Business Email Compromise: What it is, and how to stop it

Business Email Compromise is a damaging form of cybercrime, with the potential to cost a company millions of dollars. Even the most astute can fall victim to one of these sophisticated schemes.

Matt Lundy is Assistant General Counsel at Microsoft, responsible for leading efforts to prevent these crimes. Here, he explains how they work, and how they can be prevented.

What is Business Email Compromise?

It’s a cyberattack that is designed to gain access to critical business information or extract money through email-based fraud.

Cybercriminals send email that appears as though it’s coming from a member of your trusted network – someone in an important position at work, such as your manager, the CFO or the CEO, a business partner, or someone that you otherwise trust. These emails are an attempt to convince you to reveal critical business or financial information, or process a payment request that you would never have done otherwise.

In many cases, this attack can also involve an attempt to compromise your email account through a credential phishing email. Once the account is compromised, the criminals use the unlawful access to obtain information about trusted contacts, exfiltrate sensitive information, attempt to redirect wire payments, or use the account to further support or facilitate more cybercrime.

Why is this such an area of concern?

We’re seeing an increase in the frequency, the complexity and the amount of loss associated with this crime.

The 2019 FBI cybercrime report indicates that losses from Business Email Compromise attacks are approximately $1.7 billion, which accounts for almost half of all losses due to cybercrime.


As more and more business activity goes online, there is an increased opportunity for cybercriminals to target people in BEC attacks and other cybercrime. Their objective is to compromise accounts in order to steal money or other valuable information. As people become aware of existing schemes and they’re no longer as effective, the tactics and techniques used by cybercriminals evolve.

You’re dealing with an adversary that is constantly looking for new ways to victimize people. We’ve moved past the days when phishing attacks were largely bulk-delivered in an indiscriminate way. These actors are engaged in significant research and reconnaissance. They often specifically target corporate officers and other executives in ways that illustrate a level of sophistication and diligence that’s well beyond what was initially seen in early schemes.

Cybercriminals also change their social engineering schemes to reflect current events. For example, we have seen a phishing lure that was designed to take advantage of the COVID-19 pandemic – an email that included purported information about a Covid bonus, which was designed to encourage people to click on a malicious link.

How can you spot it?

The first thing I would encourage people to look at is the urgency of the request in the email.

Very frequently, phishing campaigns will have urgency built into the request and promise dire consequences if you don’t act promptly – something along the lines of “confirm your credentials or your account will be turned off.”

Look at whether the request is atypical for the sender. Is it asking for personal or confidential information over email, a request that you ordinarily don’t receive? Is it asking to change the designated account for receiving wire payments? Any of these out-of-the-ordinary requests should be a red flag for the recipient.


One of the best steps individuals can take to prevent an account compromise is to confirm that the purported sender of the suspicious email actually sent the communication. You can do this by phoning to confirm the email request. It is very important that you have actual confirmation before you change the account where money is being wired or before you provide log-in credentials. Use an alternative form of communication – the phone, or some other means – that is designed to reach the authentic person.

It’s always dangerous to seek confirmation by email, because you may be inadvertently communicating directly with the criminal.

What can you do if you think you have been compromised?

To protect your accounts before any suspicious email arrives, enable two-factor authentication.

If you think you have received a phishing email, and you’re on Microsoft’s platform, you can report that through Office365. Letting Microsoft know about suspicious emails and links is important. Microsoft identifies and provides additional layers of technical protection for customers.

If you believe you’ve been the victim of a compromise, look at your forwarding rules to determine whether there is outbound mail traffic to an unknown account from your account. If so, disable those forwarding rules and change your password.

If you have an administrator on your Office365 account, let that person know you’re experiencing this problem.

If you believe that you are the victim of an unlawful account compromise or related crime – if you have an actual loss of information or money – I encourage you to report those crimes to the Internet Crime Complaint Center in the U.S., or your appropriate law enforcement agency, so that you can assert your rights and potentially recover lost funds.
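The forwarding-rule check described in the answer above, as an added example that is not part of the interview or any Microsoft tool: it flags mailbox rules that forward or redirect to addresses outside the organization. The rule fields (ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage) are assumed to mirror what an Exchange Online inbox rule exposes; the sample rules and domains are constructed.

```python
import re

# Constructed sample rules; field names assumed to follow Exchange Online
# inbox rule properties, values invented for this example.
SAMPLE_RULES = [
    {"Name": "Receipts", "Enabled": True, "ForwardTo": ["ap@example.com"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
    {"Name": ".", "Enabled": True, "ForwardTo": [],
     "RedirectTo": ["Backup [SMTP:finance.backup@mail-example.net]"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True},
    {"Name": "Old rule", "Enabled": False, "ForwardTo": ["x@attacker.example"],
     "RedirectTo": [], "ForwardAsAttachmentTo": [], "DeleteMessage": False},
]

ORG_DOMAINS = {"example.com"}  # assumption: the tenant's own mail domains


def _domain(recipient):
    """Extract the domain from 'user@host' or 'Name [SMTP:user@host]'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", recipient)
    return m.group(1).lower() if m else ""


def find_suspicious_forwarding(rules, org_domains):
    """Return rules that send mail to external addresses, with reasons."""
    findings = []
    for rule in rules:
        targets = (rule.get("ForwardTo", []) + rule.get("RedirectTo", [])
                   + rule.get("ForwardAsAttachmentTo", []))
        external = sorted({t for t in targets
                           if _domain(t) and _domain(t) not in org_domains})
        if not external:
            continue
        reasons = ["forwards or redirects outside the organization"]
        if rule.get("DeleteMessage"):
            reasons.append("deletes the message after forwarding")
        if len(rule.get("Name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        # Disabled rules are reported too: they show a prior compromise.
        findings.append({"name": rule.get("Name"),
                         "enabled": bool(rule.get("Enabled")),
                         "external": external, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_forwarding(SAMPLE_RULES, ORG_DOMAINS):
        print(f)
```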

What is being done to protect Microsoft customers and stop the criminals?

There are significant resources available on – I urge people to review and understand the best ways to protect themselves and their online resources and accounts. You are one of the first lines of defense in protecting your credentials and your personal information.


Microsoft has implemented a range of built-in technical defenses in our products and services, and we will continue to do so as we learn more and more about various crimes and schemes.

These include stopping phishing emails before they even reach your inbox and disabling malicious links. Also included are smart screen browsers that provide warnings concerning malicious websites. These efforts are ongoing, and our security teams continually evolve to adapt to emerging threats.

Finally, the Digital Crimes Unit looks at legal enforcement options to address cybercrime. The DCU is an international team of technical, legal and business experts who use creative techniques and Microsoft technology to take down criminal infrastructure and pursue financially motivated cybercriminals or nation-state actors. We investigate online criminal networks and make criminal referrals to appropriate law enforcement agencies throughout the world. We also take civil actions, such as this one, that seek to disrupt key aspects of the technical infrastructure used by cybercriminals to target our customers.

All of this works together to provide protection for our customers. As cybercriminals evolve, we’re adapting our legal actions, our techniques, and our ability to provide effective protection for our customers.

To further protect yourself against phishing campaigns, including Business Email Compromise, Microsoft recommends you:

Businesses can also take these steps to secure their data and consider solutions like Office ATP for advanced protection against advanced phishing and Business Email Compromise attacks.

For more on cyberthreats and how to counter them, visit Microsoft Security. And follow @MSFTIssues on Twitter.