Explaining BEC & EAC Attacks
We all know that email is a regular part of business. If users receive an email they think is from their manager, chances are they’ll open it, and probably do what it instructs or asks:
- “Wire money to this account.”
- “Send the payment here.”
- “Attach employee files.”
Sadly, a growing share of such emails are fraudulent. These scams belong to a fast-growing class of cyber-attack known as business email compromise (BEC) and its close relative, email account compromise (EAC). We talked about these types of attacks in our 2020 Cybersecurity Webinar, recorded on October 6, 2020.
According to the FBI, BEC and EAC attacks have cost businesses upwards of $26 billion worldwide since 2016 in exposed (actual and potential) losses. The average attack nets the attacker nearly $130,000.
These attacks subvert human trust and imperfect financial controls—not technical vulnerabilities—to bilk victims out of thousands, sometimes millions, of dollars. And they’re hard to stop, especially with conventional email defenses aimed at stopping unsafe attachments and URLs.
The Good News
These threats can be managed with the right people-focused approach. It comes down to your employees: they are your last line of defense in stopping BEC and EAC attacks.
Business Email Compromise:
In a BEC scam, the attacker pretends to be someone the victim trusts: an executive, a colleague, a vendor. It usually starts with a sender address disguised to look like a trusted one. The key word is disguised; the attacker does not control the real account and relies on the reader not looking closely.
- Domain spoofing – forging the sender address (the envelope MAIL FROM, the visible From: header, or both) so the message appears to come from a real, trusted domain, yours or a partner’s. SPF, DKIM and DMARC exist to detect exactly this, but only for domains whose owners publish enforcing records.
- Lookalike domains – registering a domain that differs from the real one by a character the eye skips over, for example the numeral “0” instead of the letter “O” (Y0urcompany) or “rn” instead of “m”.
- Display-name spoofing – the sender sets the display name to anything they like (“Jane Doe, CEO”) on an unrelated address such as a free webmail account. This is especially effective because mobile email apps typically show only the display name by default.
Other tactics include using branded elements, such as company logo, name, colors and the use of urgent language:
- “Action Required Immediately”
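The three disguises above, plus the urgency cue, can all be checked mechanically on the headers of an inbound message. The following is an added example written for this article, not code from the original post or from any vendor: it assumes a hypothetical protected domain yourcompany.com, a gateway whose Authentication-Results header carries the authserv-id mx.yourcompany.com, and a short list of staff names that are commonly impersonated. The Authentication-Results header (RFC 8601) is only meaningful when your own gateway writes it and strips any copy that arrives from outside, which is why the check insists on that authserv-id rather than on the string dmarc=pass alone.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Hypothetical organisation data (assumptions for this example, not from the article).
OUR_DOMAIN = "yourcompany.com"
AUTHSERV_ID = "mx.yourcompany.com"   # authserv-id our own gateway writes; trust no other
VIP_NAMES = {"jane doe"}             # staff whose names are commonly impersonated
URGENCY = re.compile(r"\b(urgent|immediately|action required|wire|overdue)\b", re.I)


def skeleton(domain: str) -> str:
    """Fold common lookalike substitutions (0->o, 1->l, 3->e, 5->s, 8->b, rn->m, vv->w)
    so a lookalike such as 'y0urcompany.com' collapses onto the real domain."""
    d = domain.lower()
    for multi, single in (("rn", "m"), ("vv", "w")):
        d = d.replace(multi, single)
    return d.translate(str.maketrans("01358", "olesb"))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str) -> bool:
    """True when the domain is not ours but collapses onto ours after
    confusable-character folding or a single typo."""
    return domain != OUR_DOMAIN and (
        skeleton(domain) == skeleton(OUR_DOMAIN) or edit_distance(domain, OUR_DOMAIN) <= 1
    )


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw: str) -> list[str]:
    """Return the BEC indicators found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = domain_of(addr)
    findings = []

    # Domain spoofing: From: claims our own domain, so only our gateway's
    # Authentication-Results (matched by authserv-id) reporting dmarc=pass may vouch for it.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if domain == OUR_DOMAIN and not (auth.startswith(AUTHSERV_ID) and "dmarc=pass" in auth):
        findings.append("domain-spoofing: From claims our domain without dmarc=pass from our gateway")

    # Lookalike domain: not ours, but visually close to it.
    if is_lookalike(domain):
        findings.append(f"lookalike-domain: {domain} resembles {OUR_DOMAIN}")

    # Display-name spoofing: a known staff name fronting an external address.
    if display.strip().lower() in VIP_NAMES and domain != OUR_DOMAIN:
        findings.append(f"display-name-spoofing: '{display}' sent from {domain}")

    # A Reply-To elsewhere is how a spoofer actually receives the victim's answer.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != domain:
        findings.append(f"reply-to-mismatch: replies go to {domain_of(reply)}")

    # Pressure language in the subject, as in the examples above.
    if URGENCY.search(str(msg.get("Subject", ""))):
        findings.append("urgency: pressure language in subject")

    return findings


# Constructed sample messages (not real traffic), one per technique plus a clean one.
SAMPLES = {
    "legit": (
        "Authentication-Results: mx.yourcompany.com; spf=pass; dkim=pass; dmarc=pass\n"
        "From: Jane Doe <jane.doe@yourcompany.com>\n"
        "Subject: Lunch on Friday?\n\nAny preference?\n"
    ),
    "display_name": (
        "Authentication-Results: mx.yourcompany.com; spf=pass; dkim=pass; dmarc=pass\n"
        "From: Jane Doe <jane.doe.ceo@gmail.com>\n"
        "Subject: Action Required Immediately - wire transfer\n\nWire money to this account.\n"
    ),
    "lookalike": (
        "From: Jane Doe <jane.doe@y0urcompany.com>\n"
        "Subject: Send the payment here\n\nNew bank details attached.\n"
    ),
    "spoofed": (
        "Authentication-Results: mx.yourcompany.com; spf=fail; dkim=none; dmarc=fail\n"
        "From: Jane Doe <jane.doe@yourcompany.com>\n"
        "Reply-To: jane.doe@mail-example.net\n"
        "Subject: Attach employee files\n\nSend me the W-2s.\n"
    ),
}


def scan_all() -> dict:
    return {name: analyze(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, findings in scan_all().items():
        print(name, "->", findings or ["clean"])
```

The clean message produces no findings; the other three each trigger two. Note the order of checks: a message that really comes from your domain and fails DMARC is a forgery regardless of what the display name says, while a lookalike domain will never fail DMARC (the attacker owns it and can publish perfectly valid records), which is why the lookalike test compares domain strings instead of relying on authentication results.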
Email Account Compromise:
EAC is closely related to BEC, but it is even harder to detect and stop. In EAC the attacker takes over a real email account, so the fraudulent email reaches the target from a legitimate mailbox: it passes SPF, DKIM and DMARC and looks authentic because, technically, it is.
How attackers usually compromise accounts:
- Brute-force and password-spraying attacks – trying many passwords against one account, or a few common passwords across many accounts (to stay under lockout thresholds), until one works
- Breach replay (credential stuffing) – a password leaked in a breach of one service is tried against the victim’s email; it works whenever the same password was reused across accounts
- Phishing – emails and fake login pages that are “fishing” for credentials and access
- Malware – keyloggers, information stealers and other malware that harvest saved or typed credentials
Once the attacker controls an account, they can launch a variety of attacks from it: internal phishing, supply-chain phishing of the victim’s customers and vendors, BEC-style payment fraud and data exfiltration, often after adding mailbox rules that forward or hide the conversation from the real owner.
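The first two compromise methods in the list above leave distinct footprints in authentication logs: brute force is many failures against one account from one source, while spraying is one or two failures against many accounts from one source, followed by a success when a guess lands. The following is an added example for this article, not code from the original post or any product; it works over a constructed log format of the form `<timestamp> <FAIL|SUCCESS> user=<name> ip=<address>` and uses threshold values that are assumptions to be tuned to your own baseline. Logs do not record the password tried, so a breach-replay (credential-stuffing) run with a different leaked password per account looks identical to spraying here and is flagged the same way; multi-factor authentication is what blunts all of them.

```python
from collections import defaultdict

# Thresholds are assumptions for this example; tune them to your own baseline.
BRUTE_FORCE_MIN_FAILS = 8    # many failures against ONE account from one source
SPRAY_MIN_ACCOUNTS = 5       # failures spread across MANY accounts from one source...
SPRAY_MAX_PER_ACCOUNT = 3    # ...with only a few tries each, to stay under lockout


def parse(line: str) -> dict:
    """Parse one line of the constructed format
    '<timestamp> <FAIL|SUCCESS> user=<name> ip=<address>'."""
    ts, result, user_kv, ip_kv = line.split()
    return {
        "ts": ts,
        "result": result,
        "user": user_kv.split("=", 1)[1],
        "ip": ip_kv.split("=", 1)[1],
    }


def classify(lines):
    """Group authentication events by source IP and label each source as
    brute-force or password-spray; sources with only a few failures against a
    single account are left unlabelled. A SUCCESS from a source that was
    already failing is recorded as a likely account compromise."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failure count
    successes = defaultdict(set)                     # ip -> users that later succeeded
    for ev in map(parse, lines):
        if ev["result"] == "FAIL":
            fails[ev["ip"]][ev["user"]] += 1
        elif ev["result"] == "SUCCESS" and ev["ip"] in fails:
            successes[ev["ip"]].add(ev["user"])

    verdicts = {}
    for ip, per_user in fails.items():
        worst = max(per_user.values())
        if worst >= BRUTE_FORCE_MIN_FAILS:
            label = "brute-force"
        elif len(per_user) >= SPRAY_MIN_ACCOUNTS and worst <= SPRAY_MAX_PER_ACCOUNT:
            label = "password-spray"
        else:
            continue   # ordinary typos: few failures against few accounts
        verdicts[ip] = {
            "label": label,
            "accounts": len(per_user),
            "compromised": sorted(successes[ip]),
        }
    return verdicts


# Constructed sample log (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = (
    # one source hammering a single mailbox: brute force
    [f"2020-10-06T09:00:{i:02d}Z FAIL user=bob ip=198.51.100.9" for i in range(10)]
    # one source trying one guess each against many mailboxes, then getting in: spray
    + [f"2020-10-06T09:05:0{i}Z FAIL user={u} ip=203.0.113.7"
       for i, u in enumerate(["alice", "carol", "dave", "erin", "frank", "grace"])]
    + ["2020-10-06T09:06:00Z SUCCESS user=erin ip=203.0.113.7"]
    # a real user mistyping twice and then logging in: noise, not an attack
    + ["2020-10-06T09:10:00Z FAIL user=alice ip=192.0.2.44",
       "2020-10-06T09:10:05Z FAIL user=alice ip=192.0.2.44",
       "2020-10-06T09:10:20Z SUCCESS user=alice ip=192.0.2.44"]
)


if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(ip, verdict)
```

On the sample log the brute-force source is labelled with no compromise, the spraying source is labelled with erin as the account it got into, and the user who mistyped twice is not reported at all. In a real environment the per-source grouping would also key on user agent and ASN, since sprayers rotate addresses to stay under exactly this kind of threshold.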
BEC and EAC succeed by combining several of these techniques, and the weakest link is almost always people. Even with safeguards and monitoring in place, it takes only one person clicking the wrong link or replying to the fake email to compromise an account.
This means both sides of the problem have to be covered: the technical side and the human side. The technical side involves working with your IT partner to safeguard your network, devices and users with email authentication (SPF, DKIM and DMARC), multi-factor authentication on mailboxes, monitoring, firmware and software updates, antivirus and other relevant tools. The human side involves training yourself and your team to recognise what these attacks look like and what to do when one arrives.
Email-use policies should spell out what employees do when one of these messages appears in their inbox and, if they are compromised, whom to call immediately.
Defending against BEC and EAC truly comes down to education. Your team needs to be educated so they can handle their regular duties, which inevitably include email, with confidence.
If you are not confident in your email security and best practices, CommWest will come alongside your business to support both the technical and human sides of your technology. Start by calling us today to begin safeguarding your business from BEC and EAC attacks.
- FBI. “Business Email Compromise: The $26 Billion Scam.” September 2019.
- Darla Mercado (CNBC). “New online financial scam costs victims $130K per attack.” February 2018.