{"id":23209,"date":"2025-07-03T10:53:37","date_gmt":"2025-07-03T09:53:37","guid":{"rendered":"https:\/\/rosoft.si\/?p=23209"},"modified":"2025-07-03T10:53:59","modified_gmt":"2025-07-03T09:53:59","slug":"abuses-of-business-email-bec-business-email-compromise","status":"publish","type":"post","link":"https:\/\/rosoft.si\/en\/abuses-of-business-email-bec-business-email-compromise\/","title":{"rendered":"Abuses of Business Email (BEC – Business Email Compromise)"},"content":{"rendered":"
\n\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Abuses of Business Email<\/b><\/span><\/h2>\n

Online attacks with <\/span>fake data (in the context of email abuse) have become a significant problem, <\/span>affecting both individuals and organizations. Cyber attackers exploit these <\/span>attacks to impersonate trusted sources, convincing victims to disclose <\/span>sensitive information or fall for malicious schemes. Recently, there has been <\/span>an increase in breaches of corporate email systems, infiltrating business <\/span>communications and directly causing financial harm to companies that fall <\/span>victim to such abuses.<\/span><\/p>\n

Example of infiltrating business communication (BEC – Business Email Compromise)<\/b><\/span><\/p>\n

At a crucial moment <\/span>during a sale, cyber attackers infiltrate the communication between the seller <\/span>and buyer, redirecting the payment of funds to their own accounts. By the time <\/span>companies notice the irregularity, it is often too late. Companies dealing with <\/span>international transactions in large amounts are especially vulnerable. <\/span>Attackers can easily obtain company data from publicly available records. <\/span>Cyber attackers breach corporate email systems, allowing them to monitor email <\/span>communication with clients. Once they gather enough critical information about<\/span>
business processes, they can actively interfere in communication at the right <\/span>moment, sending the customer a fake message regarding a change in the <\/span>transaction account. This redirects payments for invoices and other expenses to <\/span>their fake bank accounts. By the time companies realize something is wrong, <\/span>substantial damage has already been done, ranging from a few thousand to tens <\/span>of thousands of EUR.<\/span><\/p>\n

The Process of acquiring company data and Email addresses<\/b><\/span><\/p>\n

The goal of cyber <\/span>attackers (hackers) is to gain insight into a company’s communication, which <\/span>they can achieve in various ways. They might breach the control panel of an <\/span>email service provider and redirect email forwarding to their own address, from <\/span>which they can discreetly monitor the company’s communication. They may even <\/span>infect the computer of one of the employees. They can also obtain email access <\/span>credentials through a targeted phishing attack. Regular phishing attacks are <\/span>sent to many addresses and are typically filtered into spam by email servers. <\/span>In contrast, targeted attacks are much more sophisticated: the attacker sends a <\/span>personalized message to a chosen victim, bypassing email filters and appearing <\/span>more trustworthy. As a result, such attacks are more \u201csuccessful\u201d in practice. <\/span>In regular phishing emails, victims are told they must re-enter their email <\/span>credentials, otherwise, they will lose access to their inbox. Although the <\/span>reasons are fictitious and impossible even theoretically, the threat alone is <\/span>often enough to convince users to enter their login details on a fake phishing<\/span>
site. In the case of targeted attacks, the attacker’s message is tailored <\/span>specifically to the recipient, and because the content of the message relates <\/span>to the recipient\u2019s activities, it is much more likely that the recipient will<\/span>
fall for it.<\/span><\/p>\n

Sending fake Emails with fake information (Business Email Abuse or BEC attack)<\/b><\/span><\/p>\n

