3 of the Most Common Business Email Compromise Attacks in 2021

3 of the Most Common Business Email Compromise Attacks in 2021

The rise of cyberattacks in 2021 is no coincidence. Hackers are exploiting businesses that are stretched, responding to a pandemic and reorganising their infrastructure to cope with extra remote access requests. I’ve discussed the what and the why of business email compromise (BEC) in a previous post (link here), but today I want to look at three of the most common types of BEC attack and how organisations might mitigate against these attacks.


According to the 2021 Business Email Compromise Report by GreatHorn, the three most commonly used business email compromise (BEC) attacks were:


  • 71% spoofed email account or website

  • 69% spear phishing

  • 24% malware


In most cases, an attack may employ all strategies in one. Let’s look further at what each one is.


What is Spoofing?

Spoofing is when a hacker claims to be a known and trusted person. There are a few ways a hacker can trick employees of an organisation into trusting them. First, they can purchase very similar domains and create email addresses from these domains. We have a tendency to glance over things when we are working and you can very easily miss a single letter.


Homograph attacks are one such example of a spoofing attack and they take advantage of the typography in the domain URL bar of your browser. For example, a hacker can purchase g00gle.com or rnicrosoft.com, taking advantage of the way the ‘r’ and ‘n’ together may look like an ‘m’. This simple trick takes advantage of how easily we can miss the minor details.


According to the GreatHorn report, 71% of BEC attacks happen this way and it’s no surprise. I’ve used the example of Google and Microsoft above but realistically employees today are more wary when emails come from big companies like this. Instead, a hacker might take advantage of a known partner or vendor email address and spoof this domain to send an email from an address such as accounts@example.com. Or they could find the CFO’s name on LinkedIn and use his name to spoof an email directly from him.


What is Spear Phishing?

Spear phishing involves targeting particular people or group of people with the aim of getting them to click on a link and follow through to a website which will likely contain malware. It’s very similar to spoofing but often, the hackers target a specific person with much more detail. An email that pretends to be the company CEO and urges someone in accounts to make a payment would be an example of this. The CEO might refer to an actual customer, making it harder for the recipient to see anything suspicious in the email itself.


Attackers often use the tactic of creating urgency which is very successful at putting the recipient off the scent of the trail and worrying too much about the request then whether or not the email is legitimate.


One example could be an email from the IT department urging you to change your passwords because you have been compromised. The link leads to a fake website with a form built to capture your personal details which a hacker can later use to access your work environment.


What is Malware?

Malware is a group term used to describe any computer software designed to harm or exploit a device. Simply put, a malware can be unintentionally downloaded and automatically run to deliver a virus, worm, trojan or ransomware. All can cause sever service disruption and loss of income for a business.


But it all starts with a link. Usually, a link that has been shortened or a link that has been spoofed. Malware can also be hidden in attachments (Word or Excel).


What Do We Do?

I already touched on the larger themes of avoiding a BEC attack in my original post (link again). Here, I will detail some smaller email tactics an organisation can use to avoid attack.


Be cautious of links

All links in emails should be treated with great caution. This should be done by creating a culture of wariness and consistently training and reminding employees of the perils of clicking on a malicious link.


Using digital signatures

Digital signatures (explained more in this blog [link]) can be exchanged between employees within the same company to ensure no one in your company is being spoofed. Your email server will only accept emails from senders with a digital certificate on their computer or device. There are some caveats to this but it is one solution in a myriad.


An additional tool in your tool belt, is the use of a blacklisting feature on your email software solution. With quick reporting and email quarantine features built in, an IT administrator can get reports of suspicious emails and blacklist domains quickly and effectively.


Digital signatures can’t be successful unless both sender and receiver have a digital certificate. To get around this problem, email solutions like PieSecurity include encryption features that can wrap the whole email up and send as an encrypted PDF. With any high value or sensitive communications, companies can learn to make this the norm, so that when emails are sent or received without encryption on them, they will be untrusted.


Email rules

A secure email software solution will come with the ability to build in rules. Rules that automatically treat certain emails as suspicious or rules that block emails from being sent with sensitive information in them or attachments that aren’t encrypted. These rules circumvent employee mistakes and can often force the internalisation of good behaviour.


Phishing tests

Some organisations also create phishing awareness emails. IT teams send “phishing” emails to employees to trick them. At least in the training scenario, the employee and employer are not really compromised but it can highlight problem employees for additional training and encourage others to pay more attention.


Tools like PieSecurity are designed with business email compromise in mind. Learn more about our email hygiene and encryption solutions and how they can protect your business.