Cybersecurity In-Depth: Feature articles on security strategy, latest trends, and people to know.

BECs and EACs: What's the Difference?

Email accounts are common targets for attack. Understanding how attack types differ is critical for successful defense.

(Image: <a href="" target="new">chinnarach</a> via Adobe Stock)

Email can be awful. From all varieties of spam that sneak through your filters to "reply all" conversations that trap you into finding meaningful comments buried 17 layers deep in a message, email is the business scourge that not even a pandemic can erase. And it only gets worse: Email is also a vector for a variety of attacks that can open the door for theft, fraud, ransomware, and more.

According to the FBI, business email compromise (BEC) attacks were responsible for more than $26 billion in global damages between 2016 and 2019. BEC is a broad description, used by some organizations (like the FBI) to cover virtually all attacks that use a trusted email address as part of the campaign. Others, however, use BEC as a more specific term and email account compromise (EAC) to describe a different type of attack.

It's important to know the difference between the two even if you ultimately decide that one label is enough when it comes to email-based cyberattacks.

BEC: The Narrow Definition
In the "classic" BEC, one are more techniques are used to convince an email recipient that a message is coming from a legitimate, trusted source when, in fact, it's coming from an entirely nefarious account. The now-trusted message could request the recipient do any number of things, none of which are good for an enterprise.

The key point to remember about a classic BEC is its success is based on messages pretending to be from a trusted source. The more convincing the mimicry (or naive the victim), the more successful the attack.

EAC: The Takeover
Whereas a BEC is based on messages that appear to come from a trusted source, in an EAC the messages actually do come from a trusted source. "Attackers use various tactics, such as password spray, phishing, malware, to compromise victims' email accounts, gaining access to legitimate mailboxes," Proofpoint explains

Once an attacker has gained access to the email accounts, they can do many evil things: exfiltrate data associated with the account, change forwarding and aliasing rules to hide future campaigns, and launch fraud or theft campaigns. And all of those are before tactics like malware, spyware, and other "-ware" that promise bad things for the victim are ever brought into the picture.

One of the reasons an EAC can be so dangerous is the attacker is "inside the building." Once the account is compromised, many security mechanisms, including basics like DMARC (Domain-based Message Authentication, Reporting, and Conformance), never come into play.

Now What?
BEC and EAC are related, but different, threats. Enterprise security staff should protect user email accounts from both and build systems that will identify, isolate, and remediate each as soon as a compromise is spotted. 

And while all of this is undoubtedly interesting, why does it matter? The short answer is that the differences in the attack must be mirrored by differences in the way defenders protect systems against them. Defenses against BECs begin as employee exercises in professional skepticism: If an email message requests something unusual or even extraordinary in terms of information or action, make a call to back it up. EACs defense, on the other hand, begins with protecting email accounts against takeover by any method and then, since you know those protections won't always work, extending defenses against malicious external email messages to those messages that originate within the corporate walls.

About the Author(s)

Curtis Franklin, Principal Analyst, Omdia

Curtis Franklin Jr. is Principal Analyst at Omdia, focusing on enterprise security management. Previously, he was senior editor of Dark Reading, editor of Light Reading's Security Now, and executive editor, technology, at InformationWeek, where he was also executive producer of InformationWeek's online radio and podcast episodes

Curtis has been writing about technologies and products in computing and networking since the early 1980s. He has been on staff and contributed to technology-industry publications including BYTE, ComputerWorld, CEO, Enterprise Efficiency, ChannelWeb, Network Computing, InfoWorld, PCWorld, Dark Reading, and on subjects ranging from mobile enterprise computing to enterprise security and wireless networking.

Curtis is the author of thousands of articles, the co-author of five books, and has been a frequent speaker at computer and networking industry conferences across North America and Europe. His most recent books, Cloud Computing: Technologies and Strategies of the Ubiquitous Data Center, and Securing the Cloud: Security Strategies for the Ubiquitous Data Center, with co-author Brian Chee, are published by Taylor and Francis.

When he's not writing, Curtis is a painter, photographer, cook, and multi-instrumentalist musician. He is active in running, amateur radio (KG4GWA), the MakerFX maker space in Orlando, FL, and is a certified Florida Master Naturalist.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights