As the digital era evolves, businesses around the world are more digitally connected, faster paced and more reliant on digital communications than ever before. Unfortunately, this interconnectedness also exposes organisations to rapidly evolving cyber threats, with Business Email Compromise (BEC) emerging as one of the most sinister and damaging forms of attack. Unlike many other cyber threats, BEC relies heavily on exploiting human psychology and trust: the attacker gains unauthorised access to your emails, your inbox and your saved contacts, and then uses that access to trick someone into sending sensitive data or money, making it a formidable challenge for even the most security-conscious organisations. Session hijacking of genuinely authenticated connections to services such as Google Workspace or Microsoft 365 is difficult to detect and prevent, and it requires a defence-in-depth approach to security, layered with technical controls such as conditional access policies, so that access to your inbox is constantly validated.
In 2024, Business Email Compromise attacks continue to target companies of all sizes and across all sectors, causing significant financial, operational and reputational damage. In this blog we explore what BEC is and why it remains a top cyber threat, review a recent case study showing the real-life implications of business email compromise, and discuss strategies an organisation can implement to better protect itself from this threat.
Business email compromise is a sophisticated type of phishing scam in which cyber criminals impersonate a trusted individual inside or connected to an organisation, often a CEO, CFO or other executive, or a supply chain vendor. The attacker's aim is typically to trick individuals into divulging sensitive information or transferring funds. Unlike phishing campaigns that rely on malicious links or software to take you to malicious websites or resources, BEC uses your own email platform and your own email address to attack your trusted colleagues, friends, family and associates through manipulation and deceit. Because this tactic uses your own inbox to communicate, or to alter the integrity of business communications, it is much harder to detect and prevent with traditional security tools. Organisations, especially in the financial sector, are seeking new ways to protect themselves from this type of attack, worried that bank details may be manipulated or intercepted in their communications.
Many attackers will have done their due diligence with their initial reconnaissance and social engineering phases of their attack, and they may include specific or familiar keywords, names or other information that relate to the victim organisation or individual to increase the “authenticity” of the email they send from your mailbox. Attackers may also use urgency and scarcity tactics to make the victim feel under pressure which can cause a user to prioritise immediate action without thinking rationally.
According to a 2024 report by Coalition, a leading cyber insurance organisation, BEC accounts for almost one third of all cyber insurance claims, with the average financial loss per year standing at almost £100,000. The frequency and severity of this tactic have increased year on year, revealing growing sophistication within criminal cyber groups, who use tailored tactics to succeed.
1. Reconnaissance: cyber criminals can spend months researching a target organisation and monitoring or redirecting its communications without your knowledge. They gather information on key employees, business partners, suppliers and frequently used terms and phrases, as well as patterns and trends such as when in the month your organisation emails invoices or statements to customers, so that their eventual attack does not stand out and get detected. Reconnaissance can include viewing social media accounts, publicly accessible information on search engines such as Google, the company website and, of course, any information already on the dark web, so it is important to consider your digital footprint and how you keep yourself safe online.
2. Initial Contact: by now the attackers have likely gathered enough information to craft a sophisticated email campaign or to interject into your existing conversations with trusting contacts. They may even have redirected your emails to another inbox outside your control, exfiltrating your communications. Having found a likely target, they will pose as you or as a trusted individual within or related to the company. They might also register a domain name very similar to your own (typosquatting) and configure email services that imitate your business identity. This lets them continue the conversation with your contacts from email platforms you have no control or influence over, while impersonating your email address and display name; your contact believes they are speaking to you when they are in fact engaged with a cyber criminal.
3. Urgency and Emotional Manipulation: attackers will create a sense of urgency or secrecy, often mimicking the communication style of the key employee or supplier they are impersonating. As discussed previously, a sense of urgency can make people act out of character, which may allow the attackers to convince the employee to bypass normal processes and security measures, exploiting the human tendency to trust.
4. Execution and Loss: once the victim has divulged sensitive information or transferred funds, the attacker will quickly move the stolen assets and may even cover their tracks by removing all traces of the malicious emails, making recovery difficult. By the time the organisation realises what has happened, the money has likely been laundered through multiple accounts and moved internationally, in a way that even the authorities struggle to recover.
In Q3 2024, cybersecurity firm VIPRE noticed an alarming spike in business email compromise cases in the manufacturing industry. According to their report, BEC incidents in manufacturing rose from 2% in Q1 to 10% in Q3. The report includes a case study of a large UK-based manufacturing company that lost millions to a BEC scam that cleverly exploited routine supplier communications.
The attackers infiltrated the email account of a key employee using a mix of phishing and brute-force tactics. Once they had access, they patiently monitored the employee's communications and observed the trends and patterns of genuine correspondence. When a large transaction was scheduled, the attackers seized the opportunity and contacted the company requesting urgent payment due to a “billing error”. They included past invoices and other key information, including illegitimate bank details, to make the request convincing.
Having no initial reason to doubt the legitimacy of the email, the recipient finance team transferred millions of pounds into the attackers' bank account. By the time the company realised what had happened, the attackers had already moved the money and disappeared without a trace. This not only caused significant financial loss but also seriously affected the company's reputation, causing tension amongst key stakeholders and investors. The case underlines how BEC continues to grow in sophistication, and that even well-prepared organisations can fall victim to such a scam.
The VIPRE case study highlighted several reasons why BEC remains challenging to detect and prevent:
1. Reliance on Social Engineering Tactics: instead of relying on obvious malicious elements like links or attachments, BEC attacks often rely entirely on tailored, convincing, text-only messages. An attacker will spend weeks or months monitoring the victim organisation, learning its language style and habits, identifying key employees and observing communication tones and patterns. This allows BEC messages to blend seamlessly into regular correspondence, bypassing traditional security measures.
2. Trust and Psychological Manipulation: rather than attacking system weaknesses, BEC attacks exploit human nature and the vulnerability this presents to organisations. Employees are usually trained to respond promptly to requests from executives, and attackers exploit this by using authority, urgency and confidentiality to manipulate the employee's sense of responsibility and trust. The compelling emails used in these attacks are difficult to spot, and users are deceived into acting on what they believe is a genuine request, with attackers leveraging AI and extensive social engineering to perfect their communications.
3. High Levels of Detail: because of the extensive reconnaissance usually carried out by the attackers, the emails contain a high degree of accurate information to create a sense of legitimacy. In the VIPRE case referenced above, the attackers even included previous invoice history and specific order details to gain the trust of their victim. Typically only a small amount of data is manipulated to execute the attack, such as bank details being altered or an email address being changed so that information is exfiltrated.
4. Clever Spoofing and Account Takeover: attackers will either spoof email addresses to look almost identical to those of trusted contacts or gain access to real accounts through credential theft. In VIPRE's study, one third of BEC incidents in 2024 involved account takeover (ATO), a trend that experts expect to grow as attackers become more adept at compromising accounts. Toro has seen an increasing number of attacks that also involve typosquatting.
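As an added example (not code from the original post or from Toro), the check below flags the lookalike domains and spoofed display names described under Initial Contact above and in point 4 of this list, the kind of rule a mail gateway or SOC script could apply to inbound From/Reply-To headers. The organisation domain, the homoglyph table and the sample headers are all assumed or constructed for the demonstration.

```python
from email.utils import parseaddr

# Assumed organisation domain and constructed sample headers (not real data).
ORG_DOMAIN = "example-manufacturing.co.uk"
SAMPLE_MESSAGES = [
    ('"Jane Doe" <jane.doe@example-manufacturing.co.uk>', ""),
    ('"Supplier Ltd" <invoices@supplier-ltd.com>', ""),
    ('"Jane Doe" <jane.doe@examp1e-manufacturing.co.uk>', ""),  # digit-for-letter lookalike
    ('"jane.doe@example-manufacturing.co.uk" <finance.urgent@gmail.com>', ""),  # org address in display name
    ('"Accounts Payable" <accounts@example-manufacturing.co.uk>', "accounts@example-manufacturing.com"),  # Reply-To diverts the thread
]
# Digits commonly swapped for letters in lookalike domains (illustrative list).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain: str) -> str:
    """Lower-case, map homoglyph digits to letters and drop dots and hyphens."""
    return domain.lower().translate(HOMOGLYPHS).replace("-", "").replace(".", "")

def classify_sender(from_header: str, reply_to: str = "") -> list[str]:
    """Return why a From/Reply-To pair looks like a BEC lookalike (empty if clean)."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    reasons = []
    if domain != ORG_DOMAIN:
        # A small edit distance after normalisation catches typosquats such as
        # examp1e-manufacturing.co.uk or example-manufacturing.com
        if levenshtein(normalise(domain), normalise(ORG_DOMAIN)) <= 2:
            reasons.append(f"lookalike domain {domain}")
        # Display name shows an organisation address while the real sender is elsewhere
        if "@" + ORG_DOMAIN in name.lower():
            reasons.append(f"display name impersonates {ORG_DOMAIN}, real sender {domain}")
    reply_domain = parseaddr(reply_to)[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from sender domain {domain}")
    return reasons

def scan_samples() -> dict[str, list[str]]:
    """Run the check over the constructed messages, keyed by From header."""
    return {frm: classify_sender(frm, rt) for frm, rt in SAMPLE_MESSAGES}
```

Three of the five constructed messages are flagged; the genuine internal sender and the unrelated supplier domain pass clean.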
According to Schauer Group Insurance's 2024 report on cyber risk, business email compromise accounts for almost 75% of all funds transfer fraud claims, with large businesses bearing the brunt of the losses. Direct financial loss is not the only implication of these attacks: they also drain valuable resources, diminish trust between partners and clients and can cause irrecoverable reputational damage, depending on the nature of the organisation. Understanding the potential effects of BEC and implementing robust preventive measures are imperative for organisations seeking to safeguard their assets, reputation and sensitive information. With new regulation coming into force, organisations also risk fines and penalties for significant breaches that could reasonably have been prevented through good Governance, Risk and Compliance measures coupled with sound technical controls.
1. Implement Multi-factor Authentication (MFA) on Email Accounts: MFA adds an extra layer of security by requiring a second factor at login, such as an SMS code, biometric data or an authenticator application. This helps prevent account takeover, as more than just a password is needed to log in. MFA should be mandatory in every organisation, for every user and mailbox in the business. Note that MFA on its own does not stop the session hijacking of already-authenticated connections mentioned above, which is why it needs to sit alongside conditional access controls.
2. Comprehensive and Regular End User Training: by providing end users with tailored and regular training, organisations can ensure that staff are aware of the latest trends attackers are using for BEC attacks including how to verify sender identities, detect spoofed email addresses, and to feel confident in reporting suspicious messages and behaviours.
3. Advanced Email Filtering and Detection Tools: traditional email filters are not always effective against BEC attacks because there are no malicious links or attachments to detect. Advanced email security tools that use AI to analyse communication patterns and flag anomalies are worth considering, but they must be chosen carefully, as attackers also exploit AI to perfect their scams.
4. Verification Policies for Financial Transactions: a clear and consistent policy for verifying financial transactions can significantly reduce the risk of BEC, with finance teams corroborating bank details and using out-of-band communication to verify information with the counterparty. Organisations should require all large transactions to be verified by telephone or in person, especially for requests from external entities or vendors. In VIPRE's case study, a simple phone call confirming the authenticity of the request might have prevented the multimillion-pound loss. Toro is aware that voice impersonation is also on the rise, which can make telephone verification unreliable too, but it remains another line of enquiry for validating the integrity of bank details, for example.
5. Limiting Public Access to Employee Information: limiting the amount of publicly accessible information on places like LinkedIn or the organisation's website can make it harder for attackers to impersonate employees. Attackers use this publicly available information to create highly targeted and detailed emails, which in turn increases their authenticity.
6. Establish a Strong Incident Response Strategy: even with the best defences, organisations are not immune to BEC, so having a strong incident response strategy is paramount. It should include isolating affected endpoints and alerting the relevant authorities and financial institutions. A quick response can help reduce the damage and recover data or funds where possible.
7. Make Use of Emerging Technologies: a well-orchestrated Secure Access Service Edge (SASE) implementation acts as a smart VPN with conditional access tooling that limits access to your data and assets, including your emails. It can help prevent attackers gaining access to your inbox, and so stop BEC attacks, by removing the exposure of services such as Microsoft 365 and Google Workspace to the public internet from unauthorised devices that an attacker may use. SASE introduces another layer of security that makes your organisation far less susceptible to this type of attack. Emerging technologies help by layering technical controls that constantly monitor your account and device posture and make it impossible for attackers to reach your mailbox from a device that is not company owned or managed. Simply put, the less exposed your business is to the public internet, the lower the risk of a successful Business Email Compromise attack.
In conclusion, Business Email Compromise (BEC) continues to be a huge threat to organisations today, with attack tactics that leverage trust, psychological manipulation and comprehensive reconnaissance to bypass traditional technical defences. As highlighted above, these tactics are becoming more sophisticated and more common, targeting organisations with highly detailed, realistic scams that evade technical controls and exploit human vulnerabilities.
To protect against BEC, organisations must adopt a comprehensive defence strategy that combines advanced security technologies, end-user awareness training and verification processes. Measures like multi-factor authentication (MFA) and advanced email filters that embed Data Loss Prevention (DLP) capabilities, coupled with strict protocols for processing financial transactions, are essential in reducing the risk of BEC. Perhaps most crucially, adopting a security-aware culture within the workplace can empower employees to detect, prevent and report potential attacks.
While technology provides robust barriers, the human tendency to trust is a considerable vulnerability and a real challenge in the fight against business email compromise. With vigilance, layered security controls and ongoing awareness training, companies can better protect themselves against the serious financial and reputational damage that a Business Email Compromise attack causes. By preparing for the increasingly sophisticated tactics of cyber criminals, organisations can ensure they remain resilient and responsive to this enduring threat.
If you are concerned about Business Email Compromise attacks, and you’re not sure how to protect your organisation or are concerned about email integrity, reach out to Toro for a complimentary discussion with our Subject Matter Experts and find out how Toro can protect your data assets and integrity.