How to deal with Business Email Compromise?

An essential communication channel for professionals and individuals alike, corporate email remains an attack vector favored by cybercriminals. According to a report by PhishMe, 91% of cyberattacks use email as the first attack vector. While spam (sending unwanted emails) and phishing campaigns rely on mass mailings, other techniques such as Business Email Compromise (BEC) are targeted attacks. What are the consequences of these attacks? How can you recognize this threat and protect yourself from it? In this article we share an overview and analysis of this phenomenon.

Business Email Compromise, a form of corporate identity theft

Business Email Compromise: definition

Business Email Compromise is a modus operandi that consists of using a company's email to push employees into carrying out malicious operations (banking transactions, disclosure of sensitive information). The attacker either compromises the email account of a company employee in order to circumvent email protection solutions, or impersonates that employee through a domain name similar to that of the victim company.

In many cases, Business Email Compromise is used to obtain financial transfers by impersonating the CEO of the victim company or another member of its executive team.

The modus operandi of these targeted attacks is generally organized into 4 phases.

  1. Identification of victims: from information accessible online (we call it social engineering here), cybercriminals identify key people within the company. They reconstruct the organization chart of the company and identify the employee on whom they will rely to request the completion of financial transactions.
  2. Launching the attack: cybercriminals impersonate one of the company's directors or another executive (sometimes having had access to their email) and request a transfer of funds by playing on the urgency of the request. The presumed authority of the sender plays its full role in the manipulation.
  3. Exploitation: the targeted employee receives the request, which he considers legitimate, and under pressure performs the financial transaction.
  4. Financial gain: cybercriminals get the amount of money and disappear. Companies sometimes do not have time to detect this type of operation.

Different forms of BEC

Business Email Compromise attacks can take different forms. Here are some of the most common.

  • CEO scam: Cybercriminals impersonate the CEO or senior executive of the company in order to gain the trust of employees. They ask them by e-mail to transfer funds to fraudulent accounts or to share sensitive information.
  • Compromise of accounting, sending false invoices, scamming the supplier: cybercriminals obtain access to the mailbox of one of the employees, which reinforces their credibility when they address other members of the company. For example, they can more easily send false invoices to their accounting department. During the period of shortage of FFP2 masks at the start of the Covid-19 pandemic, several supplier scams using this modus operandi were revealed.

What is the scale of the phenomenon?

Business Email Compromise hits European companies. In 2018, the management team of Pathé Netherlands was the victim of a BEC-type email. Appearing to come from the CEO of Pathé France, the email referred to a so-called deal to acquire an entity in Dubai. The cybercriminals managed to convince the team to make several payments, for a total loss of nearly $21 million.

In its 2022 Internet Crime Report, the FBI points out that Business Email Compromise attacks cost US businesses $2.4 billion in 2021 (a 28% increase over 2020). The FBI even considers it to be the most lucrative type of attack, far ahead of the highly publicized ransomware. And the trend is clearly on the rise: the global Business Email Compromise industry could reach $3.3 billion in revenue by 2028.

While the financial impact is the most obvious, companies that fall victim to this modus operandi can also damage their reputation or expose themselves to more advanced cyberattacks, such as the deployment of malware in the company after obtaining initial access.

How to protect against Business Email Compromise?

Some key recommendations

To deal with BEC, the recommended security policies include strict password management (compulsory use of complex passwords, renewed regularly), multi-factor authentication and systematic verification of the relevance of a request and of its sender as soon as an e-mail seems suspicious.

On the tooling side, fraudulent email detection mechanisms should be used to block emails from suspicious domains or unknown senders. The DKIM and SPF e-mail authentication protocols make it possible to check whether a received e-mail was indeed sent from a legitimate server. Finally, cybersecurity awareness programs have every interest in including examples of Business Email Compromise and dissecting how they operate, in order to raise employees' level of knowledge and vigilance on the subject.

Artificial Intelligence and Heuristic Analysis for Email Fraud Detection Tools

Although they constitute a first line of defence, traditional detection tools are no longer sufficient to fight increasingly sophisticated attacks. The use of artificial intelligence and heuristic analysis can improve content inspection: analysis of suspicious activity patterns, real-time phishing detection, detection of fake e-mails, logo and brand spoofing, link analysis, etc. Integrated into the Microsoft 365 and Google Workspace environments, these technical solutions improve the ability to detect Business Email Compromise and alert the user, most often by displaying a banner in the email when there is doubt about the identity of the sender.
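The SPF/DKIM check from the recommendations and the sender heuristics described above can be combined in a few lines. This is an added example, not code from the original article or from any vendor; `ORG_DOMAIN`, `EXECUTIVES`, the flag names and the sample headers are assumptions, and the `Authentication-Results` header is assumed to have been written by the organisation's own receiving mail server.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"   # assumption: the protected company's domain
EXECUTIVES = {"jane doe"}    # assumption: display names worth protecting

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw):
    """Return the list of BEC warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    flags = []
    # SPF / DKIM verdicts recorded by the receiving server.
    for proto in ("spf", "dkim"):
        m = re.search(rf"\b{proto}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            flags.append(f"{proto}-not-pass")
    # Sender domain close to, but not equal to, the company's own domain.
    if domain != ORG_DOMAIN and 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    # Executive display name used with an outside address.
    if name.lower() in EXECUTIVES and domain != ORG_DOMAIN:
        flags.append("executive-name-external")
    # Replies diverted to a different domain than the visible sender.
    reply = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply and reply != domain:
        flags.append("reply-to-mismatch")
    return flags

# Constructed sample headers (not taken from a real incident).
SAMPLE = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mailbox.test
Subject: Urgent wire transfer
"""
```

In the sample, SPF passes because the lookalike domain is authenticated for itself, which is why the domain-similarity and display-name checks are needed alongside SPF and DKIM.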

Conclusion

Less publicized and less spectacular than ransomware, attacks of the Business Email Compromise type are nevertheless devastating from a financial point of view, and can cause substantial losses. To protect against them, companies need to strengthen their verification processes around payment requests. At the same time, prevention and employee awareness work raises the level of knowledge about the threats linked to Business Email Compromise, and therefore improves reflexes.