- 3 July 2025
- admin
Abuses of Business Email
Online attacks that rely on falsified information, here in the form of email abuse, have become a significant problem for individuals and organizations alike. Attackers use them to impersonate trusted sources and convince victims to disclose sensitive information or act on fraudulent instructions. Recently there has been an increase in breaches of corporate email systems, in which attackers infiltrate business communications and cause direct financial harm to the companies that fall victim.
Example of infiltrating business communication (BEC – Business Email Compromise)
At a crucial moment during a sale, attackers insert themselves into the communication between seller and buyer and redirect the payment to accounts they control. By the time the companies notice the irregularity, it is often too late. Companies that handle large international transactions are especially exposed, and attackers can easily gather company details from publicly available records. Having broken into the corporate email system, they monitor the email exchange with clients; once they know enough about the business processes, they intervene at the right moment and send the customer a fake message announcing a change of the account for the transaction. Payments for invoices and other expenses are thus redirected to the attackers' bank accounts. By the time the companies realize something is wrong, substantial damage has already been done, ranging from a few thousand to tens of thousands of EUR.
The process of acquiring company data and email addresses
The goal of the attackers is to gain insight into a company's communication, which they can achieve in several ways. They might break into the control panel of the email service provider and set up forwarding to their own address, from which they can discreetly monitor the company's mail. They may infect the computer of one of the employees. They can also obtain email credentials through a targeted phishing attack. Regular phishing is sent to many addresses and is typically filtered into spam by email servers; targeted attacks are far more sophisticated, since the attacker sends a personalized message to a chosen victim, which bypasses email filters and appears more trustworthy, so such attacks are more "successful" in practice. In regular phishing emails, victims are told they must re-enter their email credentials or lose access to their inbox. Although the stated reasons are fabricated and make no technical sense, the threat alone is often enough to persuade users to enter their login details on a fake phishing site. In a targeted attack the message is tailored to the recipient, and because its content relates to the recipient's own activities, the recipient is much more likely to fall for it.
Sending fake emails with false information (Business Email Abuse or BEC attack)
Once attackers gain access to a company's email, they set up forwarding to an address of their own at a free provider (such as Gmail or Hotmail). They then monitor the entire communication for a while to learn how business transactions and payments are handled and to identify the largest clients, or those with the most transactions. At a crucial moment, such as just before a large invoice is due, they actively intervene. They register an email address using the name and surname of a company employee (for example, name.surname@company.com becomes name.surname@gmail.com) and send the victim an email with fake account details for the payment. The funds are redirected to the attackers' accounts, and the client's further correspondence is redirected to their mailbox as well. Since users rarely look at the sender's actual email address, the victim seldom notices the change. The attackers offer various reasons for the new bank details, such as difficulties with their bank, faster processing if payment is made to an account in a nearby country, or the use of an intermediary account. In most known cases the bank accounts involved belong to individuals, often referred to as "money mules," who immediately withdraw the transferred funds and send them onward through another channel, typically a service such as Western Union. This quickly obscures the trail of the money.
Analysis of a business email abuse attack, step by step
How does the breach of email communication occur?
Attackers may breach the control panel of the email service provider and redirect emails to their own address, infect the computer of an employee, or obtain the email password via a targeted phishing attack.
What is a targeted phishing attack?
Targeted attacks, unlike regular ones, are much more sophisticated: the attacker's message is carefully prepared and tailored for a specific recipient, which helps it bypass email filters and appear more credible. As a result, such an attack is more "successful."
How does the financial harm occur?
The responsible person (e.g., accounting) receives a message in the employee’s name with information about a changed bank account for the payment. Funds are then redirected to the attackers’ accounts, and email communication with the client is redirected to their accounts as well.
Who owns these bank accounts?
In all examined cases, the bank accounts belonged to individuals, known as "money mules," who withdrew the funds immediately upon receipt and transferred them to the criminals by another method, usually through a service such as Western Union. This quickly obscures the trail of the money.
Why is the trail of money lost?
To withdraw and move funds of suspicious origin, criminals use natural persons as intermediaries, the so-called "money mules." Once the victim has been defrauded and the amount has arrived in the intermediary's personal account, the intermediary uses a transfer service (such as Western Union) to send the money onward, which makes tracing the funds almost impossible.
Preventive measures: what you can do
If you do business internationally, be especially cautious of any sudden deviations from established practices. Verify any changes in sensitive data, especially those related to money transfers, through multiple channels, including phone calls and online communication tools.
Check the email addresses of your business partners. Some email programs only display the name of the sender, which anyone can alter. However, by hovering over the name, you can see the full email address. Is it possibly altered? Pay attention to the domain part of the sender’s address (the part after the “@” symbol). Does the address change from name.surname@company.com to name.surname@gmail.com?
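As an added example that is not part of the original article, the sender check described above can be automated for incoming mail in Python. The partner domain `partner.example`, the contact name and the two sample messages are constructed placeholders; the free-mail list and the payment-change phrases are illustrative assumptions, and the Reply-To comparison is an extra check beyond what the article describes.

```python
# Added example, not the article's own code: automated checks on an incoming message's
# sender, mirroring the advice to look at the domain after '@' rather than the display name.
# partner.example, the names and both sample messages are constructed for illustration.
from email import message_from_string
from email.utils import parseaddr

# Free-mail providers a business partner would not normally write from (illustrative list).
FREEMAIL_DOMAINS = {"gmail.com", "hotmail.com", "outlook.com", "yahoo.com"}

# Phrases that typically accompany a request to pay to a different account (assumed list).
PAYMENT_CHANGE_PHRASES = ("new bank account", "changed our bank", "updated account details", "new iban")


def address_domain(header_value):
    """Return the lowercase domain of the address in a From/Reply-To header ('' if malformed)."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def message_text(msg):
    """Collect the text/plain content of a (possibly multipart) message."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True)
            if payload:
                parts.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(parts)


def check_sender(raw_message, expected_domain):
    """Check a raw RFC 5322 message that should come from expected_domain.

    Returns a list of warning codes; an empty list means no anomaly was found.
    """
    msg = message_from_string(raw_message)
    expected_domain = expected_domain.lower()
    warnings = []

    # The display name is chosen freely by the sender; only the domain after '@' counts.
    from_domain = address_domain(msg.get("From"))
    if from_domain != expected_domain:
        warnings.append("DOMAIN_MISMATCH")
    if from_domain in FREEMAIL_DOMAINS:
        warnings.append("FREEMAIL_SENDER")

    # A Reply-To pointing elsewhere silently moves the conversation to another mailbox.
    reply_to = msg.get("Reply-To")
    if reply_to and address_domain(reply_to) != from_domain:
        warnings.append("REPLY_TO_MISMATCH")

    # Any change of payment details should trigger verification over a second channel.
    text = (msg.get("Subject", "") + "\n" + message_text(msg)).lower()
    if any(phrase in text for phrase in PAYMENT_CHANGE_PHRASES):
        warnings.append("PAYMENT_DETAILS_CHANGE")
    return warnings


# Constructed sample: a legitimate invoice from the partner's own domain.
SAMPLE_OK = (
    "From: Janez Novak <janez.novak@partner.example>\n"
    "To: accounting@company.example\n"
    "Subject: Invoice 2025-041\n"
    "\n"
    "Please find invoice 2025-041 attached. Payment terms as agreed.\n"
)

# Constructed sample: the pattern the article describes, a free-mail address under the
# employee's real name announcing changed payment details.
SAMPLE_BEC = (
    "From: Janez Novak <janez.novak@gmail.com>\n"
    "Reply-To: Janez Novak <jnovak.invoices@hotmail.com>\n"
    "To: accounting@company.example\n"
    "Subject: Invoice 2025-041 - new bank account\n"
    "\n"
    "Due to difficulties with our bank, please pay invoice 2025-041 to our new bank account.\n"
)

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("bec", SAMPLE_BEC)):
        print(label, check_sender(sample, "partner.example") or "no warnings")
```

The warning codes are deliberately separate: a domain mismatch alone may be a partner writing from a personal address, but a mismatch combined with a payment-details change is exactly the case in which the article tells you to pick up the phone.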
Regularly check your email settings to see whether your messages are being forwarded to an unknown email address. In Gmail, you can find this under "Filters" and "Forwarding" in the settings. If you use another email provider, check its documentation for where these settings are. If you notice any suspicious forwarding, act immediately.
If your email provider lets you view the IP addresses from which your inbox has been accessed, check this data regularly. From an IP address it is possible to determine the provider it belongs to and, in some cases, the approximate physical location. In a criminal investigation, the exact IP address together with the timestamp can help identify the user behind the access.
Do not ignore any suspicious activity notifications from your email provider. Each such notification needs to be analyzed, and you should investigate the cause of the issue (but be careful not to confuse these with fake phishing emails that look like official messages from your provider).
What is your company’s password policy? Use complex passwords and ensure that no password is shared between users. Be especially cautious with the password for accessing your company’s email system’s control panel. The theft of a single password can compromise access to all company email accounts. Therefore, enable two-factor authentication (2FA) for the email system if your provider offers it.
