As we consider the question “what is business email compromise” (BEC) and strategize ways the threat can be prevented, it’s important to understand the scope and severity of the issue.

According to data provided to the Internet Crime Complaint Center (IC3), the total number of BEC victims from Oct 2013 – May 2018 hit 78,617 worldwide. That’s huge by any fraud trend standard, and especially frightening due to the fact that the affected companies never saw it coming. They were normal, everyday organizations minding their own business when all of a sudden, the foundation of what they knew to be normal was turned upside down in the knowledge that they’d been duped – and subsequently bilked – by a fraudster, even though they had security measures in place.

Despite its growing reputation, BEC isn’t new. The FBI started tracking it as an emerging threat in 2013. At its core, its actually one of the oldest cons in the book, relying on simple deception and a victim’s gullible desire to do the right thing — and it’s working frighteningly well, spreading to more than 115 countries (including the U.S) with losses totaling $12.5 billion.

So why is it such a successful attack vector, generating headlines at a rate far greater than most any other fraud type?

BEC chart

It’s tempting to think that the explosion of BEC is due to its simplicity. While it is fair to say that the flow of a standard BEC attack is undoubtedly straightforward, what goes into executing such an attack is anything but simple.

What is Business Email Compromise?

The act of fooling victims, tricking them into making fraudulent payments by pretending to be an authorized representative of the company, is only the basic building block of a successful BEC scam. It’s all the work that happens before where the magic happens, with perpetrators first gaining access to a company’s network through an advance spear phishing campaign. They then deploy malware that enables them to spend weeks or months in the network undetected, studying every aspect of the business and collecting the information needed for the imposter phase of the campaign to be effective.

These are not the random acts of casual criminals looking to make a quick buck. On the contrary, they are stealth attacks executed with military precision. Calculated efforts designed by criminal organizations structured just like your business.

It’s true. The syndicates responsible for the vast majority of BEC attacks are armed with a full staff of lawyers, linguists, hackers and social engineers. Entire teams of professionals with a decided unwillingness to accept anything short of success. No wonder they can so easily infiltrate organizations who are powerless to keep them out! It’s like Mario Puzo wrote in The Godfather, “The lawyer with a briefcase can steal more money than a man with a gun.” Theft no longer takes a weapon…just a computer and a little creativity.

While it might seem as though it would be infinitely easier to defend your organization against a fraudster that can be seen, the fact that BEC scams are a seemingly invisible threat that strikes from out of nowhere is neither cause for resignation nor of alarm.

There are huge red flags apparent in any BEC attack that companies should be on the lookout for. Examples include, but not limited to:

  • Unusual transfer amounts (higher or lower than normal)
  • Payments to new beneficiaries, or beneficiaries outside of where the business typically operates, or even international transfers
  • Transfers to known vendors with new payment details
  • Changes in established vendor payment cadence

And this isn’t all. Just like any good business, criminals are continually improving their techniques to find new ways to victimize businesses into BEC. CEO scams might have spiked in popularity due to their success rates, but wily fraudsters, happy to diversify, have also been reverting back to old types of attacks such as the “supplier swindle,” an attack in which criminals spoof a company related to their target, rather than the target themselves

The good news is, it’s not necessary to rely on the diligence of employees to catch the red flags of BEC (although employee education is a key component of any comprehensive security plan.). Just as the fraudsters have a clearly documented plan of attack, so should you – and it should be solidly rooted in the use of proactive user behavior analytics and monitoring.

Just as the fraudsters have a clearly documented plan of attack, so should you-and it should solidly rooted in the use of proactive user behavior analytics and monitoring.

While most organizations focus their efforts on deploying cyber security solutions designed to keep intruders out, user behavior analytics and monitoring makes the somewhat counterintuitive assumption that hackers will get in (and they will get in, so might as well adopt an honest acceptance of that upfront). It then profiles the behavior of users, including business customers, employees, etc. so that a baseline of what is considered typical for the organization can be established. It then uses that data to detect anomalies and prevent fraud in real time, stopping fraudulent payments before they can happen.

There’s no question that fraud is rising aggressively. According to the 2018 Treasury Fraud and Controls Survey Report by Strategic Treasurer, 2016 – 2018 has seen a 40% increase in the number of organizations experiencing fraud. As new technologies emerge, fraudsters are redoubling their efforts to take advantage of every opportunity. They have mobilized, they’re organized, and they probably even have health plans. To defend yourself, it’s time to have a better plan than the criminals, one that comes down to being proactive, rather than reactive

Posted by Boaz Krelbaum

As the General Manager of Cyber Fraud & Risk Management for Bottomline Technologies, Boaz Krelbaum helps organizations reduce risk, prevent fraud and meet regulatory compliance requirements.