Business Email Compromise (BEC), also known as CEO Fraud, is when criminals use email to infiltrate a business’ processes to scam them out of money or goods and services.
Hackers either impersonate an executive staff member (quite often the CEO or CFO) and request money transfers from the finance department, or they gain access to legitimate email accounts to commit their scams, which is also known as Email Account Compromise (EAC). This is a very profitable type of scam, as it only needs to succeed a few times to provide a return on investment.
In June 2020, the Australian Competition and Consumer Commission (ACCC) reported that in 2019, BEC attacks cost companies in Australia AUD $132 million. Statistics from statista.com show that the countries most targeted by BEC were the US, followed by Australia and the UK.
According to securityboulevard.com, the FBI’s Internet Crime Complaint Centre (IC3) compiled its ‘2019 Internet Crime Report’ from all complaints registered that year (467,361); reported losses exceeded $3.5 billion, with Business Email Compromise (BEC) and Email Account Compromise (EAC) accounting for $1.7 billion of that.
How it works
There are many methods that hackers use to carry out BEC scams.
‘Impersonation’ and ‘Spoofing’ are the most common types of BEC. The hacker will send an email pretending to be a staff member or executive. The email might: come from a similar domain that has been registered specifically to carry out the scam (so the sender’s email address seems legitimate); be spoofing the legitimate domain (so the “From” email address matches exactly); or simply be from a Gmail or Hotmail account set up to use the impersonated person’s name in the “From” field.
The criminals will usually send a few emails back and forth to build rapport or trust – How was your weekend? Are you looking forward to some time off at Christmas? – but eventually there will be an urgent request to make a payment to a different bank account, or to purchase gift cards or iTunes cards and send them the card details. It is always urgent, and quite often a reason is given for bypassing the normal validation processes. They might also state that they are in a meeting and can’t be disturbed (to stop the employee checking the request by phone first), or they may ask the employee to keep quiet about the request because a surprise is planned. Because the employee believes they are communicating with a company executive, they are less likely to question what they are being asked to do.
Criminals have also impersonated employees and contacted the HR department, requesting that their pay be sent to a different bank account. Conversely, the email may pretend to be from the HR or IT department and ask employees to update their personal or login details.
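As an added illustration (not part of the original article), a small Python triage function that checks an inbound message for the signs described above: a known executive's display name on a free-webmail or otherwise foreign domain, a look-alike domain a character or two away from the real one, and the urgent payment or gift-card wording of the final request. It also checks for a Reply-To address that differs from the visible sender, the usual tell when the From address has been spoofed exactly; the company domain, the protected names and the three sample messages are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"     # assumption: the defended organisation's mail domain
IMPERSONATED_NAMES = {"jane doe"}  # assumption: display names of executives to protect
PAYMENT_PHRASES = ("gift card", "itunes", "new bank account", "urgent",
                   "in a meeting", "keep this between us")

def edit_distance(a, b):
    # Plain Levenshtein distance, used to spot look-alike sender domains
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw_message):
    # Return the BEC warning signs found in one RFC 5322 message
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    # Known executive's display name on a free-webmail or otherwise foreign domain
    if name.lower() in IMPERSONATED_NAMES and domain != COMPANY_DOMAIN:
        flags.append("display-name-impersonation")
    # Domain registered to resemble ours (one or two characters off)
    if domain != COMPANY_DOMAIN and edit_distance(domain, COMPANY_DOMAIN) <= 2:
        flags.append("lookalike-domain")
    # Replies silently routed to a mailbox other than the visible sender
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and reply_addr.lower() != addr.lower():
        flags.append("reply-to-mismatch")
    # Urgent payment / gift-card language typical of the final request
    body = "" if msg.is_multipart() else msg.get_content().lower()
    if any(p in body for p in PAYMENT_PHRASES):
        flags.append("urgent-payment-language")
    return flags

# Constructed sample messages, not real traffic
GMAIL_IMPERSONATION = ('From: "Jane Doe" <jane.doe.ceo@gmail.com>\nTo: finance@example.com\n'
    "Subject: Quick favour\n\nI'm in a meeting, please buy 10 iTunes gift cards and "
    "send me the codes today. Urgent.\n")
LOOKALIKE_DOMAIN = ('From: "Jane Doe" <jane.doe@examp1e.com>\nReply-To: <accounts@examp1e.com>\n'
    "To: finance@example.com\nSubject: Supplier details\n\nWe have a new bank account.\n")
LEGITIMATE = ('From: "Jane Doe" <jane.doe@example.com>\nTo: finance@example.com\n'
    "Subject: Weekend\n\nHow was your weekend?\n")
```

Calling bec_indicators on each sample returns the flags raised for it; the legitimate message returns an empty list, and any non-empty list is a reason to verify the request out of band before acting on it.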
Gaining access to legitimate email accounts (EAC) is also a very common attack method, and the risks that come with it are huge. Criminals resend invoices to clients stating that the company has new bank account details. In this case, the client pays the money into the hacker’s account instead of the legitimate company’s account. This exact type of attack was reported in Australia in November 2020, and AUD $51,000 of sub-contractor payments was lost forever.
To steal goods and services, criminals intercept orders made by the company, and change the delivery addresses. If the attackers gain access to an Office 365 account, they will often set up automatic forwarding, moving, or deletion rules to allow them to obtain useful information, while remaining undetected.
Who is at risk?
All types of businesses are at risk. At FraudWatch International, we have seen examples of large corporates, charities and even sole-traders being targeted with these types of scams.
BEC targets the people within an organisation in order to steal money, data or confidential information: anyone of seniority in the organisation, or anyone who has access to the transfer of company funds.
BEC attacks rely heavily on social engineering tactics. Names, job titles and email addresses are obtained from LinkedIn profiles, company websites and similar sources, and used to target the employees who have access to the company bank accounts.