2. Facts
WHAT IS BEC
Business Email Compromise (BEC) is a sophisticated
multi-layered cyberattack targeting senior figures within
business enterprises. In the simplest terms, BEC involves an
attacker impersonating an authority figure or vendor and sending
emails that solicit fraudulent payments. It is one of the most
cost-effective methods for cybercriminals, allowing them to easily
contact employees internally and retrieve funds.
3. How to spot it
1) An employee receives an email from a C-suite executive or
reputable vendor or supplier.
2) The email appears to be legitimate because the address is very
similar to the usual sender address.
3) The email copy contains an element of urgency or secrecy.
4) The amount requested is not too dissimilar to what the department
is used to processing, so suspicion is low.
5) Employees are referenced or cc'd in an attempt to further
appear legitimate.
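As an added example (not part of the original slides), the two indicators that can be checked mechanically, a sender address that is nearly but not exactly a usual one and urgency or secrecy wording, can be flagged like this. The trusted domains, the word list, the distance threshold and the sample messages are all assumptions made for the illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed for this example: usual sender domains and a short urgency/secrecy word list.
TRUSTED_DOMAINS = ("example-corp.com", "acme-supplies.com")
PRESSURE = re.compile(r"\b(urgent|immediately|today|confidential|secret)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, max_distance=2):
    """Return the trusted domain that `domain` imitates, else None."""
    if domain in TRUSTED_DOMAINS:
        return None  # exact match is the genuine sender domain
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= max_distance:
            return trusted
    return None

def bec_indicators(raw_email):
    """Report which of the two indicators a raw RFC 5322 message shows."""
    msg = message_from_string(raw_email)
    findings = []
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"lookalike sender: {domain} imitates {imitated}")
    body = "" if msg.is_multipart() else msg.get_payload()
    terms = {t.lower() for t in PRESSURE.findall(f"{msg.get('Subject', '')}\n{body}")}
    if terms:
        findings.append("urgency/secrecy wording: " + ", ".join(sorted(terms)))
    return findings

# Constructed sample messages (not real mail).
SPOOFED = ("From: Jane Doe <jane.doe@examp1e-corp.com>\nSubject: Urgent wire transfer\n\n"
           "Please process this payment today and keep it confidential.\n")
GENUINE = ("From: Jane Doe <jane.doe@example-corp.com>\nSubject: Q3 invoice schedule\n\n"
           "Attached is the schedule we discussed on Monday.\n")

if __name__ == "__main__":
    for name, raw in (("SPOOFED", SPOOFED), ("GENUINE", GENUINE)):
        print(name, bec_indicators(raw))
```

A fixed edit-distance threshold will also flag unrelated short domains that happen to be close to a trusted one, so a hit is a reason to verify the request through a separate channel rather than proof of fraud.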
4. Figures
BEC has cost businesses $12.5 billion since January 2017
www.ic3.gov/media/2018/180712.aspx
Reported in 150 countries
https://www.ic3.gov/media/2018/180712.aspx
Asian banks, mainly in China and Hong Kong, remain the
primary location for fraudulent funds
www.teiss.co.uk/threats/bec-attacks-business-cost/
9,708 attempts at implementing a BEC scam
www.statista.com/statistics/820912/number-of-attempts-of-bec-scams-ceo-fraud/
Financial organisations are the most commonly attacked
5. Case studies
PATHE
One example of a recent BEC scam involves Pathé, a leading independent
film group in France. The attack, which caused a loss of $22 million in 2018,
convinced Pathé’s CFO and CEO to send funds to a
French subsidiary.
Several emails impersonating CEO Marc Lacan were sent requesting
funds. Both the CEO and CFO commented on how suspicious it was but did not realise
the full extent of the breach. It wasn’t until it was highlighted by their
head office that the CEO and CFO realised they had been victims of a BEC
scam.
www.forbes.com/sites/martijngrooten/2018/11/12/cinema-chain-sees-bad-movie-script-play-out-as-it-loses-millions-in-email-scam/#6fb246326af9
6. Case studies
Back in 2015 an unidentified American company was defrauded out of
nearly $100m by individuals who succeeded in posing as one of their
legitimate vendors. Almost $74m was recovered and returned to the
company.
www.reuters.com/article/us-cyber-fraud/american-company-lost-100-million-to-email-fraud-u-s-says-idUSKCN0XB2US
7. Case studies
ST. AMBROSE CATHOLIC PARISH
It’s not just large organisations that are
targeted. In early 2019, hackers managed
to steal $1.75m from St. Ambrose Catholic
Parish in Brunswick. By accessing two
employee emails, they tricked employees
into sending the money to a construction
firm that they had been working with to
repair the church.
www.cleveland.com/crime/2019/04/email-hackers-steal-175-million-from-st-ambrose-catholic-parish-in-brunswick.html
8. How can we help you?
With the growing threat of BEC, you can do more to make sure your
business is always protected. Start by defending your organisation
against future threats and social engineering techniques with
Barracuda Sentinel.
www.barracuda.com/products/sentinel