ABC of business email compromise

by Mark Rowe

Social engineering is nothing new, writes Anthony Hess, Head of Incident Response at cyber risk firm CFC Underwriting.

From the tale of the Trojan horse to Victor Lustig, the infamous Austria-Hungarian who convinced a number of scrap metal dealers that he was selling the Eiffel Tower, scams like these are about as old as human history. But social engineering scams are taking on a new form.

The technological revolution of the past two decades has meant that they are no longer confined to skilful con artists plying their trade in the real world; in recent years, there has been a massive rise in social engineering scams in the digital sphere, and it’s causing serious financial harm to businesses around the world. According to the FBI, between October 2013 and May 2018 alone, some $12.5 billion was lost worldwide due to funds being transferred following social engineering scams.

Many of these attacks involve Business Email Compromise (BEC). As the name suggests, this involves hackers gaining access to business email accounts and then using deception to manipulate individuals into carrying out a particular act, most often to transfer money. Indeed, funds transfer fraud as a result of a social engineering scam is CFC’s primary source of cyber insurance claims, making up 30% of claims by volume last year, and it’s on course to rise again for 2018.

How it happens

How fraudsters gain access to business email accounts can vary, but we find that the two primary ways are through phishing scams – where an employee is tricked into entering their credentials onto an external site – or through reused credentials. With the average number of online accounts registered to a single email address sitting at 118 in the UK, it’s no surprise that individuals use the same password across multiple accounts.2 However, this means that if one set is compromised, multiple accounts are then vulnerable to attack, which is leading to a steady incline in BEC.

Once in the system, hackers study their victim’s email exchanges to determine the most convincing way they can steal cash. These generally take three forms:

•Aptly named CEO fraud, the hacker poses as a company executive and sends an email to an employee in finance, where they instruct them to transfer money to an account that they control.

•Called account fraud, hackers falsify emails to clientele asking for payment. Oftentimes, these emails explain that the business has changed its account details and asks for future payments to be made to a new account that is under hacker control.

•Similar to account fraud and often focused on companies with foreign suppliers, invoice fraud occurs when fraudsters change the payment details on outbound invoices, redirecting payments to their own accounts. The compromised business may not become aware of the issue until they follow up to check the status of the payment.


One of the major complexities that arises with these attacks is determining who’s at fault. Aside from CEO fraud, which generally targets other employees within the compromised organisation, many of these attacks cause financial losses for business partners rather than the business that was originally hacked. Although some responsibility lies with these third parties to perform due diligence when making payments, some emails are so convincing – even containing altered phone numbers that direct queries to the fraudsters – that it can be very difficult to tell if something is amiss. In addition, the post-GDPR world has muddied the waters when it comes to these types of cyber events. Although it’s generally clear that the intent of BEC attacks is to steal money, accessing emails often means that hackers are privy to sensitive information. In many cases, BEC that results in funds transfer fraud will fall beneath the GDPR’s ‘risk of harm threshold’ and a business will not be required to report the breach because it is highly unlikely that harm will come to the rights and freedoms of anyone involved. Nevertheless, digital forensic investigators will be required to determine how many emails were accessed and to what extent – for example, if an IMAP connection was established and a download of email was noted – and legal advice will need to be sought in order to ensure compliance.

How to prevent it

Whilst you can never totally eliminate the risk of business email compromise, the good news is that there are a number of ways for businesses to mitigate the risk. These include:

•Implementing call back procedures to ensure that whenever a new payee account is set up or a change of account is requested, the request is validated by having a member of the finance department call the person or company requesting the change on a pre-verified number to confirm that it is legitimate;

•Setting up multi-factor authentication on email accounts so that an additional verification step is in place for any external connection to email, such as a code generated by a mobile app or through an SMS message; and

•Training employees to recognise scams. A number of educational tools are available that can help protect businesses from social engineering attacks, including those that allow businesses to send out fake phishing emails to test employees and better prepare them for a real life incident.
Even with risk management measures such as these in place, however, it’s nearly impossible for any business to be completely impervious to these kind of attacks. Cyber insurance can help protect businesses that have themselves been hacked, as well as the businesses that unintentionally transfer money to fraudulent accounts after receiving a forged email.

Related News

  • Interviews

    Delivery model

    by Mark Rowe

    As customers demand more cost-efficient, high quality security services, and as more technical and varied security risks arise, several UK security providers…

  • Interviews

    CCTV guidance

    by Mark Rowe

    The Surveillance Camera Commissioner, Tony Porter, has issued guidance setting out the responsibilities of owners and installers of CCTV in relation to…

  • Interviews

    Research on excellence

    by Mark Rowe

    What are the most important characteristics of an excellent corporate security department? What makes an excellent security supplier? These are among the…


Subscribe to our weekly newsletter to stay on top of security news and events.

© 2024 Professional Security Magazine. All rights reserved.

Website by MSEC Marketing