Combating Business Email Compromise (BEC): The Costliest Phishing Tactic
With more than 305,000 incidents and counting over the past decade, Business Email Compromise (BEC) is a problem that has cost businesses more than $55B during this time. What makes BEC so successful as a phishing tactic, and as attackers become increasingly sophisticated, how can organizations protect themselves earlier to reduce risk? This blog examines everything security teams need to know.

Updated April 24, 2025.

What is Business Email Compromise (BEC)?
In a BEC attack, individuals are manipulated into transferring money or sensitive information, usually via email but also through SMS, and even voice and video calls. The common thread across BEC scams is that they typically impersonate executives, employees, vendors, or partners, and by tricking people into thinking they are corresponding with a legitimate third party, victims then agree to make unauthorized payments or disclose confidential data. I mean, who are you more likely to agree to send money for — a Nigerian prince, or your boss?
Common BEC attack types include CEO fraud (impersonating a company executive to request payments), vendor email compromise (posing as a supplier to redirect funds or gain network access), and payroll fraud (diverting employee salaries). Since these emails and calls mimic authentic communication patterns and lack obvious malicious links or attachments, they can be more difficult to detect than your everyday phishing attack.
How Do Attackers Get Information to Launch a BEC Scam?
For a BEC scam to be successful, attackers need to be able to mimic a trusted contact without raising suspicion. Like any good impersonation, that means reconnaissance is key, and there are many ways to access the information that fraudsters need in order to get into character.
In some cases, BEC scams are the second stage of an existing attack: attackers have already gained access to a company’s email system through phishing or a security vulnerability and have been monitoring conversations for some time. By tracking communications, they can identify key decision makers and regular financial transactions, and then mimic behaviors that wouldn’t cause so much as a raised eyebrow — let alone a raised security alert.
Another multi-stage BEC attack can be seen in a recent campaign that mimics Microsoft Teams IT support to gain trust. First, the attackers send huge amounts of spam to the user — as many as 3,000 emails in 45 minutes. Then, posing as an account named Help Desk Manager, the threat actors call the user through Microsoft Teams and encourage them to accept a remote control session to fix the problem; in reality, they use that access to deliver malware. The combination of the stress of so much spam arriving in a short period and the relief of IT support promising to fix the issue makes it much more likely that the user will agree to the remote access.
In other situations, attackers can complete their reconnaissance entirely outside your network. By tracking company activity on social media, your website, and other public channels, threat actors can gather all the information they need to launch a BEC attack. Social media profiles include names, job titles, company affiliations, contact information, and even personal interests or quirks of writing style, all of which can be used to craft a personalized message that feels legitimate.
With the rise of AI deepfakes, BEC attacks can be even easier to fall for, as the British engineering group Arup found when an employee mistakenly sent $25M to scammers who impersonated the company’s CFO with deepfaked voice and video. High-profile employees such as the C-suite are increasingly encouraged to post video content on public social platforms like LinkedIn to build brand recognition — but in the wrong hands, that content can be used to craft the perfect crime.
How Can Organizations Protect Themselves from BEC?
Enough doom and gloom. How can you beat the threat of BEC? Most techniques for protecting against BEC attacks start when the communication arrives in your inbox. Examples include:
Employee education: When employees understand the risk of BEC, they are less likely to fall for a phishing or social engineering attack. Security awareness training can include simulations or regular mandatory online training, and employees should always be encouraged to verify requests independently before making a transaction or sharing confidential data.
Email security: Email authentication protocols and advanced email filtering can make a real difference to the success or failure of BEC campaigns, and block suspicious emails before they reach an employee inbox. However, remember that BEC scams can arrive by social media, SMS, WhatsApp, and in today’s AI-enhanced world, even voice and video.
Payment verification processes: Take a look at how payments are verified on request, and consider strengthening these processes. You could implement dual approval requirements so that two people need to verify a transaction, or multi-factor authentication procedures where wire transfers need to be verified by a trusted phone number. As a rule of thumb, if the whole process can be approved via email, you’re at risk.
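The email security controls described above rely on signals other than links or attachments, because a BEC message usually has neither. As an added illustration that is not code from this post or from KELA, the following Python script applies four such checks to an inbound message: an executive's display name paired with an address outside the corporate domain, a sender domain one or two edits away from the real one, a Reply-To that diverts replies elsewhere, and urgent payment language. The corporate domain, the executive roster, the keyword list and both sample messages are constructed assumptions for the example.

```python
"""Heuristic checks for executive-impersonation (BEC) email.

Added example, not part of the original post. The domain, roster, keyword
list and sample messages below are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                      # assumption: your own mail domain
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}      # assumption: protected display names
URGENCY_WORDS = ("urgent", "wire", "gift card", "confidential", "before end of day")


def lookalike_score(domain: str, reference: str) -> int:
    """Levenshtein edit distance between two domain names (small = suspiciously close)."""
    prev = list(range(len(reference) + 1))
    for i, ca in enumerate(domain, 1):
        cur = [i]
        for j, cb in enumerate(reference, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def analyze(raw_message: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []

    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    # 1. Known executive's display name, but the address is not their corporate one.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name].lower():
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")

    # 2. Sender domain is a near-miss of the corporate domain (examp1e.com, exampel.com ...).
    if domain != CORPORATE_DOMAIN and 0 < lookalike_score(domain, CORPORATE_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain: {domain}")

    # 3. Reply-To silently redirects the conversation to a different mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append(f"reply-to mismatch: replies go to {reply_to}")

    # 4. Pressure and payment language in subject or body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    if hits:
        findings.append("urgency/payment language: " + ", ".join(hits))

    return findings


# Constructed sample: CEO impersonation from a lookalike domain with a diverted Reply-To.
SAMPLE_BEC = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@mail-example.net
To: finance@example.com
Subject: Urgent wire needed before end of day
Content-Type: text/plain; charset=us-ascii

Please process a confidential wire transfer today. I am in meetings, email only.
"""

# Constructed sample: a genuine message from the same executive.
SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 board deck
Content-Type: text/plain; charset=us-ascii

Attached is the deck we discussed, no action needed.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample) or ["no findings"])
```

The checks are deliberately independent so that a message tripping several of them can be scored higher than one tripping a single check; in practice the executive roster would be fed from the directory rather than hard-coded, and the lookalike check would be run against every domain you own, not just one.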
Protecting Early with KELA Brand Control
The truth is, many of these solutions simply come in too late, leaving just a single layer of protection between the attacker and your network. If the email filter fails, or the employee makes a mistake, it’s a fraudster’s lucky day. Protecting against BEC scams should start long before a suspicious email arrives in an employee inbox. For true vigilance, organizations need to be two steps ahead, uncovering the attack at the reconnaissance stage. But how?
This is where KELA’s Brand Control solution changes the risk landscape for BEC scams. KELA continuously monitors for and alerts on misuse of your brand, whether that’s lookalike email domains being registered, social media accounts created in executives’ names, or misuse of brand assets such as logos or screenshots. We track technical information from sources such as DMARC forensic reports, monitor suspicious brand activity on mobile app marketplaces, and even listen in on Dark Web conversations that mention your organization.
This vantage point allows you to proactively identify and stop BEC attacks at their inception, instead of after they have already been launched, taking the pressure off your employees to be the first (and only) line of defense.
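The DMARC reports mentioned above are one of the few technical feeds that show, from the receiving side, who is sending mail in your domain's name. The post refers to forensic (ruf) reports; the added example below, which is not KELA's code and is an assumption about where a team would start, parses the more common aggregate (rua) report format defined in RFC 7489 and pulls out the sending IPs whose mail failed both aligned DKIM and aligned SPF. The report XML is a constructed sample using documentation IP ranges.

```python
"""Parse a DMARC aggregate (rua) report and list unauthenticated senders.

Added example, not part of the original post. The sample report below is
constructed; the element names follow the RFC 7489 aggregate report schema.
"""
import xml.etree.ElementTree as ET


def parse_aggregate_report(xml_text: str) -> dict:
    """Flatten the <record> elements of an aggregate report into plain dicts."""
    root = ET.fromstring(xml_text)
    rows = []
    for rec in root.findall("record"):
        rows.append({
            "source_ip": rec.findtext("row/source_ip"),
            "count": int(rec.findtext("row/count")),
            # policy_evaluated holds the *aligned* results the receiver acted on
            "disposition": rec.findtext("row/policy_evaluated/disposition"),
            "dkim": rec.findtext("row/policy_evaluated/dkim"),
            "spf": rec.findtext("row/policy_evaluated/spf"),
            "header_from": rec.findtext("identifiers/header_from"),
        })
    return {
        "reporter": root.findtext("report_metadata/org_name"),
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "rows": rows,
    }


def failing_sources(report: dict) -> list[dict]:
    """Rows where neither DKIM nor SPF aligned with the From domain.

    These are messages that claimed to come from your domain but that the
    receiver could not tie to any authorised sender: either a misconfigured
    legitimate service or someone spoofing you.
    """
    return [r for r in report["rows"] if r["dkim"] != "pass" and r["spf"] != "pass"]


def summarize(xml_text: str) -> dict:
    """Counts a brand-protection analyst would triage first."""
    report = parse_aggregate_report(xml_text)
    failing = failing_sources(report)
    return {
        "domain": report["domain"],
        "policy": report["policy"],
        "total": sum(r["count"] for r in report["rows"]),
        "unauthenticated": sum(r["count"] for r in failing),
        "sources": [r["source_ip"] for r in failing],
    }


# Constructed sample report: one authorised sender and one spoofing source.
SAMPLE_REPORT = """<feedback>
  <report_metadata>
    <org_name>receiver.example.net</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086400</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf><p>quarantine</p><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>quarantine</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
  </record>
</feedback>
"""

if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
```

Real reports arrive as gzipped or zipped XML attachments to the address in the domain's rua tag, so a production version would unpack the attachment first and keep a history per source IP; a source that fails alignment day after day while the published policy is still `none` is exactly the spoofing a BEC actor would exploit.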
Learn more about KELA’s Brand Control, and reach out to take a proactive approach to BEC and brand protection.