Business Email Compromise

How to Protect Your Business from Business Email Compromise Scams

You will be hacked – NOT if but WHEN! We didn’t look into the crystal ball to tell you this. It comes straight from an FBI agent who told this to a roomful of lawyers recently at an annual tech symposium.

FBI says there’s a substantial 65% jump in identified global exposed losses from Business Email Compromise (BEC) fraud with over 241, 206 incidents reported in the last few years. These losses include both actual and attempted losses. Also, an average of $43 billion are mis-wired globally every year due to BEC fraud, and the agency is just scratching the surface.

BEC scams are not just limited to the United States (reported in all 50 states) but 177 countries, with over 140 countries receiving fraudulent transfers. And the threat is only increasing. In 2020, BEC scammers made over $1.8 billion – far more than via any other type of cybercrime. The number rose to $18.7 billion in 2021 and $43 billion in 2022!

However, not all BEC crimes relate to wire fraud. After all, email scams have existed for probably as long as email addresses. What makes BEC dangerous is the sheer sophistry involved. We break down how a typical BEC attack works, its types, techniques, and how can you protect against these threat vectors.

What is Business Email Compromise (BEC)?

Osterman Research defines BEC as “a specific type of phishing (spear phishing) attack, relying on targeting (i.e., going after a specific person or role type in an organization) and normally seeking monetary payment as a direct outcome.” BEC attacks differ from other forms of cyber threats, relying almost entirely on social engineering to trigger human susceptibility to plausible requests.

These are becoming notoriously difficult to prevent as the traditional threat detection solutions (inbound email security) that analyze email headers, links, and metadata often miss these attack strategies. Spear phishing emails, texts, or phone calls are directed at specific individuals or organizations. You will not find messages riddled with bad grammar, broken links, or punctuation errors. Such attacks do not generally carry malware, include weaponized links, or seek to compromise email account credentials.

Instead, in this technique, attackers carefully research and spend time to make the messages highly personalized – right from sending an email from a lookalike company email domain down to adding company sayings, slogans, or common phrases to appear more legitimate. Such social engineering tricks include establishing rapport (pretexting), promising personal benefit, and invoking urgency.

Let us explore this in detail.

Types and Techniques of Business Email Compromise Attacks

The primary reason business email compromise attacks are difficult to spot is the extensive preparation that goes behind them. Attackers pose as someone the recipient trusts – it could be a boss, colleague, or vendor. Even the conversations with which they entice the recipients are fairly relatable and people don’t generally think twice.

Though the hackers will use several patterns, there are four major types of BEC scams doing the rounds.

Fake Invoice Scheme

This type of scam targets businesses that deal with foreign suppliers. The attackers will pretend to be the suppliers requesting fund transfers for payments to an account owned by them and not the original supplier. Such attacks involve sophisticated social engineering tactics of building trust and impersonation. Here is an example of how it works.

The attacker breaches the email of someone in finance or payroll. The email address can be easily obtained from social networks and these fraudsters are generally pros at hacking passwords (especially, if the target does not follow the best email protection practices, it is very easy to hack!). The attacker then continues to eavesdrop on the email, learns how the billing and payment process works in the organization and waits for a legitimate transaction to happen.

Once they get wind of a transaction about to take place, they look for a legitimate invoice, modify the details of the beneficiary, such as the routing number to which the amount needs to be credited, and spoof the vendor’s address to submit the invoice. The last piece of the scam is the email written with an urgent tone, which is then sent to you or the target saying that “the vendor has updated its payment terms” without highlighting the new account number. Since the target trusts the email sender, they would proceed with the wire transfer request after verifying the name of the vendor and the service.

The attackers spend a considerable amount of time doing the reconnaissance, employing money mules to choose specific targets, craft targeted campaigns, and launder fraudulent funds into untraceable offshore accounts.

