BEC: The $1.7 billion scheme your customers can’t afford to ignore

Best practices for identifying and combatting business email compromise

By Chris Crellin, Senior Director of Product Management, Barracuda MSP

Chris Crellin, senior director of product management, Barracuda MSP

Phishing attacks are evolving into a wide variety of complex schemes that are increasingly difficult to guard against using traditional email security approaches. For example, a small but growing number of cybercriminals use business email compromise (BEC) attacks to steal data and money.

In a BEC attack, cybercriminals impersonate an employee in an organization to scam other employees, customers, or partners. Often, these attacks are focused on employees who can perform wire transfers or have access to sensitive information. Unlike more generalized phishing schemes, these attacks rely on social engineering and compromised accounts rather than malicious attachments or links. 

Criminals first gain access to a legitimate business email account or create a false account that is nearly identical to a real one. While these attacks comprise just 7 percent of spear-phishing schemes, the FBI reports that BEC attacks resulted in more than $1.7 billion in losses in 2019.

When well-executed, these attacks can be lucrative and almost impossible to detect until it’s too late. As Barracuda recently outlined in a blog post about the Norwegian company Norfund, the attacks themselves can also be quite complicated. In that case, criminals stole $10 million by first gaining network access and then spending several months gathering information before creating a fake Norfund email address and impersonating an employee who was authorized to disperse funds through a partner bank.

Common BEC Attack Tactics

To properly defend against these attacks, it’s vital to know the most common methods to launch them. After gaining access to a network, the attacker bides their time studying the organization to understand better the billing processes, vendors, and communication patterns used by employees. 

From there, the attacker uses a bogus email to try to trick someone in the finance department to transfer funds to their account. It’s nearly impossible to retrieve funds once they’ve been transferred unless the mistake is spotted quickly.

There are few variations of these attacks. In some cases, attackers impersonate foreign suppliers and issue phony invoices. They may pose as a high-ranking executive and ask for a funds transfer to a false account, for example. 

In other instances, attackers gain access to a real executive email account and request invoice payments to an actual vendor but using a fraudulent bank account. Attackers may also steal sensitive information by impersonating an attorney or tricking HR or bookkeeping employees into sharing information.

Defending Against BEC

As with most phishing attacks, the best defense begins at the email inbox. Traditional gateway solutions are little help against BEC, as there are rarely malicious attachments or links involved, and communications may originate from real business email accounts.

For VARs and MSPs who want to protect their clients from this type of costly attack, it’s essential to take a holistic approach that combines training, technology, and business policies.

Best practices, therefore, should include:

  • Invest in email security that leverages artificial intelligence (AI) to help spot unusual email activity, requests, or other communications types. These solutions can study the organization’s common communication patterns and quickly identify and flag any unusual activity. 
  • Train your clients to spot targeted phishing attacks. User training is vital to guard against all types of email-based attacks, particularly those that rely on social engineering. Ensure users are aware of the types of attacks currently being used by cybercriminals and clear reporting guidelines when they spot a suspicious email.
  • Establish multi-level policies that can help prevent inadvertent wire and data transfers to fraudulent accounts. Common approaches include having multiple employees sign off on such requests or using in-person or telephone confirmations. Transfer requests via email should always require additional scrutiny.

With the right technology and policies in place, it is much easier to spot — and prevent — BEC attacks. To learn more about common email-based cyberattacks and how to defend against them, download the eBook, 13 Email Threats You Need to Know About Right Now.

Chris Crellin is Senior Director of Product Management for Barracuda MSP, a provider of security and data protection solutions for managed services providers, where he is responsible for leading product strategy and management.