Business Email Compromise. PHOTO: Cybercrime Magazine.

Don’t Get BEC On Your Face

How to avoid business email compromise

Gil Friedrich

New York City, N.Y. – Jun. 21, 2022

The hottest cybercrime out there is Business Email Compromise (BEC). It’s a seemingly simple attack, whereby an executive is spoofed and then asks an underling for an urgent favor, which usually involves money. And yet, it’s such a popular and successful scam that Americans, according to the FBI, lost $2.4 billion to BEC scams in 2021.

Now, the FBI has come out with global numbers. Between Jul. 2019 and Dec. 2021, there was a 65 percent increase in global losses. Beyond that, from Jun. 2016 to Dec. 2021, there was a total global loss of over $43 billion. This amount was pilfered over just 241,206 incidents. And this number is probably an undercount, as not all incidents are reported.

This is a global crime with global consequences. It requires a new way of thinking about security. Here are some of them:

Internal Context

The most important part of stopping BEC attacks is internal context. What does this mean? It means that the security solution has an understanding of the context of conversational relationships within an organization. If a solution monitors only inbound email, when they see an email from the “CEO” to the “CFO,” it will be the very first time it has seen such a conversation. For an email solution that is deployed inside the cloud email server, it will see thousands of similar real, internal conversations. From there, the solution can understand if this is a typical conversation or not. Within hours of the first deployment, the email security solution should have its AI scan a year’s worth of email conversations to build a reputation network, the type of internal context that alerts the AI to something suspicious.


Cybercrime TV: Gil Friedrich, Founder & CEO at Avanan

Protecting Office 365 inboxes from phishing attacks


Artificial Intelligence

For AI to work effectively, it needs to be trained on the best data set. For email security, it must be embedded within the cloud suite via API. Once embedded, the data set of cloud email security solutions is much richer. By being embedded, the solution can understand who the people being emailed are, the social graph, internal email, geo-suspicious login events, and more. Beyond that, training the AI on the specific tenant, as opposed to a one-size-fits-all solution, is critical.

Account Takeover Protection

With a BEC attack, sometimes the executive is spoofed and the sender address is different than the actual one. But other times, the account can be fully taken over. In that case, full-throttled account takeover protection is needed. With an anomalies engine, the security solution can determine whenever there is a foreign login. This can notify admins or send notifications to SIEMs/orchestration systems to disable an account until an MFA and/or password reset is made. Beyond that, an event analysis algorithm identifies behavior that can be a sign of account takeover. This involves a historical scan that monitors over 100 event indicators and correlates them to identify previously compromised accounts.

Full-Suite Security

Threat researchers have dubbed certain Teams attacks as the new business email compromise. Why? Because the same principles for BEC apply to chat applications. In fact, the FBI report on BECs notes that there’s been an increase in using such apps for these schemes. As they write: “They do so by compromising an employer or financial director’s email, such as a CEO or CFO, which would then be used to request employees to participate in virtual meeting platforms. In those meetings, the fraudster would insert a still picture of the CEO with no audio, or a ‘deep fake’ audio through which fraudsters, acting as business executives, would then claim their audio/video was not working properly. The fraudsters would then use the virtual meeting platforms to directly instruct employees to initiate wire transfers or use the executives’ compromised email to provide wiring instructions.”

If someone is duped into sharing a spreadsheet over Teams with sensitive info (e.g., credit card numbers, SSNs, etc.), being able to stop that traffic is essential. Further, a Teams anomaly engine should monitor all logins and events for suspicious activity.

Full Integration with Azure Active Directory/Google Directory

Typically, IT admins have to manually update the active directory integration whenever there are job changes, employee turnover and more.

A better way is to automatically integrate, constantly updating employee names, email and job titles. Because of a complete AI integration, your security should know your employees by name — even nickname — and role, so that it can identify when messages are attempting to impersonate someone real.

It should also use the hundreds of thousands of data points it collects to undergo impersonation analysis, scanning the sender and message content for impersonation. The algorithm looks for user impersonation, and whether a single sender exists in the organization with a different address. You can do that by cross-referencing several fields, such as sender and signature.

BEC can be devastating. But it doesn’t have to be that way. With some easy-to-implement policies, such as internal context, strong AI, full-suite security, account takeover protection and automatic active directory integration, these attacks don’t have to cause your business harm.

Start a Demo to Experience the Power and Simplicity of Avanan

Avanan Archives

Gil Friedrich is co-founder and CEO at Avanan.


About Avanan 

Avanan is a cloud email security platform that pioneered and patented a new approach to prevent sophisticated attacks. We use APIs to scan for phishing, malware, and data leakage in the line of communications traffic. This means we catch threats missed by Microsoft while adding a transparent layer of security for the entire suite and other collaboration tools like Slack.

Avanan catches the advanced attacks that evade default and advanced security tools. Its invisible, multi-layer security enables full-suite protection for cloud collaboration solutions such as Office 365™, G-Suite™, and Slack™.  The platform deploys in one click via API to prevent Business Email Compromise and block phishing, malware, data leakage, account takeover, and shadow IT across the enterprise. Avanan replaces the need for multiple tools to secure the entire cloud collaboration suite, with a patented solution that goes far beyond any other Cloud Email Security Supplement.



Send this to a friend