How to Spot BEC Attacks and Best Limit Their Success


Thought Leadership

How to Spot BEC Attacks and Best Limit Their Success

Guest Blogger Michael Osterman

CEO Fraud, Business Email Compromise (BEC) and whaling are all synonyms for a particularly damaging type of security threat that can cost a company millions of dollars in a very short period of time. BEC attacks are perhaps the most insidious type of threat not only because they can cost an organization millions of dollars in losses, but these losses are the result of senior company officials being tricked and unwittingly and freely cooperating with the cyber criminals who are stealing from them.

The Basics of a BEC Attack

Here’s how a typical BEC attack works, although as discussed below, there are several variants:
  • A cyber criminal will identify a high value target in an organization, such as the CFO, and send him or her one or more emails pretending to be the CEO or some other senior official within the organization. The email comes either from the compromised account of the sender, or from an account with a domain name very similar to the real one. While impersonated CEO-to-CFO communications are the “traditional” mode of BEC attack, the target may be a human resources department, accounts payable manager or some other entity that has access either to corporate financial accounts or sensitive information.
  • The emails sent by the cyber criminal may use the target’s public information on a Facebook profile, their public tweets or their LinkedIn profile to make them more believable. In some cases, information on the target may also be derived from cyber criminals’ previous hack of a corporate network weeks or months before, allowing them to poke around corporate systems to gather intelligence on their potential victims and the workflows in the organization. These previous hacks can enable a cyber criminal to know when the impersonated CEO or other company official will be traveling or on vacation, making it more difficult to contact them to verify the request. 
  • At some point, the cyber criminal, pretending to be the CEO or another trusted official, will request that the target conduct a business transaction of some sort, such as wiring funds to an offshore supplier or sending W-2 information on employees. Quite often, the target is instructed to keep the transaction a secret because it’s tied to a pending merger, acquisition or some other confidential activity. If cyber criminals have had access to corporate systems for some time before the BEC attack, they may be able to study the size and timing of regular wire transfers, such as from the target company to a foreign supplier, allowing the cyber criminal to send a request to a CFO that fits a normal pattern of funds transfer.
  • In many cases, the target will not question the request and will then send the funds or the information to the cyber criminal, not realizing the error until it’s too late.

Variants on BEC Attacks

While the more common method of BEC attack involves the impersonation of a corporate CEO or some other senior official within an organization contacting the target within the same organization, there are some interesting variants of the BEC attack. For example, the cyber criminal may impersonate the target company’s law firm and request confidential information from various groups within an organization, cyber criminals may use a compromised account to send invoices to customers who will then pay the cyber criminals directly, or the target organization may receive fake invoices from known suppliers.

Steps to prevent BEC Attacks

There are several things that an organization can do to protect itself from BEC and related types of attacks:
  • Implement appropriate email and other security solutions that will make it more difficult to spoof emails. For example, impersonation filtering helps to identify and protect against emails from attackers who manipulate email addresses by simply adding a letter or altering a character. It can also analyze the source against an authenticated database directory. Both capabilities help to spot bogus senders before their content reaches potential victims. A data loss prevention system can identify outbound content that is unusual or suspicious. 
  • Implement appropriate password protocols so that the likelihood of account compromise is reduced. These protocols can include requiring employees to change passwords on a regular schedule and the use of passphrases instead of passwords, since the former are much more difficult to hack.
  • Implement a good security awareness training program for all employees that will help them to make better judgments about the emails they receive. The goal of this training is to enable users to be more skeptical about requests for wire transfers, information requests and the like. While security awareness training alone will not completely address an organization’s cyber security problems, it will make users more aware of cyber security issues and enable the organization to be less susceptible to BEC attacks. While all employees should receive security awareness training on a regular basis, senior executives should have additional training to deal with BEC attacks, since they are higher value targets to cyber criminals and the consequences of their mistakes can be much greater.
  • Establish reliable communication backchannels so that high value, confidential or sensitive requests can be verified. For example, ensure that the CFO can verify any request for a wire transfer from the CEO via a mobile voice call or text message regardless of where the CEO might be.
BEC attacks may not be completely preventable, but by implementing appropriate technology and training – and by helping users to be a bit more careful – cyber criminals’ chance of success in a BEC attack can be reduced dramatically.
Michael Osterman is a President of Osterman Research, Inc., which helps vendors, IT departments and other organizations make better decisions through the acquisition and application of relevant, accurate and timely data on markets, market trends, products and technologies.
To learn how ZixProtect helps defend your organization against BEC attacks, please visit or register for our solutions demo.