Business Email Compromise is Big Business

The FBI’s 2021 Internet Crime Report named business email compromise (BEC) as the most effective weapon in the cybercrime arsenal. It accounted for a third of the country’s $6.9 billion in cyber losses that year and is expected to rake in even more cash in 2022.

BEC can be categorized as a response-based attack: the bad actor needs the user to reply to a message and engage in a conversation that eventually leads to the execution of an elaborate scam. It all begins with someone successfully breaking into an email account. Phishing is usually the gateway to BEC: a user is tricked into clicking on a malicious URL or attachment, has their password cracked using brute-force techniques, or a criminal buys previously exposed credentials on the dark web.

But in most BEC cases, the con doesn’t happen all at once. Cybercriminals are keen to gain access to prized email accounts such as those of a CEO, CFO, or other finance personnel who have purchasing or bill-paying authorization or access to bank accounts. A common trick is for the attacker to lie in wait, carefully monitoring traffic on the compromised email account and hoping for the best opportunity. The victim in these cases has no idea that anyone else is reading their conversations.

A bad actor waits for the right moment. Perhaps a deal is going through that involves millions: the company may be sending a big order to a new supplier or finalizing negotiations for a merger. Ideally for the attacker, the CEO, CFO, or other person whose account has been hacked is traveling as part of the deal. The criminal knows when they log off for the day. At that point, they can take over the email and send a message to someone at headquarters saying that something has come up and they need that person to immediately send $XYZ million to a given account number. Urgency is injected: the deal will fail or business will be lost to a competitor if they don’t transfer the money right away. Because the message came from the exec’s actual email account – and clever BEC scammers even use the same language, the same greetings, and the same complimentary close the boss always uses – everything looks indistinguishable from normal traffic apart from the unexpected need to act now and send the cash immediately. If the person complies and sends the money that night, suspicion usually doesn’t emerge until the next morning. By then it is too late: the money has been transferred from account to account to account and is usually beyond retrieval.

Bigger Targets and Better Defenses  

Modern scammers now look for the most lucrative targets, hence the upward trajectory in the effectiveness of BEC. FBI numbers put annual takings from BEC at around $2.4 billion.

Further FBI data adds up all the damage from BEC. Between July 2019 and December 2021, there was a 65% increase in identified global exposed losses. The BEC scam has been reported in all 50 states and 177 countries, with over 140 countries receiving fraudulent transfers. Banks located in Thailand and Hong Kong were the primary international destinations of fraudulent funds. China, which ranked in the top two destinations in previous years, ranked third in 2021, followed by Mexico and Singapore. Between June 2016 and December 2021, the total haul internationally from BEC-related incidents came to $43 billion.

Accordingly, the agency made the following suggestions to protect against BEC:  

  • Use secondary channels or two-factor authentication to verify requests for changes in account information. 
  • Ensure the URL in emails is associated with the business/individual it claims to be from. 
  • Be alert to hyperlinks that may contain misspellings of the actual domain name. 
  • Refrain from supplying login credentials or sensitive personal information of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate. 
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from. 
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed. 
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
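Several of the FBI points above (verify the sender’s address, watch for misspelled domains in links, check that a URL really belongs to the business it claims) can be automated at the mail gateway or in a triage script. The following Python checker is an added example, not code from this article, the FBI, or Syxsense. It reads a raw message, compares the real sender domain against an allowlist, folds common look-alike spellings and one-character typosquats, flags a display name or Reply-To whose domain differs from the actual sender, and classifies every link host in the body. The allowlist domain (example.com), the confusable table and both sample messages are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed allowlist of the organisation's own domains (assumption for this example).
TRUSTED_DOMAINS = {"example.com"}
# Constructed, deliberately small look-alike table; real confusable tables are far larger.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
CONFUSABLE_PAIRS = [("rn", "m"), ("vv", "w"), ("cl", "d")]
URL_RE = re.compile(r"https?://[^\s<>\"']+")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w.-]+\.\w+")


def normalize(domain):
    """Fold common look-alike spellings so 'exarnp1e.com' becomes 'example.com'."""
    folded = domain.lower().strip().translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, single)
    return folded


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain):
    """Return 'trusted', 'lookalike' or 'external' for a sender or link domain."""
    domain = domain.lower().strip(".")
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    folded, labels = normalize(domain), re.split(r"[.-]", domain)
    for trusted in TRUSTED_DOMAINS:
        # Same after folding, one edit away, or the brand name buried in a
        # foreign domain such as example.com.secure-login.net.
        if (folded == normalize(trusted) or edit_distance(folded, normalize(trusted)) <= 1
                or trusted.split(".")[0] in labels):
            return "lookalike"
    return "external"


def domain_of(address):
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""


def analyze_message(raw):
    """Parse a raw RFC 5322 message and list sender and link red flags."""
    msg = message_from_string(raw)
    display, sender = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(sender)
    findings = []
    verdict = classify_domain(sender_domain)
    if verdict != "trusted":
        findings.append(f"sender domain {sender_domain} is {verdict}")
    # Display name carrying an address whose domain differs from the real sender.
    for shown in EMAIL_RE.findall(display):
        if domain_of(shown) != sender_domain:
            findings.append(f"display name shows {shown} but message is from {sender}")
    # Reply-To that quietly moves the conversation to another mailbox.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"Reply-To {reply_to} does not match sender domain {sender_domain}")
    # Every link host in the text parts is checked against the allowlist.
    body = "".join(part.get_payload(decode=True).decode(errors="replace")
                   for part in msg.walk() if part.get_content_type() == "text/plain")
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname or ""
        if classify_domain(host) != "trusted":
            findings.append(f"link host {host} is {classify_domain(host)}")
    return {"sender": sender, "sender_domain": sender_domain, "findings": findings}


# Constructed sample messages, not real traffic.
SAMPLE_SUSPICIOUS = """\
From: "Jane Chen <jane.chen@example.com>" <jane.chen@examp1e.com>
Reply-To: jane.chen@mail-relay.biz
Subject: Urgent wire before close of business

Please wire the deposit today or we lose the supplier.
Updated portal: https://example.com.secure-login.net/pay
"""
SAMPLE_CLEAN = """\
From: "Jane Chen" <jane.chen@example.com>
Subject: Q3 invoice

Invoice is in the usual portal: https://example.com/portal
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_SUSPICIOUS), ("clean", SAMPLE_CLEAN)):
        print(label, analyze_message(raw)["findings"])
```

On the suspicious sample the checker raises four findings (look-alike sender domain, a display name that advertises a different address, a foreign Reply-To, and a link whose host only contains the brand name); the clean sample produces none. The folding and edit-distance heuristics are intentionally coarse: they catch the substitutions people actually miss on a phone screen, which is the situation the FBI guidance singles out, while the allowlist keeps genuine internal mail from being flagged.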

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added to this list in a Shields Up alert earlier this year with the following key guidelines:  

  • Ensure that software is up to date, prioritizing updates that address known exploited vulnerabilities identified by CISA. 
  • Confirm that the organization’s IT personnel have disabled all ports and protocols that are not essential for business purposes.  

No one wants to experience a cyberattack. That is why it is so important to scan constantly for vulnerabilities and keep patches up to date. Syxsense is the only product that combines automated patching, vulnerability scanning, remediation, and IT management.

For more information visit