CEO Fraud

“Hi, Jane – I’m on a conference call right now. I can’t talk on the phone but let me know if you got my text. Thanks, John Doe (CEO).” Through such emails, most of us are becoming too familiar with CEO fraud. Contrary to its name, it is not always the CEO who will be impersonated; it could be CFO, COO, or any high-profile C-level executive. And the targets are usually the finance, HR, or IT teams.

In such scams, attackers trick employees into transferring money or divulging sensitive information, building on the pretext of urgency. Per the FBI, CEO fraud is a $26 billion scam! It works in two ways.

  1. Name spoofing – In this technique, the attacker uses the name of the CEO with a different email address. The scam begins with obtaining the email addresses from public domains or other means and proceeding to create a “lookalike domain” by flipping just a letter or two in the email address, tricking the mind. For instance, instead of “,” it would be “” – missing just one letter “r” at the right place, hence tricking the mind. Such trickery easily fools people who are usually in a rush to respond and do not notice it. Many email clients, especially mobile email clients, also do not display the sender address by default, making it difficult to spot this attack.
  2. Name and email spoofing – In this technique, the attacker uses both the CEO’s or any other person’s name and their correct sender address. However, in the “reply-to address,” they will give a different email address than the sender address, ensuring the target’s response to the email comes to the attackers and not the actual sender. In this way, the attackers manage to get all the emails forwarded to a fake address created by them and get access to a host of confidential information.

To orchestrate such scams, cybercriminals will crawl company websites, social media pages, media coverage, and more to collect information on their target. Their aim is to get access to a variety of information, including:

  • Names, titles, and email addresses of high-profile targets.
  • Names, titles, and email addresses of employees in finance, payroll, and HR roles.
  • Company information, events, projects, or news.
  • New employees.
  • Customers, vendors, or partners.
  • Out-of-office notifications or personal social media posts about senior leadership away in a meeting or on vacation.

Email Account Compromise (EAC)

In this BEC scam, the email account of an executive or a vendor is hacked and used to request money transfers to fraudulent accounts. It is also known as email account takeover or email hijacking. In most instances, the person is not even aware that their email account is being hacked.

Such scams use several tactics, such as phishing, malware, and purchasing employee credentials from the dark web to gain unauthorized access to email accounts. Once they gain access to the account, criminals have a vast treasure trove of data to exploit to “become the target” – files, calendar meetings with customers or suppliers, emails with sensitive information, etc. The attackers profile their target thoroughly and start setting email forwarding rules and changing email account permissions.

The use cases are many – the most prominent being supplier invoices and payroll. In the case of payroll, the attacker usually compromises the email account of an employee and sends an email to HR asking to update the said employee’s direct deposit with their own bank account. In some instances, on a much bigger scale, the attacker compromises the email account of a management executive and studies the Merger and Acquisition (M&A) activities. From the executive’s email account, the attacker then sends an email to the accounting department, requesting to execute a wire transfer to complete an acquisition. The email is to-the-point with the same business language and details the executive uses; only this time the bank account is replaced by the attacker’s own account.

EAC scams are quite difficult to detect because the emails originate from the authorized sender’s account itself, which does not register a blip on the security radar of company servers. The modus operandi of EAC attacks prey on the trust established between colleagues and teams.

Lawyer or Attorney Impersonation

As the name suggests, this scam specifically targets legal professionals who are privy to crucial and confidential information. The attackers impersonate a senior lawyer to target lower-level employees who would not question the validity of the request. Scammers go to great lengths to compromise or spoof company emails or to use social engineering to assume the identity of the company attorney.

Law firms are especially vulnerable to such scams because they possess confidential data, financial records, and information on corporations, patent applications, political figures, heavily-guarded mergers and acquisitions, and more. They also operate in a sector where reputation is the key. Here are two usual scenarios of lawyer impersonation BEC scams.

Scenario #1: The attacker compromises an executive’s account and sends an email to an employee saying that he/she is part of a confidential or time-sensitive transaction. The attacker also tells the employee that they will be contacted by an attorney later in the matter. To make the scam perfect, the employee is then contacted by the attacker’s “team” via email, phone call, or SMS, informing them about the case and the next steps. Once the trust is established, the employee easily falls into the trap set by the attackers and does not suspect anything.

