What is business email compromise (BEC)?

Business email compromise (BEC) is an email-based social engineering attack that aims to defraud its victims. BEC attack campaigns often bypass traditional email filters.

Learning Objectives

After reading this article you will be able to:

  • Define business email compromise (BEC)
  • List some of the common features of BEC emails
  • Describe methods for stopping BEC campaigns

Copy article link

What is business email compromise (BEC)?

Business email compromise (BEC) is a type of social engineering attack that takes place over email. In a BEC attack, an attacker falsifies an email message to trick the victim into performing some action — most often, transferring money to an account or location the attacker controls. BEC attacks differ from other types of email-based attacks in a couple of key areas:

  1. They do not contain malware, malicious links, or email attachments
  2. They target specific individuals within organizations
  3. They are personalized to the intended victim and often involve advance research of the organization in question

BEC attacks are particularly dangerous because they do not contain malware, malicious links, dangerous email attachments, or other elements an email security filter might identify. Emails used in a BEC attack typically contain nothing but text, which helps attackers camouflage them within normal email traffic.

In addition to bypassing email security filters, BEC emails are specifically designed to trick the recipient into opening them and taking action based on the message they contain. Attackers use personalization to tailor the email to the targeted organization. The attacker might impersonate someone the intended victim corresponds with regularly over email. Some BEC attacks even take place in the middle of an already-existing email thread.

Usually, an attacker will impersonate someone higher up in the organization to motivate the victim into carrying out the malicious request.

Why are BEC attacks so hard to detect?

Other reasons BEC attacks are difficult to pinpoint may include the following:

  • They are low-volume: Unusual spikes in email traffic can alert email security filters to an attack in progress. But BEC attacks are extremely low-volume, often consisting of only one or two emails. They can be carried out without generating a spike in email traffic. This low volume enables a BEC campaign to regularly change its source IP address as well, making it harder to block the campaign.
  • They use a legitimate source or domain: Large-scale phishing attacks often come from IP addresses that are quickly blocklisted. BEC attacks, because they are low volume, can use IP addresses that have a neutral or good reputation as their source. They also use email domain spoofing to make it seem as if the emails come from a real person.
  • They may actually come from a legitimate email account: BEC attacks may use a previously compromised email inbox to send their malicious messages on a person's behalf without their knowledge, so the email may actually be coming from a legitimate email address. (This requires significantly more effort on the part of the attacker, but such an expenditure of focused effort is characteristic of BEC campaigns.)
  • They pass DMARC checks: Domain-based Message Authentication, Reporting and Conformance (DMARC) is a protocol for identifying emails that are sent from a domain without authorization. It helps prevent impersonation of a domain. BEC campaigns can pass DMARC for a couple of reasons: 1) organizations may not have configured DMARC to strictly block emails; 2) attackers may send emails from a legitimate source.

What do BEC emails usually contain?

Usually, BEC emails contain a few lines of text and do not include links, attachments, or images. In those few lines, they aim to get the target to take the action they desire, whether that is transferring funds to a specific account or granting unauthorized access to protected data or systems.

Other common elements of a BEC email may include:

  • Time sensitivity: Words like "urgent," "quick," "reminder," "important," and "soon" often appear in BEC emails, especially in the subject line, to get the recipient to act as quickly as possible — before they realize they may be the target of a scam.
  • Authoritative sender: BEC attackers pose as someone important in the organization: the CFO or CEO, for example.
  • Thorough impersonation of sender: BEC emails may impersonate legitimate senders (e.g. an organization's CFO) by spoofing their email address, imitating the individual's writing style, or using other tactics to trick their victim.
  • Providing a reason for the request: Sometimes, to add legitimacy to what may be an unusual request, a BEC email will provide some reason for why the action is necessary. This also adds urgency to the request.
  • Specific instructions: Attackers provide clear instructions such as where the money is going and how much should be sent — a specific amount is more likely to sound legitimate. Attackers may include this information in the initial email, or in a follow-up email if the victim replies.
  • Directions not to contact the purported sender: If the intended victim can reach the supposed source of the BEC email over another communications channel, they may be able to identify the email as fake. To prevent this, attackers often instruct the victim not to contact the sender or confirm the request with anyone else, perhaps in the name of acting quickly.

Do secure email gateways (SEGs) block BEC campaigns?

A secure email gateway (SEG) is an email security service that sits in between email providers and email users. They identify and filter out potentially malicious emails, just as a firewall removes malicious network traffic. SEGs offer additional protection on top of the built-in security measures that most email providers already offer (Gmail and Microsoft Outlook, for instance, have some basic protections already in place).

However, traditional SEGs struggle to detect well-constructed BEC campaigns for the reasons described above: low volume, lack of obviously malicious content, a seemingly legitimate source for the email, and so on.

For this reason, user training and additional email security measures are highly important for thwarting business email compromise.

What should users do when they suspect a BEC campaign?

Unusual, unexpected, or sudden requests are a sign of a potential BEC attack. Users should report potential BEC messages to security operations teams. They can also double-check with the purported source of the email.

Imagine Accountant Bob receives an email from CFO Alice:


Bob,

I need to send a customer some gift cards to their favorite pizza restaurant. Please purchase $10,000 in pizza gift cards and transfer them to this customer's email address: customer@example.com

Please do this quickly. This is HIGHLY time-sensitive. We do not want to lose this customer.

I am boarding a plane and will be out of reach for the next several hours.

-Alice

This request strikes Bob as unusual: delivering pizza gift cards to customers is not typically the job of the accounting department. He calls Alice, just in case she has not yet "boarded a plane." She picks up the phone and is unaware of the request she has supposedly just sent to him. Neither is she boarding a plane. Bob has just detected a BEC attack.

What other technical measures can detect and block BEC attacks?

Advance phishing infrastructure detection

Some email security providers crawl the web in advance to detect command and control (C&C) servers, fake websites, and other elements attackers will use in a BEC campaign or phishing attack. This requires using web crawler bots to scan large swaths of the Internet (search engines also use web crawler bots, but for different purposes). Identifying attack infrastructure in advance enables the provider to block the illegitimate emails right when they are sent, even if they might otherwise make it through security filters.

Machine-learning analysis

Machine learning is a way to automate the process of predicting outcomes based on a large data set. It can be used to detect out-of-the-ordinary activity — for example, Cloudflare Bot Management uses machine learning as one method for identifying bot activity. For stopping BEC attacks, machine learning can help identify unusual requests, atypical email traffic patterns, and other anomalies.

Analyzing email threads

Since BEC attackers often try to reply to an existing thread to add legitimacy to their emails, some email security providers monitor threads to see if the "from" or "to" emails within a thread are changed suddenly.

Natural language processing

This means looking for key phrases within emails to learn what topics a given set of email contacts typically correspond about. For instance, it could be possible to track who a given person in an organization corresponds with about money transfers, customer relations, or any other topic. If Bob's received emails (from the example above) rarely deal with customer relations, the inclusion of phrases like "a customer" and "lose this customer" in the email from "Alice" could be a signal that the email is part of a BEC attack.

How does Cloudflare Area 1 Email Security detect BEC?

Cloudflare Area 1 Email Security is designed to catch BEC attacks that most SEGs cannot detect. It does so using many of the methods described above: crawling the Internet for attack infrastructure, employing machine learning analysis, analyzing email threads, analyzing email content, and so on.

Email remains one of the biggest attack vectors, making email security ever more crucial for organizations today. Learn more about how Cloudflare Area 1 Email Security works.