Guest Blog: Business Email Compromises – What are the Most Common Threats by F-Secure

December 22nd, 2021


With around 80% of security compromises driven and enabled by credential theft to date, when a business email account is compromised, the entire organization can suffer.


Our friends at F-Secure have written a helpful blog that looks at some of the most common threats currently faced by organisations and explains how they work, so that you can protect your email systems from them.

Business Email Compromise

Business Email Compromise (BEC) scams are a form of email fraud where the attacker masquerades as a senior employee and attempts to coerce the recipient into performing their business function for an illegitimate purpose, such as wiring money.

Attackers might carry out these scams through any of the following methods:

  • Email or website spoofing – imitating a legitimate email or website
  • Sending spear phishing emails
  • Deploying malware

According to Europol, these scams are also becoming alarmingly more professional and convincing. BEC attacks have quickly become a top priority for European law enforcement as the threat landscape continues to evolve at tremendous speed.

Four Common BEC Scams  

Here are four basic BEC scams to watch out for:

  1. Fake Invoice Scam: This type of attack typically involves the impersonation of a company’s trusted supplier. The impersonation relies on social engineering and is often achieved using spoofed email. The scam is then carried out with a request for funds to be wired for an invoice payment into a fraudulent account instead of a legitimate account for that supplier. Last year, Google and Facebook made headlines for falling victim to such a scam and ended up losing approximately $100m.
  2. Wire Fraud Scam: Attackers in a wire fraud scam typically impersonate higher-level executives such as the CEO, CFO, or COO of the targeted company. They may appear to be handling urgent and confidential matters but are actually spoofing. These matters are accompanied by a request to wire a transfer to an account within their control, e.g. a mule’s account. In some cases, these requests are made directly to the company’s financial institution, insisting funds need to be wired urgently.
  3. Fake Lawyer Scam: In this scam the attacker reaches out to employees of the targeted company while pretending to be a lawyer with either the Corporate Counsel or another law firm. Similar to the above-mentioned scams, they often claim to be handling confidential and time-sensitive matters that require the employee to handle a transfer of funds. The request may reference matters which are occurring at the company like a merger or acquisition, thus making the request seem more believable. This type of attack is typically timed close to the end of a business day when the employees are tired and more likely to fall victim to the scam.
  4. Human Resources Scam: Here, the attacker poses as someone from a specific functional area in the company such as Human Resources. However, unlike the previous scams, they will ask for personally identifiable information (PII) instead of money. This request is even more damaging to the company as the information received can be used to make money or to facilitate a larger attack.

The bad news about BEC scams is that they work. BEC scams are even more believable when they are carried out from compromised email accounts.

According to the Internet Crime Complaint Center (IC3), there were U.S. $1.7 billion in losses in 2019 alone due to BEC scams.

Email Account Compromise

Email Account Compromise (EAC) is a sophisticated attack in which attackers use various tactics, techniques, and procedures to compromise a user’s email account in order to gain access to their legitimate accounts. While it is similar to BEC, the difference between EAC and BEC lies in whether the email system has been compromised.

  • BEC: Impersonates you but does not compromise the email system. BEC attackers typically use identity deception tactics such as domain spoofing, display name spoofing, and lookalike domains to trick targets into making payments to fraudulent accounts.
  • EAC: Impersonates you, compromises the email system, and uses your actual email account.

EAC attackers take control of your account which allows them to bypass email filters and authentication controls. This is a very effective way to conduct email fraud internally or with your customers. Phishing emails from a compromised account are especially effective because they are “trusted”.
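The three BEC identity-deception tactics listed above can each be checked from message headers. The following Python is an added example, not part of the original article or F-Secure's material; `ORG_DOMAIN`, `EXECUTIVES` and all sample messages are constructed assumptions. The last sample is sent from the real account, as in EAC, and raises no indicator.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (constructed for this example): our domain and one executive.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"alice smith": "alice.smith@example.com"}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(raw):
    """Return the identity-deception indicators found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    # Assumes this header was stamped by our own receiving mail server.
    auth = msg.get("Authentication-Results", "").lower()
    findings = []
    # Display name spoofing: an executive's name on someone else's address.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append("display-name-spoofing")
    # Lookalike domain: one or two edits away from our real domain.
    if 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        findings.append("lookalike-domain")
    # Domain spoofing: our domain in From, but DMARC did not pass.
    if domain == ORG_DOMAIN and "dmarc=pass" not in auth:
        findings.append("domain-spoofing")
    return findings

HDR = "Authentication-Results: mx.example.com; dmarc=%s\nSubject: Payment\n\nPlease pay.\n"
SAMPLES = {  # constructed messages, one per tactic plus an EAC case
    "display": "From: Alice Smith <ceo.office@freemail.test>\n" + HDR % "pass",
    "lookalike": "From: Accounts <ap@examp1e.com>\n" + HDR % "pass",
    "spoofed": "From: Alice Smith <alice.smith@example.com>\n" + HDR % "fail",
    "eac": "From: Alice Smith <alice.smith@example.com>\n" + HDR % "pass",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, classify(raw))
```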

Both EAC and BEC rely heavily on social engineering and are targeted at specific people. These two kinds of compromises are so intertwined that the US Federal Bureau of Investigation (FBI) has been tracking these scams as a single crime type since 2017.

EAC attacks launched from compromised email accounts are difficult to detect. These attacks may be targeted at other users within the target organization or externals such as clients and partners.

An EAC attack is a serious risk for the account’s legitimate owner and the companies involved. It not only gives attackers the ability to impersonate the account’s owner, it also provides full access to the person’s contacts, ongoing email conversations, and email archives.

That means that attackers can now leverage hacked company email accounts to craft new scams that are extraordinarily personalized and effective based on the information they have. Among them are:

  1. Launching a large phishing campaign from the compromised account. In most cases, the ‘good reputation’ of the account and the company email server makes these campaigns successful.
  2. Sending more targeted and elaborate emails to employees who are authorized to pay bogus invoices, if the account owner is a senior figure within the organization.
  3. Inserting themselves into organizational conversations that are centered around payments to inform recipients that they need to wire money to a different account on this occasion, creating the opportunity for theft.

Due to the increase in credential theft used to hack cloud-based email services and to conduct a BEC or an EAC, it is crucial to ensure the security of business credentials and their use.

Organizations can keep their businesses safe by implementing a multilayered approach to their security, including the use of Multi-Factor Authentication (MFA), User and Entity Behavior Analytics (UEBA), and password managers.

It is also essential to conduct organization-wide security awareness training against credential theft so that employees can assist in the detection of social engineering attacks instead of falling for them. Other attacks such as malware and network intrusion will, however, require a different type of response.

To find out more about email security, the most common threats and how you can protect your business, check out F-Secure's whitepaper here.

