Understanding the Four Business Email Compromise Attack Types

What is Business Email Compromise?

Business Email Compromise (BEC), also sometimes referred to as email account compromise (EAC) or vendor email compromise (VEC), is a type of phishing attack that takes advantage of an existing relationship between a victim and an organization. These scams, which fall into the four BEC attack types outlined below, typically do not involve any malware or executable payloads. Instead, they rely on social engineering to trick individuals into performing financial transactions.

Cloudflare Area 1 currently protects more than 10 million end users and, in 2021, blocked more than 40 million phishing campaigns. Although BEC attacks represented a minimal footprint (less than 5% of Area 1-identified phishing emails), BECs are some of the most costly cyberattacks. The FBI’s Internet Crime Complaint Center (IC3) reported that BEC cost U.S. businesses more than $2 billion last year, losses these businesses absorbed as a cost of doing business but should not have had to.

But why is BEC so difficult to detect?

BECs create very low signals that don’t rise to the top of a defender’s alert list, and tend to blend in with the usual noise of corporate network traffic. Without integrated email security built to stop targeted campaigns, BEC attacks can unfortunately stay undetected until they cause real monetary loss. Additionally, there are different BEC attack types that evade different email security technologies. 

It’s important to understand the different BEC attack types in order to guide your email security strategy. Although well-known “Type 1” and “Type 2” BEC attacks (like notorious “gift card scams” via external spoofed emails or internal account takeovers) persist, the more targeted “Type 3” and “Type 4” BECs can comprise much lengthier “long con” campaigns that exploit vendors and supply chain partners (and even involve compromising your partners’ partners!).

The Four Types of BEC

When analyzing BECs that threaten organizations’ inboxes, Area 1 describes the types of BEC phishing fraud in four categories as follows: 

Type 1 BEC: Spoofed Executive Sender or Domain

These external spoofed emails are fairly simple scams that use an executive as a lure. The attacker spoofs the name of a CXO, the target company’s domain, or both. Then, posing as the executive, the attacker asks an employee to perform a financial transaction such as wiring money or purchasing gift cards.

Type 2 BEC: Compromised Employee Account

A step up in sophistication, this type of internal account takeover BEC uses a compromised employee as a lure. By taking over an actual employee’s account (typically through stolen passwords), the attacker poses as the employee and asks a colleague (the victim) to help complete a financial transaction. 

Type 3 BEC: Spoof Impersonating Vendor / Supplier

Similar to the first BEC type, Type 3 BECs spoof (or take over the account of) a supplier or vendor with an existing relationship to the target organization. Since the spoofed sender is outside of the organization, unwary victims may not notice the telltale signs of a spoof.

Type 4 BEC: Compromised Vendor / Infiltrated Supplier 

We’ve seen that the most advanced type of BEC, Type 4 BEC or supply chain phishing, can take months to execute. These advanced attacks first compromise a supply chain partner or vendor through one or more email account takeovers. The attacker silently observes legitimate email threads, then injects themselves into the conversation at the right moment, pivoting payment requests to an attacker-controlled account. In some of these supply chain BEC attacks, the victim may not even know they suffered financial losses until a future audit. Example steps in a Type 4 BEC scam are illustrated below:

Four Common Reasons BEC Evades Legacy Defenses

A combination of characteristics allows BECs of all types to fly under the radar of many traditional email security systems. Here are four reasons in particular why BECs are difficult to detect:

  1. BECs use social engineering instead of malware
    Instead of using malicious links or payloads, BECs are usually short, text-only messages. They rely on our tendency to follow social etiquette, like lending a hand to a coworker, or power dynamics, like complying with an urgent request from an executive, to trick victims into sending money to fraudulent accounts.
  2. BEC attackers use legitimate domains
    Attackers take advantage of free or low-cost email domains, such as Gmail, to send BEC phishing emails. It’s also inexpensive for an attacker to purchase a legitimate “lookalike” domain similar to their target victim’s domain. With cloud-based email, attackers don’t even need to host their own infrastructure for these scams.
  3. BECs are low volume but highly targeted
    Our 2021 Email Threat Report showed that BECs made up only 1.3% of attacks and an even smaller percentage of total email volume. However, BECs are extremely targeted. Attackers research targets and intended recipients to craft messages that appear personal and legitimate.
  4. Your trusted vendors / suppliers don’t know when they have been compromised
    In BEC attacks that leverage account takeovers, the target victim and their (trusted but compromised) supply chain partner typically do not know accounts have been compromised. In these attacks, the bulk of the messages in a conversation thread are benign. The recipient (in this case your vendor and other supply chain partners) may only become suspicious when the attacker subtly hijacks the thread to divert payment. This can be easily missed by both humans and conventional email security systems. 

What’s Needed to Successfully Stop BEC Attacks?

While some BECs can be spotted by careful users, sophisticated BECs require advanced anti-phishing and active fraud detection techniques. Small variations in details matter, especially in BECs that involve partner account takeovers, since the attacker already has a valid login and the privileges that come with it.

For Type 3 and Type 4 BEC attacks in particular, which depend on exploiting your partners’ vulnerabilities (over which you have little control or visibility), consider applying zero trust principles to all communications across your organization’s entire network.

Gartner’s “Protecting Against Business Email Compromise Phishing” report (ID: G00716389) is also a great resource that provides recommendations on technologies and processes for protecting against different BEC attack types.

At Area 1, we use the following techniques, among others, to detect and stop all BEC types and targeted phishing. Check if your email security solutions also offer these to help keep your organization’s inboxes BEC-free:

Sentiment Analysis

Analyzing message tone, relationship(s) between the sender and recipient(s), and relationship hierarchies in addition to message context and intent. 

Conversation Thread Analysis

Looking at intent and relationships within entire conversation threads, not just individual messages. Analyzing nuances such as variation in message(s) within a thread to detect account takeovers and hijacked conversations.
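Two of the signals described on this page, a lookalike sender domain (reason 2 above, and the Type 1 / Type 3 spoof) and payment details that change mid-thread (the Type 4 hijack this section targets), can be expressed as simple heuristics. The following is an added illustration, not Area 1’s detection code; the trusted domains, the similarity threshold and the sample thread are all constructed for the example.

```python
import re
from difflib import SequenceMatcher

# Constructed: domains the organization already trusts (its own plus a known vendor).
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
LOOKALIKE_THRESHOLD = 0.8  # assumed tunable for this example, not a vendor setting
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b")
ACCOUNT_RE = re.compile(r"\baccount\s*(?:no\.?|number|#)?\s*:?\s*(\d{6,})\b", re.I)

def lookalike_domain(sender_domain, trusted=TRUSTED_DOMAINS):
    """Trusted domain that sender_domain nearly matches (the Type 1 / Type 3
    spoofing signal), or None. An exact trusted domain is not a lookalike."""
    sender_domain = sender_domain.lower()
    if sender_domain in trusted:
        return None
    for t in trusted:
        if SequenceMatcher(None, sender_domain, t).ratio() >= LOOKALIKE_THRESHOLD:
            return t
    return None

def payment_details(body):
    """Bank identifiers (IBANs or 'account number NNNNNN') mentioned in a body."""
    found = set(IBAN_RE.findall(body))
    found.update(m.group(1) for m in ACCOUNT_RE.finditer(body))
    return found

def assess_thread(thread):
    """thread: list of {'from': address, 'body': text}, oldest first. Returns
    (index, reason) pairs for any message sent from a lookalike domain and for a
    message that replaces payment details established earlier (Type 4 hijack)."""
    findings, seen_details = [], set()
    for i, msg in enumerate(thread):
        domain = msg["from"].rsplit("@", 1)[-1]
        target = lookalike_domain(domain)
        if target:
            findings.append((i, f"sender domain {domain!r} resembles trusted {target!r}"))
        details = payment_details(msg["body"])
        if seen_details and details and not details <= seen_details:
            findings.append((i, "payment details changed mid-thread"))
        seen_details |= details
    return findings

# Constructed sample thread: a genuine vendor invoice, then 'new bank details' sent
# from a lookalike vendor domain (capital I in place of the l in 'supplies').
SAMPLE_THREAD = [
    {"from": "billing@acme-supplies.com", "body": "Invoice 1042 attached. Please pay to account number: 12345678 as usual."},
    {"from": "ap@example.com", "body": "Thanks, scheduled for Friday."},
    {"from": "billing@acme-suppIies.com", "body": "Our bank changed. Please use IBAN GB29NWBK60161331926819 from now on."},
]
```

Running `assess_thread(SAMPLE_THREAD)` flags only the third message, on both counts; the benign first two messages, which is where most of a hijacked thread sits, produce no finding, which is the point the section makes about judging the thread rather than each message alone.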

Sender Trust Graphs

Analyzing partner social graphs and sending history to map risk exposure and trust relationships to detect account takeover and partner impersonations. 

Active Fraud Verdict Escalations

Escalating and notifying organizations of potential fraudulent communications happening in real time. Automatically blocking/quarantining/retracting malicious messages and kicking off review processes. 

To learn more about BEC attack trends, download the “How to Stop Business Email Compromise Threats” ebook here.