BEC – business email compromise

Business email compromise (BEC) is a type of corporate financial scam that specifically targets organizations conducting business abroad. This scam relies upon the attacker’s ability to successfully impersonate communications from a company stakeholder that would be tasked with instructing other high-level employees in conducting business transactions and using wire transfers to pay manufacturers and suppliers. Spoofing or compromising these specific corporate employee email accounts can result in fraudulent transfers.

Often in BEC security scenarios, the attacker will impersonate the high level employee and provide instructions for employees to share information or conduct transfers with a fictitious supplier. In other reported crimes, the attacker creates fake documents and invoices to impersonate the foreign manufacturer or supplier.

It has also been noted that attackers may initiate the BEC scam by targeting employees in HR to obtain personally identifiable information (PII) of stakeholders and other key employees to be used in future attacks.

Note: Business email compromise (BEC) is also called business email spoofing (BES)

The Five Common Types of BEC Attacks

According to security firm Trend Mico there are five types of BEC attacks to be aware of:

  1. Bogus Invoice: Attackers pretend to be the suppliers requesting fund transfers for payments to an account owned by fraudsters.
  2. CEO Fraud: Attackers pose as the CEO or any executive and send an email to employees in finance, requesting them to transfer money to the account they control.
  3. Account Compromise: A high-level employee’s email account is hacked and used to request invoice payments to vendors listed in their email contacts. Payments are sent to fraudulent accounts.
  4. Attorney Impersonation: Attackers pretend to be a lawyer or from the law firm supposedly in charge of crucial and confidential matters.
  5. Data Theft: Employees under HR or bookkeeping are targeted to obtain personally identifiable information (PII) of employees and executives to be used for future attacks. (Source)

While business email compromise attacks use email and other forms of technology and digital communications to be successful, the scam does not use technical security exploits, making it difficult for organizations to detect. Most security firms recommend employee education and additional security awareness training to identify and avoid BEC scams.

Operation WireWire

In June 2017, an FBI operation managed to bring down an international criminal organization whose main activity was business email compromise (BEC). The operation, known as WireWire, led to 74 arrests in seven countries, and the retrieval of 16.2 million dollars. (Source: Panda Security)

Vangie Beal
Vangie Beal
Vangie Beal is a freelance business and technology writer covering Internet technologies and online business since the late '90s.

Related Articles

Infographic

An infographic is a visual representation of information or data. It combines the words information and graphic and includes a collection of imagery, charts,...

Phishing

What is phishing? Phishing is a type of cybercrime in which victims are contacted by email, telephone, or text message by an attacker posing as...

Photo Editing Software

Photo editing software is used to manipulate or enhance digital images. This category of software ranges from basic apps, which are able to apply...

SOHO Business Solutions: Free Email Marketing Services

Just like big businesses, SOHO (small office/home office) owners can leverage email marketing systems to communicate with customers, partners and employees. Just like big businesses,...

ScalaHosting

ScalaHosting is a leading managed hosting provider that offers secure, scalable, and affordable...

HRIS

Human resources information system (HRIS) solutions help businesses manage multiple facets of their...

Best Managed Service Providers...

In today's business world, managed services are more critical than ever. They can...