Pirhana dressed like a lamb

136, more or less, little kingdoms are shown above as a point of comparison – the FBI said there were 21,832 reports of Business Email Compromise in 20222

That’s $2,742,354,049 lost to Business Email Compromise in the US in 2022

That number is eight times the population of the United States. If you stacked that number of dollar bills like a giant deck of cards and laid them horizontally, it would take you more than a day to drive that distance1

In your organization’s defense

Unless you’re aware of the continually evolving cyber-threats, how can you make the most informed decisions about how to protect your organization?

As Bryley partner Barracuda describes them, Business Email Compromise (BEC) attacks are audacious4. The over 2.7-billion-dollar losses suffered via BEC far outstrip the money lost to ransomware – in 2022 there were $34 million dollars in reported ransomware payouts5. And to pull off a BEC attack takes a lot more know-how and investment than ransomware does – Ransomware-as-a-Service can be found cheap – it’s like subscribing to a cloud service – on the dark web. BEC actors are stealthy, manipulative and tend to go big, to make it much harder for employees to suspect them.

There are many variations, but in a typical BEC attack, criminals send an email message using the name of a known source making a plausible request. For example a vendor seems to ask for your credit card information or a bank looks like it’s giving updated instructions on how to wire your payment.

Barracuda cites some recent examples, in one famous case, deepfake audio was used to trick a British CEO into believing his German boss had requested a €220,000 money transfer. In another, a bank manager from the UAE was conned into transferring $35 million at the request of a ‘customer’ … One recently spotted attempt tried to trick a victim organization into transferring $36 million in funds.6

And now the FBI has described a new wrinkle in BEC that goes like this:

  • An organization gets an email that seems to come from a legitimate company with a legitimate-looking request for goods.
  • The sender’s email domain has been spoofed, and the sender’s name may be actual buyers’ names at the company.
  • The criminals provide false credit references and tax forms in order to secure 30- or 60-day credit terms.
  • Once the criminals have received the goods, they disappear leaving the supplier to bill a company that never knew about this request for goods.
  • The victim only realizes they’ve been defrauded days later.

An AI guard, updated protocols and Security Awareness Training

The tools to combat Business Email Compromise are to combine advanced email threat protection, updated policies that reflect the changing cyberattack realities and a commitment to continually update employee Security Awareness Training.

  • Use AI-enabled email security tools that analyze regular email content, patterns and writing styles. This will help discover email activity that deviates from the ordinary. AI-powered email tools, such as Bryley Advanced Email Threat Protection are trained on your employees’ communications. It will accumulate a dataset of characteristics by which to compare legitimate exchanges with communications from attackers. AI has the ability to recognize and alert regarding pattern deviations that people may sometimes miss7.
  • Set up email rules that recognize and notify when reply email addresses are different from the displayed “from” address.
  • Employ intrusion detection software that quickly alerts you when corporate emails are being faked with similar-looking domains.
  • Keep your staff aware and up-to-date on the latest BEC tactics through a regular program of Security Awareness Training.
  • Examine and improve your procedures for wire transfers and high-value sales. For example, directly contact the supplier, CEO, or customer using known contact details to verify the authenticity of a request. Instead of solely relying on the information in an email, use a company directory or search online for alternate contact information.
  • Make it mandatory for individuals to get a superior’s approval or a second set of eyes on the communications before okaying large sales or transfer requests.

Business Email Compromise is a serious issue, but by staying vigilant and well-informed about the latest threats, companies can strengthen their cyber-risk practices to develop organizational fortitude against these major attacks8.

For more information Bryley’s Garin Livingstone and Roy Pacitto spoke at length about BEC in a February Clinton Chamber seminar.

And Bryley is here to advise regarding your situation – since 1987 Bryley has helped organizations deal with cyber-threats. To speak to Roy Pacitto about defending against Business Email Compromise, please complete the form, below, call 978.562.6077 x217 or email RPacitto@Bryley.com.

Connect with a Bryley IT expert about avoiding Business Email Compromise

1 In Tom Scott’s video he drives (on the wrong side of the road! [it’s the UK, but it is unnerving]) for over an hour with an odometer set to register the thickness of a dollar bill https://www.youtube.com/watch?v=8YUWDrLazCg

2 The FBI’s 2022 Internet Crime Report https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf

3 ibid.

4 https://blog.barracuda.com/2023/04/11/new-wave-bec-attacks


6 Barracuda

7 It’s important to be cognizant that like all security technologies, AI is an ever-escalating arms race – good guys against bad guys each trying to outsmart the other.

8 Barracuda