"Business email compromise is the number one cyber-crime, period – there is no sugarcoating it. It's an international, global problem with victims in over 90% of countries in the world – that's the scale we're operating at," says Ronnie Tokazowski, principal threat advisor at cybersecurity company Cofense.
BEC attacks are built on using social engineering to trick victims into transferring a payment to cyber criminals. Often scammers will pose as a colleague, a client, your boss or a business partner to make their request seem legitimate.
There are two main ways in which scammers attempt financial BEC frauds. The first is by sending emails from a spoofed account pretending to be someone you know, with a request to make a transfer.
The other is more sophisticated, with attackers stealing usernames and passwords to break into legitimate email accounts and using those accounts to make their requests for funds. Sometimes this happens midway through a real conversation, which makes it seem even more plausible in what's called a conversation-hijacking attack.
In each case, the scammer asks for a payment to be made urgently. Often, in order to hurry things along, they claim that the payment must be made quickly and that it also should be kept a secret, telling the potential victim that disclosing the transaction could put a business deal at risk.
The payment, of course, is in reality sent to an account owned or controlled by the cyber criminals. By the time anyone notices something is wrong, it's likely the scammers have withdrawn and made off with the money, either spending it or laundering it elsewhere.
The sums transferred as part of BEC attacks can be in the hundreds of thousands of dollars. But they're often not reported, because many businesses that fall victim don't class it as a cybersecurity issue – and when it is reported, because money is involved, it gets reported to finance.
"Business email compromise hasn't gotten the attention it deserves as a potential attack because, for the longest time, it's not been a security issue," says Adenike Cosgrove, cybersecurity strategist at Proofpoint.
"They're not going to the security team, they're going to the finance team – and it's escalated to the CEO or CFO and then becomes a legal and financial issue, not a security issue," she adds.
Even the most basic BEC campaigns can rake in thousands of dollars. And all a scammer needs to start BEC campaigns is an email account and some targets to go after – and if you're going to pose as the CEO of a particular company, that information is extremely easy to find by just using a search engine.
"In many cases with BEC attacks, one of the biggest benefits with doing those attacks is there's much less overhead from a business perspective than other types of cyberattacks," says Crane Hassold, director of threat intelligence at Abnormal Security.
"In a lot of cases, it's basic research and then simply sending emails impersonating people, so the return on investment for BEC attacks is significantly higher than other types of cyberattacks," he adds.
In some cases, malware or phishing might be used to steal login credentials to take control of a legitimate account to exploit, but a lot of the time, it's enough to just spoof the email of the boss or CEO that the scammer is pretending to be.
"It's really leveraging a human element, socially engineering people, and I think again we forget in cybersecurity that it really is a human problem – it's a people problem," says Cosgrove.
That's one of the things that makes BEC attacks so challenging – when the transaction is being made, it isn't being made by a cyber criminal. The payment is being made by someone who thinks they're doing the right thing with the information they're being provided with.
As a result, victims often feel shame and embarrassment that they've been tricked – and that makes them less willing to talk about the experience, even if doing so could help stop others making the same expensive error.
"In order to address it, we actually have to take a step back and acknowledge there's a lot of shame that goes into this," says Tokazowski. "Because of the shame, many of them don't want to come forward."
Another complicated element around BEC attacks is that, in some cases, the company that gets duped into transferring a payment has never itself actually been breached by cyber criminals – instead it is one of their clients, customers or business partners that have either been impersonated or have had their system breached.
"At the end of the day, the company that is sending money, that is losing money, actually doesn't have any control over that initial compromise which is, I think, one of the most concerning aspects of this whole trend," says Hassold.
BEC attacks are easy to carry out but difficult to detect and stop – that's why they're so successful and why scammers are making such large amounts of money from attacks.
And while it's a major form of cyber crime, it isn't really a technical problem, it's a people problem – people with good intentions are tricked into transferring funds that they think are being requested for legitimate reasons.
While there are measures that can be taken to help prevent accounts from being compromised to conduct attacks – like using multi-factor authentication – and policies that can be put in place to ensure that several people should be part of the process to authorise payments, one of the best things that can be done to help detect BEC attacks is raising awareness about the issue.
And it's vital that businesses provide a framework for staff – who worry that they may have been duped by a BEC attack – to come forward repercussion-free, so that incidents can be reported and acted upon to help people understand what they need to look out for.
"We need to shift away from victim blaming," says Cosgrove. "We want them to very quickly tell us if they see something that they think is suspicious, or if they did click on that link or send the data or wire the money.
"We want them to very quickly tell us so that we can respond much more quickly – it's not about victim blaming. It's about having that additional source of intelligence," she said.