Business Email Compromise

Compromised email accounts can cause massive damage to organisations. Cyber criminals compromise an email account by using social engineering techniques to gain access to your networks or accounts, and then use that access to start their attack.

What is Business Email Compromise

Business Email Compromise (BEC) is a term that is becoming more common. It refers to a type of phishing attack which is aimed at a targeted business and involves impersonating employees. The difference between BEC emails and normal phishing emails is that they are targeted at specific individuals, whereas normal phishing emails are sent out to hundreds or thousands of people. The purpose of BEC emails is to steal money, personal information or critical data from organisations by impersonating someone known to the organisation.

BEC emails are addressed to a specific individual and typically request that bank details are altered to a fraudulent account owned by the cyber criminals. This method is referred to as mandate or invoice fraud. Some examples of this method of attack are:

  • The scammers ‘spoof’ a senior manager’s name to make the email seem important because of who it appears to come from. They then claim that the task is of urgent priority and needs to be actioned quickly, but will also mention that they are unavailable to take a call because of how quickly the task needs to be done. The email will often try to trick the person into buying gift cards or making a money transfer.
  • Similar to the above example, scammers will also impersonate suppliers, clients and customers by using an email account that has been stolen. The scammer will forward an old email but will change the bank details or add a gift card request. As the email was forwarded, it will seem genuine to the recipient, who will believe the same person is emailing them.

These are just two examples but BEC type attacks can take many forms. However, BEC type attacks will always come from a scammer utilising a compromised email account or a new account that looks very similar to the original email address, so much so that the recipient doesn’t notice that the account is fake.

The difference between BEC emails and normal phishing emails is that they don’t usually contain malicious links, attachments or any of the other usual indicators of phishing emails. This means that they can easily evade security measures in place such as anti-virus and spam filters.

Red Flags

Some of the indicators of BEC emails are:

  • Receiving an email from a senior manager asking for a task to be actioned, where:
    • The email is vague
    • They may mention that they cannot take a call
  • Receiving an email from a supplier, client or customer which you were not expecting and which makes an unusual request
  • The email address doesn’t match the usual email address for that person
  • You are being asked to buy gift cards, pay invoices or change financial details
  • You may have been contacted on your personal email rather than your work email
  • There may be a request to move the conversation away from email to another form of communication
  • The language of the email doesn’t match how the person would normally write their emails
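The header and wording indicators above can be checked automatically before a message reaches a finance inbox. The script below is an added example, not part of the original article: it assumes an organisation domain of example.com, a directory of known senior managers (KNOWN_SENDERS), and a constructed sample message, and flags a known manager’s display name on an unexpected address, a lookalike sender domain, a Reply-To that differs from From, and the gift card / bank details / cannot-take-a-call wording.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                                 # assumed organisation domain
KNOWN_SENDERS = {"Jane Doe": "jane.doe@example.com"}       # assumed directory entry
KEYWORDS = ("gift card", "bank details", "urgent",
            "cannot take a call", "can't take a call")     # wording from the red flags list


def looks_alike(domain, target=ORG_DOMAIN):
    """True if domain is one character away from target (swap, insertion or deletion)."""
    domain, target = domain.lower(), target.lower()
    if domain == target:
        return False
    if len(domain) == len(target):
        return sum(a != b for a, b in zip(domain, target)) == 1
    if abs(len(domain) - len(target)) == 1:
        shorter, longer = sorted((domain, target), key=len)
        return any(longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))
    return False


def bec_red_flags(raw_message):
    """Return a list of red flags found in an RFC 822 message given as a string."""
    msg = message_from_string(raw_message)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    if name in KNOWN_SENDERS and addr.lower() != KNOWN_SENDERS[name]:
        flags.append("display name of known manager but unexpected address")
    if looks_alike(domain):
        flags.append("lookalike domain: " + domain)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        flags.append("Reply-To differs from From")
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace").lower()
    flags.extend("keyword: " + word for word in KEYWORDS if word in body)
    return flags


# Constructed sample message for demonstration (the 'l' in example is a digit one).
SAMPLE = (
    "From: Jane Doe <jane.doe@examp1e.com>\n"
    "Reply-To: finance.urgent@mail-relay.invalid\n"
    "Subject: Quick task\n"
    "Content-Type: text/plain\n\n"
    "I need you to buy gift cards today, it is urgent and I cannot take a call.\n"
)

if __name__ == "__main__":
    for flag in bec_red_flags(SAMPLE):
        print("RED FLAG:", flag)
```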

What should you do if you think you received a BEC type email?

If you think you have received a BEC type email, you should take the following steps:

  • Ignore the request
  • Ask someone else to check the email as well
  • Report it to your IT Team or Managed Service Provider if you have one
  • Report it to report@phishing.gov.uk
  • If a payment has already been made, contact your bank immediately
    • If this has happened, keep all emails as the Police and investigators may require them

How can I reduce the risk of BEC type emails on my organisation?

There are a number of steps and processes you can have in place to reduce the risk of BEC type attacks on your organisation. Some of these include:

  • Have a policy in place to ignore any emails that mention purchasing gift cards
  • Always double check the email and confirm that the email address matches the one you have on your records.
  • Have procedures in place for making payments, e.g. multi-layer authorisation for making payments.
  • If an email asks you to change bank details, always follow up by phoning the sender using the contact details you have on file, not the details provided in the email.
  • Make sure your finance team regularly check your bank statements and report any suspicious activity to the bank immediately.
  • Ensure all employees are aware of your security policies and are regularly trained in how to spot a fraudulent email.
  • Register with the National Cyber Security Centre’s (NCSC) free ‘Check your email security’ online tool. This tool can help prevent criminals exploiting your email domain in phishing attacks.