties requesting payment or an update to payment information.
Compared with small and medium-sized businesses, larger companies faced colossal losses from BEC. The AFP survey found that 25% of organisations above $1 billion in size bore losses of over $1 million.
Real world examples of Financial Damages by BEC
We would like to share some real-world BEC scams that cost their victims millions of dollars in financial damage:
- $17.2 Million Acquisition Scam (2014)
Our first example shows how fraudsters can play on a target’s trust and exploit interpersonal relationships.
In June 2014, Keith McMurty, a Scoular employee, received an email supposedly from his boss, CEO Chuck Elsea. The email informed McMurty that Scoular was about to acquire a Chinese company. Elsea instructed McMurty to contact a lawyer at the accounting firm KPMG, who would help facilitate a transfer of funds and close the deal. McMurty complied and soon found himself transferring $17.2 million to a Shanghai bank account in the name of “Dadi Co”. According to the affidavit filed by the FBI in the Nebraska court, the amount was transferred in three transactions to the Dadi Co account at Shanghai Pudong Development Bank.
The CEO’s email, as you might have guessed, was fraudulent. The scammers had used email impersonation to create accounts imitating both Elsea and the KPMG lawyer.
Scoular is a 124-year-old US grain trading and storage company with revenue of USD $5.9 billion.
- Ubiquiti Networks, USA defrauded of USD $47 million (2015)
In August 2015, the US networking firm Ubiquiti Networks disclosed that cyber attackers had stolen USD $46.7 million through a business email compromise attack in which the attackers pretended to be executives of the victim company in order to initiate unauthorised international wire transfers to bank accounts under their control.
The company was originally alerted to the potential fraud by the Federal Bureau of Investigation, which had been monitoring suspicious, large transactions out of the company’s subsidiary bank accounts in Hong Kong.
In its statement the company said that it was the victim of “criminal fraud” involving “employee impersonation” and fraudulent requests from an outside entity targeting the company’s finance department. The scam led to the transfer of USD $46.7 million held by a Ubiquiti subsidiary incorporated in Hong Kong to other overseas accounts held by third parties.
However, with the help of the FBI some of the misappropriated funds were recovered, and the final loss came to USD $39.1 million.
Employee impersonation is carried out by means of email spoofing and phishing, and is an integral part of BEC attacks.
- Google and Facebook conned of USD $123 million(2013-2015)
Not even two of the biggest US technology firms are safe from fraud stemming from BEC attacks: the search company and the social network were named in one of the biggest cyber frauds ever carried out through BEC.
Court records from the Southern District of New York reveal that Google and Facebook transferred USD $123 million to the account of a Lithuanian man after he hit both companies with a BEC scam.
The Lithuanian, Evaldas Rimasauskas, aged 50, pleaded guilty to tricking Google and Facebook into transferring over USD $123 million into a bank account under his control after posing as a company that supplied the Internet giants with hardware for their data centres. The wire transfers by both companies against forged invoices continued from 2013 to 2015.
He registered and incorporated a company in Latvia with the same name as Quanta Computer, a Taiwan-based electronics manufacturing giant that has been operating since the 1980s.
Knowing full well that Facebook and Google use Quanta hardware in their data centres, Rimasauskas sent the firms emails claiming to be from Quanta, with forged invoices and fraudulent contracts. Facebook and Google transferred close to USD $123 million against these forged invoices into the accused’s account.
Rimasauskas pleaded guilty and faces up to 30 years in prison. He was indicted in December 2016, arrested in Lithuania in March 2017 and extradited to the United States.
- BEC scam leads to theft of USD $18.6 million from the Indian unit of an Italian firm (2019)
In a classic case of business email compromise, Chinese hackers stole USD $18.6 million from the Indian arm of Tecnimont SpA, an Italian engineering company, through an elaborate cyber fraud in which they impersonated the firm’s CEO.
The cybercriminals sent multiple emails requesting funds to the Indian head of Tecnimont, part of the publicly traded Maire Tecnimont group. The emails came from an account that looked deceptively similar to the one used by the Italian group’s CEO. The attackers also organised conference calls to discuss a possible “confidential” acquisition in China.
