IT Security

Business Email Compromise

What is Business Email Compromise?

The Cybersecurity and Infrastructure Security Agency (CISA) explains a social engineering attack as an incident where “…an attacker uses human interaction (social skills) to obtain or compromise information about an organization or its computer systems.”1 An attacker may seem innocuous or even charming, and may claim to be a new hire, a contractor, or a researcher, and could even provide credentials such as business cards or badges to confirm that identity. To add to their credibility, the attacker may contact multiple people within an organization, relying on information obtained through those other interactions to reassure the potential victim about their identity and purpose.  

Business email compromise (BEC) is a social engineering technique. BEC relies on winning the trust of the email recipient, most often with the goal of conducting fraudulent business transactions. In 2019, a rising trend in BEC attacks was for cyber-attackers to conduct fraudulent business transactions by hijacking or imitating (‘spoofing’) a legitimate email account. BEC has been prevalent across businesses of all sizes and sectors, with the FBI reporting that BEC attacks resulted in USD 1.7 billion in financial losses in 2019- making it the highest grossing form of internet crime.2 While some of these attacks have resulted in losses in the millions from a single attack, many focus on economies of scale- eliciting smaller amounts from many targets in many campaigns.3

How is business email hacked?

Some BEC or email hacking tactics, techniques, and procedures (TTPs) include:  

Display name deception. The “From” header shows a legitimate sender with an executive name of an organization. The email could request sensitive information and/or money. 

DNS spoofing/DNS cache poisoning. Altered DNS records are used to redirect online traffic to a fraudulent website that resembles the intended destination. Once there, victims log-in, giving cyber-attackers the opportunity to steal their credentials and other sensitive data. The cyber-attacker could also use the opportunity to install malicious software, giving them long-term access to the victim’s data. 

Vendor email compromise (VEC). Also known as supply chain takeover, a VEC attack typically involves a cyber-attacker posing as an executive, manager, or vendor who sends an email to employees requesting that funds be transferred or that W-2s or payment information. The cyber-attacker then routes payments to their own account.  

Person-in-the-middle (PITM) techniques. Intercepts communications between users and a DNS server in order to reroute users to a malicious IP address. 

An effective BEC defense will require organizations to secure all of the channels that cyber-attackers exploit, such as corporate email, personal webmail, business partners’ email, cloud applications, web domains, and users’ behaviors. BEC attacks rely on a victim taking an action, so cybersecurity awareness is an essential element of a defense. Beyond cybersecurity training, organizations can protect themselves through domain authentication, robust email security, account protection, and surveillance.

Is your business email network at risk?

The short answer is: always. Contact Exisor to secure your business email network and reduce risk of exploitation.

1 Cybersecurity and Infrastructure Security Agency (CISA), 2009/2020, “Avoiding Social Engineering and Phishing Attacks” 

2 FBI, 2020, “2019 Internet Crime Report” 

3 Carter, LogRhythm, 2021, “The Remote Workforce Will Lead to More Ransomware Incidents in 2021”