What is BEC Attack and How to Prevent against it in 2023?

BEC attacks are a type of cyber attack that is carried out with financial motivation. Threat actors, often targeting a business’s finance department or business partners, use fraudulent e-mails to defraud managers or employees to get them paid.

Threat actors, who prefer corporate e-mail addresses or addresses very similar to real accounts, obtained by various methods such as malware or social engineering attacks, start the chain of raids by pretending to be a corporate executive, finance employee, or lawyer.

What Are the Types of BEC Attacks?

CEO Fraud

Threat actors pretending to be the top executives of a business attempt to manipulate the organization’s financial transactions using pretexts such as emergency or confidential transactions to the victim.

In 2016, two major tech firms, Facebook and Google, faced a BEC attack that cost them $121 million. Threat actors set up a fake company called “Quanta Computer” with the same name as an actual hardware supplier. They sent bogus invoices and payment requests to corporate personnel via e-mail addresses that seemed to belong to real company executives. The attackers also forged lawyer letters and contracts to get their banks to accept wire transfers.

Data Theft

Attackers sometimes target the HR department and try to obtain critical information such as the victim’s work schedule and phone number. This method is preferred to increase the credibility of BEC attacks.

Impersonating a Lawyer

Threat actors gain unauthorized access to a law firm’s e-mail account, forwarding customers an invoice to pay them online or a fake link to obtain personal information.

In 2019, a law firm in New York was exposed to a fraudulent attempt by an attacker posing as a lawyer. The attacker sends an e-mail to the business’s finance department with a fake e-mail address posing as a business’s attorney, stating that an invoice is due in a legal case and that the invoice amount must be paid urgently. Thereupon, the finance department made the payment by fulfilling the request of the fake lawyer, who introduced herself as the business lawyer.

This incident demonstrates how serious a threat can be created by swindling attackers using a false attorney ID. To protect themselves from such attacks, businesses must verify payment requests to their finance department and confirm the attorney’s identity before directly contacting anyone pretending to be the business’s attorney.

False Invoice Scam

In this type of attack, the attacker pretends to be a vendor demanding payment for services performed for the company.

How Do BEC Attacks Work?

Identifying a Target

For the threat actors to create the attack scenario, they must conduct targeted research. Information about employees’ names, job titles, payment processes, supply chain, and workflow is obtained by scanning open sources such as the corporate website, social media accounts, and media news.

Obtaining the E-mail Address

At this stage, threat actors try to capture e-mail addresses they can use with the methods listed below.

  • Phishing Attacks
  • Malware Attacks
  • Using a Similar E-Mail Address

Payment Request

Fake e-mails that appear to come from an employee or manager often include an order to make an urgent payment or any financial transaction. Threat actors try to pressure the target by emphasizing the urgency or confidentiality of the payment to avoid detection.

A BEC Attack Example

A BEC attack scenario has been detected recently, which has been observed to affect many organizations.

bec attacks business compromise emails
Figure 1: Beginning of the BEC attack with an e-mail. It looks like a legal mail address.

When we researched the address “CONTACT@saintbonnetdemure.com” that sent the relevant e-mail, it was understood that the e-mail extension belonged to an institution.

However, this e-mail account may contain malware, leak data, etc. It has been observed that it is used to spread phishing e-mails by being captured by threat actors as a result of situations, and it is called a BEC attack (Business E-mail Compromise).

Although the threat actor claiming to have bought account access in the e-mail claimed to have accessed your network in this way, the text content of this fraudulent e-mail that has been distributed for years has not been changed, and only the BTC wallet address under the control of the sending threat actor has been added to the e-mail.

In this sense, it is thought that the relevant e-mail is a spam e-mail connected to the social engineering scenario, and the statements in the content are not real.[

Warning Signs of BEC Attack

Instant Money Transfer Requests

Attackers demand payment from the victim with definitions such as urgent, confidential, and debt in the fake e-mail messages sent. These requests are often backed by an apparent reason, such as a crisis, and a prompt response is sought.

Presence of Unknown/Unusual Email Accounts

E-mail addresses created by threat actors impersonating corporate or individual e-mail accounts may contain spelling and grammatical errors. A sense of urgency is used to avoid noticing these mistakes. For this reason, it is necessary to read the e-mail contents and verify the source carefully.

Unusual Requests

Attackers can send a fake email requesting the victim’s company information or employee information.

Sudden Password Changes

Attackers can change the password after gaining access to the victim’s account. Additionally, abnormal activity in reports can be a clue to the attack.

What is the Difference Between BEC Attacks and Phishing Attacks?

Although BEC attacks look similar to phishing attacks, they are considered different types of attacks.

Phishing attacks are a type of social engineering attack in which attackers try to gather information from a legitimate institution, person, or organization using a false identity. Attackers often aim to obtain victims’ data using email, SMS, or fake websites, such as usernames, passwords, or banking information.

BEC attacks, on the other hand, are generally more sophisticated and require serious preparation for the target. An attempt is made to persuade other employees or suppliers to make payments through a false e-mail address or communication channel by impersonating an employee or senior manager in an institution or organization.

How to Prevent BEC Attacks

  • As much as possible, 2FA features should be activated. The implementation of multi-factor identity protection makes it difficult for attackers to access e-mail addresses.
  • The source of the content transmitted with themes such as urgent payment and requesting personal information must be verified.
  • Untrusted e-mails, attachments, and links should not be respected. Files and applications should be obtained from reliable sources.
  • The probability of success of BEC attacks is directly proportional to the data collected by the attacker about the target. For this reason, it is essential not to share personal information openly.
  • Configuring e-mail solutions (SPF, DKIM, DMARC, and SID) is recommended to prevent sending harmful e-mails from unknown or suspicious sources, phishing (phishing), and spam content.


Brandefense’s Solutions

Attackers gather information about their targets before carrying out BEC Attacks. In addition to resources such as social media and news pages, the Dark Web is also frequently used by attackers to gather information.

Compromised third-party applications are accessible to anonymous individuals on various Underground forums. Through such data leaks, critical data such as name, surname, phone number, e-mail, and password of the personnel of the institution may be disclosed.

In addition, the Dark web is the first place cyber threat actors sell the data obtained due to their attacks. It is essential to access the leaked data quickly with properly conducted research to take action promptly.

At this point, Brandefense keeps track of all customer posts on Deep&Dark Web and informs you of critical data that the attacker can use.

Another method used in BEC Attacks was the capture of e-mail addresses belonging to senior executives. With the Brandefense VIP Security module, all information that attackers can access, such as personal information, phone number, and e-mail address leaked to the internet, is determined by searching the VIP person belonging to your institution.

Phishing e-mails forwarded to you and fake websites that appear to belong to a legitimate source are other methods used to snatch e-mail addresses.

With the Phishing Monitoring module, Brandefense can detect applications that may be of interest to your domain and imitate your institution. If deemed necessary, it provides a “Takedown” service and supports the closing of the fake application as soon as possible. In addition, suspicious-looking e-mail addresses, file attachments, and links are analyzed by the Brandefense team so that you can take action.

BEC attacks pose severe risks to businesses of all sizes. These attacks can cause significant financial and reputational losses. However, businesses can significantly reduce the risk of BEC attacks by implementing simple but effective steps such as training staff on social engineering attacks and proper verification procedures.

Organizations must stay alert and up-to-date on the latest security measures to protect themselves against this growing threat. Businesses can protect their finances and ensure the safety of their customers and stakeholders by prioritizing cybersecurity and taking proactive steps to prevent BEC attacks.

Share This: