How to Avoid Business E-mail Compromise and Spear Phishing Attempts #CyberAware #HITSecurity

Business E-mail Compromise (BEC) is a scam that has been around for the past five years. This scam exploits people—generally, people are the weakest link within any organization.  BEC uses spear phishing to target people within an organization.  The spear phishing e-mail may appear to be from someone you may know or want to know (i.e., a prospective client wanting to do business).  

Impact of BEC

According to the Federal Bureau of Investigation, the scammers tend to originate from Eurasia, and BEC is now a global, transnational problem.

It’s important to know that BEC

  • Resulted in combined exposed dollar loss exceeding $3 billion since January 2015 with tens of thousands of victims worldwide. 
  • Targets many different kinds of organizations and is not sector-specific.
  • May be enabled by malicious insiders, who are part of the BEC scam and motivated by the profit gained from a successful BEC compromise.

Additionally, unlike a breach, which may have to be reported (and potentially publicized), a BEC incident may not have to be.  BEC is a significant threat to organizations—a threat not widely publicized, but one that should be.  Every organization needs to include BEC in its awareness program.

How BEC Happens in General Terms

In essence, BEC is carried out by compromising legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds. 

  • Social engineering exploits human targets and their vulnerabilities.
  • Computer intrusion techniques include e-mails with malware payloads. 

Once the malware is installed on a computer, it may perform actions such as, but not limited to, stealing user credentials, stealing File Transfer Protocol (FTP) credentials, obtaining information about system configurations and networks, and taking screenshots to see what the user is seeing. 

As a result, the computer intrusion technique can be a high-velocity means for obtaining sensitive information, whereas the social engineering technique can take some time, patience and persistence on the part of the scammer.

Anatomy of BEC

The scammers generally employ four steps:

  1.  Observe
  2.  Research
  3.  Learn
  4.  Groom 

Using this methodology, scammers gather as much intelligence as possible about the target. If an individual has a web presence and/or social media account, much can be learned about who that individual is, who he or she is connected to, and insight may be gleaned as to how the victim may be exploited.  The larger the Internet footprint, the more intelligence can be gleaned by the scammer. 

Further, from the scammer’s perspective, soft targets are good targets.  These targets are the ones that can be groomed—and ultimately persuaded to provide the requested assistance to the scammer.  The end goal is usually money—with a requested wire transfer or even a check.  Businesses with foreign suppliers and/or businesses that regularly perform wire transfer payments (which include banks and law firms) are usually targeted.

Example of a BEC

Company XYZ is entrusted with a vast amount of sensitive customer information.  Company XYZ regularly works with foreign suppliers.  Domestic and international wire transfers are performed every day—this is just a regular part of the day-to-day business, serving a broad range of customers. 

Because customers are the lifeblood of Company XYZ, many employees of Company XYZ are incentivized to get new clients—as well as maintain existing customer relationships.  As a result, Company XYZ employees have web presence, social media presence, and tend to have a large Internet footprint.  Such employees are appealing to BEC scammers.

The BEC scammer sends an e-mail to Person A, a mid-level employee.  The e-mail appears to originate from an established company within the United States and from an actual employee of that company (for the purpose of this hypothetical, “John Doe”).  John Doe says that he needs Person A’s assistance in a merger and acquisition transaction and says that it is a highly lucrative one. 

Person A is thrilled at first upon receiving the e-mail, but then suddenly realizes that this may be a scam.  Person A previously received awareness training on phishing and decides to delete the offending e-mail.  (It turns out that Person A was right—the BEC scammer ultimately wanted to request thousands of dollars via wire transfer.) 

BEC Prevention

Every organization and employee needs to know about BEC, including what it is, how to spot it, and how to avoid it.  Raise the level of awareness by incorporating BEC into education and training of employees—not just one time (such as during orientation), but on a regular basis.  If an employee receives a suspicious e-mail (or series of e-mails), encourage him or her to report it to management. 

Also, if an e-mail that appears to come from someone you know (or someone you can reach out to) requests an unusual sum via wire transfer (or check), do your due diligence and investigate it further before transmitting the funds.  Additional assistance is available from the Internet Crime Complaint Center.
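One way to back up that due diligence at the mail gateway, as an added example that is not part of the original article: a small triage script that flags the pattern in the hypothetical above (a familiar display name on an unexpected sender domain, a Reply-To pointing somewhere else, and wire-transfer, urgency or M&A language). The contact list, domains and both messages are constructed for this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: known contact -> the domain his mail is expected to come from.
KNOWN_CONTACTS = {"john doe": "established-co.example"}
# Phrases drawn from the BEC scenario: payment requests, pressure, secrecy, M&A.
RISK_PHRASES = ("wire transfer", "urgent", "confidential", "acquisition", "merger")

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def triage(raw: str) -> tuple[int, list[str]]:
    """Score a raw RFC 5322 message for BEC indicators; returns (score, reasons)."""
    msg = message_from_string(raw)
    name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(from_addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    reasons, score = [], 0
    # 1. Display-name impersonation: a name we know, sent from the wrong domain.
    expected = KNOWN_CONTACTS.get(name.strip().lower())
    if expected and from_domain != expected:
        reasons.append(f"'{name}' normally mails from {expected}, not {from_domain}")
        score += 3
    # 2. Replies silently redirected to a different mailbox.
    if reply_domain and reply_domain != from_domain:
        reasons.append(f"Reply-To domain {reply_domain} differs from From domain")
        score += 2
    # 3. Subject and body language typical of a wire-transfer request.
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = f"{msg.get('Subject', '')} {body}".lower()
    hits = [p for p in RISK_PHRASES if re.search(rf"\b{re.escape(p)}\b", text)]
    if hits:
        reasons.append("risk phrases: " + ", ".join(hits))
        score += len(hits)
    return score, reasons

def is_suspicious(raw: str, threshold: int = 3) -> bool:
    return triage(raw)[0] >= threshold

# Constructed samples: the spear-phishing lure from the hypothetical, and routine mail.
SPOOFED = """From: John Doe <john.doe@established-co-mail.example>
Reply-To: jdoe.deals@webmail.example
Subject: Urgent and confidential: acquisition wire transfer
Content-Type: text/plain; charset=utf-8

Person A, I need your assistance with a lucrative merger and acquisition.
Please arrange a wire transfer today and keep this confidential.
"""
LEGIT = """From: John Doe <john.doe@established-co.example>
Subject: Q3 supplier review meeting
Content-Type: text/plain; charset=utf-8

Hi, can we move the supplier review to Thursday?
"""
```

A hit is a prompt for the recipient to verify the request through a known phone number or in person, not a reason to block mail from the contact outright.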


HIMSS; cybersecurity; privacy and security