Business Email Compromise: A Growing Threat



It is fairly simple to identify a fraudulent email, right? Poorly worded messages, misspelled words, or requests for cash to be mailed to your long-lost cousin in some faraway land are generally easy to spot. Unfortunately, cyber criminals are getting smarter and are increasingly targeting businesses with sophisticated, well-planned email attack strategies that are much more difficult to catch.

In fact, the FBI reported that losses from Business Email Compromise (BEC) have tripled over the last year to over $3.1 billion. These common attacks involve a cyber hacker impersonating key personnel within an organization and emailing an employee with a request for specific information or action. Last year, one Australian manufacturer lost $47 million through large wire transfers initiated from their CEO’s spoofed account.

Sometimes hackers can gain control of actual company email accounts using login credentials stolen through phishing schemes. Once they are in, they study the organization’s processes and email communications, and learn what types of activities occur daily, what relationships exist between employees, and how to phrase email messages so as not to raise any suspicions. When the timing is right, say when the executive happens to have a business trip scheduled on their calendar, the criminals will send a fake invoice or request from a real employee’s account for a wire transfer.

If they do not have direct account access, the hackers may email employees from a look-alike domain, that is, a domain whose name is one or two letters off from the organization’s true domain. For example, john.doe@university.ed (instead of .edu). The “From” address may even be correct, but the “Reply-To” address is on the spoofed domain, so any replies are sent directly to the hacker.

One of the major reasons criminals are able to successfully plan and initiate these types of attacks is the amount of information readily available online. Many websites and blogs are designed to showcase the executive team and staff members. On social networking sites like LinkedIn, just a few clicks reveal an organization’s entire IT or networking staff. This lets the attackers know exactly who has the information they are targeting, and who on the management team a spoofed email request might plausibly come from.

What do you and your staff need to know to proactively identify potential BEC scams? While there are multiple scanning and intrusion detection products that can help, below are some actions you can take now:

Engage your employees as your first line of defense.

Continued, ongoing information security awareness training is key. Ensure employees verify internal requests before responding. Train employees to always double check the reply address. Better yet, forward the message and manually type in the correct reply-to email address. Be suspicious of urgent requests. Quite frankly, pause and analyze all requests. Criminals are compromising data in ways that are often not expected. For example, maybe your employees know not to send financial or personal information via unsecured email. However, what if they receive an email that appears to be from your Marketing team requesting specific IP addresses, or a message from IT asking for your training login ID? Once criminals get their foot in the door, it is easier to maneuver into other systems or networks.
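The two checks above, comparing the Reply-To address with the From address and spotting a look-alike spelling of the organization's own domain, can also be automated at a mail gateway or during triage. The following script is an added example, not code from the original article; it assumes `university.edu` is the organization's domain and runs on a constructed header sample.

```python
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "university.edu"  # assumed organization domain (placeholder)

# Constructed sample headers: From is correct, Reply-To is a look-alike domain.
SAMPLE = """From: John Doe <john.doe@university.edu>
Reply-To: John Doe <john.doe@university.ed>
To: accounts.payable@university.edu
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

# Constructed benign message with no Reply-To header.
BENIGN = """From: Jane Roe <jane.roe@university.edu>
To: john.doe@university.edu
Subject: Lunch

See you at noon.
"""

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate a and b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    """Extract the lower-cased domain part of an address header, or '' if absent."""
    addr = parseaddr(str(header_value))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def check_headers(raw, org_domain=ORG_DOMAIN):
    """Return a list of findings: Reply-To/From mismatch and look-alike domains."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    # With no Reply-To header, replies go back to the From address.
    reply_dom = domain_of(msg.get("Reply-To")) if msg.get("Reply-To") else from_dom
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        # One or two characters away from our real domain is a look-alike.
        if dom and dom != org_domain and edit_distance(dom, org_domain) <= 2:
            findings.append(f"{label} domain {dom} looks like {org_domain}")
    return findings
```

Running `check_headers(SAMPLE)` reports both the mismatched reply address and the `university.ed` look-alike, while `check_headers(BENIGN)` reports nothing.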

Analyze your current business processes.

Do you allow funds to be transferred solely based on an email? By building in a way to authenticate payment requests, something as simple as confirming all major transactions by phone, you can potentially save your organization thousands or millions of dollars.

Limit the information available online.

Be careful what is posted to social media and company websites regarding job descriptions, organizational charts, specific business processes, and out of office notices. The less information that is available to cyber criminals, the harder it will be for them to misrepresent themselves within your organization.

Contact our RedLens InfoSec team to design actionable steps that help safeguard your organization and strengthen its security posture.


About the Author

Katie Johnson

Manager, Operations Support

As the manager of Operations Support, Katie leads the team responsible for supporting and delivering CampusGuard services including online training, vulnerability scanning, and the CampusGuard Central® portal. With over 15 years of experience in information security awareness training, Katie is also the Product Lead for CampusGuard’s online training services. As a Senior Customer Relationship Manager for a limited number of customers, Katie assists organizations with their information security and compliance programs and is responsible for coordinating the various teams involved.