The scammers asked the India head to transfer the money for an acquisition in China, convincing him that it could not be transferred from Italy because of legal and regulatory issues. The India head then transferred the money in three batches during the week of November: USD $5.6 million, USD $9.4 million and USD $3.6 million respectively. The funds were sent from a bank in India to banks in Hong Kong and were withdrawn immediately.
The scam came to light when the Tecnimont SpA chairman visited India.
The cyber fraud case has been lodged with the Mumbai Police Cyber Crime Division.
The incident highlights the lack of awareness of business email compromise attacks. Defending against a sophisticated BEC scam is far more difficult than spotting a phishing mail.
Safeguards against BEC Attacks
Business email compromises occur because of insufficient security protocols, social engineering and a lack of employee awareness. Protection against these factors comes in many forms. The following techniques are the most commonly employed:
Email encryption
The Internet was not designed to offer security. It was first designed to exchange messages; as time progressed, many applications were launched over the Internet, including mail.
Mail sent and received over the Internet is highly vulnerable to interception by hackers, who later exploit it to launch phishing or ransomware attacks.
The solution to this problem is to encrypt mail before sending it, so that only the intended recipient, who holds the corresponding decryption key generated by the encryption software, can unlock and read it.
Ransomware is a type of malicious software (malware) that threatens to publish data or blocks access to data or a computer system, usually by encrypting it, until the victim pays a ransom fee to the attacker to obtain the decryption key. In many cases the ransom demand comes with a deadline; if the victim does not pay in time, the data is gone forever. The fee is normally paid in cryptocurrency so that it cannot be traced back to the cybercriminals who initiated the attack.
Some of the largest ransomware attacks have been WannaCry, CryptoLocker, NotPetya and Bad Rabbit.
Multi-factor authentication (MFA)
Part of IT security, MFA requires presenting two or more pieces of evidence to log in to one’s account. In a company, enforcing strict MFA for C-level executives and employees with authority to initiate payments reduces the risk of BEC.
Verification by call
In today’s remote-working culture it makes sense to verify payment and invoice requests by phone or in person to validate the legitimacy of the email. While talking, confirm that the account number and mode of payment are the same as before, or whether any changes have been made since the last time.
Be wary of emails involving payments or sensitive data that ask for quick action. Carefully scrutinise wire transfer requests that demand hasty completion of a payment. Train employees to identify fraudulent emails and encourage them not to hesitate, but to investigate, whenever a doubt arises.
Double-checking language & style
Official emails seldom contain typos or an offbeat tone and style. Knowing your customers’ and vendors’ habits is key: any hint of a sudden change in business practice is a sign that BEC may be at play.
Email security establishment
G Suite and Office 365 are becoming mainstream. Although they offer better anti-spam and anti-malware protection, their built-in security should form the base of a company’s email security, not the entirety of it. A company should learn about the pros and cons of these platforms and invest in security that builds upon the baseline protection.
Limiting personal data shared online
By sharing data online such as a pet’s name, a birthday or the university one attended, a person exposes himself to BEC scams. This information forms the basis for password guessing by scammers, who can play with openly available sensitive data to break into personal or professional accounts.
According to the AFP survey, 76% of companies now prohibit payments requested by email, 76% conduct anti-phishing training, 68% have some sort of verification mechanism in place, and 65% use two-factor or multi-factor authentication.
Compromised email systems can adversely affect legitimate business interests, inflicting losses running to millions of dollars as well as reputational damage. Organisations and employees need to transform and adapt their mindset and their internal and external processes, including data protection, privacy and security measures, to keep pace with evolving business email compromise threats. Safeguarding a company’s privacy and data security comes with perks such as greater employee confidence in the company and business longevity.
We at Data Secure have partnered with Trustifi Inc, US (www.trustifi.com) for offering world class Secure Email Solutions that are encrypted with 256 bit military grade encryption and provide complete safeguard from BEC attacks and scams including Phishing, Ransomware and malware infections. Trustifi Inc solutions also offer 2 factor authentication.
Kindly watch how to stay protected from BEC attacks from Hackers at :
For any demo/presentation of solutions on BEC attacks and Secure Email transmission, kindly write to us at
For downloading the various Global Privacy Laws kindly visit the Resources page in