TechTips

Business Email Compromises: What You Need To Know

Written by Ryan Smith | April 9, 2025

Imagine everyone you’ve emailed in the last month being sent phishing emails or fake invoices straight from your own email account. I’m sure they’re the last people you’d want to pull into a cyber attack!

These are just a couple of ways a Business Email Compromise (BEC) might play out and the impacts can be quite serious.

It’s especially concerning given the consistently high volume of phishing and stolen-credential attacks that may open the door to your inbox.

For our last series, we broke down phishing attacks and how one of the objectives is to steal credentials and/or get access to your email.

In this article, we’ll take a closer look at what happens when someone does successfully access your email and everything you need to know to prevent it or stop a compromise.

What is a Business Email Compromise (BEC)?

Simply put, it’s when someone who’s not supposed to have access to your email account is able to get past your defenses.

And, if you’re a bad actor, wouldn’t it be great to have access to all of the intel in your email and be able to intercept communications? Not to mention that any of your other accounts where MFA codes are sent to email are also now more within reach!

It’s probably no shock then that it’s a pretty common incident and happens to be one of the most costly according to IBM’s latest Cost of a Data Breach Report:

[Figure: IBM 2024 Cost of a Data Breach Report]

While it’s not the ‘most frequent’ attack vector on its own, it can still be tied to phishing attacks or the use of stolen credentials and may be a follow-on attack.

In my own experience, I find it to be more common in attacks on smaller businesses, whereas IBM’s study included data from larger organizations, which can skew its findings.

How do attackers get access?

Access can be achieved in a number of ways, and it depends on the security you have in place on your email account (or rather the lack thereof).

However, in most cases, it starts with getting the credentials you use for your email account. This can be done through a phishing attack or by reusing credentials that were leaked in some other data breach, especially when the same passwords are used across other systems.

NOTE: Even with multi-factor authentication (MFA), there are methods that can be used to bypass MFA.

What can they do?

Once they get access, the actions taken may really depend on that particular threat actor and their overall goal. Some want to stay hidden and launch a bigger attack, while others may take actions that draw immediate attention.

One of the ways to help think about risks in your email is to consider the CIA Triad of Cybersecurity: “Confidentiality, Integrity, and Availability”.

Confidentiality refers to the sensitive information in your email that needs to stay private. Once they have access, they could theoretically get access to anything in your email (and affiliated with your email account).

Integrity refers to the trust within the system. As long as a bad actor has access, there is a lack of trust in your email because at any point they could act as ‘you’ through the use of your email or possibly use the intelligence they gather to deceive others.

Availability has to do with how dependent you are on a system and what happens when you can’t access it. For an email compromise, it’s the equivalent of being locked out by the threat actor and unable to read or send messages.

More specifically, there are a few actions we commonly see threat actors take, including one or more of the following:

  • Create rules to preserve access and cover their tracks: Should the password be changed, the bad actor doesn’t want to lose their visibility, so it’s not uncommon for them to create rules that forward emails to another account they can monitor. They may also use rules to hide copies of emails they send from within your account.

  • Steal information: As mentioned above, once someone is in your email account, all of the messages you have received, sent, or saved are accessible to them. In fact, there are easy ways for them to quickly download this information from your inbox so they have plenty of time to sort through its contents.

  • Wait and watch: Some threat actors may not want to alert you to their access. And, in many cases people who fell for a phishing email that gave up their access never realized what happened. This might allow the attacker the opportunity to sit and wait for a conversation about financials or other information that they want to leverage (usually using some type of rule or automation that tells them when it’s time to take a closer look at your activity).

  • Commit Wire Transfer Fraud and Invoice Fraud: One of the things they may wait to take action on is a financial conversation where a bank account or invoice is being shared (or might be shared) so they can jump in and make a change or request a payment.

  • Use your identity: When someone has access to your email, they have access to your identity and can pretend to be you. We see this with the previously mentioned fraud attempts but also with secondary phishing attacks where the threat actor uses a rule to quickly send a phishing email to all of your past correspondents in hopes of getting access to other accounts.

  • Compromise your co-workers: In a more specific case of using your identity, a common goal is to gain access to accounts with higher privileges by using your email account to send a targeted phishing email. This may include trying to compromise your leadership or IT teams in hopes of getting access to more power or, the ultimate goal: an admin account.

  • Gain access to other systems: Your email is likely the gateway to much more and there may be clues within your past emails about what kinds of systems could be accessed. This could include jumping into other resources like SharePoint or OneDrive (if you use Microsoft) where it’s all tied to the same account. It may also be possible to either reset a password or even get an emailed MFA code for some systems (one reason why email-based MFA is not recommended).

  • Access Single Sign-On and Passwords: Have you ever started a new service and been asked to access it through your existing email system instead of creating a unique login? Well, that compromised email account can be used to access those types of accounts. And, if your browser is tied to your email credentials and you’ve been using it to store passwords or auto-fill forms, then that could be just as exposed. (Use an outside Password Manager and make sure it’s well protected!)

  • Cover their tracks: Threat actors typically want to stay hidden as long as possible. If they can use their access to delete alerts you may be getting, they’ll stay hidden longer.

Again, these are just a few of the things a threat actor may try and there’s a lot of damage that can be done when they have access to your email.

This is another reason why IBM saw this as one of the costliest attacks.

How do you know you’ve had a BEC?

Sometimes, it may be well after the actual attack that you discover something suspicious. Other times, when phishing emails are blasting out of your email at a concerning rate, you may find your phone ringing off the hook from concerned recipients.

Without awareness, it’s very hard to tell something is amiss. It’s important to take note of suspicious activity and say something as early as possible.

Most people never know they’ve had their account compromised when it’s a clever phishing email, but if you think you’ve clicked something you shouldn’t have, it’s important to notify your IT and security team even if it appears that nothing happened.

Some of the things we’ll mention in the tips below on how to protect yourself can help you detect suspicious activity, so it’s important to make sure you have implemented layers of security and different tools to alert the appropriate people to anything out of the norm.

The goal should be to make a compromise as hard as possible but still have a strong plan in place to quickly detect and contain an incident.

Keep in mind that the instant your email is compromised, it is a breach and needs to be treated as such. Every second counts!

And, you may very likely have legal requirements that kick in for how to handle investigations and notifications to appropriate parties.

(Grab our guide on Data Security Laws, which discusses Breach Notification Laws)

Can this happen to a personal email account?

Yes, your personal account should be protected just the same and is often the key to many other accounts you may have. This could include your social media accounts or financial accounts that would give a threat actor the ability to steal money or your identity.

Many of us let our guard down when we leave the office. Attackers know this and more targeted attacks may very well be focused on compromising an employee at home to gain access to their place of work.

You may have limited security tools for personal email but make sure that MFA is turned on as an essential best practice.

How do you protect yourself?

Consider two focuses: reducing the chances of it happening by tightening your security practices and reducing the impact by minimizing what can be done if your account becomes compromised.

Things that reduce likelihood:

  • Require strong and unique passwords for your critical systems
  • Turn on MFA and avoid using email-based MFA when possible (opt for an authenticator application on your mobile device or an authenticator key like a YubiKey)
  • Restrict logins from regions outside of where employees typically access email
  • Disable the ability to create rules that forward emails to outside accounts
  • Train staff on how to spot a phishing email and the dangers of a BEC
  • Use email filtering tools that keep phishing emails out of inboxes or alert users to take caution when necessary

Things that reduce the impact:

  • Have a plan for how to validate financial transactions, especially when there is an urgent or last-minute change
  • Avoid keeping emails with sensitive data in your inbox; consider migrating them to a more secure system or moving them to a secured archive
  • Limit the number of emails that can be sent over a given period of time (in case your account is used to send a massive amount of phishing emails)
  • Make sure admins use separate accounts for email so that their admin accounts are harder to reach with phishing attacks
  • Instead of using your email account to do single sign-on (SSO), use a well-protected password manager with SSO capabilities
  • Improve your response time by having strong security tools like Endpoint Detection and Response (EDR) as well as the ability to identify suspicious logins or email activity
  • Get cyber liability insurance
  • Treat all BECs seriously – I’ve seen many situations where it was thought to be resolved but problems arise months later
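Two of the items above, restricting logins to the regions employees normally use and being able to identify suspicious logins or email activity, come together in a simple detection. The script below is an added example, not code from the article or from any product: it flags successful sign-ins from outside an allowed set of countries, flags two sign-ins from different countries too close together to be real travel, and escalates a flagged sign-in to critical when the same user creates an inbox rule or changes forwarding shortly afterward (the pattern described in the article). The event shape, the allowed countries, the placeholder country code `XX`, the time windows and all sample events are constructed assumptions; real identity-provider and mail-system logs use different field names.

```python
"""Correlate out-of-region sign-ins with follow-on mailbox changes.

Added example, not code from the article. Assumptions: sign-in and mailbox-change
events arrive as dicts with the fields used here (a simplified, constructed shape;
real identity-provider and mail-system logs differ). The allowed countries, the
placeholder country code 'XX', the time windows and the sample events are constructed.
"""
from datetime import datetime, timedelta

ALLOWED_COUNTRIES = {"US", "CA"}            # where staff normally sign in (constructed policy)
TRAVEL_WINDOW = timedelta(hours=4)          # two countries closer than this is implausible
CORRELATION_WINDOW = timedelta(minutes=60)  # sign-in then rule change this fast is the BEC pattern
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2}


def ts(value):
    """Parse the ISO-8601 timestamps used in the sample events."""
    return datetime.fromisoformat(value)


def flag_signins(signins):
    """Return one finding per successful sign-in that is out of region or implies
    impossible travel. Failed sign-ins are ignored for both checks."""
    findings = []
    last_by_user = {}
    for e in sorted(signins, key=lambda e: e["time"]):
        if e["result"] != "success":
            continue
        reasons = []
        if e["country"] not in ALLOWED_COUNTRIES:
            reasons.append(("medium", f"sign-in from unexpected country {e['country']}"))
        prev = last_by_user.get(e["user"])
        if prev and prev["country"] != e["country"] and ts(e["time"]) - ts(prev["time"]) < TRAVEL_WINDOW:
            reasons.append(("high", f"impossible travel: {prev['country']} at {prev['time']} "
                                    f"then {e['country']} at {e['time']}"))
        last_by_user[e["user"]] = e
        if reasons:
            reasons.sort(key=lambda r: SEVERITY_ORDER[r[0]])
            findings.append({"user": e["user"], "time": e["time"],
                             "severity": reasons[0][0], "reasons": [r for _, r in reasons]})
    return findings


def correlate(findings, mailbox_changes):
    """Escalate a finding to 'critical' when the same user changed an inbox rule or
    forwarding setting within CORRELATION_WINDOW after the flagged sign-in."""
    for f in findings:
        for c in mailbox_changes:
            if c["user"] != f["user"]:
                continue
            delta = ts(c["time"]) - ts(f["time"])
            if timedelta(0) <= delta <= CORRELATION_WINDOW:
                minutes = int(delta.total_seconds() // 60)
                f["severity"] = "critical"
                f["reasons"].append(f"followed by {c['operation']} {minutes} min later")
                break
    findings.sort(key=lambda f: SEVERITY_ORDER[f["severity"]])
    return findings


# Constructed sample events (not real log data). 'XX' is a placeholder country code.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2025-04-01T09:00:00", "country": "US", "result": "success"},
    {"user": "alice@example.com", "time": "2025-04-01T10:30:00", "country": "XX", "result": "success"},
    {"user": "bob@example.com", "time": "2025-04-01T08:15:00", "country": "CA", "result": "success"},
    {"user": "bob@example.com", "time": "2025-04-01T08:20:00", "country": "XX", "result": "failure"},
    {"user": "carol@example.com", "time": "2025-04-01T07:00:00", "country": "US", "result": "success"},
    {"user": "carol@example.com", "time": "2025-04-01T15:00:00", "country": "CA", "result": "success"},
]
SAMPLE_MAILBOX_CHANGES = [
    {"user": "alice@example.com", "time": "2025-04-01T10:42:00", "operation": "New-InboxRule"},
    {"user": "carol@example.com", "time": "2025-04-01T15:20:00", "operation": "Set-Mailbox"},
]

if __name__ == "__main__":
    for f in correlate(flag_signins(SAMPLE_SIGNINS), SAMPLE_MAILBOX_CHANGES):
        print(f"[{f['severity'].upper()}] {f['user']} at {f['time']}")
        for reason in f["reasons"]:
            print("   -", reason)
```

Carol's change is not reported because her sign-ins were both in region and eight hours apart; only Alice's out-of-region sign-in, which is also impossible travel from her earlier US sign-in and is followed twelve minutes later by a new inbox rule, is escalated. In practice the allowed-country set and windows would come from your own sign-in baseline rather than from constants.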

This is just a list to get things started and by no means a comprehensive list of everything you should do. Get help looking at your specific environment and ensure risks are removed or mitigated appropriately.

Need help? Reach out!

What do you do if it happens anyway?

Even with strong security practices, there’s always a risk of something going wrong.

If you discover a BEC, keep in mind that it could be just the tip of the iceberg and there may be legal obligations for how you proceed.

A few things that can help:

  • Reset passwords and ensure MFA is turned on
  • Check for any suspicious rules that need to be disabled
  • Reach out to your cyber liability provider to get help and resources to conduct a proper investigation
  • Prepare to investigate activity by pulling audit logs from your email system and any connected systems in case they also were accessed (example: for Microsoft Outlook email users, you may want to look at access to SharePoint and OneDrive)
  • Preserve evidence because it may provide clues for investigators about what was done
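The "check for any suspicious rules" and "pull audit logs" steps above, together with the "create rules to preserve access and cover their tracks" behaviour described earlier, can be turned into a repeatable triage. The script below is an added example, not code from the article or from any mail product: it reads inbox-rule audit records and flags rules that forward or redirect mail outside the organisation, delete or bury matching mail, filter on financial keywords, or carry a throw-away name. The record shape (a simplified version of a Microsoft 365 unified audit log entry for `New-InboxRule` / `Set-InboxRule`, with settings in a `Parameters` list of `Name`/`Value` pairs), the internal domain list, the folder and keyword sets, and the sample records are all constructed assumptions.

```python
"""Triage inbox-rule audit records for BEC persistence and hiding patterns.

Added example, not code from the article. Assumptions: each record mirrors a
simplified Microsoft 365 unified audit log entry for New-InboxRule / Set-InboxRule,
with the rule's settings in a 'Parameters' list of {'Name', 'Value'} pairs. Field
names, domains, keyword sets and the sample records are constructed for this example.
"""
import re

INTERNAL_DOMAINS = {"example.com"}   # the organisation's own domains (constructed)
# Folders a user rarely opens, so a copy moved there is effectively hidden.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}
# Subject keywords that suggest the rule is watching for financial threads.
FINANCE_WORDS = {"invoice", "payment", "wire", "ach", "bank", "remittance"}
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}
ADDRESS_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
WORD_RE = re.compile(r"[a-z0-9-]+")


def rule_params(record):
    """Flatten the Parameters list into a lower-cased {name: value} dict."""
    return {p["Name"].lower(): p.get("Value", "") for p in record.get("Parameters", [])}


def external_domains(value):
    """Return recipient domains found in `value` that are not internal."""
    return sorted({d.lower() for d in ADDRESS_RE.findall(str(value))
                   if d.lower() not in INTERNAL_DOMAINS})


def is_true(value):
    return str(value).strip().lower() == "true"


def triage_rule(record):
    """Return (severity, reason) findings for one audit record, most severe first."""
    p = rule_params(record)
    findings = []
    # 1. Forwarding or redirecting outside the organisation.
    for key in ("forwardto", "forwardasattachmentto", "redirectto"):
        ext = external_domains(p.get(key, ""))
        if ext:
            findings.append(("high", f"{key} sends mail outside the organisation: {', '.join(ext)}"))
    # 2. Deleting or burying matching mail so the owner never sees it.
    if is_true(p.get("deletemessage")) or str(p.get("movetofolder", "")).lower() in HIDING_FOLDERS:
        severity = "high" if findings or is_true(p.get("markasread")) else "medium"
        findings.append((severity, "rule deletes or moves matching mail to a folder the user is unlikely to check"))
    # 3. Filtering on financial keywords (invoice / wire fraud set-up).
    hits = sorted(set(WORD_RE.findall(str(p.get("subjectcontainswords", "")).lower())) & FINANCE_WORDS)
    if hits:
        findings.append(("medium", f"rule filters on financial keywords: {', '.join(hits)}"))
    # 4. Empty or single-character rule names are a weak but common signal.
    name = str(p.get("name", "")).strip()
    if len(name) <= 2:
        findings.append(("low", f"rule name is empty or a single character ({name!r})"))
    findings.sort(key=lambda f: SEVERITY_ORDER[f[0]])
    return findings


def triage_log(records):
    """Summarise findings per record, most severe first; clean records are omitted."""
    results = []
    for r in records:
        findings = triage_rule(r)
        if findings:
            results.append({"user": r["UserId"], "time": r["CreationTime"],
                            "operation": r["Operation"], "rule": rule_params(r).get("name", ""),
                            "severity": findings[0][0], "reasons": [reason for _, reason in findings]})
    results.sort(key=lambda x: SEVERITY_ORDER[x["severity"]])
    return results


# Constructed sample records (not real audit data); '.invalid' domains are placeholders.
SAMPLE_RECORDS = [
    {"CreationTime": "2025-04-01T10:42:00", "Operation": "New-InboxRule", "UserId": "alice@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment"},
                    {"Name": "ForwardTo", "Value": "[SMTP:drop@attacker-mailbox.invalid]"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-04-01T11:05:00", "Operation": "New-InboxRule", "UserId": "bob@example.com",
     "Parameters": [{"Name": "Name", "Value": "Team newsletter"},
                    {"Name": "From", "Value": "news@example.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"CreationTime": "2025-04-02T08:30:00", "Operation": "Set-InboxRule", "UserId": "carol@example.com",
     "Parameters": [{"Name": "Name", "Value": "Backup"},
                    {"Name": "ForwardAsAttachmentTo", "Value": "carol.home@personal-mail.invalid"}]},
]

if __name__ == "__main__":
    for hit in triage_log(SAMPLE_RECORDS):
        print(f"[{hit['severity'].upper()}] {hit['user']} {hit['operation']} rule={hit['rule']!r}")
        for reason in hit["reasons"]:
            print("   -", reason)
```

Bob's newsletter rule produces no finding, Carol's forward-as-attachment to a personal mailbox is flagged as external forwarding, and Alice's rule trips every check at once. Any rule reported here should be disabled and kept (not deleted) so investigators can see exactly what it did, which is the "preserve evidence" step above.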

Want to make sure you’re on the right track with security?

Let us know if you have questions about today’s article or how else we can help you. We are proud to offer free initial consultations and share free resources.