The $50,000 is gone, and you might not get any of it back. That’s the reality for thousands of organizations a year that are targeted by Business Email Compromise attacks. Crowdstrike’s report in May 2024 found that nearly 75% of businesses were targeted with BEC, pretexting, CEO fraud, or other email system attacks. And the average transaction (fraud) amount remains at a near-all-time high of fifty thousand dollars.
Many organizations are falling short of appropriate prevention, detection, and response strategies that could stop an attack before the pain of an email security compromise or data breach. The key to taking appropriate action is understanding the nature of the BEC attack and setting the organization up for success in the event of an actual or attempted account compromise.
In this preview of our upcoming trilogy, we’ll examine the dangers of business email compromise and the basic goals, methods, and traits of an email compromise attack. Understanding the impact of BEC attacks is the first step toward being able to protect against BEC.
In later parts of the series, we’ll examine:
While other types of social engineering sometimes come into play (via SMS, QR code, or over the phone, for example), the first step is still almost always a fraudulent email or phishing attack. The BEC attackers might impersonate a vendor by spoofing their email address or by attacking the email of a trusted partner.
The malicious email contains a link or file that prompts the user to authenticate their email or uses malware to steal a stored token or credential. Once this happens, the attackers gain access to the employee’s email account, including any associated services such as file sharing, online storage, and other messaging applications—anything that the legitimate email account can do, the BEC attackers can do as well. The account could even be used to send out fraudulent email messages impersonating the victim; this allows the threat actors to “work ahead” and begin targeting the next victims even while the current attack is underway.
These attacks rely on having access to the compromised accounts for an extended period of time. Often, the BEC attacker settles down for a lengthy phase (possibly weeks or months) of information gathering and surveillance.
This step of the attack is what makes an email compromise so dangerous. Instead of quickly deploying ransomware or another payload, the threat actor gets comfortable in the environment: reading emails, accessing documents, attempting to escalate privileges, establishing persistence, and learning as much about the organization’s practices and environment as they can. This process can take weeks or months, leading to ever-broadening data exposure as they access and review critical and confidential business documents. They may use their access to try to move “laterally” and compromise other accounts they see as high value—IT personnel, senior leadership, or accounting, for example.
If the compromised account happens to have administrator rights, the situation gets worse, as the attackers can potentially disable email security or data loss prevention features and monitor email communication between other, uncompromised accounts.
Eventually, when the threat actor is ready, they launch their attack—initiating a wire transfer, redirecting a payment, submitting a false invoice, or other BEC exploit strategy aimed at separating the target organization from as much currency as they think they can get away with. If the attack works, they’ll “sweep” the money into a safe account and repeat the attack until they are discovered. Then they simply abandon the account and move to the next target.
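As an added example that is not part of the original article, the following Python routine shows the kind of screening a defender can run over inbound mail headers to flag the vendor-impersonation patterns described above (a lookalike sender domain, a Reply-To that points somewhere other than the From domain, and a trusted display name paired with an untrusted address). The vendor domains, contact names, and messages are constructed for illustration.

```python
# Added example (not from the original article). Flags vendor-impersonation
# patterns in inbound mail headers. Vendor list and contact names are constructed.
from typing import Dict, List, Optional, Set

KNOWN_VENDOR_DOMAINS: Set[str] = {"acme-supply.com", "northwind-llc.com"}  # constructed
KNOWN_VENDOR_NAMES: Dict[str, str] = {"Acme Supply AP": "acme-supply.com"}  # constructed


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete a character of a
                           cur[j - 1] + 1,         # insert a character of b
                           prev[j - 1] + (ca != cb)))  # substitute (0 if equal)
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an email address."""
    return address.rsplit("@", 1)[-1].lower()


def screen_message(display_name: str, from_addr: str, reply_to: Optional[str]) -> List[str]:
    """Return the reasons a message looks like vendor impersonation (empty list = clean)."""
    reasons: List[str] = []
    from_dom = domain_of(from_addr)

    # 1. Sender domain is not a known vendor but is within two edits of one.
    if from_dom not in KNOWN_VENDOR_DOMAINS:
        for known in KNOWN_VENDOR_DOMAINS:
            if 0 < edit_distance(from_dom, known) <= 2:
                reasons.append(f"lookalike domain {from_dom} resembles {known}")

    # 2. Replies would be routed to a different domain than the visible sender.
    if reply_to and domain_of(reply_to) != from_dom:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_dom}")

    # 3. A trusted display name is attached to an address outside that vendor's domain.
    expected = KNOWN_VENDOR_NAMES.get(display_name)
    if expected and from_dom != expected:
        reasons.append(f"display name '{display_name}' expected from {expected}, got {from_dom}")
    return reasons
```

Such a check belongs alongside, not instead of, SPF/DKIM/DMARC evaluation and out-of-band verification of any payment-detail change.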
BEC schemes are difficult to deal with once they’ve begun, but there are some things to keep in mind that make them even more frustrating.
Even with quick action and a skilled investigator, bringing the hacker to justice may be difficult. VPN, darkweb, and proxy use make identifying the phishing suspects unlikely. And because they are frequently operating from foreign countries, law enforcement jurisdiction becomes difficult to navigate. Further, few local police departments have the resources to properly investigate these crimes, and federal agencies don’t have the staff or time to investigate or prosecute “smaller” crimes of less than several million dollars.
The one piece of good news is that victims who report potential BEC and related fraud to law enforcement are beginning to have increasing luck getting the stolen funds frozen for return, with nearly half of all victims getting nearly 80% of their funds returned after reporting to IC3 in 2024—if reported quickly. The sunshine isn’t universal, though: about 18% of victims were unable to recover any of their funds, even with law enforcement assistance.
The other factor that is often overlooked is that the actual victim of the crime (the person or organization from whom money is stolen) may or may not be the victim of the phishing attack. A vendor email compromise can result in false invoices being sent to, and paid by, the vendor’s customers and other third-party partners. This makes the aftermath of a fraud attack even more confusing and chaotic, as there may not be a clear indicator at first which organization was the source of the intrusion.
Understanding how Business Email Compromise attacks work is the first step to being ready to meet the threat actor on an equal footing; if we know what they do and what they’re after, then we can work to put appropriate prevention into place. In part two of the series, “An Ounce of Prevention,” we’ll examine how to prevent BEC fraud and defend against BEC attackers.
If you or your organization has questions, the RubinBrown Cyber Security Services team has experts ready to talk to you about cyber investigations, security assessments, penetration testing, or ongoing security support.
Published: 03/03/2025