Business Email Compromise – persistent threat or consistently mismanaged?


What is Business Email Compromise (BEC)?

I remember working in banking when BEC first happened – according to Google, this was around 2013. In our bank security department, we worked out how the fraud scheme worked, quickly developed internal controls and process improvements to reduce our vulnerabilities, and effectively treated the risk. So why in 2023, ten years later, are business owners still falling victim to BEC and other scams? More concerning, some executives only hear about BEC when they have become a victim – so what is BEC and how does it happen?

BEC is a type of fraudulent email scheme (scam), more specifically a cybercrime, in which fraudsters attack a company’s internal processes or functions. Most commonly, I come across BEC in relation to invoicing scams or banking transactions, but there are other, less common variations. Criminals use phishing techniques, meaning well-crafted, deceptive emails, and in some cases other social engineering tactics as well, to convince an employee or manager that they are legitimate.
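To make the "deceptive email" concrete, here is an added example (not code from the original post, and not a description of any control the author or their bank used) that parses an inbound message and flags the indicators an invoice-redirection BEC email typically carries: an executive's display name on an address outside the organisation, a sender domain one or two characters away from a trusted one, a Reply-To pointing somewhere else, and urgent payment-change language. The organisation domain, supplier domain, executive names, phrase lists and the sample message are all constructed for the example.

```python
"""Flag common BEC indicators in an inbound email (editor's example, not the blog's code)."""
import email
from email import policy
from email.utils import parseaddr
from typing import List, Optional, Set

# Assumed organisation data (hypothetical values): our own domain, known supplier
# domains, and executive names fraudsters are likely to impersonate.
OUR_DOMAIN = "example.com"
TRUSTED_DOMAINS = {OUR_DOMAIN, "acme-supplies.com"}
EXECUTIVES = {"jane smith", "tom brown"}

# Constructed phrase lists typical of invoice-redirection / payment-change requests.
PAYMENT_CHANGE_PHRASES = ("bank details", "new account", "updated account", "wire transfer")
URGENCY_PHRASES = ("urgent", "immediately", "today", "asap")


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an email address ('' if there is none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted: Set[str], max_dist: int = 2) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in trusted:
        return None
    for t in trusted:
        if 0 < edit_distance(domain, t) <= max_dist:
            return t
    return None


def bec_indicators(raw: bytes) -> List[str]:
    """Parse an RFC 5322 message and return the BEC indicators it trips."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    findings = []

    # 1. An executive's name shown on an address outside our own domain.
    if from_name.strip().lower() in EXECUTIVES and from_dom != OUR_DOMAIN:
        findings.append(f"display-name impersonation: '{from_name}' from {from_dom}")

    # 2. Sender domain one or two characters away from a domain we trust.
    target = lookalike_of(from_dom, TRUSTED_DOMAINS)
    if target:
        findings.append(f"lookalike domain: {from_dom} imitates {target}")

    # 3. Replies silently redirected to a different domain than the visible sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply-to mismatch: {domain_of(reply_addr)} != {from_dom}")

    # 4. Payment-change language combined with urgency in the subject or body.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + "\n" + (body.get_content() if body else "")).lower()
    if any(p in text for p in PAYMENT_CHANGE_PHRASES) and any(u in text for u in URGENCY_PHRASES):
        findings.append("urgent payment-detail change request")
    return findings


# Constructed sample: a fake CFO asking accounts to pay an invoice to new bank details.
SAMPLE = b"""From: Jane Smith <jane.smith@examp1e.com>
Reply-To: jane.smith.cfo@outlook-mail.example
To: accounts@example.com
Subject: Urgent: updated bank details for invoice 1042
Content-Type: text/plain

Hi, our supplier has changed their bank details. Please pay invoice 1042
to the new account today; I am in meetings and cannot take calls.
"""

if __name__ == "__main__":
    for finding in bec_indicators(SAMPLE):
        print("-", finding)
```

Run against the constructed sample, all four indicators fire; a routine supplier email from a trusted domain with no Reply-To and no payment-change wording returns an empty list. None of these checks is proof of fraud on its own, so the practical use is to route flagged messages to the out-of-band verification step (a phone call to a known number) rather than to block them.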


At times, these emails may even be combined with other channels such as phone calls to reinforce the sense of urgency and build trust and rapport with the victim. A simple ‘BEC attack example’ involves four phases: research and reconnaissance, targeting, attack, and escape, as illustrated below:

Here’s an example of how BEC could play out:

BEC is still happening – why?

As a cybercrime / online fraud, the simple TTPs (Tactics, Techniques and Procedures) employed by criminals, together with the way workers respond to them, mean BEC is still going strong. According to the Australian Competition & Consumer Commission (ACCC) ‘Targeting scams 2022’ report:

  • In 2022, Australians reported $569 million in losses to ScamWatch, a 76% increase on the previous year
  • The volume of incidents has decreased, but the value of incidents has increased (average losses have increased by 224% since 2020)
  • Losses from false billing scams totalled $24 million in 2022

These statistics demonstrate the size of this problem. Clearly, businesses need to do more to manage fraud, cybersecurity and scam risks.

Why is BEC still this prominent? Simple – because it works.
For criminals, fraudsters and scammers, it’s quick, cheap and profitable.

People are too busy to stop and think about what they are doing, or they take process shortcuts; they are too trusting of what happens online because of poor security awareness or inadequate fraud awareness training; or the scammer’s ‘attack’ email is so well crafted that it hooks the recipient easily and convinces them it is legitimate.

For managers, it’s important to realise that BEC has a strong nexus to your Insider Risk Management program: BEC scams cannot succeed without a wilful, complacent or ignorant insider.

A strong Trusted Insider program should be mutually reinforced and supported by a strong security culture, where all staff (including contractors and casuals, not just employees) understand and embrace the importance of security to your business. If security awareness is low and you have a poor security culture, employees and contractors can be complacent or even ignorant of the risk.

How to prevent BEC and other scams?

Who typically gets targeted? Because BEC frauds primarily target the invoicing process, staff in accounts and procurement are most likely to be targeted, as well as line managers, executives and their assistants.

1. Up your game – improve culture and awareness

Whilst all staff in your organisation should have some level of fraud and security awareness, staff in these roles should have a high level of understanding about BEC, its various forms, and how prolific it is.

2. Identify, assess and manage the risk

Too often, I find organisations which haven’t stopped to think about how fraud and security issues can materialise in their business. Businesses need to perform a detailed security risk assessment to understand how and where they may be vulnerable to cybersecurity or fraud compromise. Any security or fraud risk assessment should be regularly updated to reflect changes in the business and its operations.

3. Review your business processes and internal controls

Frauds and scams differ from violent crimes in that they exploit a business process. To succeed, criminals must complete a particular task, often in a specific order. For a business, each of these tasks is a vulnerability unless you have sufficient internal control coverage to mitigate these risks.

In practice, I find that overlaying a process map of the scam or fraud from the criminal’s (external) perspective onto the internal business process helps identify gaps (vulnerabilities): every step the criminal must complete that no control detects or blocks is a gap. This is often done in Red Teaming and other Security Assurance activities.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers, experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for the full disclaimer.