Hacking the Business Email Compromise

BEC attacks are on the rise, but plain-old spoofing of business executives' email accounts remains more prevalent.

Business email compromise (BEC) attacks are all the rage and on the rise. But it doesn't necessarily require a full-blown BEC attack to scam an organization out of money. Sometimes all it takes is an old-fashioned spoofed email address.

The FBI recently warned that BEC attacks worldwide have racked up some $3 billion in victim losses, with the average loss at $140,000 per incident. BEC attacks, in which cybercriminals get control of a business executive's email account credentials and use the account to steal money from the victim organization, are increasing, as are similar but simpler attacks that merely spoof executives' email accounts.

New data from email security provider Proofpoint shows a 45% jump in these types of scams overall. The firm studied some 45,000 attack attempts on its customers from October to December 2016 via email-account spoofing or full-blown email account compromises. Two-thirds of those attack attempts employed spoofed emails, and the other third, BECs.

In email spoofing, the attacker forges a message so that it appears to come from a real email domain and from the legitimate owner of an account there. The spoofed message may display the legitimate email address, while the actual return address is different and hidden behind the legitimate user's display name or address.

In a BEC attack, the cybercriminal steals a business exec's email account credentials in order to pose as that person to trick employees into wiring money or performing other actions on the "exec's" behalf.

"Attackers are understanding that more than anything" the best weapon is exploiting the human factor to fool companies into wiring money to the bad guy's accounts, says Patrick Wheeler, director of threat intelligence at Proofpoint. "It's identity deception at its best. These techniques work."

More than 70% of the spoofed and BEC emails Proofpoint found came with attention-grabbing subject lines like "Payment" (30%), "Request" (21%), and "Urgent" (21%). And the targets weren't all big execs from big companies. Some 15% went after small- to midsized businesses.

Of course, these attacks are basically methods of social engineering and phishing, which have long been a popular initial attack vector for malware infections and data breaches.

Email spoofing is much easier to pull off and is often a precursor to a full-blown BEC attack. The two attack methods, spoofing and BEC, unfortunately sometimes get conflated, which can cause confusion. "If there's no compromise [of an email account], it's not BEC," says Joe Stewart, director of malware research at SecureWorks.

Stewart and his research team have infiltrated several BEC and other similar scam operations to peek inside their inner workings. They have watched cybercriminals in some groups teaching one another how to employ these scams. His team has seen BEC schemes that net the attackers anywhere from $30,000 to $250,000.

"BEC is really difficult to spot, versus business email spoofing, which is really easy," he explains. With a BEC, the email from the CEO to transfer funds actually comes from the real CEO's account, which makes it harder to discern, he notes.

These types of attacks are growing at a steady pace, he says. "It's easier to teach someone how to do business email spoofing than to do actual BEC. There are a lot more moving parts through BEC," Stewart says. "It's no surprise that there's a faster growth rate for attackers learning email-spoofing. But I don't think it's going to stop there. It's going to reach a peak … when spoofing is not as effective, and they will adapt" and learn BEC methods, he says.

Researchers from Trend Micro also have seen an increase in BEC activity in the past year. "At a very high level with BEC, we've seen an exponential lift in this type of attack," says Ed Cabrera, chief cybersecurity officer for Trend Micro.


BEC scams are an increasing weapon used by cybercriminals in West Africa, according to recently published data from INTERPOL and Trend Micro. Cybercriminals out of that region from 2013 to 2015 stole an average of $2.7 million from businesses and $422,000 on average from individuals via various scams including BEC.

Duping is Easy

It's a scenario that plays out far too easily: an employee in the finance department receives an email from the company executive instructing him or her to wire money in what appears to be a legitimate transaction request. By the time the victim organization realizes the transaction was a scam and the email didn't come from the employee's boss, the money is long gone, and so are the bad guys.

But there have been a few high-profile BEC busts in the past year. Just last week, the US Department of Justice announced that law enforcement has arrested a Lithuanian man for allegedly duping two US technology companies into wiring him $100 million over a two-year period. In this case, some of the stolen money was actually recovered in the wake of the arrest.

Last month, the DoJ announced indictments of 19 suspects in a global money-laundering scheme that included the use of BEC and led to $13 million in losses. And in December, Nigerian national David Adindu and several accomplices were charged in a BEC scam operation that targeted thousands of victims and involved some $3.1 billion. 

Chris Hadnagy, chief human hacker at Social-Engineer, LLC, says one of his firm's higher education clients lost $30,000 to a multi-layered and multi-stage attack that included email spoofing of the victim's CEO. An employee received an email with the CEO's spoofed email address ordering the victim to send the wire transfer ASAP. The attackers then followed up their phishing email with a voice call and posed as the CEO's assistant to confirm the email message and ensure that the user sent the money to their account.

Hadnagy, whose firm consults and trains companies on protecting against social engineering ploys and attacks, says BEC attacks often begin with a blend of online intel-gathering, phishing, vishing, or a combination of phishing and vishing, all aimed at ultimately infecting the victim and then hijacking the business email account. The caller says "hey, I've got this invoice with your name on it coming to you," and when it arrives, the victim opens it and his or her system is infected with a keylogger or other malware.

"That [layered and combined] attack is what you're going to start seeing" with BEC attacks, he says.

He says cybercriminals are setting up actual call centers in Russia, Greece, and Uzbekistan, to support their vishing and BEC operations. They hire dozens of people who get paid about $3 per day and man the phones for various scams, including one that poses as the Internal Revenue Service demanding back tax payments. "As soon as they [the call center workers] get to the point where there are money transfers, they say 'I'll transfer you to my manager,'" and the call is handed off to another scammer who handles the money, Hadnagy explains.

BEC attacks don't require malware infections either: "Credential harvesting is becoming way more popular because it's so easy to cull web pages and make them look realistic," he says.

The social engineering expert warns that the next wave will involve vishing and mobile phone compromises. "With BYOD, it's just a gold mine for an attacker. They compromise your phone while you're at home and then you plug into the company network," he says, and the hijacked smartphone can be used as a rogue wireless access point, or its camera and microphone can be employed for spying purposes.

"SIP lines and a voice server are cheap," he says. "The risk/reward, it's way too high. We're going to see a massive increase" in these types of attacks.

Training users about social engineering, phishing, email spoofing, and BEC attacks should be part of the routine for businesses, experts say, as well as regular system patching and software updates.

But one of the key technologies that can help organizations prevent such attacks is DMARC, the Domain-based Message Authentication, Reporting and Conformance standard. DMARC lets a domain's owner tell receiving mail servers how to treat messages that fail authentication for that domain, so phony messages can be rejected on arrival and only DMARC-authenticated messages are delivered to recipients' inboxes.

Phil Reitinger, president and CEO of the Global Cyber Alliance, says DMARC basically helps make email trustworthy. "You can stop those spoofed email attacks with DMARC," he says.

But that doesn't mean DMARC stops all phishing attacks, he says. Just the ones that spoof a domain. "Attackers can still send an email from a lookalike domain." 
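Added here as an illustration, not code from the article or from any vendor it quotes: a minimal receiver-side DMARC evaluator run over constructed From headers and DMARC records. It shows why a message forging the exact corporate domain is rejected under a p=reject policy, while a lookalike domain with its own valid setup, or the display-name masking trick described earlier, is not something DMARC alone catches. The domains, records and the simplified organizational-domain rule are assumptions for the sample.

```python
import re

# Constructed DMARC records for this example; a real receiver fetches _dmarc.<domain> TXT via DNS.
DMARC_RECORDS = {
    "example.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
    "examp1e.com": "v=DMARC1; p=none",  # lookalike domain the attacker registered and configured
}

def split_from(header):
    """Split 'Display Name <user@host>' into (display, address)."""
    m = re.match(r"^\s*(?P<display>.*?)\s*<(?P<addr>[^<>]+)>\s*$", header)
    if m:
        return m.group("display"), m.group("addr").strip()
    return "", header.strip()

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=reject; aspf=s' into a tag dict, with relaxed alignment as the default."""
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    return {"adkim": "r", "aspf": "r", **tags}

def org_domain(domain):
    """Crude organizational domain (last two labels); enough for the sample domains here."""
    return ".".join(domain.lower().split(".")[-2:])

def aligned(auth_domain, from_domain, mode):
    """Relaxed (r) alignment matches organizational domains; strict (s) needs an exact match."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)

def dmarc_disposition(from_header, spf_pass_domain=None, dkim_pass_domain=None):
    """Return ('deliver'|'quarantine'|'reject', reason) for a message whose SPF / DKIM checks
    passed for the given domains (None when the respective check did not pass)."""
    _, addr = split_from(from_header)
    from_domain = addr.rsplit("@", 1)[-1].lower()
    record = DMARC_RECORDS.get(from_domain)
    if record is None:
        return "deliver", "no DMARC policy published for " + from_domain
    policy = parse_dmarc(record)
    if aligned(dkim_pass_domain, from_domain, policy["adkim"]) or \
       aligned(spf_pass_domain, from_domain, policy["aspf"]):
        return "deliver", "DMARC pass"
    action = policy["p"] if policy["p"] in ("reject", "quarantine") else "deliver"
    return action, "DMARC fail, p=" + policy["p"]

def display_name_masks_address(from_header, corporate_domain):
    """Flag 'ceo@example.com <x@freemail.test>': a trusted address shown in the display name while
    the real address lives elsewhere. DMARC evaluates the real From domain, so it never sees this."""
    display, addr = split_from(from_header)
    shown = re.findall(r"[\w.+-]+@([\w.-]+)", display)
    return any(d.lower() == corporate_domain for d in shown) and \
        addr.rsplit("@", 1)[-1].lower() != corporate_domain
```

The display-name check is the kind of rule a mail gateway adds on top of DMARC for the masking case, and it is still blind to a lookalike domain, which is where user training comes in.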

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
