Cybersecurity In-Depth

The Edge

BECs and EACs: What's the Difference?

Email accounts are common targets for attack. Understanding how attack types differ is critical for successful defense.

Email can be awful. From all varieties of spam that sneak through your filters to "reply all" conversations that trap you into finding meaningful comments buried 17 layers deep in a message, email is the business scourge that not even a pandemic can erase. And it only gets worse: Email is also a vector for a variety of attacks that can open the door for theft, fraud, ransomware, and more.

According to the FBI, business email compromise (BEC) attacks were responsible for more than $26 billion in global damages between 2016 and 2019. BEC is a broad description, used by some organizations (like the FBI) to cover virtually all attacks that use a trusted email address as part of the campaign. Others, however, use BEC as a more specific term and email account compromise (EAC) to describe a different type of attack.

It's important to know the difference between the two even if you ultimately decide that one label is enough when it comes to email-based cyberattacks.

Related Content:

Business Email Compromise Attacks Involving MFA Bypass Increase

The Changing Face of Threat Intelligence

New on The Edge: Loyal Employee ... or Cybercriminal Accomplice?

BEC: The Narrow Definition
In the "classic" BEC, one are more techniques are used to convince an email recipient that a message is coming from a legitimate, trusted source when, in fact, it's coming from an entirely nefarious account. The now-trusted message could request the recipient do any number of things, none of which are good for an enterprise.

The key point to remember about a classic BEC is its success is based on messages pretending to be from a trusted source. The more convincing the mimicry (or naive the victim), the more successful the attack.

EAC: The Takeover
Whereas a BEC is based on messages that appear to come from a trusted source, in an EAC the messages actually do come from a trusted source. "Attackers use various tactics, such as password spray, phishing, malware, to compromise victims' email accounts, gaining access to legitimate mailboxes," Proofpoint explains

Once an attacker has gained access to the email accounts, they can do many evil things: exfiltrate data associated with the account, change forwarding and aliasing rules to hide future campaigns, and launch fraud or theft campaigns. And all of those are before tactics like malware, spyware, and other "-ware" that promise bad things for the victim are ever brought into the picture.

One of the reasons an EAC can be so dangerous is the attacker is "inside the building." Once the account is compromised, many security mechanisms, including basics like DMARC (Domain-based Message Authentication, Reporting, and Conformance), never come into play.

Now What?
BEC and EAC are related, but different, threats. Enterprise security staff should protect user email accounts from both and build systems that will identify, isolate, and remediate each as soon as a compromise is spotted. 

And while all of this is undoubtedly interesting, why does it matter? The short answer is that the differences in the attack must be mirrored by differences in the way defenders protect systems against them. Defenses against BECs begin as employee exercises in professional skepticism: If an email message requests something unusual or even extraordinary in terms of information or action, make a call to back it up. EACs defense, on the other hand, begins with protecting email accounts against takeover by any method and then, since you know those protections won't always work, extending defenses against malicious external email messages to those messages that originate within the corporate walls.