Business email compromise (BEC) is an email-based social engineering attack that aims to defraud its victims. BEC attack campaigns often bypass traditional email filters.
What is a business email compromise (BEC)?
Business email compromise (BEC) is a social engineering attack over email. In a BEC attack, an attacker falsifies an email message to trick the victim into performing some action, most often transferring money to an account or location the attacker controls. BEC attacks differ from other types of email-based attacks in a few key areas:
- They do not contain malware, malicious links, or email attachments
- They target specific individuals within organizations
- They are personalized to the intended victim and often involve advanced research of the organization in question
BEC attacks are particularly dangerous because they do not contain malware, malicious links, dangerous email attachments, or other elements an email security filter might identify. Emails used in a BEC attack typically contain nothing but text, which helps attackers camouflage them within normal email traffic.
In addition to bypassing email security filters, BEC emails are specifically designed to trick the recipient into opening them and taking action based on the message they contain. Attackers use personalization to tailor the email to the targeted organization. The attacker might impersonate someone the intended victim corresponds with regularly over email. Some BEC attacks even take place in the middle of an already-existing email thread.
Usually, an attacker will impersonate someone higher up in the organization to motivate the victim into carrying out the malicious request.
Why are BEC attacks so hard to detect?
Beyond the absence of malicious content, BEC attacks are difficult to pinpoint for the following reasons:
- They are low-volume: Unusual spikes in email traffic can alert email security filters to an attack in progress. But BEC attacks are extremely low-volume, often consisting of only one or two emails. They can be carried out without generating a spike in email traffic. This low volume enables a BEC campaign to change its source IP address regularly, making it harder to block the campaign.
- They use a legitimate source or domain: Large-scale phishing attacks often come from IP addresses that are quickly blocklisted. Because BEC attacks are low volume, they can use IP addresses with a neutral or good reputation as their source. They also use email domain spoofing to make it seem as if the emails come from a real person.
- They may come from a legitimate email account: BEC attacks may use a previously compromised email inbox to send malicious messages on a person’s behalf without their knowledge so that the email may be coming from a legitimate email address. (This requires significantly more effort on the attacker’s part, but such an expenditure of focused effort is characteristic of BEC campaigns.)
- They pass DMARC checks: Domain-based Message Authentication, Reporting, and Conformance (DMARC) is an email authentication protocol that lets a domain owner publish a policy for messages that fail SPF or DKIM alignment with the domain in the visible From header. It helps prevent impersonation of that exact domain. BEC emails can still pass DMARC, or fail it without consequence, for several reasons: 1) the impersonated organization may publish a monitoring-only policy (p=none) or no DMARC record at all, so failing messages are delivered anyway; 2) the attacker may send from a legitimate, compromised mailbox, which authenticates normally; 3) the attacker may send from a lookalike domain they control, which passes DMARC under that domain's own policy, while the real domain's policy is never consulted.
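The following is an added example, not code from the original article, that walks through the DMARC decision a receiver makes for three constructed BEC scenarios: a forged From header sent from unrelated infrastructure, a message from an attacker-registered lookalike domain, and a message from a compromised mailbox. The domains (example.com as the target, examp1e.com as the lookalike, bulk-sender.test as unrelated infrastructure) and the DMARC records are placeholders, and the organizational-domain logic is simplified as noted in the comments.

```python
"""Added example: how a message is evaluated against a DMARC policy, and why
BEC mail can pass. Domains, records and messages below are constructed;
example.com stands for the targeted organization and examp1e.com for an
attacker-registered lookalike."""
from dataclasses import dataclass

# Constructed DMARC TXT records (a receiver would fetch _dmarc.<domain>).
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
    "examp1e.com": "v=DMARC1; p=reject; adkim=s; aspf=s",
}


def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; adkim=s' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organizational domain used for relaxed alignment. Assumption: the last
    two labels; a real receiver consults the Public Suffix List instead."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Does the SPF or DKIM domain align with the From header domain?
    mode 's' = strict (exact match), 'r' = relaxed (same organizational domain)."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


@dataclass
class AuthResult:
    from_domain: str   # domain in the visible From: header, which DMARC protects
    spf_pass: bool
    spf_domain: str    # envelope MAIL FROM domain that SPF was checked against
    dkim_pass: bool
    dkim_domain: str   # d= tag of the validated DKIM signature ("" if none)


def evaluate_dmarc(result, records=DMARC_RECORDS):
    """Return (dmarc_pass, disposition). disposition is 'none', 'quarantine'
    or 'reject': what the domain owner asks receivers to do with a failing message."""
    record = records.get(result.from_domain.lower()) or records.get(org_domain(result.from_domain))
    if record is None:
        return False, "none"   # no policy published: the receiver applies no DMARC action
    tags = parse_dmarc(record)
    spf_ok = result.spf_pass and aligned(result.spf_domain, result.from_domain, tags.get("aspf", "r"))
    dkim_ok = result.dkim_pass and aligned(result.dkim_domain, result.from_domain, tags.get("adkim", "r"))
    passed = spf_ok or dkim_ok
    return passed, ("none" if passed else tags.get("p", "none"))


# Three constructed BEC scenarios.
SPOOFED = AuthResult("example.com", True, "bulk-sender.test", False, "")          # forged From, unaligned SPF
LOOKALIKE = AuthResult("examp1e.com", True, "examp1e.com", True, "examp1e.com")    # attacker's own domain
COMPROMISED = AuthResult("example.com", True, "example.com", True, "example.com")  # real mailbox abused


def bec_scenarios(records=DMARC_RECORDS):
    return {
        "spoofed": evaluate_dmarc(SPOOFED, records),
        "lookalike": evaluate_dmarc(LOOKALIKE, records),
        "compromised": evaluate_dmarc(COMPROMISED, records),
    }


if __name__ == "__main__":
    for name, (ok, action) in bec_scenarios().items():
        print(f"{name:12s} dmarc_pass={ok!s:5s} disposition={action}")
    # Tightening example.com to p=reject only changes the outcome for the spoofed case.
    strict = dict(DMARC_RECORDS, **{"example.com": "v=DMARC1; p=reject"})
    print("spoofed with p=reject:", evaluate_dmarc(SPOOFED, strict))
```

Under the p=none record, the spoofed message fails DMARC but is still delivered; the lookalike and compromised-mailbox messages pass outright. Moving the real domain to p=reject stops only the first case, which is why DMARC is necessary but not sufficient against BEC.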
What do BEC emails usually contain?
Usually, BEC emails contain a few lines of text and do not include links, attachments, or images. In those few lines, they aim to get the target to take the desired action, whether transferring funds to a specific account or granting unauthorized access to protected data or systems.
Other common elements of a BEC email may include:
- Time sensitivity: Words like “urgent,” “quick,” “reminder,” “important,” and “soon” often appear in BEC emails, especially in the subject line, to get the recipient to act as quickly as possible — before they realize they may be the target of a scam.
- Authoritative sender: BEC attackers pose as someone with authority in the organization, such as the CFO or CEO, so that the request is less likely to be questioned.
- Thorough impersonation of sender: BEC emails may impersonate legitimate senders (e.g., an organization’s CFO) by spoofing their email address, imitating the individual’s writing style, or using other tactics to trick their victim.
- Providing a reason for the request: Sometimes, to add legitimacy to an unusual request, a BEC email will provide some reason for why the action is necessary. This also adds urgency to the request.
- Specific instructions: Attackers provide clear instructions, such as where the money is going and how much should be sent — a specific amount is more likely to sound legitimate. Attackers may include this information in the initial or follow-up email if the victim replies.
- Directions not to contact the purported sender: If the intended victim can reach the supposed source of the BEC email over another communications channel, they may be able to identify the email as fake. To prevent this, attackers often instruct the victim not to contact the sender or confirm the request with anyone else, perhaps in the name of acting quickly.
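The list above maps directly onto checks a mail-filtering rule can make. The following is an added example, not code from the original article: a rule-based scorer that looks for each indicator (executive display name on a foreign address, external sender domain, mismatched Reply-To, urgency words in the subject, language that discourages verification, and a concrete payment or gift-card instruction) and runs it over constructed messages modeled on the Alice-to-Bob example later in this article. The organization domain, executive directory, lookalike domain examp1e.com and relay domain mail-relay.test are all placeholders.

```python
"""Added example: a rule-based scorer for the BEC text indicators listed above,
run over constructed messages. Executive directory, domains and messages are
placeholders, not data from any real organization."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                        # assumption: the protected organization
EXECUTIVES = {"alice chen": "alice@example.com"}  # assumption: display name -> real address

URGENCY = {"urgent", "urgently", "quick", "quickly", "reminder", "important",
           "soon", "asap", "time-sensitive"}
ISOLATION = [r"do not (?:call|contact|reply|confirm|discuss)", r"out of reach",
             r"boarding a plane", r"can(?:not|'t) (?:talk|take calls)", r"in (?:a meeting|meetings)"]
PAYMENT = re.compile(r"(?:\$|usd|eur|gbp|€|£)\s?\d[\d,]*(?:\.\d+)?"
                     r"|\bgift cards?\b|\bwire\b|\btransfer\b|\bbank (?:details|account)\b", re.I)


def score_bec(raw):
    """Return (score, reasons) for one RFC 5322 message given as text."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    subject = msg.get("Subject", "")
    body = "" if msg.is_multipart() else msg.get_payload()   # text-only BEC mail assumed
    text = f"{subject}\n{body}".lower()
    name, addr, reply_to = name.lower(), addr.lower(), reply_to.lower()
    reasons = []

    # Sender identity: an executive's name on the wrong address, an external domain, a diverted reply path.
    real = EXECUTIVES.get(name)
    if real and addr != real:
        reasons.append(f"display name '{name}' but address {addr} is not {real}")
    if addr and not addr.endswith("@" + ORG_DOMAIN):
        reasons.append(f"sender domain is outside {ORG_DOMAIN}")
    if reply_to and reply_to != addr:
        reasons.append(f"Reply-To {reply_to} differs from From")

    # Content: urgency in the subject, discouraging verification, concrete payment instructions.
    if set(re.findall(r"[a-z][a-z\-]*", subject.lower())) & URGENCY:
        reasons.append("urgency language in subject")
    if any(re.search(p, text) for p in ISOLATION):
        reasons.append("discourages contacting the sender")
    if PAYMENT.search(text):
        reasons.append("specific payment or gift-card instruction")
    return len(reasons), reasons


# Constructed samples. examp1e.com is a lookalike of example.com; mail-relay.test is unrelated.
BEC_LOOKALIKE = """\
From: Alice Chen <alice.chen@examp1e.com>
Reply-To: alice.chen@mail-relay.test
To: Bob Lee <bob@example.com>
Subject: URGENT - quick request

Bob,
I must send a customer some gift cards to their favorite pizza restaurant.
Please purchase $10,000 in pizza gift cards and transfer them to the customer.
Please do this quickly. This is HIGHLY time-sensitive.
I am boarding a plane and will be out of reach for several hours.
-Alice
"""

# Same text sent from Alice's real (compromised) mailbox: identity checks are silent, content still scores.
BEC_COMPROMISED = (BEC_LOOKALIKE.replace("alice.chen@examp1e.com", "alice@example.com")
                   .replace("Reply-To: alice.chen@mail-relay.test\n", ""))

BENIGN = """\
From: Alice Chen <alice@example.com>
To: Bob Lee <bob@example.com>
Subject: Q3 expense report review

Bob,
The Q3 expense reports are ready. Let's go through them at our regular meeting next week.
-Alice
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", BEC_LOOKALIKE), ("compromised", BEC_COMPROMISED), ("benign", BENIGN)]:
        score, reasons = score_bec(sample)
        print(f"{label:12s} score={score}", *reasons, sep="\n    ")
```

The compromised-mailbox variant is the instructive case: every sender-identity check passes, so the filter has only the wording to go on, which is why the textual indicators matter even when authentication is clean.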
Do secure email gateways (SEGs) block BEC campaigns?
A secure email gateway (SEG) is an email security service that sits between email providers and email users. It identifies and filters out potentially malicious emails, much as a firewall drops malicious network traffic. SEGs add protection on top of the built-in security measures that most email providers already offer (Gmail and Microsoft Outlook, for instance, already have some basic protections).
However, traditional SEGs struggle to detect well-constructed BEC campaigns for the reasons described above: low volume, lack of obviously malicious content, a seemingly legitimate source for the email, and so on.
For this reason, user training and additional email security measures are highly important for thwarting business email compromise.
What should users do when they suspect a BEC campaign?
Unusual, unexpected, or sudden requests are a sign of a potential BEC attack, especially requests to move money or to grant access to protected data or systems. Users should report potential BEC messages to their security operations team. They should also confirm the request with the purported sender over a separate channel, such as a phone call to a number they already have on file, rather than by replying to the email or using contact details the email itself provides.
Imagine Accountant Bob receives an email from CFO Alice:
Bob,
I must send a customer some gift cards to their favorite pizza restaurant. Please purchase $10,000 in pizza gift cards and transfer them to this customer’s email address: [email protected]
Please do this quickly. This is HIGHLY time-sensitive. We do not want to lose this customer.
I am boarding a plane and will be out of reach for several hours.
-Alice
This request strikes Bob as unusual: delivering pizza gift cards to customers is not typically the accounting department's job. Rather than replying to the email, he calls Alice on the number he already has for her, in case she has not yet "boarded a plane." She picks up the phone and knows nothing about the request she has supposedly just sent him. Nor is she boarding a plane. Bob has just detected a BEC attack.
What other technical measures can detect and block BEC attacks?
Advanced phishing infrastructure detection
Some email security providers crawl the web in advance to detect command and control (C&C) servers, fake websites, and other elements attackers will use in a BEC campaign or phishing attack. This requires using web crawler bots to scan large swaths of the Internet (search engines also use web crawler bots for different purposes). Identifying attack infrastructure in advance enables the provider to block illegitimate emails right when they are sent, even if they might otherwise make it through security filters.
Machine-learning analysis
Machine learning trains a model on a large data set so that it can predict outcomes automatically, including what normal activity looks like for a given organization. It can therefore be used to detect out-of-the-ordinary activity. For example, machine learning can help identify unusual requests, atypical email traffic patterns, and other anomalies to stop BEC attacks.
Analyzing email threads
Since BEC attackers often try to reply within an existing thread to add legitimacy to their emails, some email security providers monitor threads to see whether the "from" or "to" addresses within a thread change suddenly, for example when a participant's display name stays the same but the address behind it is now on a different domain.
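The following is an added example, not code from the original article, of the thread check described above. It replays a constructed three-message thread in delivery order, tracks which addresses have participated so far, and flags a reply whose From address is new to the thread while its display name belongs to an existing participant, as well as a Reply-To that points outside the thread. The addresses and the lookalike domain examp1e.com are placeholders.

```python
"""Added example: replaying a thread to spot a participant whose address changes
mid-conversation, or a Reply-To that points outside the thread. Messages are
constructed; examp1e.com is an attacker lookalike of example.com."""
from email import message_from_string
from email.utils import getaddresses, parseaddr


def thread_anomalies(raw_messages):
    """Walk messages in delivery order; return (message_id, reason) findings."""
    seen_ids = set()        # Message-IDs already part of the thread
    known_addrs = set()     # every address that has sent or received in the thread
    name_to_addrs = {}      # display name -> addresses it has been seen writing from
    findings = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        mid = msg.get("Message-ID", "").strip()
        name, addr = parseaddr(msg.get("From", ""))
        name, addr = name.lower(), addr.lower()
        _, reply_to = parseaddr(msg.get("Reply-To", ""))
        reply_to = reply_to.lower()

        # Only judge messages that claim to continue a thread we have already seen.
        if msg.get("In-Reply-To", "").strip() in seen_ids:
            if addr not in known_addrs:
                if name in name_to_addrs:
                    findings.append((mid, f"'{name}' now writes from {addr}, "
                                          f"previously {sorted(name_to_addrs[name])}"))
                else:
                    findings.append((mid, f"new sender {addr} joined the thread"))
            if reply_to and reply_to not in known_addrs:
                findings.append((mid, f"Reply-To {reply_to} points outside the thread"))

        # Record this message's participants so later replies are judged against them.
        headers = msg.get_all("To", []) + msg.get_all("Cc", []) + [msg.get("From", "")]
        known_addrs.update(a.lower() for _, a in getaddresses(headers) if a)
        name_to_addrs.setdefault(name, set()).add(addr)
        seen_ids.add(mid)
    return findings


# Constructed thread: two legitimate messages, then a lookalike reply with a diverted Reply-To.
THREAD = [
    """\
Message-ID: <1001@example.com>
From: Alice Chen <alice@example.com>
To: Bob Lee <bob@example.com>
Subject: Vendor payment schedule

Bob, can we review the vendor payment schedule this week?
""",
    """\
Message-ID: <1002@example.com>
In-Reply-To: <1001@example.com>
From: Bob Lee <bob@example.com>
To: Alice Chen <alice@example.com>
Subject: Re: Vendor payment schedule

Sure, I have it ready for Thursday.
""",
    """\
Message-ID: <1003@examp1e.com>
In-Reply-To: <1002@example.com>
From: Alice Chen <alice.chen@examp1e.com>
Reply-To: alice.chen@mail-relay.test
To: Bob Lee <bob@example.com>
Subject: Re: Vendor payment schedule

Actually, one vendor needs to be paid today. New bank details below.
""",
]

if __name__ == "__main__":
    for mid, reason in thread_anomalies(THREAD):
        print(mid, reason)
```

The check is deliberately stateful: the same third message looks ordinary in isolation, and only the history of who has actually been writing in the thread exposes the address swap.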
Natural language processing
Natural language processing (NLP) can be used to look for key phrases within emails and learn what topics a given set of email contacts typically correspond about. For instance, it is possible to track who a given person in an organization corresponds with about money transfers, customer relations, or any other topic. If the emails Bob receives (in the example above) rarely deal with customer relations, the inclusion of phrases like "a customer" and "lose this customer" in the email from "Alice" could be a signal that the email is part of a BEC attack.
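The following is an added example, not code from the original article, of the simplest form of this correspondence profiling: a per-sender vocabulary baseline built from a constructed history of Alice's mail to Bob, and a novelty score for a new message equal to the share of its content words never seen from that sender. The history, the pizza-gift-card message (modeled on the article's example) and the address alice@example.com are constructed placeholders, and the stop-word list is a small hand-picked one.

```python
"""Added example: a per-sender vocabulary baseline as a minimal version of the
correspondence profiling described above. History and messages are constructed;
alice@example.com stands for the impersonated CFO."""
import re
from collections import Counter

# Small hand-picked function-word list (assumption; a real system would use a fuller one).
STOPWORDS = {"the", "and", "for", "you", "your", "please", "before", "can", "are", "due",
             "this", "that", "with", "will", "them", "they", "our", "not", "have", "some",
             "from", "into", "does", "was", "were", "has", "had", "which", "who", "what",
             "when", "then", "than", "also", "just", "bob", "alice", "thanks"}


def content_tokens(text):
    """Lower-case word tokens with function words and very short tokens removed."""
    return [w for w in re.findall(r"[a-z][a-z'-]*", text.lower())
            if len(w) > 2 and w not in STOPWORDS]


def build_baseline(history):
    """history: iterable of (sender, body). Returns sender -> Counter of content tokens."""
    baseline = {}
    for sender, body in history:
        baseline.setdefault(sender.lower(), Counter()).update(content_tokens(body))
    return baseline


def novelty(baseline, sender, body):
    """Share of this message's content tokens never seen from sender, plus the unseen terms."""
    seen = baseline.get(sender.lower(), Counter())
    toks = content_tokens(body)
    if not toks:
        return 0.0, []
    unseen = [t for t in toks if t not in seen]
    return len(unseen) / len(toks), sorted(set(unseen))


def is_anomalous(baseline, sender, body, threshold=0.5):
    """Flag a message whose vocabulary is mostly new for this sender."""
    score, _ = novelty(baseline, sender, body)
    return score >= threshold


# Constructed history of what Alice normally writes to Bob about.
HISTORY = [
    ("alice@example.com", "Bob, please reconcile the vendor invoices against the ledger before the quarterly close."),
    ("alice@example.com", "Reminder: expense reports for the finance team are due Friday. Thanks."),
    ("alice@example.com", "Can you review the payroll journal entries before we post them to the ledger?"),
    ("alice@example.com", "The auditors requested the accruals schedule and the invoice aging report."),
]

ROUTINE_BODY = ("Bob, the vendor invoices for the quarterly close are ready for review. "
                "Please post the journal entries to the ledger.")

BEC_BODY = ("Bob, I must send a customer some gift cards to their favorite pizza restaurant. "
            "Please purchase $10,000 in pizza gift cards and transfer them to this customer's email address. "
            "Please do this quickly. This is HIGHLY time-sensitive. We do not want to lose this customer. "
            "I am boarding a plane and will be out of reach for several hours.")

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for label, body in [("routine", ROUTINE_BODY), ("bec", BEC_BODY)]:
        score, unseen = novelty(baseline, "alice@example.com", body)
        print(f"{label:8s} novelty={score:.2f} unseen={unseen}")
```

The routine message reuses almost all of Alice's usual accounting vocabulary, while the gift-card request shares none of it, so the unseen-term list ("customer", "gift", "pizza", and so on) doubles as the analyst-facing explanation. A production system would profile sender-recipient pairs rather than senders alone and would use richer features than bare vocabulary, but the baseline-versus-message comparison is the same.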