Business Email Compromise: Taking the Keys to the Kingdom

Email has become an integral piece of everyday business communications and payments. This has helped tremendously with convenience, but it has also created a critical point of weakness if exploited. Compromising an email account has become the equivalent of handing threat actors the keys to the kingdom.

Business email compromise (BEC) has become an increasingly large problem for organizations. From 2013 to 2023, $55 billion in losses from business email compromise were reported to the FBI (https://www.ic3.gov/PSA/2024/PSA240911).

But what exactly is BEC?

Business email compromise is a type of scam in which a cybercriminal tricks someone into sending money or sensitive information by using email to pretend to be a trusted person (such as a boss or coworker). Not every BEC involves unauthorized access to an email account, but that is the variant I will be focusing on. This is a large issue that is only getting worse.

Examples of the Dangers of BEC
In my career in cyber insurance, this is something I see happen to organizations first hand on a regular basis. In one organization, one of their users' email accounts was compromised and leveraged to gain access to other, more important applications. The attacker was able to get into the organization's financial software and change all of the vendors' routing numbers to their own. They were also able to access the HR software as the compromised user, change that user's direct deposit information, and redirect the employee's paycheck to themselves.

Another organization had a business email compromise that allowed an attacker to misdirect a legitimate invoice for a home that was being built for a customer. The attacker sent the invoice to the customer directly from the company's own email account, making it difficult to discern as fraudulent. The customer then sent the payment of over $100k to the attacker.

But Whose Fault is It?

It is also not always clear cut who is liable for the loss of $100k in this situation. There is very little case law surrounding this issue, which is part of what makes it such a gray area. However, we do have some cases to reference. Prosper Florida Inc v SpicyWorld is an interesting example of a case about legal liability for business email compromise. Who would have thought black pepper shipments would be targeted? It is a very interesting case that I would recommend reading about here: https://murray-lobb.com/prosper-florida-inc-v-spicy-world-of-usa-inc/. Factors such as negligence on the part of the business whose email was compromised are weighed in determining liability, and negligence is not always easy to define. Another great article detailing some of these legal liability considerations is available from McDonald Hopkins, a leading law firm in the data privacy space: https://www.mcdonaldhopkins.com/insights/news/businesses-beware-business-email-compromise-liability


Other Considerations

I have seen many of these cases involve misdirected legitimate invoices. However, something organizations often overlook once funds have been impacted is the other sensitive information exposed by unauthorized access to email. I have seen items such as social security numbers contained in email that were potentially accessed by attackers. This highlights the importance of a good computer forensics partner in a BEC: one who can tell you exactly which emails were accessed and ensure that the attacker does not retain persistent access to the mailbox. A good legal partner is also important to help determine what kinds of notice you may need to provide when sensitive data may have been impacted. These events can spiral quickly.


Continued Evolution

We are also seeing attackers get creative with the kinds of items they look to misdirect to themselves as the result of a business email compromise. They are not only looking to make off with a fraudulent transfer; they are targeting physical property as well. We have seen goods such as a large shipment of copper wire be misdirected. This has also become a growing concern for the trucking industry, where a business email compromise has allowed attackers to fraudulently pick up loads meant for a legitimate motor carrier.


Protections

Some small changes can go a long way in helping to secure email accounts: 

  • Use a strong, unique password for your email account.

  • Turn on MFA for access to your email. Bonus points for using something like a hardware token to log in to your email.

  • Where possible, do not use email-based MFA for other accounts. If your email is compromised, it can be used to reset all of your other accounts.

  • Monitor login activity for unusual access attempts.

  • Be careful opening strange emails from unknown senders. Phishing is a common way to gain initial access to email, and email filtering can go a long way. Bonus points for opening all emails in an isolated sandbox environment.
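To make the "monitor login activity" item concrete, here is an added example (not code from the original post) that scans a constructed email sign-in log for two signals worth a second look: a success that follows a burst of failures from the same source address, and a first-ever sign-in from a country the user has not used before. The log format, addresses and thresholds are assumptions for illustration; a real baseline of known-good countries would come from history, not from the same log being scanned.

```python
# Added example: flag suspicious email sign-ins in a constructed log.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, source IP, country, result.
SAMPLE_LOG = """\
2024-05-01T08:02:11Z alice@example.com 203.0.113.10 US success
2024-05-01T12:45:03Z alice@example.com 203.0.113.10 US success
2024-05-02T03:10:41Z alice@example.com 198.51.100.7 NG failure
2024-05-02T03:10:55Z alice@example.com 198.51.100.7 NG failure
2024-05-02T03:11:08Z alice@example.com 198.51.100.7 NG failure
2024-05-02T03:11:30Z alice@example.com 198.51.100.7 NG success
2024-05-02T09:00:00Z bob@example.com 192.0.2.44 US success
"""

def parse(log):
    """Turn the whitespace-separated log lines into event dicts."""
    events = []
    for line in log.splitlines():
        ts, user, ip, country, result = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "country": country,
                       "result": result})
    return events

def find_suspicious(events, max_failures=3, window=timedelta(minutes=10)):
    """Return (timestamp, user, reason) alerts, in log order."""
    seen_countries = defaultdict(set)   # user -> countries seen succeeding
    recent_failures = defaultdict(list)  # (user, ip) -> failure timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        if ev["result"] == "failure":
            recent_failures[key].append(ev["ts"])
            continue
        # A success: check for a preceding burst of failures in the window.
        fails = [t for t in recent_failures[key] if ev["ts"] - t <= window]
        if len(fails) >= max_failures:
            alerts.append((ev["ts"], ev["user"],
                           f"success after {len(fails)} failures from {ev['ip']}"))
        recent_failures[key] = []
        # First success from a country not in this user's baseline.
        if seen_countries[ev["user"]] and ev["country"] not in seen_countries[ev["user"]]:
            alerts.append((ev["ts"], ev["user"], f"first sign-in from {ev['country']}"))
        seen_countries[ev["user"]].add(ev["country"])
    return alerts

if __name__ == "__main__":
    for ts, user, reason in find_suspicious(parse(SAMPLE_LOG)):
        print(ts.isoformat(), user, reason)
```

On the sample data this raises two alerts for alice's 03:11:30 sign-in and none for bob, whose single US sign-in only establishes his baseline.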

Be Prepared

It is also crucial to incorporate business email compromise into your incident response plan. Know the steps to take and who needs to be contacted within the organization when something like this occurs. Remember that if any funds are impacted, contacting the bank first and foremost is key to potentially recovering any amounts.