Once attackers gain <\/span>access to a company\u2019s email, they set up email forwarding to their own email <\/span>address, which they have created with a free provider (such as Gmail or <\/span>Hotmail). They then monitor the entire communication for a while to determine <\/span>how business transactions and payments are conducted, and to identify the <\/span>largest clients or those with the most transactions. At a crucial moment, such <\/span>as just before the payment of a large invoice, they actively intervene in the <\/span>communication. They register an email address using the name and surname of an <\/span>employee in the company (for example, name.surname@company.com becomes <\/span>name.surname@gmail.com). <\/span>They then send the victim an email with fake account details for the payment. <\/span>The funds are redirected to the attackers’ accounts, and communication with the <\/span>client is also redirected to their email. Since users usually do not pay <\/span>attention to the sender’s email address, the victim rarely notices the change. <\/span>The attackers provide various reasons for the change in bank account details, <\/span>such as difficulties with their bank, faster payment processing if the payment <\/span>is made to an account in a nearby country, or the use of an intermediary <\/span>account. In most known cases, the bank accounts involved belong to individuals,<\/span>
often referred to as \u201cmoney mules,\u201d who immediately withdraw the transferred <\/span>funds and send them further via another channel, typically using services like <\/span>Western Union. This method quickly obscures the trace of the money.<\/span><\/p>\n

Analysis of a business Email abuse attack, step-by-step<\/b><\/span><\/p>\n

How does the breach occur in Email communication?<\/u><\/span>
Attackers may breach the control panel of the email service provider and <\/span>redirect emails to their own address, infect the computer of an employee, or <\/span>obtain the email password via a targeted phishing attack.<\/span><\/p>\n

What is a targeted phishing attack?<\/u><\/span>
Targeted attacks, unlike regular ones, are much more sophisticated: the <\/span>attacker\u2019s message is carefully prepared and tailored for a specific recipient, <\/span>which helps it bypass email filters and appear more credible. As a result, such<\/span>
an attack is more “successful.”<\/span><\/p>\n

How does the financial harm occur?<\/u><\/span>
The responsible person (e.g., accounting) receives a message in the employee\u2019s <\/span>name with information about a changed bank account for the payment. Funds are <\/span>then redirected to the attackers’ accounts, and email communication with the <\/span>client is redirected to their accounts as well.<\/span><\/p>\n

Who owns these bank accounts?<\/u><\/span>
In all examined cases, the bank accounts belonged to individuals, known as <\/span>“money mules,” who immediately withdrew the funds upon receipt and <\/span>transferred them via another method, usually through services like Western<\/span>
Union, to the criminals. This quickly obscures the trace of the money.<\/span><\/p>\n

Why is the trail of money lost?<\/u><\/span>
To assist with withdrawing and transferring funds of suspicious origin, <\/span>criminals use physical individuals \u2013 intermediaries, also known as \u201cmoney <\/span>mules.\u201d Once the victim is defrauded and the amount is transferred to the<\/span>
individual\u2019s personal account, the individual uses transfer services (such as <\/span>Western Union) to send the money further, which makes tracing the funds almost <\/span>impossible.<\/span><\/p>\n


<\/span><\/p>\n

\n<\/p>

Preventive Measures – what can you do<\/b><\/span><\/p>\n

If you do business <\/span>internationally, be especially cautious of any sudden deviations from <\/span>established practices. Verify any changes in sensitive data, especially those <\/span>related to money transfers, through multiple channels, including phone calls <\/span>and online communication tools.<\/span><\/p>\n

Check the email <\/span>addresses of your business partners. Some email programs only display the name <\/span>of the sender, which anyone can alter. However, by hovering over the name, you <\/span>can see the full email address. Is it possibly altered? Pay attention to the <\/span>domain part of the sender\u2019s address (the part after the \u201c@\u201d symbol). Does the <\/span>address change from name.surname@company.com to name.surname@gmail.com?<\/span><\/p>\n

Regularly check your <\/span>email settings to see if your messages are being forwarded to an unknown email<\/span>
address. In Gmail, you can find this under “Filters” and <\/span>“Forwarding” in settings. If you’re using another email provider, <\/span>check their documentation for where to find these settings. If you notice any <\/span>suspicious forwarding, act immediately.<\/span><\/p>\n

If your email provider <\/span>allows you to view the IP addresses from which your inbox has been accessed, <\/span>regularly check this data. It is possible to determine the email provider\u2019s <\/span>location and, in some cases, the approximate physical location. In the case of <\/span>a criminal investigation, the exact IP address and timestamp can help identify<\/span>
the user behind the access.<\/span><\/p>\n