Scenario #2: This is the most common scenario used in an attorney impersonation scheme, where the attacker directly contacts the employee posing as an attorney. The attacker generally creates a sense of urgency, stating that he/she is being included in an important case for the company, the company leadership has engaged the services of the said law firm, and he/she should be on the lookout for the next steps. The communication continues until trust is established and the employee completes the attacker’s request.

You can avoid falling into the trap of such simple, yet sophisticated scams by following some best practices like setting up multi-factor authentication, conducting cybersecurity and BEC scam awareness training for employees, establishing protocols for what will be sent over email, and what needs to be done with a phone call, and more.

Impostor emails are purpose-built to impersonate someone your users trust and trick them into sending money or personal information to cybercriminals. What you would need is an integrated, holistic solution that can address all attackers’ tactics, provides visibility into malicious activities and user behavior, and automates the detection and threat response.

RMail, a global email security solution from RPost, can help

How RMail Helps You Prevent and Pre-Empt BEC Scams

Well known for its Registered Email™ and Registered Encryption™ features that mitigate risk by providing proof of who said what when, or audit-ready proof of the fact of privacy compliance, RMail’s AI continues to evolve. It now includes a suite of features designed to pre-empt cybercrime: PRE-Crime™. Put simply, this means stopping the e-crime after the hook is in, but before the steal (crime) completes – a boon to thwart and pre-empt business email compromise attacks.

PRE-Crime has components designed to alert you or your administrator of a potential e-crime in progress before it is too late - whether the cyber trickery is happening inside your organization or at your recipient’s email account.

RMail’s Targeted Attack Defense

RMail’s PRE-Crime suite of services follows a targeted attack defense approach of stopping the crime after the cybercriminal has:

  1. Identified whom to target in the sender’s company and the recipient domain to fake.
  2. Purchased a lookalike domain of the recipient.
  3. Sent a fake email from the lookalike domain to the target in the original sender’s company aiming at diverting payment to a fraudulent bank account.

There is no one provider that specializes in defending against all the threats. So, you might ask, where does RMail’s PRE-Crime “targeted attack defense” fit within your organization, without overlapping your existing tools? In other words, if you already have the top-of-the-line inbound email security gateway and all it has to offer, for what scenarios will RMail add value and security?

It is here where RMail’s PRE-Crime service differs in the sense that its technology focuses on outgoing emails, with features that range from tracking email opens to detecting email account compromise (even at your recipients’) to alerting senders that they are about to reply to an impostor before they do so.

RMail Outbound Email Security Stack

1. IT Admin Insights and Alerts. These features provide real-time alerts and scheduled summary reports with forensics to assist IT admins identify, and further analyze threats.

a. Email Eavesdropping™ Alerts for Wire-Fraud Pre-Emption. When it comes to business email compromise wire fraud attacks, cybercriminals target their victims by eavesdropping on emails from the sender to the recipient. Their goal is to siphon off email, analyze it, copy it with slight modifications related to payment instructions, and then pivot replies to route in a loop back to them rather than the original sender. So, it does not matter what grade of email security you use, if there is a leak at your recipient level, you would be compromised. RMail’s new email eavesdropping alerts provide insight into a potential cybercrime in progress at your recipient – before the cybercriminal cuts you (the sender) out of the communication.

Take the example of invoice delivery, where the supplier sends an invoice to the client. En route, at the supplier level (supplier account compromise), or at the client level (client account compromise), if the invoice-by-email delivery is being eavesdropped on, RMail’s system will return a red alert to the sender or their administrator in real-time. The alert will indicate which email to which recipient has been reviewed by an unauthorized third party (cybercriminal) in which location with a complete forensic record.

If you are already using an email security gateway, it may flag certain inbound email threats, or even prevent traditional outbound data leaks. What RMail does is identify email security breaches after an email has left your server or when the email is still inside your recipient’s inbox.

