business email compromise

The Telltale Signs of a Business Email Compromise (and How to Avoid an Attack)

Business email compromise (BEC) attacks are on the upswing. Cyber crime caused $3.5 billion in losses in the U.S. in 2019, with BEC attacks accounting for nearly half of that, according to the FBI’s Internet Crime Report. New findings from email security firm Agari released this week revealed an emerging group of cyber criminals masquerading as legitimate business executives. Dubbed “Cosmic Lynx,” the group has been linked to more than 200 email-based attacks targeting individuals in 46 countries since July 2019, often victimizing senior leaders in Fortune 500 or Global 2000 firms.

Cyber criminals are taking advantage of the uncertainty surrounding the COVID-19 pandemic, too. Invoice and payment fraud attacks increased by more than 75 percent in the first three months of 2020 alone.

While this type of fraud is typically targeted at companies that conduct wire transfers, it can affect any company. In this blog, we’ll share tips for preventing and detecting business email compromise attacks.

The Background

First, let’s walk through a common scenario where trusting an email can lead to a bad day.

The CEO and the rest of the company are still working remotely because the office has been closed due to the COVID-19 pandemic. She sends you an email asking you to transfer funds to a new business partner to seal a big deal. The request isn’t out of the ordinary. You’re used to handling last-minute requests, and know that time is of the essence to keep the business operational. You’re savvy enough to check that it’s coming from her legitimate email address, and see that the salutation, signature block, and writing style all match her usual style. There’s even an inside joke in there about missing your usual office snacks.

What you don’t realize is that your CEO opened an email two weeks ago with a cryptic message about encryption issues and invalid certificates. This email tricked her into giving up her Office 365 account password to cyber criminals. They’ve been reading her old and incoming emails for weeks. They’ve studied her writing style, work schedule, and how money moves around in your company.

At just the right moment, while the physical office is still closed and things are far from normal, they’ve sent a perfectly crafted message asking you to wire some money to a bank account they control. However, you don’t know that this email is coming from criminals and not your boss. The numbers add up, and the attached invoice looks fine. When you reply asking for clarification, they respond right away. The CEO is out of the loop. Your responses are being sent straight back to the attacker and then immediately deleted from her inbox.

In the most extreme cases, our team has seen these fraudulent conversations and requests continue for months before they’re detected. We’ve even seen instances where cyber criminals go so far as to coordinate with multiple employees to work out details like intra-fund transfers and waivers to forgo standard processes.

How to Recognize and Respond to BEC

Business email compromise nearly always starts with someone giving up their password to a malicious actor. Typically, criminals target executives and anyone involved with transferring funds. There’s plenty of information out there already about protecting your password, having different passwords for every service (use a password manager), and how to spot a suspicious email trying to get your password (hint: it may even come from a trusted friend or colleague). Let’s focus on preventing what comes next, once the cyber criminals have compromised the email account.

First, let’s look at detecting the initial logon of a compromised account. You can prevent this first logon by implementing multi-factor authentication (MFA). A Krebs on Security post explains the success Google has had in rolling out MFA and preventing phishing attacks from compromising their user’s accounts. But what if MFA fails and the threat actors gain access anyway?

Your next line of defense is to detect the first logon, which requires logging and monitoring the authentication requests to your email accounts. If you’re using Office 365, don’t assume auditing is enabled by default — you should check that it’s actually been activated.

Once logging is enabled, you can start monitoring for suspicious logons. One example is users logging in from another country (pro tip: Nigeria is a top offender for BEC). If you can’t do this type of monitoring on your own, consider subscribing to a service that can like Delta Risk’s ActiveEye. These services offer analytics to recognize abnormal logons based on IP address, source country, device profiles, and timing.

Need help monitoring your network? Learn more about ActiveEye here.

Let’s suppose all that has failed. The attacker has gained access and has gone undetected. What happens next? The next move is to create inbox rules to automatically delete received messages that may be fraud-related. That normally means targeting messages with words like “wire transfer,” “payment,” and “invoice.” They may also delete messages from specific employees, like the CFO or the CEO’s administrative assistant. The purpose of these rules is to prevent the compromised user (e.g., CEO) from noticing the conversations happening behind their back.

How it Works

But how is the criminal reading these messages if they’re being deleted? They generally have two workarounds. First, they can simply look for the messages in the Deleted Items folder. Sneaky. Another option is to set up a rule to forward all new emails to an email address controlled by the attacker. This has an added benefit of giving the attacker continued access, even if the compromised user changes his or her password.

We can detect these compromised accounts by monitoring for the creation of a suspicious mailbox rule or email forwarding rules. For example, Office 365 has a built-in “Low Severity” policy to alert administrators of new forwarding rules. We can list them all here, but Microsoft provides a whole slew of tricks to recognize compromised accounts in their TechNet post.

Your last line of resistance against BEC is not relying on email for trusted transactions like wire transfers. Make sure your organization’s money-movers understand that email is not a trusted form of communication. This includes anyone involved in coordinating or authorizing where and when funds go — accountants, payroll, human resources, the CFO, CEO, and your bank.

Demand a second factor of communication. Since you can’t pop into someone’s office for a face-to-face meeting if the office is closed, use a video chat or, at the very least, a phone call. One of our customers discovered BEC fraud after an accountant called their CEO at a conference asking for the bank account’s time-based PIN code. The CEO was especially confused when the accountant asked why they were in such a hurry to get the transfer done that day!


Let’s review how you can prevent and detect business email compromise attacks at your organization. Setting up multi-factor authentication for email accounts can greatly reduce your risk. Make sure logging is enabled so you can monitor for suspicious logons, and monitor your accounts for new inbox rules, especially ones with words like “invoice,” “payment” and “wire transfer.” And, most importantly, don’t trust email for coordinating fund transfers. Always pick up the phone and double check, have a face-to-face or video call, or implement a more rigorous process. It’s better to be safe than sorry.

Does managed security seem like a black box? It doesn’t have to. Learn more about our Soc-as-a-Service.