What is the Difference Between Business Email Compromise (BEC) and Phishing?
Business email compromise (BEC) is a sophisticated and targeted cyberattack that impersonates high-ranking company officials or trusted partners to conduct financial fraud. It requires in-depth knowledge of the organization and its operations. In contrast, general phishing is less sophisticated and targets a broad audience indiscriminately, aiming to steal personal information like login credentials or credit card numbers through deceptive emails.
BEC focuses on financial deception within a business context, while phishing seeks broader information theft through mass communication. Understanding the differences in how the attacks operate enables organizations to leverage the most effective preventive technologies and targeted training to reduce the risk of breaches.
A Closer Look at BEC
Business Email Compromise (BEC) is a type of cyberattack that uses email to impersonate high-ranking corporate officials, employees, attorneys, or business partners. Its purpose is to deceive vulnerable employees into taking actions that benefit the scammers.
BEC attackers use artificial intelligence (AI) and machine learning (ML) technologies to extensively research their targets and create convincing messages that appear to be legitimate business correspondence. BEC scams have caused massive financial damage to organizations, with billions of dollars lost. The U.S. government considers BEC attacks one of the most financially destructive forms of online crime.
A Closer Look at Phishing
Phishing is a type of cyberattack that involves sending fraudulent emails to a wide range of individuals. Although these emails appear to come from a trustworthy source, their primary goal is to deceive individuals into providing confidential information like login credentials, credit card numbers, or personal identification details.
The information is then used to perpetrate fraud. Phishing attacks are more widespread than BEC scams and use automation to send many people the same or similar deceptive messages.
Key Differences Between BEC and Phishing
Phishing and Business Email Compromise (BEC) are related cyberthreats, but they have distinct characteristics and operate at different levels of sophistication and targeting. BEC and phishing differ primarily in their targets, methods, and objectives.
Targeting and Personalization
BEC: A BEC attack usually focuses on specific individuals or departments within an organization, often those with the authority to make financial transactions or access sensitive information. Scammers spend time researching their targets to create highly personalized and convincing emails.
Phishing: Phishing attacks are not usually personalized to the same degree as BEC attacks. Instead, they rely on a broader approach, sending the same or similar deceptive messages to many recipients.
Attack Complexity and Effort
BEC: BEC attacks are typically more sophisticated, requiring reconnaissance, and often AI and ML, to mimic the writing style and email patterns of the person being impersonated.
Phishing: Phishing attacks can range from basic to sophisticated, but many rely on a template-based approach. The same message is sent to numerous individuals, hoping some will not recognize the scam.
Objectives
BEC: The primary objective is usually financial gain through direct wire transfer fraud or payment redirection scams. BEC attacks can also aim to steal sensitive business information.
Phishing: The main goal is often to steal personal information, such as login credentials, credit card numbers, or other sensitive data. This information can be used for various fraudulent activities, including financial theft, ransomware, or identity theft.
Method of Delivery
BEC: Almost exclusively relies on email as the method of communication.
Phishing: While phishing is also commonly conducted via email, it can take other forms, such as text messages (smishing), voice calls (vishing), or social media messages.
Scale and Scope
BEC: Typically involves fewer targets but aims for higher returns from each attack.
Phishing: Casts a broader net, targeting many individuals to increase the likelihood of finding a victim.
What Are Some Examples of BEC Attacks?
BEC scammers use common tactics, techniques, and procedures (TTPs), such as impersonating a CEO or other high-level executive, or emailing phony invoices that appear to come from real partners but divert the payment to an attacker's account.
BEC attacks often create a false sense of urgency for the recipient to act quickly. BEC attacks have increased because automation, AI, ML, and social engineering make them more effective and easier to launch. They are also lucrative, as can be seen in the following examples:
CEO Fraud
Ubiquiti Networks, a U.S. communications company, reported a $46.7 million loss due to a BEC scam. Fraudsters impersonated executives and requested finance employees to transfer funds for supposed business operations, which were sent to overseas accounts controlled by the attackers.
Vendor Email Compromise
Toyota Boshoku Corporation, a major supplier of Toyota, lost over $37 million to a BEC scam where attackers posed as a known supplier and directed the company to send payments to new bank accounts.
Payroll Fraud
An employee in the U.S. office of Japanese media company Nikkei Inc. was duped into transferring $29 million into a scammer’s bank account under the pretense of a legitimate transaction requested by a company executive.
Legal Impersonation
A Nebraska-based grain company, Scoular Company, lost $17.2 million in a BEC scam where fraudsters posed as the company’s CEO and a fake outside legal consultant instructed an employee to wire funds for a bogus acquisition.
Acquisition Scam
Austrian aircraft parts manufacturer FACC lost about €50 million ($55 million) when its finance department received fraudulent emails from the CEO concerning a fake acquisition project, leading to unauthorized fund transfers.
What Are Examples of Phishing Attacks?
Email Phishing
Over two years, Facebook and Google were tricked into paying more than $120 million collectively in a phishing scheme. The scam involved fraudulent emails from a legitimate-seeming supplier, Quanta Computer, requesting fund transfers for outstanding invoices.
Spear Phishing
A technology company experienced this type of phishing scam and handed over the tax information of thousands of current and former employees to scammers. An employee fell for a spear-phishing email that appeared to be from the company's CEO, requesting the information.
Data Theft
A well-known entertainment company suffered a significant data breach from a phishing attack. The attackers used a series of phishing emails to gain access to the company's network, which led to the leak of confidential data, including personal information about employees and their families, emails between employees, information about executive salaries, and copies of unreleased films.
Whaling
Whaling is a phishing attack that explicitly targets high-profile individuals within an organization. It refers to 'big fish' targets instead of the more expansive net cast in regular phishing attacks. In one example, attackers crafted an email that appeared to be from an organization’s CEO requesting confidential payroll information. This breach exposed sensitive personal information, including names, social security numbers, and salary data.
Smishing
Smishing, combining "SMS" with "phishing," is a type of phishing attack that occurs through text messages (SMS). A popular delivery organization fell victim to this scam when attackers sent out SMS messages prompting recipients to click a link to set package delivery preferences. Recipients were supposedly asked for personal and financial information to process their delivery requests. The attackers harvested the information for identity theft and financial fraud.
Best Practices to Mitigate Risk
Because BEC and phishing have much in common, cybersecurity teams can deploy technology solutions and effective training methodologies against both attacks. Standard best practices in mitigating the risk of both BEC and phishing attacks include:
Zero Trust
Zero Trust operates on the principle that no internal or external users are trusted by default, even inside the network perimeter. Implementing a Zero Trust framework mitigates the risk of BEC and phishing attacks by limiting access to data and systems only to those who need it. Zero Trust best practices call for continuous verification of all users and devices to ensure they are authenticated and authorized.
AI and ML
AI and ML can identify patterns indicative of BEC and phishing attacks, such as unusual email-sending patterns or anomalous financial requests. AI-driven behavioral analytics enhance the productivity of Security Operations Centers (SOCs) and strengthen real-time intelligence and incident response. AI- and ML-based threat detection systems can learn and identify patterns, detect phishing URLs, and recognize malicious attachments even if they are new or have not been previously reported.
Integrated Security
Overcoming cybersecurity tool sprawl is a must in BEC and phishing defense. Security teams need an integrated approach that provides visibility across the entire organization and eliminates silos. With an integrated security model, organizations can consolidate operations and management. This makes it easier to deploy Zero Trust across the enterprise and keep strict controls over patching, updates, and regulatory compliance.
Secure Web Gateways and Network Security
Secure web gateways and robust network security monitor and control internet traffic, preventing access to malicious websites and links often used in these scams. These security measures help detect and block the transfer of sensitive data to unauthorized external sources.
Ongoing Training and Monitoring
Nothing is more important than ongoing training and monitoring to mitigate the risk of successful attacks. Humans are the prime target for BEC and phishing. One slip-up by a single key employee can be extremely costly. Well-trained employees are often the first line of defense. Keeping employees up to date on changes in TTPs and policies is essential to any modern cybersecurity strategy.
In addition to areas of commonality, there are areas where organizations and cybersecurity teams can tune their defenses to meet the different challenges posed by BEC and phishing. These include:
Email Authentication Protocols
Email authentication protocols verify the authenticity of the sender's email address, thwarting attackers' attempts to impersonate trusted sources. These protocols help filter out fraudulent emails before they reach the recipient.
BEC Protocols
Implement advanced email security systems that use protocols like DMARC (Domain-based Message Authentication, Reporting, and Conformance), SPF (Sender Policy Framework), and DKIM (DomainKeys Identified Mail). These protocols help verify the email sender's authenticity, a critical step in identifying BEC attempts.
Phishing Protocols
Employ email filtering technologies that can detect and block phishing emails, including solutions that analyze email content for phishing indicators, such as suspicious links or attachments.
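The following script is an added example (not code from the original article or any vendor product) showing how the controls in the three sections above combine in a single inbound-mail screen: it reads the SPF, DKIM, and DMARC verdicts from the receiving server's Authentication-Results header, then applies the content checks that email filters use for BEC and phishing indicators (an executive's display name paired with an external domain, a Reply-To that diverges from From, link text whose host differs from the real href, and urgent payment language). The organisation domain, the protected executive name, and both sample messages are constructed assumptions.

```python
"""Screen an inbound message for the BEC and phishing indicators described above."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organisation's own domain and executives whose display names
# are commonly spoofed. Both values are placeholders for this example.
OUR_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe"}

# Constructed sample: CEO display name on a lookalike domain, SPF passes for the
# lookalike, DKIM and DMARC fail, external Reply-To, deceptive link, urgent wording.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=examp1e.com;
 dkim=fail header.d=examp1e.com;
 dmarc=fail header.from=examp1e.com
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.ceo@freemail.invalid
To: accounts@example.com
Subject: Urgent wire - updated bank details
Content-Type: text/html

<p>Please wire today; the vendor changed its account. Confirm at
<a href="http://examp1e.com/confirm">https://bank.example.com/portal</a></p>
"""

# Constructed sample of ordinary internal mail that should raise no findings.
CLEAN_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=example.com;
 dkim=pass header.d=example.com;
 dmarc=pass header.from=example.com
From: "Jane Doe" <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 planning meeting
Content-Type: text/html

<p>Agenda attached for Thursday.</p>
"""


def parse_auth_results(value: str) -> dict:
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header value."""
    results = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", value or "")
        results[method] = m.group(1).lower() if m else "none"
    return results


def domain_of(addr: str) -> str:
    """Return the lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def screen(raw: str) -> list[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw)
    findings = []

    # 1. Authentication verdicts recorded by the receiving MTA.
    for method, result in parse_auth_results(msg.get("Authentication-Results", "")).items():
        if result != "pass":
            findings.append(f"{method} result is '{result}'")

    # 2. Display-name impersonation: protected name used with a non-corporate domain.
    from_name, _ = parseaddr(msg.get("From", ""))
    from_domain = domain_of(msg.get("From", ""))
    if from_name.strip().lower() in PROTECTED_NAMES and from_domain != OUR_DOMAIN:
        findings.append(f"display name '{from_name}' used with external domain {from_domain}")

    # 3. Reply-To pointing somewhere other than the claimed sender domain.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Links whose visible text names a different host than the real target.
    body = msg.get_payload(decode=True).decode(errors="replace")
    for href, text in re.findall(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', body, re.S):
        shown = text.strip()
        if shown.startswith("http") and urlparse(shown).hostname != urlparse(href).hostname:
            findings.append(f"link text shows {urlparse(shown).hostname} but points to {urlparse(href).hostname}")

    # 5. Urgency combined with payment or bank-detail language.
    text = (msg.get("Subject", "") + " " + body).lower()
    if re.search(r"\burgent\b|\btoday\b", text) and re.search(r"wire|bank|account", text):
        findings.append("urgent payment/bank-detail language")
    return findings


if __name__ == "__main__":
    for label, raw in (("suspicious", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, screen(raw) or ["no findings"])
```

The authentication verdicts alone would not catch a BEC message sent from a correctly configured lookalike domain (SPF passes for examp1e.com here), which is why the content checks run even when DMARC passes; conversely, the content checks alone miss a spoof of the real domain, which DMARC catches. A production filter would weight these findings rather than treat each as a block, but the two layers are the same ones the article separates into "BEC protocols" and "phishing protocols".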
Policies and Procedures
Implement strong access control policies, ensuring employees have only the necessary access to do their jobs. Regularly update and back up sensitive data. Develop and maintain an incident response plan that includes procedures for responding to BEC and phishing incidents. Review and update the plan regularly to address new threats.
BEC Policies and Procedures
Establish strict verification processes for financial transactions, such as requiring multiple approvals or phone verification for changes in payment details or large transfers.
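As an added example (not from the original article), the policy check below encodes the verification process just described: a change to a vendor's bank details is accepted only if it was confirmed by calling the contact number held on file from onboarding, never a number supplied in the requesting email, and transfers above a threshold require two distinct approvers. The vendor record, the threshold, and the two request scenarios are constructed assumptions.

```python
"""Policy check for a vendor payment-detail change request."""
from dataclasses import dataclass, field


@dataclass
class VendorOnFile:
    name: str
    verified_phone: str      # contact established at onboarding, independent of any email
    bank_account: str


@dataclass
class ChangeRequest:
    vendor: str
    new_bank_account: str
    amount: float
    phone_in_email: str      # number the email asked the clerk to call
    callback_phone_used: str # number the clerk actually dialled
    approvers: list[str] = field(default_factory=list)


# Assumed policy threshold above which two approvers are required.
DUAL_APPROVAL_ABOVE = 10_000.0


def evaluate(req: ChangeRequest, vendor: VendorOnFile,
             threshold: float = DUAL_APPROVAL_ABOVE) -> tuple[bool, list[str]]:
    """Return (approved, reasons); reasons is empty only when every control is satisfied."""
    reasons = []
    if req.new_bank_account != vendor.bank_account:
        # A bank-detail change must be confirmed with the contact on file. Calling a
        # number taken from the email only confirms it with whoever sent the email.
        if req.callback_phone_used != vendor.verified_phone:
            if req.callback_phone_used == req.phone_in_email:
                reasons.append("callback used the number supplied in the email, not the contact on file")
            else:
                reasons.append("bank-detail change not verified via the contact on file")
    if req.amount > threshold and len(set(req.approvers)) < 2:
        reasons.append(f"amount {req.amount:,.2f} exceeds {threshold:,.2f} but lacks two distinct approvers")
    return (not reasons, reasons)


# Constructed vendor record and two scenarios for the same fraudulent request.
VENDOR = VendorOnFile(name="Acme Parts", verified_phone="+1-555-0100", bank_account="ACCT-OLD-001")

# Scenario A: the clerk calls the number printed in the email and approves alone.
REQUEST_UNVERIFIED = ChangeRequest(
    vendor="Acme Parts", new_bank_account="ACCT-NEW-777", amount=250_000.0,
    phone_in_email="+1-555-0199", callback_phone_used="+1-555-0199", approvers=["clerk"])

# Scenario B: the clerk calls the number on file and a second approver signs off.
REQUEST_VERIFIED = ChangeRequest(
    vendor="Acme Parts", new_bank_account="ACCT-NEW-777", amount=250_000.0,
    phone_in_email="+1-555-0199", callback_phone_used="+1-555-0100", approvers=["clerk", "controller"])


if __name__ == "__main__":
    for label, req in (("unverified", REQUEST_UNVERIFIED), ("verified", REQUEST_VERIFIED)):
        approved, reasons = evaluate(req, VENDOR)
        print(label, "approved" if approved else "rejected", reasons)
```

The important design point is that the callback target comes from the vendor record, not from the request: the email in a vendor email compromise typically supplies both the new account and a phone number that reaches the attacker, so a verification step that uses data from the email itself verifies nothing.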
Phishing Policies and Procedures
Create a policy for reporting suspected phishing attempts and encourage employees to report them without fear of repercussion.
BEC and Phishing FAQs
Spear phishing, by contrast, involves carefully crafted messages aimed at specific individuals or small groups, making it more deceptive and challenging to detect. Regarding specificity and target, spear phishing stands between general phishing and BEC. It is more personalized than general phishing but not necessarily focused on financial deception like BEC. It can serve various purposes, including monetary gain.