Business email compromise is the second most expensive cybercrime — expert explains how hackers impersonate bosses and what companies can do to protect themselves
According to the FBI Internet Crime Report, business email compromise was the second most expensive cybercrime by losses experienced, amounting to over $2.7 billion. It’s a type of social engineering scam that exploits employees’ trust by impersonating other colleagues in the organization, with the intention of obtaining credentials or sensitive data, initiating wire transfers, or infiltrating the network.
Vakaris Noreika, a cybersecurity expert at NordStellar, a threat management platform, tells Digital Journal that business email compromise is not only highly effective but also harder to detect. Additionally, because these scams are so personalized, even the most cyber-aware employees can fall victim.
Cybercriminals are constantly searching for more effective attack methods. While cyber-aware employees can spot the red flags in basic, prize-promising email scams, most won’t think twice about clicking on a link sent by their boss. Noreika explains how hackers exploit employee trust in their colleagues to infiltrate business networks and inflict multi-million-dollar damage.
Business email compromise is a sophisticated social engineering attack meant to deceive victims by impersonating trusted individuals — their colleagues. Unlike traditional phishing scams, these attacks are highly targeted and personalized, relying on broader research about the company, its employees, and even conversations within the organization.
Noreika explains that business email compromise attacks are financially devastating because they provide a direct entry point to infiltrate a company’s network by targeting employees.
“From a technical standpoint, business email compromise is a very effective attack because it doesn’t require the use of malware, which makes these attacks easier to deploy and lets them go undetected by standard cybersecurity tools,” says Noreika. “They’re a more sophisticated version of common phishing scams. However, the reason for their efficiency lies in the target — a single compromised account is enough for cybercriminals to access internal networks or gather more information and prepare to strike when the opportunity arises.”
How do they work?
According to Noreika, cybercriminals typically carry out business email compromise attacks using data available online: they research the company, its departments, and its employees using platforms like LinkedIn. Afterward, they create look-alike domains to impersonate authority figures in the company, such as managers, and craft convincing emails asking for credentials, sensitive data, or wire transfers.
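A defensive check for the two impersonation tricks described above (look-alike domains and a manager’s display name on an external address), written as an added example rather than NordStellar’s code or anything from the original article; the organisation domain, executive names, confusable table and sample From headers are all constructed for illustration:

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed data: the protected organisation and the authority figures
# whose names an attacker would most likely borrow for a BEC message.
ORG_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe", "john smith"}

# Assumed table of character swaps commonly used in look-alike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
               ("3", "e"), ("5", "s"), ("7", "t")]

def normalise_label(label: str) -> str:
    """Fold a domain label to plain ASCII and undo common homoglyph swaps."""
    # Non-Latin homoglyphs (e.g. Cyrillic letters) are dropped here, which
    # still leaves the label within a couple of edits of the real one.
    plain = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode().lower()
    for bad, good in CONFUSABLES:
        plain = plain.replace(bad, good)
    return plain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_sender(from_header: str) -> list[str]:
    """Return the reasons a From header looks like BEC impersonation (empty = none)."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if not domain or domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return []  # genuine internal mail; DMARC alignment covers spoofing of our own domain
    reasons = []
    label, _, tld = domain.partition(".")
    org_label, _, org_tld = ORG_DOMAIN.partition(".")
    norm = normalise_label(label)
    if norm == org_label and tld != org_tld:
        reasons.append(f"look-alike domain {domain}: same name as {ORG_DOMAIN}, different TLD")
    elif edit_distance(norm, org_label) <= 2:  # threshold assumes a reasonably long org label
        reasons.append(f"look-alike domain {domain}: within 2 edits of {ORG_DOMAIN}")
    name = re.sub(r"[^a-z ]", "", display.lower()).strip()
    if name in EXECUTIVES:
        reasons.append(f"display name '{display}' matches an executive but sender is external")
    return reasons

SAMPLE_FROM_HEADERS = [  # constructed examples, not real messages
    '"Jane Doe" <jane.doe@example-corp.com>',            # genuine internal mail
    '"Jane Doe" <jane.doe@example-corp.co>',             # wrong TLD plus executive name
    '"Finance" <ap@exarnple-corp.com>',                  # "rn" standing in for "m"
    '"John Smith" <john.smith@gmail.example>',           # executive name, outside domain
    '"Vendor Support" <support@acme-supplies.example>',  # ordinary external sender
]
```

Running `assess_sender` over each sample header flags the second, third and fourth entries and leaves the genuine internal mail and the ordinary vendor untouched.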
He states: “Attacks that utilize data available online are more standard, resembling basic social engineering scams. However, since they’re targeting companies — not individuals — they usually carry the potential of more significant monetary gain for cybercriminals. Even without gaining access to the network, hackers can trick employees into transferring company funds to their controlled accounts, get their hands on confidential data that they can sell to competitors or publish on the dark web, or gather sensitive personal information on employees or clients, resulting in a data leak.”
Noreika explains that in more advanced cases, cybercriminals utilize the dark web to search for previously leaked employee credentials and use them to access business accounts. Once they have access, they monitor daily conversations, gather more context, and wait for the right time to strike — once the stakes are high or the target is more likely to fall for their scam.
He adds: “If they manage to infiltrate an account to collect intelligence, hackers could be waiting for the perfect opportunity to request a wire transfer by impersonating a vendor or redirect employee salary payments. However, business email compromises are often a gateway to deploy more damaging attacks,” explains Noreika. “Once inside the network, cybercriminals can facilitate a ransomware attack, spread malware to employees, clients, and partners, and deploy supply chain attacks.”
Prevention and defence
Noreika emphasizes that the first step companies should take to safeguard against business email compromise attacks is to build a comprehensive security strategy and raise employee cybersecurity awareness.
“Even the most cyber-aware user can fall victim to business email compromise attacks because they exploit the added layer of trust that comes with impersonating a person of authority in the organization. As a result, businesses should educate their employees on this specific type of attack — what constitutes suspicious activity and how to adopt a better-safe-than-sorry approach,” says Noreika.
“Reinforcing policy and procedures requiring written documentation and dual approvals where sensitive data or wire transfers are involved also helps to reduce the possibility of employees falling victim to scams.”
Noreika advises companies to monitor the dark web for potential employee data leaks to prevent cybercriminals from infiltrating the network using leaked or stolen credentials. He explains that adopting a proactive approach enables companies to receive an early warning and deploy swifter mitigation measures.
“The quicker security teams can spot a cybersecurity incident, the less damage it can cause. Once the organization is aware of any leaked credentials associated with its employees, it can take appropriate actions, such as preparing for a potential data breach and informing the affected users to stay on high alert,” concludes Noreika.
