Cyberattacks have become a routine part of our lives, but it's business email compromise (BEC) attacks that could cost businesses the most.
Email remains one of the leading communication channels — both in the private and business spheres — with 319.6 billion messages exchanged across the globe every day. But just a single targeted email attack on a single endpoint can quickly spread to other devices and even servers — bringing down an entire corporate network.
Users open emails quickly, and often with little thought. The risk is significant: These messages may contain sensitive data, and sometimes even passwords or other critical information that can be stolen. Users can also be deceived into revealing information that they shouldn't.
Though email service providers try to stay on top of persistent email threats, they often lack advanced, AI-powered tools to intelligently detect attack patterns. The responsibility of deciding whether or not a message is safe is left entirely up to the recipient, making breaches almost inevitable.
As a result, email security will continue to challenge corporate security professionals in 2022 and beyond.
Types of BEC Attacks and How They Work
BEC attacks are sophisticated scams that typically encourage victims to unwittingly transfer funds to the attacker, though data may be a target for theft as well. Attackers often impersonate a CEO or other executive at the organization to lend their request a sense of legitimacy and urgency.
In a mix-and-match approach, BEC attackers often use well-known social engineering techniques to first collect identity information, and then leverage that information in a very focused way — deceiving employees into transferring funds or opening a malware attachment.
BEC exploits are like old-fashioned sting operations: people tricking people. Here are some examples that demonstrate how they work and the damage they can cause.
CEO Fraud
Perhaps the most common form of BEC attack is CEO fraud, in which attackers convincingly position themselves as a leading executive — sometimes by gaining illicit access to the executive's real email account, and other times by creating a falsified account that is similar enough to appear believable.
The cybercriminals will typically reach out to employees with financial privileges and ask them to take a specific action, such as carrying out a wire transfer payment to an owed vendor, with a sense of urgency. Of course, the actual receiving account is controlled by the attackers.
In February 2016, attackers launched a strike against Snapchat, in which they impersonated the company's CEO to obtain highly sensitive data about current and former employees — including Social Security numbers, salaries, and healthcare plans. Snapchat offered the affected employees two years of free credit monitoring, plus up to $1 million in compensation.
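The falsified-account variant described above leaves traces in the message headers that a defender can check before the message reaches the employee: a display name that matches an executive while the address does not, a sending domain that is one typo or look-alike character away from the real one, or a Reply-To that silently redirects answers elsewhere. The following is an added example written for this article, not code from Acronis or any product it describes; the executive directory, the trusted domain `example.com`, the look-alike character table and the three sample messages are all constructed for illustration.

```python
"""Heuristic sender checks for CEO-fraud style BEC (added example, not Acronis code)."""
import email
from email.utils import parseaddr

# Constructed data: the organization's executive directory and its real mail domains.
EXECUTIVES = {"jane doe": "jane.doe@example.com", "sam lee": "sam.lee@example.com"}
TRUSTED_DOMAINS = {"example.com"}

# Partial, constructed map of characters that visually imitate ASCII letters
# (digit 1 for l, digit 0 for o, Cyrillic letters that look Latin, ...).
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def fold(text: str) -> str:
    """Lower-case and replace look-alike characters so 'examp1e' folds to 'example'."""
    text = text.lower()
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(raw_message: str) -> list[str]:
    """Return the BEC indicators found in the From/Reply-To headers (empty list = none)."""
    msg = email.message_from_string(raw_message)
    display, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    findings = []

    # 1. Display name matches a known executive, but the address is not their real one.
    expected = EXECUTIVES.get(display.strip().lower())
    if expected and address.lower() != expected:
        findings.append(f"display-name impersonation of {expected}")

    # 2. Sending domain is a near miss of a trusted domain (typo or look-alike characters).
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if fold(domain) == trusted or edit_distance(fold(domain), trusted) <= 2:
                findings.append(f"look-alike domain {domain} resembles {trusted}")

    # 3. Replies would go to a different domain than the one shown in From.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        findings.append(f"reply-to domain differs from From domain ({reply_to})")
    return findings


# Constructed sample messages (not real traffic).
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Q3 numbers\n\nSee attached.\n"
LOOKALIKE = "From: Jane Doe <jane.doe@examp1e.com>\nSubject: Urgent wire\n\nPlease pay the vendor today.\n"
FREEMAIL = ("From: Jane Doe <ceo.jane@freemail.invalid>\nReply-To: ceo.jane@other.invalid\n"
            "Subject: Urgent\n\nCall me.\n")

if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("lookalike", LOOKALIKE), ("freemail", FREEMAIL)):
        print(name, assess_sender(raw) or ["no indicators"])
```

These checks are cheap enough to run on every inbound message and are complementary to SPF/DKIM/DMARC: a look-alike domain registered by the attacker will pass all three, which is exactly why the display name and domain similarity have to be compared against the organization's own directory.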
Vendor Email Compromise
Vendor email compromise (VEC), in which criminals take over a recognized vendor’s legitimate email account, is another common form of BEC exploit. These attacks abuse the trust between partnered organizations for nefarious purposes.
In March 2021, a cybercriminal compromised the email account of a law firm and sent a password-protected zipped file to an employee of one of its active clients, a large insurance company. The insurance company's secure email gateway did not block the message, and the unsuspecting employee was tricked by a seemingly legitimate request to review documents. However, the attachment contained a stealthy Valyrian trojan (VB:Trojan.Valyria.3963) that executes automatically upon computer startup.
The obfuscated and encrypted malicious code would be missed by most traditional malware scanners. Luckily, an additional layer of defense was able to detect the cyberthreat and block it from executing.
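The gateway in the case above could not inspect the payload because the archive was password-protected, which is precisely the property a second layer should key on: an attachment the scanner cannot open is itself a signal. Standard ZIP encryption leaves the entry names in the central directory in clear text, so even without the password a scanner can report both the encrypted content and any executable-looking names inside. The following is an added example written for this article, not Acronis code or the defense layer the article refers to; the sender and recipient addresses, the attachment names and the archives themselves are constructed in the script (the stdlib cannot write encrypted ZIPs, so the example sets the encryption flag bit by hand to simulate one).

```python
"""Flag e-mail attachments a content scanner cannot inspect (added example, not Acronis code)."""
import email
import io
import zipfile
from email.message import EmailMessage

# Entry names a gateway should treat as executable even inside an archive.
RISKY_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".lnk", ".hta", ".dll")


def zip_findings(data: bytes) -> list[str]:
    """Inspect a ZIP attachment without extracting anything from it."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                # Bit 0 of the general-purpose flags marks an encrypted entry:
                # the scanner cannot look at the content, but the name is visible.
                if info.flag_bits & 0x1:
                    findings.append(f"encrypted entry: {info.filename}")
                if info.filename.lower().endswith(RISKY_SUFFIXES):
                    findings.append(f"executable entry: {info.filename}")
    except zipfile.BadZipFile:
        findings.append("malformed archive")
    return findings


def scan_message(raw: bytes) -> dict[str, list[str]]:
    """Map each attachment filename to its findings; an empty list means nothing was flagged."""
    msg = email.message_from_bytes(raw)
    report = {}
    for part in msg.walk():
        name = part.get_filename()
        if not name:
            continue
        payload = part.get_payload(decode=True) or b""
        if name.lower().endswith(".zip") or payload.startswith(b"PK\x03\x04"):
            report[name] = zip_findings(payload)
        else:
            report[name] = []
    return report


def _constructed_zip(entry_name: str, encrypted: bool) -> bytes:
    """Build a tiny in-memory ZIP; optionally set the encryption flag so the archive
    presents as password-protected (constructed test data, no real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(entry_name, b"placeholder content")
    data = bytearray(buf.getvalue())
    if encrypted:
        # Flag field sits at offset 6 of the local header and offset 8 of the
        # central-directory header; flip bit 0 in both.
        data[data.index(b"PK\x03\x04") + 6] |= 1
        data[data.index(b"PK\x01\x02") + 8] |= 1
    return bytes(data)


def _constructed_mail(attachment_name: str, attachment: bytes) -> bytes:
    """Constructed message in the shape of the law-firm-to-insurer case (addresses are placeholders)."""
    msg = EmailMessage()
    msg["From"] = "counsel@lawfirm.invalid"
    msg["To"] = "claims@insurer.invalid"
    msg["Subject"] = "Documents for review"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(attachment, maintype="application", subtype="zip", filename=attachment_name)
    return msg.as_bytes()


PROTECTED_MAIL = _constructed_mail("Contract.zip", _constructed_zip("Contract.pdf.exe", encrypted=True))
PLAIN_MAIL = _constructed_mail("Notes.zip", _constructed_zip("notes.txt", encrypted=False))

if __name__ == "__main__":
    print(scan_message(PROTECTED_MAIL))
    print(scan_message(PLAIN_MAIL))
```

A gateway that quarantines on either finding would have held the message in the case above for a human to release, instead of passing it because the scanner had nothing to match; the executable-name check also catches the common double-extension trick without opening the archive.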
False Invoice Schemes
Some BEC campaigns see attackers pose as one of an organization’s suppliers and present it with fraudulent invoices. Supplier invoices are often high-value; just one such successful attack could potentially net criminals hundreds of thousands, or even millions, of dollars.
Facebook and Google fell victim to a gang of cybercriminals who set up a fake company called Quanta Computer, which was actually the name of a bona fide hardware supplier. Over a period of two years, these two tech giants were presented with what seemed to be legitimate invoices, which were duly paid to bank accounts controlled by the malicious actors — to the tune of $121 million. The ringleader of this attack, Evaldas Rimasauskas, was ultimately apprehended, and in 2019 was sentenced to five years in prison.
Choosing an Email Security Service Provider
Managed service providers (MSPs) are responsible for delivering secure email services. They must choose their security solution vendors carefully through a multistage selection process.
First, create a list of potential vendors based on factors like time in market, available integrations with other solutions, global presence, and cloud-native offerings. At this stage, the task is to evaluate the vendor's business and technical maturity.
Next, narrow down the list based on independent lab reviews and customer testimonials to assess how effective these solutions are. Having a checklist of email security essentials can help ensure a more thorough, objective assessment.
Together with the shortlisted vendors, create a proof of concept for the future email security solution that meets the MSP’s unique business needs. This stage is important as many vendors are not ready for a long-term partnership that fosters collaboration and addresses custom requirements — preferring instead to sell purported "one-size-fits-all" solutions.
The vendor should next create a specialized offering for the MSP to test in a sandbox environment, making sure there are no gaps in the solution requirements and final implementation.
This process enables MSPs to start playing a major role in protecting their customers' email flows and work against the weaponization of email by cybercriminals.
An enhanced email security stack means new revenue streams, a better reputation, and sustainable growth for every managed service provider. Acronis offers a cloud-native deployment that enables fast integration with existing email systems and requires less effort on the customer side. Learn more about their Advanced Email Security pack for Acronis Cyber Protect Cloud.
About the Author
Candid Wüest is the VP of Cyber Protection Research at Acronis, where he researches new threat trends and comprehensive protection methods. Previously, he worked for more than 16 years as the tech lead for Symantec's global security response team. Wüest is a frequent speaker at security-related conferences, including RSAC and AREA41, and is an adviser for the Swiss federal government on cyber-risks. He holds a master's in computer science from ETH Zurich and various certifications and patents.