Business email compromise, or BEC, is a spear phishing email scam that attempts to steal money or sensitive data from a business.
In a BEC attack, a cybercriminal (or cybercriminal gang) sends employees of the target organization emails that appear to be from a fellow employee, or from a vendor, partner, customer or other associate. The emails are written to trick the employees into paying fraudulent invoices, making wire transfers to bogus bank accounts, or divulging sensitive information such as customer data, intellectual property or corporate financials.
In rarer cases, BEC scammers may try to spread ransomware or malware by asking victims to open an attachment or click a malicious link.
To make their emails appear legitimate, BEC attackers carefully research the employees they target and the identities they impersonate. They use social engineering techniques, such as email address spoofing and pretexting, to craft attack emails that look and read as if they were sent by the impersonated sender. In some cases, scammers actually hack into and hijack the sender’s email account, making the attack emails even more believable, if not virtually indistinguishable from legitimate email messages.
Business email compromise attacks are some of the costliest cyberattacks. According to the IBM Cost of a Data Breach 2022 report, BEC scams are the second most expensive type of breach, costing an average of USD 4.89 million. According to the FBI Internet Crime Complaint Center’s Internet Crime Report (PDF, link resides outside ibm.com), BEC scams cost US victims a total of USD 2.7 billion in 2022.
Cybersecurity experts and the FBI identify six main types of BEC attacks.
The BEC attacker pretends to be a vendor the company works with, and sends the target employee an email with a fake invoice attached; when the company pays the invoice, the money goes straight to the attacker. To make these attacks convincing, the attacker may intercept actual vendor invoices, and modify them to direct payments to their own bank accounts.
Notably, courts have ruled (link resides outside ibm.com) that companies that fall for fake invoices are still on the hook for their real counterparts.
One of the biggest fake invoice scams was carried out against Facebook and Google. From 2013 through 2015, a scammer posed as Quanta Computer, a real hardware manufacturer both companies work with, and stole USD 98 million from Facebook and USD 23 million from Google. While the scammer was caught and both companies recovered most of their money, this outcome is rare for BEC scams.
Scammers pretend to be an executive, usually a CEO, and ask an employee to wire money somewhere, often under the guise of closing a deal, paying an overdue invoice, or even purchasing gift cards for fellow employees.
CEO fraud schemes frequently create a sense of urgency, so the target acts quickly and rashly (e.g., “This invoice is overdue, and we’re going to lose service if we don’t pay it immediately”), or secrecy, so the target won’t consult coworkers (e.g., “This deal is confidential, so don’t tell anyone about it”).
In 2016, a scammer posing as CEO of the aerospace manufacturer FACC used a fake acquisition to trick an employee into transferring USD 47 million (link resides outside ibm.com). As a result of the scam, the company’s board fired both the CFO and the CEO for “violating” their duties.
Scammers take over a non-executive employee’s email account. They may use it to send fake invoices to other companies or trick other employees into sharing confidential information. Scammers often use email account compromise (EAC) to phish the credentials of higher-level accounts they can use for CEO fraud.
Scammers pose as a lawyer and ask the victim to pay an invoice or share sensitive information. Attorney impersonation scams bank on the fact that many people will cooperate with lawyers, and it’s not odd if a lawyer asks for confidentiality.
Members of the Russian BEC gang Cosmic Lynx often pose as lawyers as part of a dual impersonation attack (link resides outside ibm.com). First, the target company’s CEO receives an email introducing the CEO to a ‘lawyer’ assisting the company with an acquisition or other business deal. Then the fake lawyer emails the CEO requesting a wire payment to close the deal. On average, Cosmic Lynx attacks steal USD 1.27 million from each target.
Many BEC attacks target HR and finance employees to steal personally identifiable information (PII) and other sensitive data they can use to commit identity theft or carry out future attacks.
For example, in 2017 the IRS warned (link resides outside ibm.com) of a BEC scam that stole employee data: scammers posed as a company executive and asked a payroll employee to send copies of employees’ W-2s (which include employees’ Social Security numbers and other sensitive information). Some of the same payroll employees received ‘follow up’ emails requesting wire transfers be made to a fraudulent account. The scammers assumed that targets who found the request for W-2s to be credible were excellent targets for a wire transfer request.
In early 2023, the FBI warned (link resides outside of ibm.com) of a new type of attack, in which scammers pose as corporate customers to steal products from the target company. Using fake financial information and posing as employees in another company’s purchasing department, the scammers negotiate a large purchase on credit. The target company ships the order—usually construction materials or computer hardware—but the scammers never pay.
Technically, BEC is a type of spear phishing, a phishing attack that targets a specific individual or group of individuals. What makes BEC unique among spear phishing attacks is that the target is the employee or associate of a business or organization, and that the scammer pretends to be another employee or associate the target knows or is inclined to trust.
While some BEC attacks are the work of lone scammers, others (see above) are launched by BEC gangs. These gangs operate like legitimate businesses, employing specialists such as lead generation specialists who hunt for targets, hackers who break into email accounts, and professional writers who ensure phishing emails are error-free and convincing.
Once the scammer or gang has chosen a business to rob, a BEC attack typically follows the same pattern.
Almost any business, non-profit or government is a suitable target for BEC attacks. Large organizations with lots of money and customers—and enough transactions that BEC exploits might go unnoticed among them—are obvious targets.
But global or local events may lead BEC attackers to more specific opportunities, some more obvious than others. For example, during the COVID-19 pandemic the FBI warned that BEC scammers posing as medical equipment and supply vendors were invoicing hospitals and health care agencies. At the other (but no less lucrative) end of the spectrum, in 2021 BEC scammers took advantage of well-publicized education and construction projects in Peterborough, NH and diverted USD 2.3 million in town funds to fraudulent bank accounts (link resides outside ibm.com).
Next, scammers start researching the target organization and its activities to determine the employees who will receive the phishing emails, and the identities of the senders the scammers will spoof (impersonate).
BEC scams typically target mid-level employees, e.g., finance department or human resource (HR) managers, who have authority to issue payments or have access to sensitive data, and who are inclined to comply with a request to do either from a senior manager or executive. Some BEC attacks may target new employees who may have little or no security awareness training and limited understanding of proper payment or data sharing procedures and approvals.
For a sender identity, scammers choose a coworker or associate who can credibly request or influence the action the scammer wants the target employee to take. Coworker identities are typically high-level managers, executives or lawyers within the organization. Outside identities may be executives from vendor or partner organizations, but they might also be peers or colleagues of the employee target, e.g., a vendor the employee target works with regularly, a lawyer advising a transaction, or an existing or new customer.
Many scammers use the same lead-generation tools that legitimate marketing and sales professionals use—LinkedIn and other social media networks, business and industry news sources, prospecting and list-building software—to find potential employee targets and matching sender identities.
Not all BEC attackers take the step of hacking into the target and sender organizations’ networks. But those who do behave like malware, observing targets and senders and accumulating information and access privileges for weeks in advance of the actual attack. This may enable attackers to:
Choose the very best employee targets and sender identities based on observed behaviors and access privileges
Learn more details about how invoices are submitted and how payments or sensitive data requests are handled, so they better impersonate requests in their attack emails
Determine due dates for specific payments to vendors, lawyers, etc.
Intercept a legitimate vendor invoice or purchase order and alter it to specify payment to the attacker’s bank account
Take control of the sender’s actual email account (see email account compromise, above), enabling the scammer to send attack emails directly from the account, and sometimes even insert them into ongoing legitimate email conversations, for the ultimate in authenticity.
A convincing impersonation is key to BEC success, and scammers craft their attack emails for maximum authenticity and credibility.
If they haven’t hacked into the sender’s email, the scammers will create a fake email account that spoofs the sender’s email address to appear legitimate. (For example, they might use creative name or domain name misspellings, such as [email protected] or [email protected] for [email protected].) They may add other visual cues, such as a signature with the sender’s company logo or a detailed (and fake) privacy statement.
A key component of the attack email is the pretext—a false but plausible story written to gain the target’s trust and convince or pressure the target into doing what the attacker wants them to do. The most effective pretexts combine a recognizable situation with a sense of urgency and implication of consequences. A message from a manager or CEO that reads, I’m about to get on a plane—can you help me out by processing this invoice (attached) to avoid late fees? is a classic example of a BEC pretext.
Depending on the request, scammers may also set up fake websites, register fake companies, or even staff a fake phone number the target can call for confirmation.
BEC scams are among the most difficult cybercrimes to prevent because they rarely use malware that security tools can detect. Instead, scammers rely on deception and manipulation. Scammers don’t even need to breach their target company; they can fleece victims out of massive sums by breaching, or even just impersonating, a vendor or customer. As a result, BEC attacks take an average of 308 days to identify and contain, according to the Cost of a Data Breach report, the second-longest resolution time of all breach types.
That said, companies may take the following steps to defend against these scams:
Cybersecurity awareness training can help employees understand the dangers of oversharing on the social media platforms and apps that scammers use to find and research their targets. Training can also help employees spot BEC attempts and adopt best practices like verifying large payment requests before complying.
Email security tools may not catch every BEC email, particularly those coming from compromised accounts. However, they can help spot spoofed email addresses. Some tools can also flag suspicious email content that could signal a BEC attempt.
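The paragraph above makes two points worth seeing side by side: authentication checks do catch forged sender addresses, but they say nothing about a message that passes authentication from the attacker's own domain while carrying an executive's display name. The following added example (not the article's or any vendor's code) applies three checks to raw messages: the DMARC verdict stamped by the organization's own gateway, an executive display name on an external domain, and a Reply-To pointing somewhere other than the From domain. The organization domain, gateway authserv-id, executive names and all four sample messages are constructed for the example.

```python
"""Header-level BEC screening (added example; all names and messages are constructed)."""
import re
import textwrap
from email import message_from_string
from email.utils import getaddresses, parseaddr

INTERNAL_DOMAIN = "example.com"            # assumed organization domain
AUTHSERV_ID = "mx.example.com"             # assumed authserv-id of our own inbound gateway
EXECUTIVES = {"pat chen", "sam rivera"}    # assumed display names worth protecting

AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def parse_auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts, but only from headers our own gateway stamped.
    Any other Authentication-Results header could have arrived with the message."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != AUTHSERV_ID:
            continue
        for method, verdict in AUTH_RE.findall(rest):
            results[method.lower()] = verdict.lower()
    return results


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def normalize_name(name: str) -> str:
    return re.sub(r"\s+", " ", re.sub(r"[^a-z ]", "", name.lower())).strip()


def assess(raw: str) -> list:
    """Return the list of findings for one raw RFC 5322 message."""
    msg = message_from_string(textwrap.dedent(raw).lstrip("\n"))
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    auth = parse_auth_results(msg)

    if from_domain == INTERNAL_DOMAIN:
        # Claims to be us: insist on a DMARC pass from our own gateway.
        if auth.get("dmarc") != "pass":
            findings.append("internal_domain_auth_fail")
    elif from_domain and any(exec_name in normalize_name(name) for exec_name in EXECUTIVES):
        # Authentication can legitimately pass here (it is the sender's own domain),
        # so the display name is the signal.
        findings.append("executive_name_external_domain")

    reply_domains = [domain_of(a) for _, a in getaddresses(msg.get_all("Reply-To", []))]
    if any(d and d != from_domain for d in reply_domains):
        findings.append("reply_to_domain_mismatch")

    if not auth:
        findings.append("no_trusted_auth_results")
    return findings


# Constructed sample messages.
MSG_LEGIT = """
    From: Pat Chen <pat.chen@example.com>
    To: ap@example.com
    Subject: Q3 vendor payments
    Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

    Attached is the approved list.
"""
MSG_SPOOFED = """
    From: Pat Chen <pat.chen@example.com>
    To: ap@example.com
    Subject: Urgent wire
    Authentication-Results: attacker-relay.invalid; spf=pass; dkim=pass; dmarc=pass
    Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

    Please process the attached invoice before I board.
"""
MSG_DISPLAY_NAME = """
    From: "Pat Chen (CEO)" <pat.chen.ceo@webmail-example.net>
    To: ap@example.com
    Subject: Quick favour
    Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=webmail-example.net; dkim=pass header.d=webmail-example.net; dmarc=pass header.from=webmail-example.net

    Are you at your desk? I need gift cards for the team today.
"""
MSG_VENDOR_REPLYTO = """
    From: Billing <billing@acme-supplies.net>
    Reply-To: billing@acme-supplies-pay.com
    To: ap@example.com
    Subject: Updated remittance details
    Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=acme-supplies.net; dkim=pass header.d=acme-supplies.net; dmarc=pass header.from=acme-supplies.net

    Our bank account has changed; see attached.
"""

if __name__ == "__main__":
    for label, raw in [("legit", MSG_LEGIT), ("spoofed", MSG_SPOOFED),
                       ("display-name", MSG_DISPLAY_NAME), ("vendor reply-to", MSG_VENDOR_REPLYTO)]:
        print(f"{label:16} -> {assess(raw)}")
```

The authserv-id filter matters: in the spoofed sample the message carries a fabricated "all pass" Authentication-Results header, and only the gateway's own header (dmarc=fail) is consulted. The display-name sample passes every authentication check and would sail through a tool that only looks at SPF, DKIM and DMARC, which is the gap the paragraph above describes.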
Two-factor or multi-factor authentication can make it more difficult for BEC attackers to hack into email accounts.
Enterprise security tools such as security orchestration, automation and response (SOAR), security information and event management (SIEM), endpoint detection and response (EDR) and extended detection and response (XDR) can help security teams identify and stop BEC attacks faster by identifying attempts to exploit network vulnerabilities, and flagging activity on endpoints, in email accounts, and elsewhere that may point to hackers doing reconnaissance.