Keeping your inbox safe: How to prevent business email compromise

Drew Robb
October 7, 2023 by
Drew Robb

Phishing is by far the most reported type of cybercrime, and of that, more than $2.7 billion in reported losses were attributed to business email compromise (BEC), according to the FBI’s 2022 Internet Crime ReportBEC is near the charts regarding cybercrime effectiveness. But it isn’t the only email-borne threat organizations must worry about.  

There are three primary vectors for an email attack, explained John Wilson, Senior Fellow, Threat Research at Fortra (formerly at Agari), on the Cyber Work Podcast

  • Malicious attachment: An email with an attachment that infects a computer if opened, installing unwanted software or stealing credentials. Examples include fake invoices and FBI crime reports that turn out to be malware. 
  • Link-based attack: A malicious link in a phishing email, such as a fake message from PayPal saying your account is blocked. Typically, the goal is to capture account credentials.
  • A response-based attack: BEC falls in this category. A bad actor wants the user to hit reply, leading to a conversation and facilitating the con. Romance scams also use response-based attacks.  

Business email compromise vs. phishing types 

Wilson explained the different types of phishing. Traditional phishing is just blasting out bulk emails pretending to be from a legitimate source to trick a user into clicking on a malicious attachment or link.   

Spearphishing is a more targeted attack directed at a particular individual or group. The attacker forms a profile of the target from social media and other research and creates an email designed to trick the person into responding or clicking.  

Whaling, said Wilson, is just an attacker being a little greedier than somebody doing spearphishing. It has a higher level of danger and a higher potential payoff as it tends to target those in the C-suite who can, say, authorize a bank transfer on a moment’s notice.  

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

What is business email spoofing? 

Business email spoofing is sometimes thought of as BEC, but it is a little different. Business email spoofing is the impersonation of an executive, a vendor or somebody else in a trusted ecosystem without actually using their email account. This attack vector typically involves research to craft an interesting lure.  

True BEC attacks require email compromise — someone successfully breaks into an account. This doesn’t necessarily become immediately apparent. It is common for emails to be hacked and their business conversations to be monitored by criminals.  

“When the time is right, they either inject themselves into the conversation directly from the compromised account, or they set up a lookalike domain or a Gmail account with the correct user name,” said Wilson. “As they’re armed with good intel and the history of this conversation, they jump in at just the right moment to do the most damage.”

Many attacks go one step further. As the FBI warned in its report, there is "an increasingly prevalent tactic by BEC bad actors of spoofing legitimate business phone numbers to confirm fraudulent banking details with victims."

Business email compromise examples 

There has been a definite upward trajectory in the effectiveness of cybercrime over the last few years. With it came the desire to go after bigger targets; hence, BEC is becoming more common.  

The attacker needs a compromised account and a feasible scam scenario, often mirroring something expected to happen soon in the real world.  

“It’s been increasing year over year as more people realize there’s good money to be had if you’re successful at BEC,” said Wilson.  

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

Fake financial transaction BEC scam 

Say the boss has a deal being negotiated with someone in Hong Kong — perhaps an acquisition or a major order. If someone is spying on the conversation, they may hijack the boss’s email, interject some fake urgency about the deal and ask someone in finance to send millions of dollars immediately to a certain account.  

An unwitting insider then helps the assailant complete a transaction they believe to be genuine. By the time anyone verifies the details, the money has vanished.

W-2 request BEC scam 

Another example is somebody impersonating a CEO or other executive and sending an email requesting a copy of all employee W-2s.  

Someone in HR complied, leading to identity theft committed on several employees, fake filings for tax refunds and the IRS sending their refund checks to other parties. 

Real estate BEC scams 

Most real estate agents are independent brokers. Many use personal Gmail or Yahoo accounts. They generally lack the protection afforded by corporate email security layers. Once their credentials are compromised, a criminal can read a copy of every message to and from the person.  

For example, a young couple is buying their first home. They’re supposed to show up with a down payment check at closing the next morning. The scammer waits till the real estate agent has signed off for the day, and sends an email:  

“Hey, make sure you wire your down payment funds to this bank account before you come to closing on Friday.”  

You end up with a BEC-victimized couple on the hook for a home loan, but without a home — and their down payment has disappeared.  

Business email compromise prevention  

Wilson’s advice to organizations wondering how to prevent business email compromise is to take a layered approach to security. That might include: 

  • Multifactor authentication 
  • Implementation of good spam filters 
  • Deploying intelligent systems that can spot potential BEC activity and anomalous patterns 

He is also a strong advocate of regular security awareness training for employees. 

“Train your employees thoroughly and use phishing simulation emails to find out who is most susceptible to scamming,” said Wilson. “Good internal security policies should also be used to enforce best practices among IT and employees as a whole.”  

Drew Robb
Drew Robb

Drew Robb has been writing about IT, engineering and cybersecurity for more than 25 years. He's been published in numerous outlets and resides in Florida.