LinkedIn Facebook Twitter Email

Managing cyber risk: business email compromise attacks

David Standish, VP, Global Cyber Claims Lead, Liberty Mutual Insurance & Vivian Freedman, SVP, Chief Claims Officer, Financial Lines, Liberty Mutual Insurance

Managing cyber risk: business email compromise attacks

In a business email compromise (BEC) cyberattack, a scammer accesses a user’s business email account to access the information within the user’s account and, more frequently now than ever before, exploits the user’s connections and reputation in order to trick the user’s colleagues, clients, customers, and other contacts into sending them money or confidential information. Victims can stand to lose confidential data, intellectual property, their identities, and millions of dollars.

With more than 20,000 related complaints filed to the FBI in 2022 alone, BEC has become one of the most widespread and lucrative forms of online crime. Institutions should learn to recognize it and help protect themselves.

A fraud with many faces

BEC scammers typically pose as a trusted figure, sometimes even backed by fake websites or fraudulent business registrations in the figure’s name around the world. A scammer then might target:

  • Accounts payable, to ask the victim to pay a fake bill or divert a legitimate payment to another account, in what’s called a false invoice scheme
  • Finance, to identify and target a company’s suppliers
  • Leadership, by impersonating a CEO or other senior figure
  • Clients, especially through impersonating lawyers
  • Human resources, to steal more identities to set up further scams

The common denominator for all of these variations is email, which is the starting point for 91 percent of cyberattacks.  

Small attacks with large consequences

Even a small BEC attack can cause significant damage. A single compromised email account may contain terabytes of information. Understanding what has been compromised can involve hiring a cyber forensics vendor to track every attachment the account has sent or received. Depending on the vendor and amount of data for manual review, costs can easily spiral into the millions of dollars.

A successful BEC attack can lead to other costly consequences:

1. To the bottom line

From false invoices and diverted payments to fake accounts, cybercrime can be lucrative. Evaluating and remediating the results of an attack can be costly as well. 

2. To reputation

Even the reasonable belief that the unauthorized access or acquisition of protected information has taken place can trigger a variety of data-breach notification laws and contracts. That can leave a company responsible for notifying hundreds or thousands of their customers, partners, or employees of their error — even those whose information might still be secure, spreading the impact to the company’s reputation and relationships. Regulators interpret data-breach notification laws strictly, and because of logging and licensure regulations, organizations may lack access to the evidence needed to prove which information is still safe.

3. To future security

Cybercriminals can use data collected from a BEC to launch other attacks, stealing HR information to identify other targets, or credentials to access other systems in the future, or even intellectual property to leak to the public.

New attacks, new attackers

In recent years, there has been a steady uptick in BEC claims, particularly those involving false invoicing and the misdirection of funds to scammers. According to the FBI’s Internet Crime Report, the Bureau’s Internet Crime Complaint Center (IC3) received 21,832 BEC complaints in 2022, with more than $2.7 billion in adjusted losses. This is an increase compared to both 2021, with 19,954 complaints and $2.4 billion in losses, and 2020, which saw 19,369 complaints and losses of $1.8 billion.

Other trends include an increase in targeting victims’ investment accounts instead of traditional bank accounts. According to the report, “[t]here was also an increasingly prevalent tactic by BEC bad actors of spoofing legitimate business phone numbers to confirm fraudulent banking details with victims.” Due to the rise in remote work provoked by the COVID-19 pandemic, criminals are increasingly using virtual meeting platforms to conduct BEC-related scams.

The profile of the BEC attacker is evolving as well. Successful ransomware attacks are trending down due to ransomware readiness and resiliency efforts by targets, and BECs are on the rise. As opposed to the relative sophistication of ransomware, BEC requires significantly less effort on the part of the hacker. While ransomware complaints were down 36 percent from 2021 to 2022, BEC complaints continue to rise yearly. Globally, attackers made some $2.7 billion from BEC attacks in 2022 versus the $34.3 million yield for ransomware.

Helping stop BEC in its tracks

Fortunately, there are ways to help protect yourself and your institution from dangerous BEC attacks. The FBI makes recommendations for individuals that can be helpful for companies looking to institute data hygiene practices, including:

  • Use multifactor authentication. This multistep authentication process requires users to enter more than just a password. These extra steps may include a fingerprint, a code, or a secret question. Set it up on any account that allows it, and never disable it.
  • Be careful with sharing personal information online. By openly sharing things like pet names, schools attended, links to family members, and birthdays, employees can give a scammer all the information they need to guess your password or answer your security questions.
  • Don’t click on anything you don’t recognize. This includes links in unsolicited emails or texts asking you to update or verify account information or unexpected attachments. If you’re unsure if a request is legitimate, look up the company’s phone number on your own (don’t use the one a potential scammer provides) and call directly.
  • Carefully examine the email address, URL, and spelling used in correspondence. Scammers use slight differences to trick your eye and gain your trust.
  • Be careful with what you download. Never open an email attachment from someone you don’t know and be wary of email attachments forwarded to you.
  • Verify payment and purchase requests. Do so in person if possible or by calling the person to ensure it is legitimate. Also, verify any change in account number or payment procedures with the person making the request. Be especially wary if the requestor is pressing you to act quickly.
  • Set up a dedicated invoicing process. This would include a standardized, multistep procedure for updating bank accounts and other information and validating such changes with the other organization. Establishing such a process avoids ad-hoc emails directing modifications that can easily be falsified or tampered with. 
  • Train employees to recognize common BEC tactics. Train employees frequently, not just once a year, and establish internal processes to verify requests and report suspicious activity — a known tactic in helping organizations reduce risk.
  • Use a subscription service. Utilizing a service like Microsoft Defender for Office 365, you can automatically check email authentication standards, detect spoofing, and send emails to quarantine or junk folders. You can also use AI to model each person’s normal email patterns and flag unusual activity. With Threat Explorer, you can investigate threats, find out who’s being targeted, detect false positives, and identify scammers. And with Spoof Intelligence, you can check domain-wide email patterns and highlight unusual activity with advanced algorithms.

A partnership for protection

Leveraging information hygiene and best practices can keep BEC scammers at bay. So can partnering with your insurance partner for cyber insurance protection. With a cyber insurance policy, BEC victims experiencing a covered loss can reach out to their carrier or a vendor trained to respond to BEC incidents and minimize business interruption losses, including extra expenses and financial impact from lost revenue.

Liberty Mutual’s dedicated underwriters, close partnerships with our clients and brokers, and expert mitigation and claim resources help us deliver cyber liability solutions appropriate to the individual needs of companies across geographies and industries.

This website is general in nature, and is provided as a courtesy to you. Information is accurate to the best of Liberty Mutual’s knowledge, but companies and individuals should not rely on it to prevent and mitigate all risks as an explanation of coverage or benefits under an insurance policy. Consult your professional advisor regarding your particular facts and circumstance. By citing external authorities or linking to other websites, Liberty Mutual is not endorsing them.