What is business email compromise?

What is business email compromise?

If you Google for business e-mail compromise you get a lot of sketchy information, a lot of company websites that are in similar domain like us and they have some bits and pieces of information.

Here at SpamCheetah we take every threat seriously and e-mail is still the most viable medium to effect really damaging and serious threats.

This article hopes to clear most of your apprehensions about this topic and we shall end with how SpamCheetah along with other things helps protect you from this problem in an effective manner.

Before we start let us take a look at how a BEC attack works.

BEC schematic

In general phishing and BEC look similar. But there are plenty of fine points that differ.

  • phishing is one form of BEC but lot more sophisticated

  • Always be suspicious of unexpected e-mails or urgent requests

  • Always better to call your boss before proceeding

  • These attacks are targeted unlike phishing

Business E-mail compromise is a large family of attacks engineered to steal money or employee information and they also can damage the reputation of your brand or standing.

People can get fired by falling prey to such scams. So one must always exercise caution when you act on an email that looks odd.

In general trying to guess how someone goes about their job is a good way to spot anomalies and a fair bit of healthy scepticism and awareness of such scams on the Internet will make a big difference.

Does business e-mail compromise target everybody?

Yes and no.

In general BEC works like a very sophisticated and targeted form of phishing or fraud/scam in which anyone can be targeted.

But going by past data on the table , from whatever has happened across the globe we can safely say that people with authority are likely to be targeted.

At least they can cough up money much easier and quicker than any lay employee.

The sort of techniques employed for scamming may sound familiar to all those that are clued into how things work in the day of Internet.

With the COVID situation putting various businesses and individuals under pressure and with the burgeoning remote worker situation, such attacks are only bound to increase even after COVID leaves us.

In general, any form of cyber attack follows a general script. Employ urgency and use authority to defraud you. If you have authority to send funds then you are likely a target.

And the e-mail header is a good place to look for possible tell tale signs of scam. The smoking gun could be a simple domain mis spelling or even spoofing of the from address itself.

E-mail existed in a trusted world when Internet was born and today with SPF, DKIM, ARC and even encryption and signing still e-mail is pretty easy to spoof and use to fool people.

The main thing to remember about BEC is that unlike typical spam that products like SpamCheetah are designed to protect, any backend or server side technology cannot save you unless the e-mail has a link that SpamCheetah detects as a phishing like by way of the SURBL check.

In most cases you are on your own and never act under pressure or impulsively no matter how urgent the email sounds.

How BEC differs from spearphishing?

You can say that regardless of what wikipedia or anybody calls something,there is a fair bit of confusion with all the e-mail related attacks that exist in Internet in 2021.

Spearphishing is a targeted form of attack that is commonly known as phishing.

Phishing usually involves a URL and bank accounts and attempt to steal your money or the company funds.

In business e-mail compromise as is obvious from the English name, the family of attacks are much larger.

It is not just money that is at stake. If your company website content is modified in a negative way by an e-mail then that could cause loss of face and branding and impact your company’s reputation which has indirect hidden financial damages.

In general any form of abuse is wrong. Cyber or otherwise.

But humans are humans and greed and Narcissism have always existed and shall continue to exist.

And as long as computers and Internet and the mobile phone make things easy for attackers to spam you using email they shall continue to do so.

It is for us to behave sensibly and make sure our interests are not compromised in any manner.

Can technology prevent BEC?

In general any form of cyber crime whether or not email related technology can only do so much to help you.

It rests on your shoulders how you deal with cyber criminals, of course this is a big headache for organizations like the FBI , the cops and law enforcement in general.

Of course technology does exist to protect you from threats but what if the threat is targeted at you as an individual? No technology can ever help you in case the attacker uses a human generated mail addressed to you knowing who you are and what authority you possess.

Usually high powered executives once they grow into the role of power learn to distrust the lower level employees that lack adequate authority since they are used to being taken advantage of , and they are always bothered for favors that they have to refuse.

However the attacks that cyber criminals employ are of a different kind. They usually come from the top, or are made to appear a coming from higher ups.

If that is so, then you tend to drop your guard and be more compliant or obedient or act with a sense of urgency and alacrity.

But this is a problem since attackers tend to use this mentality to their advantage. So the buck stops with you, always remember that technology can only help you so much and the rest is in your judgement and assessment of the situation at hand.

What does SpamCheetah do to prevent BEC?

In general SpamCheetah or any abuse prevention software at e-mail level will have mechanisms to guard against common forms of e-mail related abuse including BEC.

But unless the e-mail body contains some known malware of a malicious link or URL SpamCheetah cannot detect and stop the target attack.

However that said, you can testify in court that despite using a spam control technology you were the target of attack the judge may grant you a pardon.

Ok jokes aside, the real trouble with BEC is the targeted nature and that will likely never change even with AI and ML powered software to detect such a behavior based on learning.

Ultimately all social engineering attacks are subject to humans and you must give credit to the human ingenuity of the attacker. And the law of nature applies that as long as there are gullible fools there shall be fraudsters.

This applies to age old Ponzi schemes or modern day scams preying on the greed fear and impulsive nature of humans.

This will likely never change what with all the technologies around us.

Anti-BEC software

I can’t think of any offering specifically targeted at BEC though there are some companies like Abnormal security that claim to do the same.

Every product including SpamCheetah are going to help you equally well.

It is not appropriate to make judgements without data. But logically speaking targeted attacks need the human element.

No software can prevent it.

Future of BEC and other attacks

The situation pertaining to CEO fraud and various other scams involving abuse of power by fraudsters and spoofing names and e-mail addresses are likely going to remain static.

The ways and means for scams have always existed and no amount of counter measure are going to help.

But it is always prudent to be aware of what all goes on in the big bad world of Internet, the wilderness where nobody is safe.

In such a risk ridden world we must constantly be vigilant and learn to watch our step every step of the way.

Are there more BEC reports in 2021 as compared to 2016?

Will things change by 2023?

Nobody can tell.

We believe that e-mail as a medium for scam will always exist and nothing will change that.

As long as e-mail exists scams also will.

And the only way to solve the problem is by being hypervigilant and always using a protocol of using out of band methods to cross check.

Always remember.

Never act in haste to regret later.