
Business Email Compromise (BEC): Definition and Reasons for Concern

Email fraud known as Business Email Compromise (BEC) can cause significant financial and reputational damage to your business. Uncover the methods behind this phishing scheme.


Business Email Compromise (BEC) is a type of fraud that has become a significant threat to businesses worldwide. This cyberattack utilizes legitimate or stolen email accounts to fraudulently acquire money, personal information, financial details, payments, credit card numbers, and other sensitive data from another business.

The attacks often take various forms, such as phishing emails impersonating chambers of commerce to request data updates with threats of fines, spear-phishing targeting specific employees, whaling attacks aimed at high-level executives, and vishing (phone-based phishing). Other related methods include SMS phishing (smishing), social-media phishing, and pharming, where victims are redirected to fake websites despite entering legitimate URLs.

One of the most common vectors for a BEC attack on an organization is a phishing message, so anti-phishing technology can help prevent BEC attacks. Automated email security like Graphus offers stronger protection against phishing-based threats like BEC and is more effective than conventional security or a Secure Email Gateway (SEG).

Graphus' triple-layered protection, including TrustGraph, EmployeeShield, and Phish911, can effectively stop BEC threats. For instance, TrustGraph uses machine learning and AI to identify patterns of malicious behaviour, while EmployeeShield provides real-time alerts for suspicious emails and Phish911 offers automated phishing response workflows.

An estimated 62% of BEC scams involve the cybercriminal asking for payment to be transferred to them via wire transfer, cash app, or gift card. Messages requesting funds to be sent to unusual addresses or in unusual ways, such as via cash app or gift card, should raise red flags. Other signs of a potential BEC attack include requests for urgent payment and requests for credentials or access to business accounts or systems.

BEC leads to both financial and reputational losses, and can be devastating to a business's present and future revenue, as well as damaging its brand and business relationships. Fake invoice scams are the most common BEC variation, where someone with the authority to pay vendors is sent a legitimate-looking invoice demanding immediate payment to avoid loss of goods or services.

In the credential compromise variant of BEC, fraudsters ask the victim to provide credentials for a business account or access to a company's systems or data, often on the pretense that they have misplaced their credentials or weren't given the right ones to complete a task.

In 2020, BEC schemes were the costliest cybercrime reported to the Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3), with 19,369 complaints and an adjusted loss of approximately $1.8 billion.

To avoid falling victim to BEC attacks, be cautious of messages from a known sender that look different than usual, or that come from an unexpected domain. Messages with poor grammar, punctuation, spelling, and usage are likely phishing messages that could be BEC attempts. Additionally, messages that do not come from a company's official email address or domain may be BEC attacks.
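The red flags described above (unusual payment methods, urgency, credential requests, and an unexpected sender domain) can be turned into a simple triage check. The following is an added example, not code from the article or from any product it mentions; the trusted-domain list, the phrase patterns, the function names, and both sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organization normally receives payment mail from.
TRUSTED_DOMAINS = {"example-corp.test", "vendor.test"}

# Phrase patterns for the red flags the article lists (illustrative, not exhaustive).
INDICATORS = {
    "unusual_payment": r"\b(wire transfer|cash app|gift cards?)\b",
    "urgency": r"\b(urgent(ly)?|immediate(ly)?|right away)\b",
    "credential_request": r"\b(passwords?|credentials?|login details)\b",
}

def plain_text(msg):
    """Collect the text/plain parts of a parsed message."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "\n".join(p.get_payload() for p in parts
                     if p.get_content_type() == "text/plain")

def bec_red_flags(raw_message):
    """Return the names of the red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    flags = []
    # Compare the actual sender address domain, not the display name.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() not in TRUSTED_DOMAINS:
        flags.append("unexpected_domain")
    text = (msg.get("Subject", "") + "\n" + plain_text(msg)).lower()
    flags += [name for name, pat in INDICATORS.items() if re.search(pat, text)]
    return flags

# Constructed sample messages (not real mail).
SUSPICIOUS = (
    'From: "Jane Doe, CEO" <jane.doe@examp1e-corp.test>\n'
    "Subject: Urgent request\n\n"
    "I need you to buy gift cards right away and send me the codes.\n"
    "Also send the login details for the payments portal.\n"
)
BENIGN = (
    "From: accounts@vendor.test\n"
    "Subject: Meeting notes\n\n"
    "Attached are the notes from Tuesday's call.\n"
)

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, bec_red_flags(raw))
```

A message that raises several flags is a candidate for the out-of-band verification step, not an automatic verdict; phrase matching alone will miss reworded requests and will flag some legitimate finance mail.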

Attempts to communicate with the sender outside of email may be rebuffed in a BEC attack. If you receive a suspicious email, it's always best to verify the request by contacting the sender directly through a known, verified method, such as a phone call or an in-person meeting.

Staying vigilant and educating employees about the risks of BEC attacks is crucial in preventing these scams. By understanding the various forms BEC can take and the signs to look out for, businesses can significantly reduce their risk of falling victim to these costly and damaging attacks.
