
What is a business email compromise attack?

Business email compromise (or BEC) attacks are a threat to organisations of any size. Here’s everything you need to know to protect your business.

How does a business email compromise attack work? 

A BEC scam is a form of social engineering attack. It usually involves an attacker impersonating the top dog (such as the CEO or founder) in a business to defraud the company and its employees, partners and customers. 

The bad guys achieve this by creating an email account with a very similar address to the real thing. For example, say your CEO’s email address is ‘john.smith@cybersmart.co.uk’, the hacker’s impersonation might be something like ‘js@cybersmart.gmail.com’. 

It’s just plausible enough that, were you in a hurry or unfamiliar with the real email address, you might share sensitive information or fulfil a request without giving it too much thought.
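One way a mail filter can catch the lookalike trick described above, as an added example that is not code from the original post: it takes a raw From: header and flags addresses that borrow the company name under a foreign domain, typo-squat the real domain, or use an executive's name or initials on an external address. The organisation domain and the executive list are constructed sample data.

```python
import difflib
from email.utils import parseaddr

# Constructed example data (not from the original post): the organisation's own domain
# and the people most likely to be impersonated, keyed by their genuine address.
ORG_DOMAIN = "cybersmart.co.uk"
EXECUTIVES = {"john.smith@cybersmart.co.uk": "John Smith"}


def name_aliases(full_name):
    """Local parts a spoofer might pick for a name: js, john, smith, jsmith, john.smith."""
    parts = full_name.lower().split()
    first, last = parts[0], parts[-1]
    return {first, last, first[0] + last, first + last, first + "." + last,
            "".join(p[0] for p in parts)}


def check_sender(header_from):
    """Return the BEC indicators found in a raw From: header ([] means nothing suspicious).

    Assumes SPF/DKIM/DMARC were already checked, so an exact match on a known
    executive address is treated as genuine here.
    """
    display, addr = parseaddr(header_from)
    if "@" not in addr:
        return ["unparseable sender address"]
    local, domain = addr.lower().rsplit("@", 1)
    if addr.lower() in EXECUTIVES:
        return []
    reasons = []
    if domain == ORG_DOMAIN:
        return reasons  # internal address: outside the scope of this lookalike check
    org_label = ORG_DOMAIN.split(".")[0]
    # 1. Company name embedded in a foreign domain, e.g. cybersmart.gmail.com
    if org_label in domain:
        reasons.append(f"external domain '{domain}' borrows the company name")
    # 2. Typo-squat of the real domain, e.g. cybersrnart.co.uk ('rn' standing in for 'm')
    if difflib.SequenceMatcher(None, domain, ORG_DOMAIN).ratio() > 0.85:
        reasons.append(f"domain '{domain}' closely resembles {ORG_DOMAIN}")
    shown = " ".join(display.lower().split())
    for real_addr, name in EXECUTIVES.items():
        # 3. Executive's name as the display name, but the address is external
        if shown == name.lower():
            reasons.append(f"display name '{display}' matches {real_addr} but address is external")
        # 4. Local part is a short form of the executive's name (the 'js@' trick)
        if local in name_aliases(name):
            reasons.append(f"local part '{local}' resembles {name} but domain is external")
    return reasons
```

The genuine address returns an empty list, while 'John Smith <js@cybersmart.gmail.com>' trips three of the four rules at once.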

Like all social engineering scams, BEC attacks rely on creating a sense of urgency and implied trust in an email that comes from a seemingly legitimate source. A sense of urgency because employees are likely to hop to it pretty quickly if a CEO requests something. And, trust because of the assumed gravitas an email from an important person within a company carries.

What do business email compromise attacks seek to gain?

Cybercriminals use BEC attacks for all sorts of nefarious ends. It might be that they want to steal sensitive data, gain access to company systems, set up a ransomware attack or dupe the victim into paying for something. 

Sadly, BEC attacks lend themselves to just about any purpose, making them a highly versatile weapon for cybercriminals. 

Want to know more about the cyber threats small businesses face? Check out our guide.

Are there any famous examples?

As they often lead to huge losses for the victim, you’ve likely seen the results of successful BEC scams in the media – even if they weren’t necessarily reported using the term. 

Facebook and Google

Undoubtedly the most famous of all time was the Facebook and Google scam, carried out between 2013 and 2015. A Lithuanian cybercriminal called Evaldas Rimasauskas set up a spoof company named ‘Quanta Computer’ (which also happened to be the name of a real supplier).

Rimasauskas then emailed convincing fake invoices to both tech giants. Both duly paid, again, again and again, until they’d been defrauded out of $121 million. Rimasauskas was eventually caught in 2019 and sentenced to 5 years in prison for wire fraud. 

Toyota Boshoku Corporation

In 2019, cybercriminals contacted the finance department of a company in Toyota’s supply chain posing as a legitimate business partner. They used the classic social engineering tactic of creating a sense of urgency, claiming that the transaction needed to be paid quickly to avoid slowing the manufacturing process. 

Unfortunately, someone at the company took the bait. The subsidiary transferred more than $37 million in parts orders to the fake company. It remains one of the biggest losses to a BEC scam ever recorded. 

Reading these examples, it’s easy to form the impression that BEC scams are usually targeted at large companies. However, this isn’t the case.

Although cybercriminals’ final target is often a big corporate, they’ve become more and more inventive about how they get there. As with many other forms of attack, many BEC scams now originate in the supply chain. Even if you’re a smaller business, there’s no guarantee that cybercriminals won’t try to use you as a backdoor into a larger organisation in your supply chain.

So, how can your business protect itself?

How can you protect your business?

Secure your supply chain

As we mentioned earlier, a large proportion of BEC attacks begin in the supply chain. So the best form of defence is to secure the links in your supply chain.

How that looks in practice will depend on your business and who it works with. However, a great place to start is by ensuring your cybersecurity is up to scratch. Once that’s the case, talk to your suppliers and partners about their cybersecurity practices and share experiences and advice. Many a breach could’ve been avoided with better communication across a supply chain.

Finally, aim to work with businesses that have Cyber Essentials certification as a minimum. This will give you confidence the suppliers and partners you work with take cybersecurity just as seriously as you.

To find out more about securing your supply chain, check out this blog.

Educate your staff

Like all social engineering attacks, BEC scams rely on human error. If your people can recognise the signs of a BEC scam, your business is less likely to be breached. The best way to achieve this is through security training.

Training can help your employees recognise the tactics typically used in BEC attacks, such as posing as a supplier, creating a sense of urgency, or requesting suspiciously large amounts of money. The most important way to counter a BEC scam is simply pausing to think about the request and whether it’s legitimate. Training can help this become a habit.

Create clear cybersecurity policies

To ensure your people know what good cybersecurity practices look like, you need a clear, easy-to-follow cybersecurity policy. And make sure they know where to find it. A cybersecurity policy is only as effective as the number of staff who’ve read and followed it.

Create a positive cybersecurity culture

The most formidable opponent of good cybersecurity isn’t the bad guys, it’s poor communication. Your employees need to feel comfortable raising concerns or reporting anything that doesn’t seem right. Without such a culture in place, you risk security threats being raised or discovered far too late. 

Encourage everyone in your organisation to ask questions, report anything that concerns them and learn as they go.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights into the risks small businesses face and what can be done to counter them. Get your copy here.


What is a social engineering attack?

We all know what a classic cyberattack looks like. It usually involves hackers with high levels of technical expertise and some form of a malicious tool like ransomware or malware. 

However, cybercriminals don’t always use the latest malware and cyberattacks don’t have to be highly technologically advanced. There’s a whole other class of threats that harness the most powerful weapon of all – our brains.

These cyberattacks are known as social engineering attacks. But how do they work? And how can your business protect itself? 

What is social engineering? 

The term social engineering covers a broad range of malicious activities. What ties them together is that they all use human interactions to achieve their sinister ends. Broadly speaking, all social engineering attacks use psychological manipulation to trick us into making security mistakes or giving away sensitive information.

For more on how cybercriminals do this, we highly recommend our blog on how the internet encourages cybercrime. 

What does a social engineering attack look like? 

Now we know what a social engineering attack is, let’s look at how they work in practice. Although there are potentially endless types of social engineering attacks, there are four general categories most fit under. 

1. Phishing 

You’ve almost certainly heard of phishing attacks. They’re by far the most common form of social engineering, but that doesn’t make them less dangerous.

Most phishing attacks seek to do three things:

  • Steal personal information such as names, addresses and banking details
  • Redirect victims to malicious websites that contain phishing landing pages or malware
  • Use threats, fear or a sense of urgency to manipulate the victim into acting quickly 

A lot of phishing attacks are poorly executed and easy to ignore. We’ve all had emails claiming to be from a well-known brand, only to notice the web address or logo is subtly wrong. However, plenty of phishing attacks do succeed.

For example, in May 2021 US fuel supplier Colonial Pipeline was subject to one of the largest ransomware attacks in history, triggering a fuel crisis in the process. It’s believed the attack began with a simple email phishing scam that managed to extract an employee password. 

So, even though they might be limited and often badly done, it’s unwise to underestimate the humble phishing scam. 

2. Piggybacking 

Also known as ‘tailgating’, piggybacking involves exactly what it sounds like (although not quite literally). In this type of attack, someone without the proper authentication follows a company employee into a restricted area. 

Here’s an example of how it might work:

  1. The attacker waits outside the company’s office, posing as a delivery driver or plumber.
  2. An employee enters using their keycard or other security accreditation.
  3. The attacker asks the employee to hold the door.
  4. They do, and suddenly the attacker has access to the building.

Once in, the attacker is one step closer to accessing confidential files, stealing company property, conducting corporate espionage, or physically attacking the business’s systems.

This might sound a bit ‘low-budget spy thriller’ but the danger is very real. And SMEs, who typically have fewer physical security checks in place, are particularly at risk.

3. Pretexting

Of the four threat types on this list, pretexting is the hardest to counter. Why? Because it relies on plausibility. A good pretexting attack will create a fabricated, but completely reasonable, scenario to try and steal information from victims.

A pretexting attack usually works something like this. The scammer poses as a supplier and claims to need information from the target to confirm their identity. They then pilfer this data and use it to steal company property, enter business systems, or launch a secondary attack. 

To give a real-world example, between 2013 and 2015 Facebook and Google were conned out of $100 million after falling for a fake invoice scam. A Lithuanian cybercriminal called Evaldas Rimasauskas realised both organisations used the infrastructure supplier Quanta Computer.

Sensing a vulnerability, he sent a series of fake multimillion-dollar invoices from Quanta Computer over two years. These invoices even included contracts and letters, apparently signed by the tech giants’ staff. 

The cybercriminal was eventually caught and Facebook and Google recovered some of the money. However, if two of the largest and most technologically advanced companies in the world can fall for such a simple scheme, so can anyone else. 

4. Quid pro quo 

Quid pro quo attacks promise a benefit in exchange for information. This benefit is usually some sort of service. 

For example, an attacker may call random phone extensions at a company, pretending to be returning a call from a technical support enquiry. Once they find someone who really has a problem, they pretend to help them but use it as an opportunity to plant malware or access important company data. 

What can you do to protect your business?

Education, education, education 

There’s a well-worn statistic that 95% of cybersecurity breaches are down to human error. But when it comes to social engineering attacks, that figure is much closer to 100%.

The best way to counter this is through security training. Training can help your employees recognise the tactics cybercriminals typically use such as impersonating a supplier, creating a sense of urgency, or offering bogus services. 

As we’ve said before, where many social engineering attacks fail is attention to detail – there’s usually something that isn’t quite right. And you can train your people to recognise these tells. Some examples include spelling mistakes, subtly different URLs, unsolicited communications and suspicious email attachments.

Create clear cybersecurity policies

If your people don’t know which behaviours are harmful, they can’t correct them. So, you need easy-to-follow cybersecurity policies to make it clear what behaviours are expected of them. On top of this, make sure everyone can find them. After all, there’s little point in an important policy document that spends its life languishing in a corner of the shared company drive. 

For more on why cybersecurity policies are so important and how CyberSmart can help, read this.

Foster a positive cybersecurity culture 

If your business does fall foul of a social engineering attack, acting quickly could be the difference between a minor inconvenience and disaster. But for this to work, your employees need to feel comfortable asking for help, raising concerns or owning up to mistakes. 

All too often, security mistakes go unchecked and breaches become so much worse than they needed to be because staff are too afraid to report them. 

Check your cybersecurity measures

Alongside training your staff, it’s also worth checking (or implementing) your technological cybersecurity measures. These include firewalls, antivirus and anti-malware, patching and access management policies.

By having these measures in place and regularly checking them, you should be able to limit the number of attacks that ever reach your staff. 

Looking to improve your cybersecurity but not sure where to begin? Start by getting certified in Cyber Essentials, the UK government scheme that covers all the fundamentals of cyber hygiene.
