Preventing business email compromise (BEC) attacks and scams

BEC is a sophisticated type of attack that targets organizations through email. Attackers impersonate trusted individuals within your company, like executives, vendors, or colleagues, to manipulate employees into actions that benefit the attacker. This could range from divulging organizational/personal information to sending money.

BEC is one of the most prominent attack vectors around today, and it continues to increase year-over-year. Unfortunately, small businesses and managed services providers (MSPs) tend to be prime targets for BEC. Here's a recent example uncovered by the Todyl team.

The facts on BEC:

  • BEC, account takeover (ATO), and Adversary-in-the-Middle attacks surged 558% across observed businesses in 2024 (Todyl)
  • BEC breaches cost businesses an average of USD 4.89M in associated losses (IBM)
  • Email was the second-highest action vector in breaches at 27% (3,292) of the 12,195 confirmed breaches (Verizon)
  • 60% of breaches involved a human element (Verizon)

Every organization needs both strong security programs and high organizational awareness to defend against this pervasive threat. In this blog, we’ll explore how BEC attacks work and how to implement best practices to protect your organization.

How does a business email compromise attack work?

BEC attacks utilize a complex web of social engineering and impersonation to achieve their goals. Here's a breakdown of how they typically work:

Phase one: research and planning

  1. Target selection: Attackers research the organization, identifying key personnel (CEO, CFO, HR) and their communication patterns.
  2. Information gathering: They collect details like email addresses, titles, ongoing projects, supply chains, and internal protocols. Attackers often farm this information through social media, data leaks, or even malware infections.
  3. Spoofing preparation: Attackers create phony email accounts using similar names or domains to mimic the targeted employee's email address.

Phase two: impersonation and manipulation

  1. Initial contact: The attacker sends fraudulent emails using the spoofed email address. They pose as the chosen target and mimic their writing style.
  2. Building trust: They leverage research to personalize the email, mentioning specific projects, colleagues, or deadlines to establish credibility.
  3. Creating urgency: The attacker fabricates a scenario requiring immediate action, like a confidential payment, urgent change in bank details, or sensitive information request.
  4. Exploiting emotions: They use social engineering tactics like deal loss, job security concerns, or appeals to authority. These manipulate the victim into complying.

Phase three: execution and exploitation

  1. Compromising the victim: If the victim takes the bait, the outcome can take several forms. These may include authorizing fraudulent payments, sharing sensitive data, or unknowingly changing financial details to attacker-controlled accounts.
  2. Taking over email accounts: A successful BEC gives attackers access to the victim's email account. Using these email communication channels, the bad actor can better pose as the victim and obtain more information.
  3. Extracting funds or information: If the attacker obtains a company's bank account information, they can capitalize on it. The attacker quickly diverts the funds or uses the stolen information for future attacks.
  4. Further tactics: Beyond the immediate effects, attackers leverage BEC as a springboard for other attack types.

Recent types of BEC scams

  • CEO fraud: Impersonating the CEO to request urgent payments or changes to bank accounts and financial processes.
  • Account compromise: Hacking into a legitimate email account within the organization and using it for fraudulent activities.
  • Vendor email compromise (VEC): Compromising or posing as a vendor to request payment to a fraudulent account.
  • W-2 phishing: Targeting employees for personally identifiable information (PII) like Social Security numbers.

A BEC Case Study: Söze Syndicate

Let's dive into an example of a widespread BEC campaign perpetrated by the Söze Syndicate that was uncovered by Todyl.

What is the Söze Syndicate?

The Syndicate is a widespread crime ring whose identity attack infrastructure spans the globe. With sites in North America, Europe, and Singapore, Söze targets organizations of all sizes using email account compromises. In fact, Todyl found that approximately 65% of all attempted BEC cases across our partner base came from this group.

Söze Syndicate tactics and techniques

The group uses a "low and slow" approach, applying patience and careful planning to compromise businesses. In practice, they leverage three main procedures to carry out their actions.

  • Adversary-in-the-Middle (AitM): This approach tricks employees into logging into their email account through a phishing email. The attacker presents a fake login page, but channels the credentials into an actual one behind the scenes. Then, Söze steals the valid session token to compromise the account. They then use that account to send out invoice emails and divert funds.
  • SharePoint Phishing: This tactic uses the same setup as AitM, but pivots to target even more users. Gaining access to an employee's account, Söze sends a document through SharePoint to other users. Appearing to be from a real employee, the document tricks those users into engaging. Then, they click the link and give up their account information, spreading the Söze web.
  • Rogue Application Install: Building off these accounts, this technique relies on VPN compromise. The group logs into the company VPN using stolen credentials and downloads a copy of the user's inbox. That way, they can spy on its contents and identify new, more valuable targets. Then, using that rogue copy of the inbox, Söze sends new phishing emails to those users, posing as the employee to drive greater success.

Thankfully, the combined efforts of Todyl and our MSP partners stopped most of these attempts. But, the Söze Syndicate remains a threat, requiring constant vigilance. We'll cover how Todyl can help you identify and prevent threats like Söze and others later in this blog.

If you'd like to learn more about this investigation, read our full threat report on the Söze Syndicate.

Key differences between BEC and phishing

Both BEC and phishing attacks involve email deception aiming to steal money or information, but they have key differences:

Targets

  • BEC: Targets specific individuals within organizations, aiming for high-value transactions or sensitive data.
  • Phishing: Targets a wider audience with generic emails, aiming for broad credential harvesting or malware infection.

Methods

  • BEC: Uses social engineering techniques, impersonation, and careful research to create highly personalized and believable emails.
  • Phishing: Often relies on generic emails with urgency, fear, or curiosity triggers, sometimes using malware or malicious links.

Complexity

  • BEC: Requires significant research and planning, making each attack unique and difficult to detect.
  • Phishing: Uses automation and bulk sends, which can be easier to identify and block.

Impact

  • BEC: Can result in significant financial losses and data breaches, impacting the entire organization.
  • Phishing: Can steal individual credentials or infect devices, but the impact on the organization is often less severe.

Ultimately, phishing can be a step in a larger BEC campaign. But, BEC often represents higher impact, targeted attempts on an organization that can lead to devastating results.

How to defend against BEC attacks

BEC attacks can have an immense impact on your organization. However, proactive security measures will strengthen your defenses and make your company a much harder target. A few ways to protect against BEC include:

1. Cultivate a security-first culture

Employees are your first line of defense against BEC attacks. That's why it’s critical to train them to identify common red flags in emails. Attackers use spoofed email addresses, urgency tactics, and requests for sensitive information to trick employees. Regularly test employees with simulated phishing attacks to reinforce training and identify areas needing improvement.
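The red flags this section asks employees to recognize (a lookalike sender domain, an executive's display name on an outside mailbox, a Reply-To that points somewhere else, a message from your own domain that fails DMARC) can also be checked mechanically at the mail gateway. The following is an added example, not Todyl's code or any product's detection logic: it applies those four checks to constructed header sets. The org domain, executive names, and sample messages are assumptions made up for the example.

```python
"""Flag common BEC sender red flags in message headers (added example)."""
from __future__ import annotations

from email.utils import parseaddr

# Constructed reference data (assumptions for the example). A real deployment
# would load these from the directory and the gateway's trusted-domain list.
ORG_DOMAINS = {"example.com"}               # our own sending domain(s)
EXECUTIVES = {"Jane Doe", "Ravi Patel"}     # display names worth protecting


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small value between two distinct domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize_domain(domain: str) -> str:
    """Collapse common visual substitutions (rn->m, vv->w, digits for letters)."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans("01357", "olest"))


def check_headers(headers: dict[str, str]) -> list[str]:
    """Return the list of red flags raised by one message's headers."""
    flags: list[str] = []
    display, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()

    # 1. An executive's name on a mailbox outside the organization.
    if display in EXECUTIVES and domain not in ORG_DOMAINS:
        flags.append("exec-display-name-external-domain")

    # 2. A domain that is not ours but looks like ours.
    norm = normalize_domain(domain)
    for trusted in ORG_DOMAINS:
        if domain != trusted and (norm == trusted or edit_distance(norm, trusted) <= 2):
            flags.append(f"lookalike-domain:{trusted}")

    # 3. Replies silently routed to a different domain than the visible sender.
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-domain-mismatch")

    # 4. A message claiming our own domain that did not pass DMARC.
    auth = headers.get("Authentication-Results", "").lower()
    if domain in ORG_DOMAINS and "dmarc=pass" not in auth:
        flags.append("dmarc-not-pass")
    return flags


# Constructed sample header sets (not real messages).
SAMPLES = [
    {"From": "Jane Doe <jane.doe@example.com>",
     "Authentication-Results": "mx.example.com; spf=pass; dkim=pass; dmarc=pass"},
    {"From": "Jane Doe <jane.doe.ceo@gmail.com>",
     "Authentication-Results": "mx.example.com; spf=pass; dkim=pass; dmarc=pass"},
    {"From": "Accounts Payable <ap@exarnple.com>", "Reply-To": "ap@exarnple.com",
     "Authentication-Results": "mx.example.com; spf=pass; dkim=none; dmarc=none"},
    {"From": "Ravi Patel <ravi.patel@example.com>",
     "Reply-To": "ravi.patel@mail-example.net",
     "Authentication-Results": "mx.example.com; spf=fail; dkim=none; dmarc=fail"},
]


def scan(samples: list[dict[str, str]]) -> list[list[str]]:
    """Apply check_headers to each sample in order."""
    return [check_headers(h) for h in samples]


if __name__ == "__main__":
    for hdrs, flags in zip(SAMPLES, scan(SAMPLES)):
        print(hdrs["From"], "->", flags or "clean")
```

The checks are deliberately simple so they can run inline at the gateway; in practice they would feed a quarantine or a warning banner rather than block outright, since a legitimate vendor can trip the Reply-To check.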

2. Be proactive

Regularly review and update security measures, including employee training, technology solutions, and incident response plans, to stay ahead of evolving attack tactics. Foundational cyber hygiene is a must: enforce strong password policies to keep accounts secure. Password managers also help reinforce strong passwords since users can create many unique passwords without having to track them.

Multifactor authentication (MFA) on all accounts is also critical, adding an extra layer of security beyond passwords. This process makes it harder for attackers to gain access, even if they obtain login credentials.

3. Prioritize strong security

Consider implementing security solutions like Security Information and Event Management (SIEM) and Managed eXtended Detection and Response (MXDR). These provide broader visibility into network activity and potential threats, allowing for faster detection and response to BEC attempts.

Going a step further, seek out solutions that provide Identity Threat Detection and Response (ITDR). ITDR specifically identifies changes to and misuse of user credentials to directly stop attacks like BEC.

How Todyl protects against BEC

Business email compromise attacks are more prevalent than ever. That's why it’s crucial to implement strong security programs to combat evolving threats.

Todyl’s SIEM identifies suspicious activity on systems, apps, and infrastructure such as unusual login attempts and impossible travel. It also alerts our Managed eXtended Detection and Response (MXDR) team, allowing them to further investigate potential BEC attempts.
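"Impossible travel" is the classic SIEM signal for the account-takeover stage of BEC: two successful sign-ins for one user from locations too far apart for the time between them. The block below is an added example, not Todyl's SIEM logic or any vendor's rule. It assumes the sign-in events have already been GeoIP-enriched with latitude/longitude (a SIEM normally does this from the source IP), uses a constructed log and a 900 km/h plausibility threshold as assumptions, and ignores pairs under 50 km to absorb GeoIP jitter.

```python
"""Impossible-travel detection over GeoIP-enriched sign-in events (added example)."""
from __future__ import annotations

import json
import math
from collections import defaultdict
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # assumption: roughly airliner speed; tune per environment
MIN_DISTANCE_KM = 50.0      # assumption: ignore same-metro moves and GeoIP jitter

# Constructed sign-in events (not real data). lat/lon are assumed to come from
# the SIEM's own GeoIP enrichment of the source IP.
SIGN_IN_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "jane.doe@example.com", "ip": "203.0.113.10", "country": "US", "lat": 40.71, "lon": -74.01, "result": "success"}
{"ts": "2024-05-01T08:45:00Z", "user": "jane.doe@example.com", "ip": "198.51.100.7", "country": "SG", "lat": 1.35, "lon": 103.82, "result": "success"}
{"ts": "2024-05-01T09:00:00Z", "user": "ravi.patel@example.com", "ip": "203.0.113.22", "country": "US", "lat": 41.88, "lon": -87.63, "result": "success"}
{"ts": "2024-05-01T13:30:00Z", "user": "ravi.patel@example.com", "ip": "203.0.113.23", "country": "US", "lat": 40.71, "lon": -74.01, "result": "success"}
{"ts": "2024-05-01T09:10:00Z", "user": "sam.lee@example.com", "ip": "192.0.2.5", "country": "DE", "lat": 52.52, "lon": 13.40, "result": "failure"}
"""


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def parse_events(log: str) -> list[dict]:
    """Parse newline-delimited JSON sign-in events; timestamps become aware datetimes."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events


def detect_impossible_travel(events: list[dict], max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[dict]:
    """Return one alert per consecutive pair of successful sign-ins that implies an impossible speed."""
    by_user: dict[str, list[dict]] = defaultdict(list)
    for ev in events:
        if ev.get("result") == "success":      # only established sessions matter here
            by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > max_kmh:
                alerts.append({
                    "user": user,
                    "from_ip": prev["ip"], "from_country": prev["country"],
                    "to_ip": cur["ip"], "to_country": cur["country"],
                    "distance_km": round(km), "speed_kmh": round(speed),
                })
    return alerts


if __name__ == "__main__":
    for alert in detect_impossible_travel(parse_events(SIGN_IN_LOG)):
        print(json.dumps(alert))
```

In the constructed log, the New York to Singapore pair 45 minutes apart fires, while the Chicago to New York pair four and a half hours apart does not; the failed sign-in is ignored because no session resulted. An alert like this is what an MXDR analyst would then triage against travel records and MFA context before disabling the account.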

The MXDR team distinguishes genuine threats from false positives and recommends appropriate action such as disabling compromised accounts. Using our Anomaly Framework, MXDR automatically uncovers credential misuse to provide top-of-the-line ITDR. Unlike other ITDR providers, Todyl MXDR dynamically correlates account actions and other data to quickly identify signs of BEC. Automated response actions help MXDR to stop bad actors from successfully compromising accounts, keeping you and your clients protected.

This combined approach improves the chances of identifying and stopping BEC attacks before significant damage occurs. Todyl is here to help you tackle the threat of BEC and fight the good fight.

Read how Todyl’s MXDR team jumped in to help a partner after they fell victim to a BEC attack.