Do not ignore any <\/span>suspicious activity notifications from your email provider. Each such <\/span>notification needs to be analyzed, and you should investigate the cause of the <\/span>issue (but be careful not to confuse these with fake phishing emails that look <\/span>like official messages from your provider).<\/span><\/p>\n

What is your company\u2019s <\/span>password policy? Use complex passwords and ensure that no password is shared <\/span>between users. Be especially cautious with the password for accessing your <\/span>company\u2019s email system\u2019s control panel. The theft of a single password can <\/span>compromise access to all company email accounts. Therefore, enable two-factor <\/span>authentication (2FA) for the email system if your provider offers it.<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>","protected":false},"excerpt":{"rendered":"

Abuses of Business Email Online attacks with fake data (in the context of email abuse) have become a significant problem, affecting both individuals and organizations. Cyber attackers exploit these attacks to impersonate trusted sources, convincing victims to disclose sensitive information or fall for malicious schemes. Recently, there has been an increase in breaches of corporate email systems, infiltrating…<\/p>","protected":false},"author":1,"featured_media":23192,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[19,18],"tags":[],"class_list":["post-23209","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-novice_1","category-digital-technology"],"rttpg_featured_image_url":{"full":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025.jpg",1600,1095,false],"landscape":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025.jpg",1600,1095,false],"portraits":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025.jpg",1600,1095,false],"thumbnail":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-150x150.jpg",150,150,true],"medium":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-300x205.jpg",300,205,true],"large":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-1024x701.jpg",640,438,true],"rsaddon-team-round-style":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-500x500.jpg",500,500,true],"1536x1536":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-1536x1051.jpg",1536,1051,true],"2048x2048":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025.jpg",1600,1095,false],"trp-custom-language-flag":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-18x12.jpg",18,12,true],"braintech_portfolio-slider":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-520x640.jpg",520,640,true],"braintech_portfolio-full-slider":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-1400x650.jpg",1400,650,true],"braintech_portfolios-slider":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-1000x1000.jpg",1000,1000,true],"braintech_blog-slider":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-365x243.jpg",365,243,true],"braintech_blog_long_height":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-365x480.jpg",365,480,true],"braintech_latest_blog_small":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-255x157.jpg",255,157,true],"braintech_latest_blog_medium":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-340x270.jpg",340,270,true],"braintech_image_slider_big":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-860x450.jpg",860,450,true],"braintech_blog-footer":["https:\/\/rosoft.si\/wp-content\/uploads\/BEC-2025-80x68.jpg",80,68,true]},"rttpg_author":{"display_name":"admin","author_link":"https:\/\/rosoft.si\/en\/author\/rosoft_admin\/"},"rttpg_comment":0,"rttpg_category":"Novice<\/a> Digitalne tehnologije<\/a>","rttpg_excerpt":"Abuses of Business Email Online attacks with fake data (in the context of email abuse) have become a significant problem, affecting both individuals and organizations. Cyber attackers exploit these attacks to impersonate trusted sources, convincing victims to disclose sensitive information or fall for malicious schemes. Recently, there has been an increase in breaches of corporate email systems, infiltrating...","_links":{"self":[{"href":"https:\/\/rosoft.si\/en\/wp-json\/wp\/v2\/posts\/23209","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rosoft.si\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rosoft.si\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rosoft.si\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rosoft.si\/en\/wp-json\/wp\/v2\/comments?post=23209"}],"version-history":[{"count":8,"href":"https:\/\/rosoft.si\/en\/wp-json\/wp\/v2\/posts\/23209\/revisions"}],"predecessor-version":[{"id":23217,"href":"https:\/\/rosoft.si\/en\/wp-json\/wp\/v2\/posts\/23209\/revisions\/23217"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rosoft.si\/en\/wp-json\/wp\/v2\/media\/23192"}],"wp:attachment":[{"href":"https:\/\/rosoft.si\/en\/wp-json\/wp\/v2\/media?parent=23209"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rosoft.si\/en\/wp-json\/wp\/v2\/categories?post=23209"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rosoft.si\/en\/wp-json\/wp\/v2\/tags?post=23209"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}