What are BEC Attacks
Business Email Compromise (BEC) is a type of phishing attack that impersonates a trusted source to ask the recipient to share sensitive corporate information.
BEC emails appear to come from a trusted source, but in reality they are sent from accounts the attacker controls.
BEC attacks have high success rates with the FBI reporting that companies have lost at least $26 billion to BEC scams in the last three years.
The high success rates of BEC attacks arise from the targeted nature of these attacks. Unlike a spam email which casts a wide net, BEC attacks target a specific person within an organization.
This means the attacker takes time to research the recipient and to understand them and their company. The attacker then crafts a spoofed email designed to look like a legitimate request, sent from an address that appears to belong to a trusted source. Unless the recipient looks carefully at the sender’s address, they are likely to act on the request.
For example, an attacker trying to impersonate an executive whose address is johndoe@company.co.uk might send from:
jondoe@company.co.uk
Such variations are easy to miss, which makes these email attacks highly effective.
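The lookalike check described above can be automated at the mail gateway or in a SIEM. The following is an added example, not code from the original article: it compares the From: header of an incoming message against a small directory of frequently impersonated people (the addresses and names below are constructed assumptions) and flags three patterns: a display name that belongs to a trusted person on a different address, a whole address within a couple of edits of a trusted one (jondoe vs johndoe), and a domain within a couple of edits of the company's own.

```python
from email.utils import parseaddr
from typing import Dict, Optional

# Constructed sample directory of frequently impersonated people (hypothetical
# addresses; a real deployment would load these from the HR or identity system).
TRUSTED_SENDERS: Dict[str, str] = {
    "johndoe@company.co.uk": "John Doe",
    "jane.smith@company.co.uk": "Jane Smith",
}
TRUSTED_DOMAINS = {addr.rpartition("@")[2] for addr in TRUSTED_SENDERS}


def levenshtein(a: str, b: str) -> int:
    """Edit distance: minimum insertions, deletions and substitutions to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca -> cb
        prev = cur
    return prev[-1]


def check_from_header(header: str, max_distance: int = 2) -> Optional[str]:
    """Return a reason string if the From: header looks like a BEC lookalike,
    or None if it is an exact trusted address or unrelated to any trusted person."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    if addr in TRUSTED_SENDERS:
        # Genuine address. Note that a taken-over account (EAC) also passes here;
        # this check only catches impersonation, not compromise.
        return None
    domain = addr.rpartition("@")[2]

    # 1. The display name claims a trusted identity but the address is not that person's.
    for trusted_addr, trusted_name in TRUSTED_SENDERS.items():
        if name and name.strip().lower() == trusted_name.lower():
            return f"display name {name!r} belongs to {trusted_addr} but address is {addr}"

    # 2. The whole address is a near-miss of a trusted one (jondoe vs johndoe).
    for trusted_addr in TRUSTED_SENDERS:
        dist = levenshtein(addr, trusted_addr)
        if dist <= max_distance:
            return f"{addr} is {dist} edit(s) away from {trusted_addr}"

    # 3. Only the domain is a near-miss; a colleague on the real domain (distance 0) is fine.
    for trusted_domain in TRUSTED_DOMAINS:
        dist = levenshtein(domain, trusted_domain)
        if 0 < dist <= max_distance:
            return f"domain {domain} is {dist} edit(s) away from {trusted_domain}"
    return None


if __name__ == "__main__":
    for sample in ("jondoe@company.co.uk", "John Doe <john.doe@gmail.com>",
                   "accounts@cornpany.co.uk", "alice@company.co.uk"):
        print(f"{sample!r}: {check_from_header(sample)}")
```

A distance threshold of 2 is a starting point; tune it against your own sender directory, because short local parts produce more false positives than long ones, and route anything flagged to a banner or a hold queue rather than an outright block so that legitimate near-miss domains (partners, subsidiaries) can be allow-listed.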
Other common types of BEC attacks include:
CEO Impersonation: these attacks will impersonate a CEO of an organization, usually targeting finance and accounting departments to request fund transfers.
Legal personnel impersonation: an attacker targets low-level employees pretending to be from the legal department, then requests sensitive information or money. For instance, in 2014, attackers impersonating Scoular’s CEO and the KPMG legal team tricked an employee into transferring $1.72 million to the attackers.
Data theft: these attacks target HR personnel, asking for information about executives or employees. An example is the 2016 attack in which attackers impersonated Snapchat’s CEO and requested payroll information for current and former employees.
What are EAC Attacks
Email Account Compromise or EAC attacks take BEC attacks to the next level.
These attacks don’t impersonate a legitimate account. They take over a legitimate account and use that to further their malicious intent.
EAC attacks are more targeted than BEC attacks, and the losses from these attacks are higher. They target high-level executives and personnel with purchasing power in an organization.
EAC attacks take several steps. The first is gaining access to the account, through malware, social engineering, or brute-force attacks. If, for example, the target falls for a social engineering attack, they are likely to hand over their email credentials.
With these credentials, the attacker has access to the account and can send messages to its contacts. They can also set up automatic forwarding to their own accounts for emails containing the type of information they want, for example by filtering on keywords related to financial transactions if money is what they are after.
Once the attacker finds an email chain that matches their keywords, they remove the legitimate account owner from the chain and spoof that email, as in a BEC attack.
Once they have access to the recipients, they can request fund transfers to their accounts.
Attackers can also intercept communication between a business and a client.
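Because the forwarding rules described above are created inside a legitimate mailbox, they are one of the few artefacts of an EAC takeover a defender can look for directly. The following is an added example, not code from the original article: it scores a constructed export of inbox rules (hypothetical mailboxes, rule names and an assumed internal domain of company.co.uk) on the traits that typically co-occur in attacker-created rules, and reports only rules that combine two or more of them, since a single trait such as a forward to a colleague is a normal workflow.

```python
from typing import Any, Dict, List

INTERNAL_DOMAINS = {"company.co.uk"}  # assumption: the organisation's own mail domains
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "bank", "transfer", "remittance", "iban"}
# Folders a mailbox owner rarely opens, so a rule moving mail there hides it in practice.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items",
                  "conversation history"}

# Constructed sample export of inbox rules (hypothetical mailboxes and rule names),
# shaped like what a mail platform's admin API or PowerShell cmdlet would return.
SAMPLE_RULES: List[Dict[str, Any]] = [
    {"mailbox": "cfo@company.co.uk", "name": "Archive newsletters",
     "conditions": {"subject_contains": ["newsletter"]},
     "actions": {"move_to": "Archive"}},
    {"mailbox": "cfo@company.co.uk", "name": ".",
     "conditions": {"subject_contains": ["invoice", "wire transfer"]},
     "actions": {"forward_to": ["cfo.backup@mail-proxy.example"], "delete": True}},
    {"mailbox": "ap@company.co.uk", "name": "Copy to assistant",
     "conditions": {},
     "actions": {"forward_to": ["assistant@company.co.uk"]}},
    {"mailbox": "ceo@company.co.uk", "name": "Hide",
     "conditions": {"from_contains": ["bank"]},
     "actions": {"move_to": "RSS Feeds", "mark_read": True}},
]


def rule_indicators(rule: Dict[str, Any]) -> List[str]:
    """List the individual suspicious traits of one inbox rule."""
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    reasons: List[str] = []
    # Forwarding outside the organisation is how the attacker receives copies.
    for target in actions.get("forward_to", []):
        if target.rpartition("@")[2].lower() not in INTERNAL_DOMAINS:
            reasons.append(f"forwards to external address {target}")
    # Keyword filters that select payment-related threads.
    terms = [t.lower() for values in conditions.values() for t in values]
    hits = sorted({kw for term in terms for kw in FINANCE_KEYWORDS if kw in term})
    if hits:
        reasons.append("filters on financial keywords: " + ", ".join(hits))
    # Deleting, marking read or moving to an obscure folder keeps the owner unaware.
    if (actions.get("delete") or actions.get("mark_read")
            or str(actions.get("move_to", "")).lower() in HIDING_FOLDERS):
        reasons.append("hides matching mail from the mailbox owner")
    # Attacker-created rules are often named with a single character or nothing.
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append(f"rule name {rule.get('name')!r} is empty or a single character")
    return reasons


def find_suspicious_rules(rules: List[Dict[str, Any]],
                          min_indicators: int = 2) -> List[Dict[str, Any]]:
    """Return rules that combine at least min_indicators traits."""
    findings = []
    for rule in rules:
        reasons = rule_indicators(rule)
        if len(reasons) >= min_indicators:
            findings.append({"mailbox": rule["mailbox"], "name": rule["name"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_rules(SAMPLE_RULES):
        print(f["mailbox"], repr(f["name"]), "->", "; ".join(f["reasons"]))
```

Run this over a periodic export of all mailbox rules and alert on new findings; pairing it with the platform's audit log of rule creation (who created the rule, from which IP and client) turns a hit into an incident ticket with the context an analyst needs.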
Some notable examples of EAC attacks include:
Puerto Rico lost more than $4 million in an EAC attack when the attackers took over the email account of a worker and proceeded to request changes to bank account details.
Rijksmuseum Twenthe, a Dutch bank, lost $3.1 million in an EAC attack where the attacker posed as a reputable London art dealer.
Both BEC and EAC attacks are highly targeted. The key differences between them are:
BEC attacks impersonate a trusted source’s email while EAC attacks come from the actual email of a trusted source.
EAC attacks are stealthy and less likely to be discovered since they use the compromised legitimate email of a person within an organization. They take advantage of the established trust to gather more information or request fund transfers.
BEC attacks can be prevented through most email security methods, but EAC attacks are more sophisticated since they use legitimate emails to steal data or for financial gain.
BEC and EAC attacks are not selective about the size of their victims – they target small and large businesses alike.
Because these attacks are hard to detect once they are under way, the best defense an organization has is to prevent them before they happen. Here are several ways to prevent BEC and EAC attacks:
Use email encryption software to add encryption on top of the built-in email security features.
Adopt Domain-Based Message Authentication, Reporting, and Conformance (DMARC). DMARC is an email authentication protocol that uses domain verification to stop spoofed emails from ever reaching your employees’ inboxes.
Include employee training in your cybersecurity plan.
Evaluate your BEC and EAC attack risks by identifying the most at-risk people in your organization. Set up measures your business can take to prevent attacks.
Enable multi-factor authentication.
Key Takeaways
Both BEC and EAC attacks are highly targeted email attacks that use social engineering to bypass an organization’s security measures. Fortunately, by understanding the key differences between these two, you can identify ways to prevent them.
BEC attacks require employees to be vigilant and skeptical when they receive emails asking for sensitive data.
EAC attacks require more sophisticated protection that begins with preventing account takeover from happening in the first place and then using measures like email encryption for additional protection.