Eavesdropping alerts can be easily configured for administrators and senders with options to adapt the threat thermometer and alert sensitivity. Admins can define green and red zones depending on where it would be expected/unexpected that the company’s business emails are opened. By default, any country that is not manually set to green or red will be yellow. Put simply, if a company has no business in China, the administrator can flag the country as red and choose to be immediately notified if one of their business emails is opened there. Admins can also choose to be notified on every open, only the first one, and more. The same configurations are available at the user level.

Transmission level encryption emails HIPAA compliant
message level encryption emails HIPAA compliant

b. SMARTR Encryption.

i. Transmission Level: RMail’s default encryption is set to transmission level at the minimum sender-acceptable security level, delivering the encrypted email right to the recipient’s inbox. The sender can send the email like a regular one, without any logins, links, or the need to create an account. Recipients can also reply encrypted. If the minimum security cannot be automatically achieved, the message dynamically reverts to message level encryption.

ii. Message Level: If RMail SMART engine detects that the recipient’s server is not able to receive your message with the minimum acceptable security level, it automatically reverts to message level encryption. The email and any attachments will be automatically wrapped inside an AES-256-bit password-protected, digitally signed PDF, which would be delivered straight to the recipient’s inbox along with the instructions to decrypt.

Encrypted emails from RMail
message level encryption emails HIPAA compliant

c. Security Breach Locator™ Report. The Security Breach Locator™ Report provides court-admissible evidence of proof-of-fact of privacy compliance. Further, if an email is identified as being eavesdropped on, this Registered Encryption™ report identifies the most likely security gaps. It also offers audit-ready proof that the security gap must have been after the recipient forwarded the message onward --- and it’s not a fault of the sender.

The security forensics provided by RMail are fact, and allow IT admins to easily justify and demonstrate their hypothesis about where cybercriminals may have accessed an email in the path from sender to recipient, even if the breach occurred at the recipient's end.

2. Sender Augmented Intelligence: Data Loss Prevention (DLP) in the Desktop. RMail Sender AI assists senders with non-disruptive, in-the-moment-of-sending insights and recommendations and easy-to-use secure email tools, integrated into Microsoft Outlook, Gmail, Salesforce, and more.

a. RMail Recommends™: RMail automatically sensitizes users to the need to treat certain emails with special care and then transforms the message with specialized security in mind. This is true DLP on the desktop - no server settings or routings needed. For the sender, it’s just like sending any other email, while for IT admins, it’s peace of mind with pure email security and compliance bliss.

Encrypted emails from RMail
message level encryption emails HIPAA compliant

b. Right Recipient™

b.1 Lookalike Domain™ Detector. Consider a scenario where you are about to receive an invoice or payment request from your vendor or supplier and the email is intercepted or compromised at their end. There is a high probability that you would receive an altered email. The alteration ultimately (often after some back and forth) may have different payment coordinates, luring your unsuspecting payment staff into sending funds to the cybercriminal.

When the cybercriminal creates the impostor email to send to you (the recipient) using a legitimate lookalike domain (that is one letter off), they can bypass sophisticated inbound email security gateway and firewall security (e.g., DKIM, SPF, DMARC, phishing detectors, malicious link detectors).

With RMail’s “Right Recipient email Lookalike Domain alert,” running inside Outlook, if the recipient replies to one of these newly purchased legitimate email addresses (technically legitimate but created with criminal intent), the RMail system will alert the user in milliseconds. And this would be after they click send, but before the reply is sent.

Notice one letter “r” which is not there in the email address highlighted in red – “” instead of “” Though it’s a legitimate domain, but RMail’s AI tells you that it was created just a week ago, alerting you to proceed with caution. This would help you thwart the impostor wire or funding instructions lures and mis-wiring of money.

