BEC, also known as business email compromise, is less well-known than ransomware. This is a hacker strategy where they spoof emails to appear to be from vendors or in command personnel at your company. These hackers will attempt to charge payments as soon as they have access to your company email, and because these communications appear to be extremely official, you will likely be tricked. However, this con has evolved, and it no longer even involves money. Instead, the same technique is used to obtain personal data about employees, including their tax and payroll records.


Business Email Compromise is “one of the fastest growing, most financially damaging internet-enabled crimes,” according the FBI’s 2022 Congressional Report on BEC and Real Estate Wire Fraud. According to the Internet Crime Complaint Center, alleged damages exceeded $2.4 billion in 2021, a 566% rise from 2016. (IC3). Given the increase in remote work and, consequently, the pervasiveness of digital communication channels like email, it is projected that BEC cases will increase.


The majority of BEC scams use the same methodology, however the targets and the attackers’ supposed identities may change.


So how do BEC scams work?


Stage 1: Identity Research

An experienced BEC hacker does extensive research about the person they want to manipulate and chooses an identity that corresponds to the behavior they want to motivate. For instance, if the scammer is looking for a quick payday, they may just set up an email account that looks remarkably like the CEO or another executive of the business and ask that the employee buy and send them several digital gift cards as a “bonus” for an internal team or a token of appreciation for a vendor. Even more sophisticated BEC frauds are possible. For instance, a hacker may impersonate a new vendor, such as a payroll provider, and offer a free trial for payroll services, only to steal the personal information of the employees or even reroute paychecks during the false trial.


Stage 2: Employee Research

The hacker must investigate their targets once they have decided on their attack strategy and assumed identity. This could entail searching the corporate website for contact information or figuring out the standard email address format. They could also use social networking sites like LinkedIn to look for the names and job titles of different team members as well as their duties. It is feasible that the attacker might target an individual who has dealt with similar, legitimate requests in the past or workers who might not be familiar with business processes and procedures with extensive investigation.


Stage 3: Preparing for the Attack

The attacker will then get ready for other attack elements once they have established their identity and target. This can entail building up a false corporate website, creating fake bank accounts, making fake invoices, or creating any other asset the attacker needs to prove their identity or the request, such as a faked email account.


Stage 4: Launching of the Attack

The attacker will execute their strategy in the last phase. BEC fraudsters will use their digital identities to exert pressure or manipulation on their target in order to get them to do what they want. They frequently create a false feeling of urgency in order to persuade their target to comply with the request without consulting with anyone else at work or giving it enough thought. If the attacker is successful, the hacker will receive the money, data, or other information that was the target of the attack.



What techniques do hackers use to carry out their attacks?


Domain Spoofing 

Domain spoofing is a type of phishing in which an attacker uses a fictitious website or email domain to pretend to be a reputable company or individual in order to gain the trust of their target audience. A closer check will typically show that a W is actually two Vs or a lowercase L is actually a capital I, even though the domain initially appears to be valid. Sensitive information, money, or harmful links are deceived into being sent by users who respond to the message or interact with the website.


Social Engineering

The practice of persuading others to carry out a desired activity, such as disclosing private information, is known as social engineering. Attacks using social engineering are successful because people can be persuaded to take action by strong motivations like money, love, or terror. By providing misleading opportunities to satisfy those impulses, adversaries prey on these traits.


Compromised Accounts

An email or system account that has been penetrated by an attacker is referred to as a compromised account. The hacker may use a number of techniques, such as malware, social engineering, or password-cracking software, to get access to the account. Once in charge, the attacker can pretend to be the user and perform any actions that the rightful owner is capable of.



How to protect your company from BEC attacks?



Don’t use free web-based email addresses


Instead of using free web-based accounts, register a company domain name and use it to create company email accounts. There are many web hosting sites online to acquire a company domain.

Make corporate email accounts multi-factor Authentication enabled


A password and a dynamic pin, code, or biometric are required for this sort of authentication in order to log in. By using multi-factor authentication, a cybercriminal will have a tougher time accessing employees’ email accounts and will have a harder time conducting a BEC attack.



Always verify the sender’s email address


A faked email address frequently shares the same extension as an actual email address. 



Business emails should only be “forwarded,” not “replied” 


The right email address must be manually entered or chosen from the address book in order to forward the email. By forwarding, you may be sure to utilize the correct email address for the intended recipient.



Always secure your domain


To trick BEC victims, domain spoofing exploits minor differences in real email addresses. By registering domain names that are similar to yours, you can significantly reduce the likelihood of successful assaults that use email spoofing.



Never open emails from unknown senders


In that case, you should avoid clicking on links or opening attachments because they frequently contain malware that can access your computer system. Think before you click.



Limit your internet sharing


Use caution when posting information on company websites and social media, particularly when it comes to job descriptions, organizational charts, and out-of-office times.

When sending money or data, always double-check

Establish a standard operating procedure requiring staff to confirm emails requesting confidential information or wire transfers. Instead of calling the phone numbers supplied in the email, confirm in person or over the phone using previously known numbers.



Know the customs of your vendors and customers


Be cautious if corporate procedures suddenly shift. For instance, the request might be deceptive if a business contact unexpectedly requests that you use their personal email account when all of your prior correspondence has been done via work email. Another source should be used to confirm the request.



It’s always a great thing to be cautious when it comes to emails. Your business is valuable so it should be a requirement to educate yourself and your employees about the damaging effects of BEC attacks and how to prevent them. Of course, you want to be confident about your cybersecurity posture. If you want to make sure you are thoroughly protected against BEC attacks, you can always consider hiring a cybersecurity partner to take care of your cybersecurity needs. 


Here at Intelecis, we always make sure that our response is fast when it comes to attacks like BEC. We know how valuable your time is as well as your business. We also provide cybersecurity training for your employees so that they will not fall victim to BEC attacks from hackers. If you want to discuss hiring a cybersecurity partner in preventing BEC attacks, talk to us today.