What is a business email compromise attack?

Business email compromise (or BEC) attacks are a threat to organisations of any size. Here’s everything you need to know to protect your business.

How does a business email compromise attack work? 

A BEC scam is a form of social engineering attack. It usually involves an attacker impersonating the top dog (such as the CEO or founder) in a business to defraud the company and its employees, partners and customers. 

The bad guys achieve this by creating an email account with a very similar address to the real thing. For example, say your CEO’s email address is ‘john.smith@cybersmart.co.uk’, the hacker’s impersonation might be something like ‘js@cybersmart.gmail.com’. 

It’s just plausible enough that, were you in a hurry or unfamiliar with the real email address, you might share sensitive information or fulfil a request without giving it too much thought.
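A simple way to give a mail filter or a help-desk triage script that "pause and check" instinct is to compare the sender's domain against the domains you actually trust. The check below is an added example, not code from the original post; it assumes the organisation's real domain is cybersmart.co.uk and a constructed, deliberately short list of two-level public suffixes.

```python
# Added example: classify a From address as trusted, lookalike or external.
# Assumption (not in the post): our real domain is cybersmart.co.uk.
import re

TRUSTED_DOMAINS = {"cybersmart.co.uk"}                      # constructed list
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}  # constructed, not a full PSL


def sender_domain(address: str) -> str:
    """Lower-cased domain of 'Name <user@host>' or a bare user@host."""
    m = re.search(r"<([^>]+)>", address)
    addr = m.group(1) if m else address.strip()
    return addr.rsplit("@", 1)[-1].lower()


def registrable(domain: str) -> str:
    """cybersmart.gmail.com -> gmail.com; mail.cybersmart.co.uk -> cybersmart.co.uk."""
    labels = domain.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch typo-squats such as cybersrnart."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From header value."""
    domain = sender_domain(address)
    if domain in TRUSTED_DOMAINS or registrable(domain) in TRUSTED_DOMAINS:
        return "trusted"
    brands = {t.split(".")[0] for t in TRUSTED_DOMAINS}          # e.g. {'cybersmart'}
    if set(domain.replace("-", ".").split(".")) & brands:       # brand reused as a sub-label
        return "lookalike"                                      # e.g. cybersmart.gmail.com
    first = registrable(domain).split(".")[0]
    if any(edit_distance(first, b) <= 2 for b in brands):       # near-miss spelling
        return "lookalike"
    return "external"
```

Anything classed as lookalike is worth a second look before acting on a payment or data request; the 2-character threshold will over-flag very short brand names, so tune it to yours.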

Like all social engineering scams, BEC attacks rely on creating a sense of urgency and implied trust in an email that comes from a seemingly legitimate source. Urgency, because employees are likely to hop to it pretty quickly if a CEO requests something. And trust, because of the assumed gravitas an email from an important person within a company carries.

What do business email compromise attacks seek to gain?

Cybercriminals use BEC attacks for all sorts of nefarious ends. It might be that they want to steal sensitive data, gain access to company systems, set up a ransomware attack or dupe the victim into paying for something. 

Sadly, BEC attacks lend themselves to just about any purpose, making them a highly versatile weapon for cybercriminals. 

Want to know more about the cyber threats small businesses face? Check out our guide.

Are there any famous examples?

As they often lead to huge losses for the victim, you’ve likely seen the results of successful BEC scams in the media – even if they weren’t necessarily reported using the term. 

Facebook and Google

Undoubtedly the most famous of all time was the Facebook and Google scam, carried out between 2013 and 2015. A Lithuanian cybercriminal called Evaldas Rimasauskas set up a spoof company named ‘Quanta Computer’ (which also happened to be the name of a real supplier).

Rimasauskas then emailed convincing fake invoices to both tech giants. Both duly paid, again, again and again, until they’d been defrauded out of $121 million. Rimasauskas was eventually caught in 2019 and sentenced to 5 years in prison for wire fraud. 

Toyota Boshoku Corporation

In 2019, cybercriminals contacted the finance department of a company in Toyota’s supply chain posing as a legitimate business partner. They used the classic social engineering tactic of creating a sense of urgency, claiming that the transaction needed to be paid quickly to avoid slowing the manufacturing process. 

Unfortunately, someone at the company took the bait. The subsidiary transferred more than $37 million in parts orders to the fake company. It remains one of the biggest losses to a BEC scam ever recorded. 

Reading these examples, it’s easy to form the impression that BEC scams are usually targeted at large companies. However, this isn’t the case.

Although cybercriminals’ final target is often a big corporate, they’ve become more and more inventive about how they get there. As with many other forms of attack, many BEC scams now originate in the supply chain. Even if you’re a smaller business, it’s no guarantee that cybercriminals won’t try to use you as a backdoor into a larger organisation in your supply chain.

So, how can your business protect itself?

How can you protect your business?

Secure your supply chain

As we mentioned earlier, a large proportion of BEC attacks begin in the supply chain. So the best form of defence is to secure the links in your supply chain.

How that looks in practice will depend on your business and who it works with. However, a great place to start is by ensuring your cybersecurity is up to scratch. Once that’s the case, talk to your suppliers and partners about their cybersecurity practices and share experiences and advice. Many a breach could’ve been avoided with better communication across a supply chain.

Finally, aim to work with businesses that have Cyber Essentials certification as a minimum. This will give you confidence the suppliers and partners you work with take cybersecurity just as seriously as you.

To find out more about securing your supply chain, check out this blog.

Educate your staff

Like all social engineering attacks, BEC scams rely on human error. If your people can recognise the signs of a BEC scam, your business is less likely to be breached. The best way to achieve this is through security training.

Training can help your employees recognise the tactics typically used in BEC attacks, such as posing as a supplier, creating a sense of urgency, or requesting suspiciously large amounts of money. The most important way to counter a BEC scam is simply pausing to think about the request and whether it’s legitimate. Training can help this become a habit.

Create clear cybersecurity policies

To ensure your people know what good cybersecurity practices look like, you need a clear, easy-to-follow cybersecurity policy. And make sure they know where to find it. A cybersecurity policy is only as effective as the number of staff who’ve read and followed it.

Create a positive cybersecurity culture

The most formidable opponent of good cybersecurity isn’t the bad guys; it’s poor communication. Your employees need to feel comfortable raising concerns or reporting anything that doesn’t seem right. Without such a culture in place, you risk security threats being raised or discovered far too late.

Encourage everyone in your organisation to ask questions, report anything that concerns them and learn as they go.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights into the risks small businesses face and what can be done to counter them. Get your copy here.