What Is Business Email Compromise (BEC) Attack

Business Email Compromise (BEC) attacks are a type of cyberattack in which criminals pretend to be someone you know or trust in order to deceive you into sharing login credentials or financial information.

These BEC attacks are getting more common, too. Reports show a 42% increase in the first half of 2024 compared to the same period in 2023. 

Now, BEC attacks make up 21% of all email attacks, up from 15% in early 2023 [1]. This jump shows just how serious these scams are becoming, and it’s important to know how they work to protect yourself and your business from being targeted and suffering losses.

How Do BEC Attacks Work?

BEC attacks are usually done through emails that look like they’re from a trusted person, like a company executive, supplier, or colleague. For example, you might get an email that looks like it’s from a coworker asking you to transfer money to a different account. But in reality, it’s a scammer trying to steal your company’s money.

Attackers are getting more skilled at making these emails seem real, and they often use social engineering, which means they play on emotions like trust or urgency to get you to act without thinking too hard.

According to a report from Barracuda Networks, BEC attacks made up about 10.6% of all social engineering attacks in 2023. This shows a steady rise, with BEC attacks at 8% in 2022 and 9% in 2021. This increase shows how BEC attacks are becoming a more common threat.

New Tools Make BEC Attacks Harder to Detect

BEC attacks are getting harder to spot because attackers are using new tools like generative AI. This technology helps them create more realistic messages and makes it easier to impersonate people within your organization. With AI, attackers can scale their attacks, reaching more people with more customized messages, which makes them even more convincing.

Attackers are also using techniques like QR codes and shortened URLs in their messages. These techniques make it harder for you to recognize a fake message because they can hide the actual destination link and bypass some security filters. 

With shortened URLs, you can’t see where a link will take you. QR codes add a further complication, especially since many people scan them without thinking twice. On top of that, scanning a QR code with a phone puts you at higher risk, since phones often have few or no protective tools.

Who Is Targeted in BEC Attacks?

BEC attacks don’t just target anyone—attackers focus on specific sectors and roles, especially in industries like finance and public administration. These sectors handle large financial transactions and sensitive information, making them prime targets. Since BEC scams rely on impersonating trusted contacts, they often focus on employees who can approve payments, access sensitive data, or handle high-stakes financial tasks.

One major reason these attacks are so successful is that people often open up and respond to them. According to an H1 2023 threat report from Abnormal Security, the median open rate for text-based BEC attacks is nearly 28%. Once opened, about 15% of these malicious emails are replied to, which means attackers often get the response they need to move the scam forward. Yet, only about 2.1% of BEC attacks are actually reported to a security team by employees. 

This underreporting makes it harder for organizations to assess and manage the true scope of the threat. Many organizations are also reluctant to report BEC incidents, which means statistics often underestimate the real number of attacks and losses.

High-Profile BEC Scams & Their Costly Impact

According to the FBI’s Internet Crime Complaint Center (IC3) report, BEC attacks accounted for approximately $2.9 billion in losses in 2023, with a total of 21,489 reported cases. This represents a huge increase in losses attributed to BEC since its inclusion in the IC3 reports, totaling over $14.3 billion since 2015.

Some BEC attacks have led to huge financial losses. The largest known BEC scam targeted tech giants Facebook and Google, costing them around $121 million. Between 2013 and 2015, Evaldas Rimasauskas, the scam’s mastermind, posed as a supplier and convinced both companies to transfer large sums of money. He was eventually caught and sentenced to five years in prison in 2019.

Nonprofit organizations have also suffered from these scams. In June 2021, a San Francisco-based charity, Treasure Island, lost $625,000 after attackers hacked into the email of the organization’s bookkeeper. The scammers used their access for a month to steal money that was meant to help the city’s homeless community.

Government agencies aren’t immune either. In early 2020, while responding to a 6.4-magnitude earthquake, Puerto Rico’s government discovered that it had fallen victim to a BEC scam. Rubén Rivera, the finance director of Puerto Rico’s Industrial Development Company, mistakenly transferred over $2.6 million to a fake bank account.

How to Defend Against BEC Attacks 

Defending your business against BEC attacks takes awareness and strong security habits. Here’s how you can protect your business:

1. Train Employees To Spot Signs Of BEC Attacks

They should be cautious with emails asking for money transfers, login details, or other sensitive information—especially if the message seems urgent or unusual. Remind everyone to double-check these requests by contacting the sender directly, using a known phone number, not by replying to the email.

2. Use Multi-Factor Authentication (MFA)

MFA is a layer of security that protects your business accounts and systems. When logging into email or financial accounts, MFA requires several forms of verification, like a code sent to a phone or facial recognition. This makes it harder for attackers to access accounts, even if they manage to steal a password.

3. Set Up Clear Processes For Approving Payments

For example, require a second person to review or approve any large transaction. If you receive an unexpected request for money, especially from a high-level executive or supplier, verify it with a phone call or in person.

4. Watch Out for Suspicious Links & Attachments

Attackers often use links, app downloads, or attachments to mislead you into revealing information. Look closely at email links—hover over them to see if the address matches the sender’s usual contact information. 

5. Use Strong Email Security Tools

These tools can catch known phishing and BEC scams before they reach employees. Many email security programs also have features that help detect unusual requests, which could prevent attacks from going further.

6. Make It Easy For Employees To Report Suspicious Emails Or Security Issues

Let them know that quick reporting can protect the entire organization. Many people hesitate to report things because they don’t want to sound paranoid or slow down work, but reporting could stop an attack in its tracks.

7. Regularly Review Account Settings

Attackers sometimes gain access by changing email settings, like setting up forwarding rules that send a copy of all emails to them. Check these settings, especially for executives and finance employees, to make sure nothing suspicious is going on.
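An added example (not code from the article or from 2Secure Corp) of the review step 7 describes: a small Python audit that flags inbox rules with the traits attacker-created rules tend to share, namely forwarding outside the organisation, hiding the forwarded original, filtering on finance keywords, and a blank or one-character name. The `MailRule` fields, the internal domain `example.com` and the sample rules are constructed assumptions; map your mail platform's rule export onto those fields before running it.

```python
from dataclasses import dataclass, field

INTERNAL_DOMAINS = {"example.com"}    # assumption: the domains your organisation owns
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email", "deleted items"}
FINANCE_WORDS = ("invoice", "wire", "payment", "bank", "account", "remit")

@dataclass
class MailRule:
    """Platform-neutral view of one inbox rule; map your mail server's rule export onto it."""
    name: str
    forward_to: list = field(default_factory=list)      # forward/redirect targets
    subject_contains: list = field(default_factory=list)
    move_to: str = ""                                   # destination folder, "" if none
    delete: bool = False

def audit_rule(rule: MailRule) -> list:
    """Reasons this rule matches the post-compromise pattern; an empty list means clean."""
    reasons = []
    external = [a for a in rule.forward_to if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards mail outside the organisation: " + ", ".join(external))
    if rule.forward_to and (rule.delete or rule.move_to.lower() in HIDING_FOLDERS):
        reasons.append("forwards and then hides the original from the mailbox owner")
    words = [w for w in FINANCE_WORDS if any(w in s.lower() for s in rule.subject_contains)]
    if words:
        reasons.append("filters on finance keywords: " + ", ".join(words))
    if len(rule.name.strip()) <= 1:
        reasons.append("blank or one-character rule name")
    return reasons

def audit_mailbox(rules) -> dict:
    """Map rule name -> reasons, only for rules that raised at least one."""
    findings = {}
    for rule in rules:
        if reasons := audit_rule(rule):
            findings[rule.name] = reasons
    return findings

# Constructed sample: two ordinary rules and one that looks like an attacker's persistence rule.
SAMPLE_RULES = [
    MailRule("Newsletters", subject_contains=["newsletter"], move_to="Reading"),
    MailRule("Forward to assistant", forward_to=["assistant@example.com"]),
    MailRule(".", forward_to=["collector@mail-example.net"],
             subject_contains=["invoice", "wire transfer"], move_to="RSS Feeds"),
]

if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}:\n  " + "\n  ".join(reasons))
```

Run it against the full rule export for executives and finance staff on a schedule, and treat any new hit as an incident rather than a housekeeping item.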

BEC attacks are designed to slip through the cracks, so being alert and following these steps can make a big difference. With the right precautions, you can reduce the chances of falling victim to a costly scam.
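The checks behind steps 1 and 4 above (a trusted name arriving from an unfamiliar domain, a Reply-To that does not match the sender, link text that shows one site while the target is another, and urgent money language), as an added Python example that is not code from the article. The domain list, the list of names worth impersonating and the sample message are constructed assumptions.

```python
import email
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example.com"}   # assumption: the domains you actually own
KNOWN_PEOPLE = {"jane doe"}          # assumption: names worth impersonating (executives, suppliers)
URGENT_WORDS = ("urgent", "wire", "transfer", "immediately", "gift card")

class LinkCollector(HTMLParser):     # collects (visible text, href) pairs, i.e. what hovering reveals
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, ""
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), ""
    def handle_data(self, data):
        if self._href is not None:
            self._text += data
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._text.strip(), self._href))
            self._href = None

def host(s):                         # hostname of a URL or bare domain, '' if there is none
    return (urlparse(s.strip() if "://" in s else "http://" + s.strip()).hostname or "").lower()

def triage(raw):                     # list of BEC indicators found in one raw RFC 822 message
    msg = email.message_from_string(raw, policy=default)
    sender = msg["From"].addresses[0]
    flags = []
    if sender.display_name.lower() in KNOWN_PEOPLE and sender.domain.lower() not in INTERNAL_DOMAINS:
        flags.append(f"trusted name '{sender.display_name}' used from outside domain {sender.domain}")
    if msg["Reply-To"] and msg["Reply-To"].addresses[0].domain.lower() != sender.domain.lower():
        flags.append("Reply-To domain differs from From domain")
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    collector = LinkCollector()
    collector.feed(body)
    for text, href in collector.links:
        if "." in host(text) and host(text) != host(href):   # text shows one site, target is another
            flags.append(f"link text shows {host(text)} but points to {host(href)}")
    text = (str(msg["Subject"] or "") + " " + body).lower()
    if hits := [w for w in URGENT_WORDS if w in text]:
        flags.append("urgency/money language: " + ", ".join(hits))
    return flags

# Constructed sample: a CEO impersonation with a lookalike domain, a different Reply-To and a disguised link.
SAMPLE = ("From: Jane Doe <jane.doe@example-corp.co>\nReply-To: jane.doe@mail-example.net\n"
          "Subject: Urgent wire transfer needed today\nContent-Type: text/html\n\n"
          '<p>Please pay before noon: <a href="http://login.mail-example.net/pay">https://portal.example.com/invoice</a></p>\n')
```

`triage(SAMPLE)` returns all four indicators; a message that raises even one is worth the out-of-band phone call step 1 recommends.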

FAQ

What Type Of Attack Is BEC?

BEC, or Business Email Compromise, is a scam where attackers deceive you through email. They pretend to be someone you trust—like a boss or supplier—and ask for money or sensitive information. This attack relies on social engineering, meaning the attacker manipulates you into believing the request is real.

What Is The Difference Between BEC & Phishing?

BEC is when attackers pretend to be someone you trust, like a boss, to trick you into sending money or information. Phishing, on the other hand, is a broader scam where attackers send fake emails, downloadable apps, or links to steal personal details or infect your device. BEC is more targeted, while phishing is often general.

How Can A Business Avoid BEC Attacks? 

To avoid BEC attacks, you need strong email security, along with backup and recovery tools. 2Secure Corp uses these tools to help prevent attacks, reduce their impact, and restore any lost data. Also, train employees to spot suspicious emails, double-check requests for money or information, and always confirm unexpected messages from “trusted” contacts.

Source:

1. 2024 H1 Report: Cybersecurity Trends & Insights. (2024, August 29). Perception Point. https://perception-point.io/resources/report/2024-h1-report/