Guarding Against Business Email Compromise (BEC): Protecting Your Business in an Evolving Threat Landscape

This blog was provided by John Hewie, National Security Officer, Microsoft Canada.

Have you ever received a suspicious email from your colleague asking for urgent help – but something about the tone or language is not quite right? Or clicked on an invoice from a repair company that seems unfamiliar and claims to be overdue?  If so, you’re likely one of the hundreds of thousands of people and organizations targeted daily by Business Email Compromise (BEC) attacks.

While ransomware often gets the most of the attention in the news, Business Email Compromise contributes up to 100 times more in financial losses vs ransomware payments according to the FBI 2022 Internet Crime Report. Individuals and companies of any size using email for communication could be at risk for BEC. If a business email compromise attack is successful, your business could lose hundreds of thousands of dollars, face widespread identity theft or accidentally leak confidential data like intellectual property or personal information. In 2020, the Canadian Anti-Fraud Centre (CAFC) recorded a total of nearly $30 million in reported losses due to BEC scams, while the first six months of 2021 alone saw over $26 million in reported losses.

Find out how this growing threat is impacting Canadian businesses and what you can do to protect your assets.

Understanding Business Email Compromise

Business email compromise (BEC) is a type of cybercrime where the scammer uses email to trick someone into sending money or divulging confidential company information. The culprit poses as a trusted figure, like a boss or vendor, then asks for a fake bill to be paid or for sensitive data they can use in another scam.

With the increase of hybrid work environments in recent years, communicating and collaborating primarily by email has become the norm, leaving more organizations vulnerable to BEC attacks. In the past year, the frequency of BEC attacks has skyrocketed globally. Between April 2022 and April 2023, 35 million business email compromise attempts were detected and investigated by Microsoft Threat Intelligence, for an average of 156,000 daily attempts.

As new technologies and innovations are introduced, threat actors work quickly to adapt their techniques and evolve their use of technology to carry out more sophisticated and costly BEC attacks. The success of these attacks is largely due to the growing targeting of organizations of all sizes, including small businesses, the exploitation of trusted business relationships and development of more specialized skills by the threat actors.

Common Business Email Compromise Attacks

Here are the most common types of compromised email.

Data theft: Sometimes cybercriminals start by targeting the HR department and stealing company information, like a schedule or personal phone number. Then it’s easier to carry out one of the other BEC scams and make it seem more believable.

False invoice scheme: Posing as a legitimate vendor your company works with, the scammer emails a fake bill—often closely resembling a real one. The account number might only be one digit off. Or they may ask you to pay a different bank, claiming your bank is being audited.

CEO fraud: Scammers either spoof or hack into a CEO’s email account, then email employees instructions to make a purchase or send money via wire transfer.  They might even ask an employee to purchase gift cards, then request photos of serial numbers. Gift cards don’t offer the same protections as other payment methods, like credit or debit cards – once the scammer has used up the funds, there is no getting it back. Pausing to verify urgent requests from a boss by reaching out with a trusted email address or phone number is a simple way to foil these scams.

Account compromise: Scammers use phishing or malware to get access to a finance employee’s email account, such as an accounts receivable manager. Then the scammer emails the company’s suppliers fake invoices that request payment to a fraudulent bank account.

Tips to Prevent Business Email Compromise

Follow these five best practices to stop business email compromise:

Use a secure email solution: Email apps like Office 365 automatically flag and delete suspicious emails or alert you that the sender isn’t verified. Then you can block certain senders and report emails as spam. Defender for Office 365 adds even more BEC prevention features like advanced phishing protection and suspicious forwarding detection.

Set up multifactor authentication (MFA): Make your email harder to compromise by turning on multifactor authentication, which requires a code, PIN, or fingerprint to log in as well as your password.

Teach employees to spot warning signs: Make sure everyone knows how to spot phishing links, a domain and email address mismatch, and other red flags. Simulate a BEC scam so people recognize one when it happens.

Set security defaults: Administrators can tighten security requirements across the entire organization by requiring everyone to use MFA, challenging new or risky access with authentication and forcing password resets if info is leaked.

Use email authentication tools: Make your email harder to spoof by authenticating senders using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

Reduce your attack surface: Ensure email forwarding and use of legacy protocols like POP/IMAP is disabled at the organization level.

Adopt a secure payment platform: Consider switching from emailed invoices to a system specifically designed to authenticate payments.

If you’re organization has fallen victim to BEC, you’re not alone. Contact your local police as soon as possible. The Royal Canadian Mounted Police guidance on BEC and reporting is here.

The ever-evolving cyber threat landscape presents growing challenges to all businesses. By understanding the evolving nature of BEC and taking proactive measures, you can protect your business from these sophisticated threats. Joining forces in the fight against cybercrime is essential – it’s a collective responsibility to improve cyber resilience and ensure the safety of your business and its data. To boost your cybersecurity knowledge visit Microsoft Security 101 for free training resources.