Business email compromise (BEC) is an attack in which a company’s email traffic is infiltrated, compromised or manipulated.
BEC also includes cases where someone impersonates a person in the company in order to get the recipient to share confidential information, carry out financial transactions or perform other actions that endanger the company’s security in the long term.
How do cybercriminals operate?
Cybercriminals use two basic approaches to carry out business email compromise attacks. In the first, the fraud relies purely on social engineering; in the second, email accounts and systems are actually compromised.
1. Fraud with social engineering
In cases where the attackers trick their victims into certain actions through targeted social engineering, the threat actor has no real access to internal systems. The affected persons are contacted from external e-mail addresses. To increase the attack’s chances of success, criminal hackers invest time and effort to make their deceptive attacks look as realistic as possible.
In doing so, they try to find out how the company is structured, who the relevant people are and who holds which competences and responsibilities. After gathering this information, the criminals write emails in the name of an employee, the CEO or even a service provider or business partner and contact their targets. To deceive the potential victims more effectively, real email addresses are imitated or only minimally altered so that the persons concerned cannot easily recognise the fraud. A typical example is CEO fraud.
2. Compromise of email accounts or systems
While in the above case the attacker only pretends to be part of the organisation but has no real access to any system, in the second type of BEC attack the attacker has actual access to the email server or email account of the victim or of the person being impersonated. This means the attacker can use the real, existing email account and is able, for example, to send emails from the compromised address or to read incoming mail by setting up forwarding rules.
It is also possible for the criminal hacker to intercept and manipulate emails. Criminal hackers gain access to email accounts or systems through phishing attacks, the use of malware or security vulnerabilities in applications, among other things.
A case from practice to illustrate this:
New windows were installed in a company. After the work was completed, the final invoice was sent to the company. The accounting department complied with the request and paid the outstanding amount. Some time later, the company was contacted by the window fitter and informed that the invoice was still outstanding.
When the facts were clarified, it turned out that the invoice the company had received had been manipulated and the payment details had been changed. Suspecting a cyber attack, cyber forensics specialists investigated the systems, emails, email servers and the invoice PDF. It turned out that the company’s email server had been compromised, allowing the email to be intercepted and manipulated by the attacker.
How do you protect yourself?
As an employee:
With regard to the attack patterns mentioned above:
- Check whether the sender’s e-mail address is actually the expected address or whether it contains unusual elements (extra letters or numbers, a wrong domain name, etc.).
- Pay attention to the form of address, phrasing and idioms.
- Keep a cool head even in stressful situations and don’t let yourself get flustered.
- Trust your instincts. If something seems strange to you, there is usually something to it.
- Get a second opinion or verify the request; it is better to check once too often than once too little.
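One way to automate the sender-address check from the list above, as an added example that is not code from the original article: the function names, the trusted domains and the sample addresses are assumptions constructed for illustration, and the check flags domains that differ from a trusted one by a few characters, by look-alike characters, or by reusing the trusted name inside a longer domain.

```python
"""Flag sender addresses whose domain merely looks like a trusted one."""
import re

# Constructed for this example: domains the company really corresponds with.
TRUSTED_DOMAINS = {"company.example", "window-fitter.example"}

# Character swaps that make a domain read the same at a glance.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def _levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _fold(domain: str) -> str:
    """Replace look-alike characters with the letters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain


def sender_domain(address: str) -> str:
    """Domain part of 'Name <user@host>' or 'user@host', lower-cased."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower().rstrip(".") if m else ""


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: address."""
    domain = sender_domain(address)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        # Homoglyph substitution, or one or two typo-style edits.
        if _fold(domain) == _fold(t) or _levenshtein(domain, t) <= 2:
            return "lookalike"
        # Trusted name reused as a subdomain or inside a longer name.
        if t.split(".")[0] in domain:
            return "lookalike"
    return "external"
```

A result of "lookalike" or "external" is a reason to verify the request through a known channel, not proof of fraud on its own.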
With regard to other attack patterns, including phishing attacks:
- Always treat email attachments and links with suspicion.
- Do not click on links or download attachments in e-mails that do not seem trustworthy to you.
- Only visit reputable websites.
- Do not click on pop-ups or banner ads indiscriminately.
- Only download and install programmes or software applications from trustworthy sources.
As a managing director:
To protect against cyber attacks, such as phishing attacks or various social engineering attacks, technical protection measures like an active firewall and spam filters are not enough. You need to focus on your employees and engage them.
- Build comprehensive and lasting cyber security awareness among your employees.
- Offer regular education and training to the workforce on current attack patterns or types of attacks. Alternatively, you can also commission external service providers – such as Perseus – to train employees.
- Promote a corporate culture where employees are encouraged to ask questions and get a second opinion when in doubt.