What is business email compromise (BEC)?

Hacking of business email addresses

Business email compromise (BEC) is a form of phishing in which the login credentials of a corporate email account are stolen. In the past, corporate email was typically hosted on the organization's own premises; nowadays online services such as Office 365 or G Suite are used more and more.

BEC primarily occurs between businesses and organizations; this type of phishing is rarely seen between companies and consumers. The reason is that cybercriminals invest a lot of time and effort in this form of phishing, and for an invoice of a few hundred euros between a business and a consumer it is not worth that effort. That's also why significant sums of money are often involved in business email compromise.

Besides ransomware, business email compromise is considered the most significant financial threat in the realm of cybersecurity. Every year, the FBI reports the total economic damages caused by various cyberattacks. According to FBI statistics, losses due to BEC fraud amounted to over 43 billion dollars between 2016 and 2021.

How does business email compromise work?

When a phisher gains access to your inbox after phishing your credentials, they start reading your emails. By monitoring the conversations taking place, they can determine when, for example, an invoice needs to be sent to a customer. The phisher then sends a fake invoice, or a genuine invoice with an altered bank account number, from your inbox to your customer.

The customer pays the invoice they received from you. However, the money doesn't go to your organization but to the criminals' bank account. The tricky part is that the customer has indeed received an email from you and paid the received invoice, but you don't see this money in your account.

It can happen that your customer becomes suspicious of the invoice, for instance because the bank account number for the payment has suddenly changed. The customer emails you with questions about it, but the phisher intercepts the email. The phisher provides a convincing reply, and the customer ends up paying the invoice anyway. Often, what actually happened only comes to light later: when you contact your customer to ask when they will pay the invoice, they will naturally say that they have already paid it.

There have been cases where cybercriminals have stolen more than a million euros through business email compromise, and this also happens in the Netherlands. Because the emails appear so credible, people fall for it.

Always be extremely cautious and vigilant when receiving invoices and payment requests via email.

Who is the victim in business email compromise?

Determining the victim in a BEC situation is complex. The company that transferred money to the criminals is a victim because they won't get their money back. Additionally, the company that was hacked by the phisher and didn't receive payment for the genuine invoice is also a victim. The customer won't pay your invoice again, as they believe they've already done so.

Criminal proceedings are often initiated against the perpetrators. However, there is also a civil problem between the customer and the supplier; they hold each other responsible. The supplier didn't receive their payment, and the customer paid but didn't receive the product/service in their view. BEC is difficult to prove, especially if you lack a good understanding of how this attack scenario works. The customer and supplier blame each other, while it's actually the hacker lurking somewhere in an inbox.

Therefore, you can say that business email compromise is a form of phishing with significant consequences. BEC occurs almost daily. However, it doesn't make headlines often because both parties aren't inclined to make it public. Just because you don't hear about it doesn't mean it's not a massive problem.

When in doubt, always make a call

BEC is a relatively new attack scenario. Both parties have an obligation to make an effort to verify the authenticity of the invoice. If you receive an invoice that raises doubts, and you send an email asking if it's correct, and your contact person replies that everything is in order, then you can argue that you have fulfilled your obligation to make an effort.

If you receive a suspicious invoice, it's best to call your contact person to verify it instead of emailing. This way, the phisher cannot intercept your communication.
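The two sections above describe the attack (an invoice with a changed bank account number sent from a compromised mailbox, and the attacker answering any email query) and the defence (verify by phone, not by email). The following added example, which is not from the original article, shows how an accounts-payable team could encode that rule as a check: an invoice whose account number differs from the vendor's record is held, and a bank-account change is only accepted when it was confirmed over an out-of-band channel. The vendor names, IBANs, phone number and invoice values are constructed sample data, and the vendor registry is assumed to come from the organization's own records rather than from any email.

```python
"""Defender-side check for the business email compromise scenario above.

Rule: an invoice whose bank account differs from the account on record for
that vendor is held until the change is confirmed over a channel that an
attacker sitting in the vendor's mailbox cannot intercept (a phone call to
the number already on record). All vendor and invoice data here is
constructed sample data.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    PAY = "pay"                        # account matches the vendor record
    HOLD_VERIFY = "hold_verify"        # account changed or vendor unknown: verify out of band
    REJECT_VERIFICATION = "reject"     # "verification" came over email, which the attacker controls


@dataclass
class Vendor:
    name: str
    iban: str       # account on record (constructed sample value)
    phone: str      # number on record; taken from the vendor master data, never from the email


@dataclass
class Invoice:
    vendor_name: str
    iban: str
    amount_eur: float
    sender: str


# Constructed vendor master data; in practice this comes from the ERP or vendor
# onboarding records, not from the incoming message.
VENDORS = {
    "Acme Supplies BV": Vendor("Acme Supplies BV", "NL91ABNA0417164300", "+31 20 000 0000"),
}

# Channels that a mailbox intruder cannot intercept or answer.
OUT_OF_BAND_CHANNELS = {"phone", "in_person"}


def normalize_iban(iban: str) -> str:
    """Compare IBANs ignoring spacing and case so formatting differences do not mask a match."""
    return iban.replace(" ", "").upper()


def assess_invoice(inv: Invoice, vendors: dict = VENDORS) -> Decision:
    """Decide whether an invoice may be paid as-is or must be held for verification."""
    vendor = vendors.get(inv.vendor_name)
    if vendor is None:
        return Decision.HOLD_VERIFY  # unknown vendor: treat like a changed account
    if normalize_iban(inv.iban) == normalize_iban(vendor.iban):
        return Decision.PAY
    return Decision.HOLD_VERIFY


def record_verification(channel: str, confirmed: bool) -> Decision:
    """Accept a bank-account change only when confirmed over an out-of-band channel.

    An email reply is rejected outright: in the scenario above the attacker
    answers the customer's question from the compromised mailbox, so an email
    confirmation proves nothing.
    """
    if channel not in OUT_OF_BAND_CHANNELS:
        return Decision.REJECT_VERIFICATION
    return Decision.PAY if confirmed else Decision.HOLD_VERIFY


if __name__ == "__main__":
    # Constructed sample: the vendor's usual account, and the same vendor with a changed account.
    usual = Invoice("Acme Supplies BV", "NL91 ABNA 0417 1643 00", 1200.0, "billing@acme.example")
    changed = Invoice("Acme Supplies BV", "DE89370400440532013000", 1200.0, "billing@acme.example")
    print("usual account:", assess_invoice(usual).value)
    print("changed account:", assess_invoice(changed).value)
    print("confirmed by email reply:", record_verification("email", True).value)
    print("confirmed by phone to number on record:", record_verification("phone", True).value)
```

The point of `record_verification` rejecting the `email` channel regardless of the answer is the one the article makes: once the mailbox is compromised, the reply you get to "is this invoice correct?" may be the attacker's, so only the phone call to the number already on record counts.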

Want to learn more about this topic? Read cybersecurity expert Erik Biemans' blog on how to prevent your organization from falling victim to phishing or BEC attacks.
