Business email compromise (BEC) is an email-based social engineering attack that aims to defraud its victims. BEC attack campaigns often bypass traditional email filters.
After reading this article you will be able to:
Copy article link
Business email compromise (BEC) is a type of social engineering attack that takes place over email. In a BEC attack, an attacker falsifies an email message to trick the victim into performing some action — most often, transferring money to an account or location the attacker controls. BEC attacks differ from other types of email-based attacks in a couple of key areas:
BEC attacks are particularly dangerous because they do not contain malware, malicious links, dangerous email attachments, or other elements an email security filter might identify. Emails used in a BEC attack typically contain nothing but text, which helps attackers camouflage them within normal email traffic.
In addition to bypassing email security filters, BEC emails are specifically designed to trick the recipient into opening them and taking action based on the message they contain. Attackers use personalization to tailor the email to the targeted organization. The attacker might impersonate someone the intended victim corresponds with regularly over email. Some BEC attacks even take place in the middle of an already-existing email thread.
Usually, an attacker will impersonate someone higher up in the organization to motivate the victim into carrying out the malicious request.
Other reasons BEC attacks are difficult to pinpoint may include the following:
Usually, BEC emails contain a few lines of text and do not include links, attachments, or images. In those few lines, they aim to get the target to take the action they desire, whether that is transferring funds to a specific account or granting unauthorized access to protected data or systems.
Other common elements of a BEC email may include:
A secure email gateway (SEG) is an email security service that sits in between email providers and email users. They identify and filter out potentially malicious emails, just as a firewall removes malicious network traffic. SEGs offer additional protection on top of the built-in security measures that most email providers already offer (Gmail and Microsoft Outlook, for instance, have some basic protections already in place).
However, traditional SEGs struggle to detect well-constructed BEC campaigns for the reasons described above: low volume, lack of obviously malicious content, a seemingly legitimate source for the email, and so on.
For this reason, user training and additional email security measures are highly important for thwarting business email compromise.
Unusual, unexpected, or sudden requests are a sign of a potential BEC attack. Users should report potential BEC messages to security operations teams. They can also double-check with the purported source of the email.
Imagine Accountant Bob receives an email from CFO Alice:
Bob, I need to send a customer some gift cards to their favorite pizza restaurant. Please purchase $10,000 in pizza gift cards and transfer them to this customer's email address: firstname.lastname@example.org Please do this quickly. This is HIGHLY time-sensitive. We do not want to lose this customer. I am boarding a plane and will be out of reach for the next several hours. -Alice
This request strikes Bob as unusual: delivering pizza gift cards to customers is not typically the job of the accounting department. He calls Alice, just in case she has not yet "boarded a plane." She picks up the phone and is unaware of the request she has supposedly just sent to him. Neither is she boarding a plane. Bob has just detected a BEC attack.
Some email security providers crawl the web in advance to detect command and control (C&C) servers, fake websites, and other elements attackers will use in a BEC campaign or phishing attack. This requires using web crawler bots to scan large swaths of the Internet (search engines also use web crawler bots, but for different purposes). Identifying attack infrastructure in advance enables the provider to block the illegitimate emails right when they are sent, even if they might otherwise make it through security filters.
Machine learning is a way to automate the process of predicting outcomes based on a large data set. It can be used to detect out-of-the-ordinary activity — for example, Cloudflare Bot Management uses machine learning as one method for identifying bot activity. For stopping BEC attacks, machine learning can help identify unusual requests, atypical email traffic patterns, and other anomalies.
Since BEC attackers often try to reply to an existing thread to add legitimacy to their emails, some email security providers monitor threads to see if the "from" or "to" emails within a thread are changed suddenly.
This means looking for key phrases within emails to learn what topics a given set of email contacts typically correspond about. For instance, it could be possible to track who a given person in an organization corresponds with about money transfers, customer relations, or any other topic. If Bob's received emails (from the example above) rarely deal with customer relations, the inclusion of phrases like "a customer" and "lose this customer" in the email from "Alice" could be a signal that the email is part of a BEC attack.
Cloudflare Area 1 Email Security is designed to catch BEC attacks that most SEGs cannot detect. It does so using many of the methods described above: crawling the Internet for attack infrastructure, employing machine learning analysis, analyzing email threads, analyzing email content, and so on.
Email remains one of the biggest attack vectors, making email security ever more crucial for organizations today. Learn more about how Cloudflare Area 1 Email Security works.
Learning Center Navigation