In the span of a single year, three very different companies became the targets of Business Email Compromise (BEC), an increasingly prevalent type of cyber-attack that is projected to cause over $9 billion in damage in 2018.

One of these companies, San Jose-based maker of networking technology Ubiquiti, disclosed in a quarterly financial report that cyber thieves stole $46.7 million from the company. The Scoular Company, an employee-owned commodities trader that has been in business for over 125 years, lost $17.2 million. Finally, a mid-sized manufacturing company in northeast Ohio would have lost $315,000 had it not been for some quick thinking and a delay with a wire transfer.

These three companies were, by far, not the only targets of BEC that year. According to the statistics published by the Internet Crime Complaint Center (IC3), there were approximately 40,000 BEC incidents between October 2013 and December 2016. In Tennessee alone, there were 161 reported BEC cases in 2016, and I’m sure many more that went unreported. “The BEC/EAC scam continues to grow, evolve, and target small, medium, and large businesses. Between January 2015 and December 2016, there was a 2,370-percent increase in identified exposed losses,” reported the IC3.

In the recently released 2018 Verizon Protected Health Information Data Breach Report, we see data breaches affecting small and large healthcare organizations with equal frequency. “When the victim organization size is known, we have a 53 percent/47 percent breakout between large (over 1,000 employees) and small (1,000 or fewer employees) businesses. The result when looking solely at organizations in the healthcare industry is an almost exact 50/50 split between the two. It isn’t just large, complex organizations that are vulnerable to data breaches. Small organizations such as doctor-owned clinics are also disclosing losses of PHI.”

What Is BEC?

BEC is a sophisticated scam that can be seen as an evolution of phishing, a social engineering attack that relies on deceptive emails, websites, and sometimes even phone calls. Unlike traditional phishing attacks, which target a large number of users at once, BEC attacks are highly focused, typically targeting only a single individual. They are very difficult to recognize, and they often rely on a combination of social engineering and malware.

Most BEC attacks target companies that often perform wire transfer payments to foreign suppliers. An email is sent to someone working at the company from a compromised or spoofed corporate email address belonging to the CEO or someone else who is authorized to make financial decisions. Posing as the owner of that address, the attackers then ask the victim to send money to an international bank account.

Despite their seeming simplicity, BEC attacks work because they are preceded by time-consuming and in-depth reconnaissance. The attackers gather all available general information about the company they want to target, collect the names and titles of the employees, learn how the company is structured, register lookalike domain names, and sometimes even infect the company’s network with malware to capture login credentials and other sensitive information.

Because of the highly targeted nature of BEC attacks, they yield significantly greater net profit compared to ransomware scams, which demand payment from the victim to restore access to the victim’s data.

Protect Your Organization Against BEC

  • Continual Security Awareness Training

Effective protection against BEC attacks should start with employee training to improve security awareness. It is a known fact that 95 percent of all security breaches are caused by human error, which is why companies should treat employee training as a foundational activity and not as something optional. This is not an area to address once per year; rather, the security awareness training program should have elements that reach employees on at least a monthly basis.

  • Change Employee Behavior

Employees should be taught to be wary of unexpected emails sent by high-level executives, and they should be encouraged to get a secondary verification of any suspicious request by calling the sender on the phone or asking in person.

  • Establish Law Enforcement Relationships

Key employees should be establishing relationships with law enforcement ahead of dealing with any sort of breach. The FBI, U.S. Secret Service, and DHS all have community outreach programs with a mission to be involved in a public/private partnership to help reduce breach impact and share best practices. An easy way to connect with your local FBI office is to join InfraGard. Having a relationship with law enforcement before a breach occurs provides your organization pre-established resources in the midst of crisis.

  • Practice Your Incident Response Plan (IRP)

Does everyone in your organization know what to do when a breach occurs?  What are the roles to play and who plays those roles?  If you don’t have an Incident Response Plan, or if your IRP was written 5 years ago and is never tested, that can be a recipe for disaster (pun intended). Make sure the key players in your company have walked through a data breach exercise and know their part to play in responding.

  • Two-factor Authentication

All email platforms should have two-factor authentication (2FA) enforced for access. 2FA requires employees to provide a piece of information in addition to a username and password in order to access a system or its data. With 2FA enforced, BEC actors who attempt to use the victim organization's email system in their exploitation will be thwarted, since they don't have that third piece of information. Even with 2FA, BEC threats still exist: not all bad actors attempt to leverage their victim's email system; some just use a trusted third party of the victim or a lookalike domain.
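Because a lookalike domain or a borrowed executive name bypasses 2FA entirely, inbound mail can also be screened on its From header. The following is an added example, not part of the original article: the protected domain `example.com`, the executive name and the sample senders are constructed, and the function names are hypothetical.

```python
from email.utils import parseaddr

# Constructed assumptions: the protected domain and the executive display names.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"pat morgan"}

# Visual substitutions commonly seen in lookalike domains (fake -> real).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def skeleton(domain: str) -> str:
    """Collapse visually confusable sequences to one canonical form."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str) -> str:
    """Return 'internal', 'lookalike-domain', 'display-name-spoof' or 'external'."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if domain == ORG_DOMAIN:
        # An exact-domain forgery is not caught here; SPF/DKIM/DMARC cover that case.
        return "internal"
    if skeleton(domain) == skeleton(ORG_DOMAIN) or edit_distance(domain, ORG_DOMAIN) <= 2:
        return "lookalike-domain"
    if name.strip().lower() in EXECUTIVES:
        return "display-name-spoof"
    return "external"
```

Messages classified as `lookalike-domain` or `display-name-spoof` are candidates for quarantine or an external-sender banner before they reach someone who can approve a wire transfer.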

  • Better Email Security

Lastly, every organization should implement an email security gateway, which protects small to large businesses against BEC through a dynamic impostor email classifier. This gateway will also protect against other email-borne threats. In addition to a best-of-breed email gateway, the implementation of SPF, DKIM and DMARC records for your email domain will further reduce the risk of being the victim of a data breach stemming from email.


Don Baham, CISSP, CISA, MCSE, is president of Kraft Technology Group, an affiliate of KraftCPAs. For more information on how KTG protects organizations against BEC attacks and other cyber threats, click here, and for information on KTG’s full line of services, go online to