Business Email Compromise—How It Works and How to Stop It


Devin Partida


July 21, 2021

Staying on top of cybersecurity means remaining aware of common attack methods. Business email compromise (BEC) has become more prominent recently. Here’s a breakdown of what it is and how to prevent it.

What Is Business Email Compromise?

A business email compromise scam typically involves requests for financial details or payments that seem to come from legitimate sources. For example, a personal assistant may get an email from someone posing as their boss, asking them to wire money immediately.

Alternatively, someone in the accounting department may get an email from a trusted vendor that instructs them to immediately send payments to a different address or account than usual. Sometimes, BEC attacks occur when the requestor asks someone to purchase gift cards and send them the details by email, presumably to send to employees as thank-yous.

How Do Hackers Cause Business Email Compromise Attacks?

Some BEC attacks stem from traditional phishing attacks. For example, the FBI reported that cybercriminals often target people who use cloud-based email services. The organization indicated that this type of BEC resulted in more than $2.1 billion in losses between January 2014 and October 2019, with attacks centered on two popular cloud-based email providers.

Many hackers also rely on spear-phishing when orchestrating BEC attacks. These differ from conventional phishing efforts because they target one or a few people rather than featuring messages for mass distribution.

Social engineering also typically plays a significant role in BEC attempts. That’s because hackers often perform extensive research before targeting their victims. They hope recipients will see the correspondence as so authentic they never question it. The goal is to build trust. Thus, BEC content may arrive as what looks like an ongoing email thread rather than a single cold message. Some hackers don’t actually break into a company inbox when running a BEC attack. Instead, they mimic a genuine email address by registering a lookalike domain or using an address that differs by a character or two, for example a swapped letter or a digit in place of a letter. That’s often a successful tactic since many people don’t scrutinize addresses, especially when the display name matches someone they know and trust.

What Can Companies Do to Minimize BEC Attacks?

Minimizing BEC attacks is part of an overarching cybersecurity strategy. One of the trends for this year is an increased business emphasis on cybersecurity by company owners. They know that an effective cybersecurity strategy enhances the brand and could facilitate new relationships with customers. Thus, leaders should always view BEC minimization as a part of a more extensive approach to online safety.

Teaching employees to view email messages skeptically is an excellent proactive measure. It’s especially important to do that when the content demands urgent action. Getting workers in the habit of verifying requests instead of immediately acting is a best practice. For example, recipients should contact the supposed sender through other means to check a request’s legitimacy.

Another minimization strategy is to activate multifactor authentication (MFA) for all email accounts. With MFA enabled, a stolen or phished password alone is not enough to log in, so an attacker is less likely to get into the mailbox at all, let alone read existing threads and send from it. MFA does nothing against lookalike addresses, though, since in that case the attacker never touches the real account, so it complements rather than replaces the verification habit.

Company leaders can also blend high- and low-tech anti-fraud controls at the workplace. Automated screening tools, including artificial intelligence-based ones, can flag possible BEC attacks, but they’re not foolproof, so a payment request still needs a human verification step before money moves, whether or not the tool flagged it.
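As an added illustration of the kind of screening such tools perform, and of the lookalike-address tactic described earlier, here is a small rule-based checker. It is example code written for this article, not a Cigent product or the author's tool. The trusted-domain list, the table of confusable characters, the keyword patterns and both sample emails are constructed assumptions; a real deployment would tune them to the organization's own vendors and language.

```python
"""Rule-based screener for business email compromise (BEC) red flags.

Example code added to illustrate the article; not a product or the author's
tool. Trusted domains, the confusable-character table, keyword lists and
both sample emails below are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed set of domains the company legitimately corresponds with.
TRUSTED_DOMAINS = {"example.com", "acme-vendor.com"}

# Character sequences that look alike in common fonts (a small, assumed
# table, not exhaustive). "examp1e.com" normalises to "example.com" and
# "acrne-vendor.com" to "acme-vendor.com".
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]

# Constructed keyword patterns for the three BEC themes in the article:
# urgency, a payment request, and a change of payment details.
URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire(?: transfer)?|bank account|routing number|gift cards?|invoice|payment)\b", re.I)
CHANGE = re.compile(r"\b(new|updated|changed|different)\s+(?:bank|account|banking|payment)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value between two domains means one imitates the other."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case and collapse confusable sequences so homoglyph tricks compare equal."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def lookalike_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return the trusted domain that `domain` imitates, or None if `domain`
    is itself trusted or is not close to any trusted domain."""
    domain = domain.lower()
    if domain in trusted:
        return None
    probe = normalise(domain)
    for t in sorted(trusted):
        # max_distance=2 is a demo threshold; very short domains need a tighter one.
        if levenshtein(probe, normalise(t)) <= max_distance:
            return t
    return None


def score_message(raw: str) -> dict:
    """Return {flag: detail} for every BEC indicator found in one RFC 822 message."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    text = msg.get("Subject", "") + "\n" + msg.get_payload()

    flags = {}
    imitated = lookalike_domain(from_domain)
    if imitated:
        flags["lookalike_sender"] = f"{from_domain} resembles trusted {imitated}"
    # A Reply-To pointing elsewhere routes the victim's answer to the attacker.
    if reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        flags["reply_to_mismatch"] = f"replies go to {reply_addr}, not the From domain"
    if URGENCY.search(text) and PAYMENT.search(text):
        flags["urgent_payment"] = "urgency language combined with a payment request"
    if CHANGE.search(text):
        flags["payment_details_change"] = "asks to use new or changed payment details"
    return flags


# Constructed sample: CEO impersonation from a lookalike domain.
FRAUD_EMAIL = """\
From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: assistant@example.com
Subject: Urgent wire needed today

Hi, I am in a meeting and cannot talk right now. Please wire $48,000
immediately to the new bank account below and email me the confirmation.
Keep this confidential.
"""

# Constructed sample: routine vendor invoice, no red flags.
LEGIT_EMAIL = """\
From: Accounts Payable <ap@acme-vendor.com>
To: accounting@example.com
Subject: March invoice

Hi, attached is the invoice for March. Payment terms are net 30 as usual.
"""

if __name__ == "__main__":
    for label, raw in (("fraud", FRAUD_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, score_message(raw))
```

A screener like this is a triage aid, not a verdict: a message with no flags still needs the out-of-band check before anyone changes banking details or sends a payment, and a flagged one should simply go straight to that check.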

Broader employee awareness of BEC tactics beyond email skepticism is another essential element, particularly if people work from home. It may not be as easy for remote workers to verify the legitimacy of a suspicious email. While on-site, a person can walk to someone’s office or refer to a phone number list to ask about a strange email. Remote workers need an agreed alternative, such as a known phone number or an internal chat channel, so that verification never relies on the contact details given in the suspicious message itself.

Knowledge Brings Reduced Risk

The people who orchestrate business email compromise attacks aim to become so familiar to and trusted by their targets that those individuals follow their requests without much or any hesitation. However, when everyone at a company becomes aware of how BEC scams work, it’s less likely people will fall for them. Updating everyone about what they need to know is an excellent starting point.

Cigent D3E protects your files in a way that's never been done before.