Your existing email security systems will not protect you or your recipient from such trickery as they will not flag such email domains, considering it is registered and legitimate ones. This is best automated with adaptive AI within the email program of the recipient, which is what RMail does.

b.2 Reply Hijack™ Alerts Sophisticated cybercriminals may also trick you by placing the newly created lookalike email domain within the hidden-to-recipient “reply-to” header of the message that they send to the target recipient. It is located right under the “Bcc” field in the Outlook email client. Or, they may also place another seemingly plausible email address that poses as a legitimate sender in the hidden-to-recipient “reply-to” header.

In both cases, they may put the actual email of the legitimate sender in the email “from” field – and send it to you or your recipient to make it appear as though the legitimate sender sent the email. The goal of this type of trickery is to have the recipient continue a back-and-forth email exchange with the impostor without arousing any suspicion, thinking it is a trusted sender (supplier, or otherwise). And ultimately, you or your recipient will end up making a payment to the impostor’s bank account. Such scams are also successful in convincing the payor to update recurring payment systems and even payroll systems.

Encrypted emails from RMail
Encrypted emails from RMail

Your existing email security systems will not protect you from this type of cybercrime as the security gateways will look for DKIM, SPF, or DMARC sender authentication failures, which can block some of these. However, if the impostor sends from a legitimate lookalike or plausibly alternative email address, these will generally pass the DKIM, SPF, and DMARC sender authentication policies. Email security gateways at the recipient level can also look for mismatches in the header of the inbound email (mismatch in the “from” and “reply-to” headers). However, there are legitimate reasons for such mismatches to occur, and blocking this traffic can block legitimate emails.

Such trickery is best automated at the email program of the recipient. This is where RMail employs its Reply-Hijack™ alert that runs within the Microsoft Outlook email program. This is also known as a “Whaling” type of “Spear phishing” or a “reply-to pivot.”

b.3 Fake Forward™ Alerts. Consider a scenario where your recipient forwards your email and it gets intercepted by an attacker at some level. You have no way to tell if the email that comes back to you from your recipient is not from an impostor. RMail’s “Fake Forward email detector” helps here. RMail will detect and alert that a fake email that was part of a “Reply-Hijack, reply-to pivot scheme” is about to be forwarded, unknowingly creating a sense of legitimacy for the impostor email content.

Your existing email security systems will not protect you or your recipient from this type of cybercrime. Email security gateways at the recipient can block an email if they have sender authentication policies like DKIM set up. However, not all recipients do. RMail’s Fake Forward™ alert running within the Microsoft Outlook email program can alert on some forms of email from impostor senders being forwarded on by the first recipient.

message level encryption emails HIPAA compliant
message level encryption emails HIPAA compliant

c. Digital Seal® Authorship Verification for Recipients. When delivering sensitive messages that you think a cybercriminal may try to intercept, alter, or create a near replica follow-up email, the RMail Digital Seal® impostor defense is your go-to tool. It makes it easy for a recipient to verify the origin and authorship of an email (for example, an email with an invoice attached).

The Digital Seal technology employed by you protects your recipient from being fooled. It provides you with the assurance that only you will get the funds requested from the recipient and not an impostor who is impersonating you.

You could probably achieve the same effect by applying PKI digital signatures to email, while sending an email to your recipient, offering them a form of sender authentication of email. However, these “signatures” technically break if the email is forwarded and are not visible if the recipient views the email in certain email programs.

Similarly, applying DKIM and other (SPF, DMARC) sender authentication of email for a receiving server may also flag certain inbound email threats. However, they must be employed in your email system as well as at your recipient server. Even if you do so, the system will not be able to thwart lookalike domain trickery when an email is sent from valid domains purchased to trick a recipient even though the email sender is technically sending from a legitimately configured email account.

Pre-Empt BEC Cybercrimes Effectively with RMail

Each of the RMail technologies discussed above is additive layers that either the email security gateway systems employed by companies do not address completely or address only in half. RMail’s security services run within Microsoft Outlook, making it seamless. Besides, irrespective of your existing email systems, these RMail technologies also focus outside the boundaries of normal email security server filtering capabilities.

Try RMail to thwart a crime in progress, after the spear phishing hook is in, but before the steal, for free!