Business Email Compromise BEC Attacks: Inside a $26 Billion Scam

A new Osterman Research study explores why Business Email Compromise (BEC) attacks are more financially devastating than ransomware — and how they can be stopped.

Why would cybercriminals employ obfuscation tools, launch multi-stage cyberattacks, encrypt endpoints and haggle over ransom amounts … when they could just ask for the money? This is the concept behind Business Email Compromise (BEC) attacks — a type of cyberattack that has grown dramatically over the past few years.

The U.S. federal government’s Internet Complaint Center (IC3), which has been tracking these attacks since 2013, has dubbed BEC attacks the “$26 billion scam” — though this moniker is likely out of date due to escalating attack volumes and increased reliance on email throughout the pandemic.

And though high-profile ransomware attacks continue to dominate headlines, far more money is lost to BEC attacks. For example, in 2020, BEC attacks accounted for $1.8 billion in the U.S. alone, and an estimated 40% of cybercrime losses globally.

The Anatomy of a BEC Attack

While they’re considered a type of phishing attack, BEC attacks don’t rely on malicious code or links. Instead, they let social engineering do the heavy lifting. These attacks specifically target organizations that perform legitimate transfer-of-funds requests, and almost exclusively appeal to seniority to secure compliance.

According to the Osterman white paper sponsored by SonicWall, “How to Deal with Business Email Compromise,” BEC threat actors create email addresses that mimic those used by senior executives, use free services such as Gmail to create email addresses that appear to be an executive’s personal account, or, less commonly, gain access to executives’ actual corporate email accounts using phishing attacks or other means.

Image describing phishing

Above is a BEC email I’ve received. Note the appeal to authority — the message appears to come from SonicWall’s CEO, despite originating from an outside address — as well as the sense of urgency throughout. This is a rather clunky example; many of these emails are much more sophisticated in both language and execution.

Once the attacker has a plausible email account from which to operate, they use social engineering tactics to request the target either divert payment on a valid invoice to the criminal’s bank account, solicit payment via fake invoice or divert company payroll to a fraudulent bank account.

Since these attacks appeal to a sense of urgency and appear to come from a CEO, CFO or someone else in charge, many targets are eager to comply with the requests as quickly as possible. Once they do, the company is out a large sum of money, and the cybercriminal celebrates another payday.

How Common are BEC attacks?

BEC attacks have been recorded in every state in the U.S., as well as 177 countries around the world. Based on the latest report from IC3, nearly 20,000 of these attacks were reported in 2020 alone — likely an undercount, given that Osterman’s research found that four out of five organizations were targeted by at least one BEC attack in 2021. For mid-sized businesses (those with 500-2,500 email users), that number rose to nine out of 10.

Worse, almost 60% of the organizations surveyed reported being the victims of a successful or almost successful BEC attack. For those who were successfully targeted, the costs were significant: a combination of direct costs and indirect costs brought the total financial impact of a successful BEC incident to $114,762. Unfortunately, the direct costs, while significant for an individual organization, are often too small to trigger help from law enforcement agencies and insurance companies.

BEC Attacks Can Be Stopped (But Probably Not in the Way You Think.)

Many other attacks rely on malicious links and code, which can be spotted by anti-malware solutions and secure email gateways. But the sort of social engineering tactics used in BEC attacks — particularly those from a legitimate email address — often cannot be caught by these solutions.

Even so, while three-quarters of respondents say that protecting against these attacks is important to them, many are still depending primarily on technologies that were never designed to stop BEC attacks.

There’s not a lot you can do to prevent being among the 80% (and growing) of companies targeted by BEC attacks each year, but there’s plenty of other things you can do to safeguard your organization’s finances. But they all fall under three primary pillars: People, Process and Technology.

Technology is your first line of defense against BEC attacks. Many solutions claim the ability to combat BEC attacks, but their effectiveness varies widely. For best protection, look for one that will both block BEC attacks and guide employees.

Notice in the example above how there’s an alert warning that the email originated from outside the organization? While simple, these sorts of alerts can make the difference between a BEC attempt that’s ultimately successful, and one that’s scrutinized and deleted upon receipt.

Particularly in companies that are still relying on traditional technology protections, employee training an indispensable backup protection. Employees should be coached to look for spoofed email addresses, uncharacteristic grammar and syntax, and an unusual sense of urgency.

In the case of particularly sophisticated attempts, processes should be in place in case a BEC attempt makes it into the inbox and isn’t identified by the recipient as suspect. Policies such as a multi-person review of requests to change bank account details or mandated out-of-band confirmations are often successful as a last line of defense against BEC.

Source :