OpaCyber

What is Business Email Compromise (BEC) and what is CEO fraud? Are they the same?

In short, no, they are not the same, but a lot of people use the two terms as if they were


To explain in more detail, we hate to tell you this, but there are more options! 🤦‍♂️


We like to explain the differences with FOUR options:

  1. Business Email Compromise (BEC)

  2. CEO fraud

  3. CEO impersonation

  4. Response-based phishing

Let’s break it down


1. Business Email Compromise

is where a real email account has been compromised and is being used for nefarious purposes. The compromise is usually achieved by phishing, e.g. an email stating that the user needs to log in to their account for some reason, with a link to a fake login page that captures the credentials as they are typed


The attacker then has access to the email account and will use it to send emails as the user


Now that the attacker has control of the email account, they will also set up mailbox rules to hide their actions from the real user, so:

  • Emails the attacker sends are deleted from Sent Items, or moved somewhere “hidden” (a new folder or the archive folder, for example)

  • Replies to those emails are caught by a rule and moved, again somewhere “hidden” (a new folder or the archive folder, for example), often marked as read so that no unread count gives them away
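Those rules are also the quickest thing to check when you suspect a mailbox has been taken over. The following is an added example of ours, not code from the original post: it audits a set of mailbox rules for the hiding patterns described above (delete, file into a folder nobody opens, mark as read, redirect outside the organisation, trigger on finance wording, near-empty rule name). The three rules are constructed here and shaped like Exchange Online Get-InboxRule output (the property names are that cmdlet's, the values are made up); the organisation domain example.com is an assumption.

```python
import re

# Constructed sample, not from the original post: three mailbox rules shaped like
# Exchange Online "Get-InboxRule" output (those are the cmdlet's real property names,
# the values here are made up). The first two are the kind of rule an attacker creates
# after taking over a mailbox; the third is an ordinary user rule.
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True, "DeleteMessage": True, "MoveToFolder": None,
     "ForwardTo": [], "RedirectTo": [], "MarkAsRead": False,
     "SubjectContainsWords": ["invoice", "payment", "bank details"],
     "BodyContainsWords": [], "FromAddressContainsWords": []},
    {"Name": "Cleanup", "Enabled": True, "DeleteMessage": False,
     "MoveToFolder": "victim@example.com:\\RSS Feeds",
     "ForwardTo": [], "RedirectTo": ["ahan2346bht@gmail.com"], "MarkAsRead": True,
     "SubjectContainsWords": [], "BodyContainsWords": [],
     "FromAddressContainsWords": ["@example.com"]},
    {"Name": "Newsletters", "Enabled": True, "DeleteMessage": False,
     "MoveToFolder": "victim@example.com:\\Inbox\\Newsletters",
     "ForwardTo": [], "RedirectTo": [], "MarkAsRead": False,
     "SubjectContainsWords": [], "BodyContainsWords": [],
     "FromAddressContainsWords": ["news@vendor.example"]},
]

INTERNAL_DOMAIN = "example.com"   # assumed: the organisation's own mail domain
# Folders attackers file replies into because nobody opens them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "conversation history",
                  "junk email", "deleted items", "notes"}
MONEY_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "transfer"}


def folder_name(path):
    """'user@example.com:\\Inbox\\Sub' -> 'sub': the leaf folder the rule files into."""
    if not path:
        return ""
    return re.split(r"[\\/]", path)[-1].strip().lower()


def external(addresses):
    """Recipients outside the organisation's own domain."""
    return [a for a in addresses if not a.lower().endswith("@" + INTERNAL_DOMAIN)]


def suspicious_reasons(rule):
    """List the BEC-style indicators one inbox rule shows (empty list = looks benign)."""
    reasons = []
    if rule.get("DeleteMessage"):
        reasons.append("deletes matching mail")
    leaf = folder_name(rule.get("MoveToFolder"))
    if leaf in HIDING_FOLDERS:
        reasons.append("files mail into a folder users rarely open: %s" % leaf)
    if rule.get("MarkAsRead"):
        reasons.append("marks mail as read so no unread count appears")
    ext = external((rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or []))
    if ext:
        reasons.append("forwards/redirects outside the organisation: %s" % ", ".join(ext))
    words = [w.lower() for w in (rule.get("SubjectContainsWords") or [])
             + (rule.get("BodyContainsWords") or [])]
    if any(m in w for w in words for m in MONEY_WORDS):
        reasons.append("triggers on finance wording: %s" % ", ".join(words))
    if len((rule.get("Name") or "").strip()) <= 1:
        reasons.append("near-empty rule name %r" % rule.get("Name"))
    return reasons


def audit(rules):
    """Map rule name -> reasons, for every enabled rule with at least one indicator."""
    flagged = {}
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        why = suspicious_reasons(rule)
        if why:
            flagged[rule["Name"]] = why
    return flagged


if __name__ == "__main__":
    for name, why in audit(SAMPLE_RULES).items():
        print("%-12r %s" % (name, "; ".join(why)))
```

Against real data you would feed it the rules exported from the mailbox in question (for Exchange Online, `Get-InboxRule -Mailbox <user> | ConvertTo-Json`), and the same indicators work as an alert on the New-InboxRule / Set-InboxRule events in the audit log, which catches the attacker at the moment they set the rule up rather than after the money has gone.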


The two most common resulting actions are:


  1. Financial fraud

  2. Delivering malware (usually ransomware)


The above takes real effort, so a frequently used, more basic, attempt at fraud is:


3. CEO impersonation

is where an attacker pretends to be the CEO (or other person in authority) but does not have actual control of the CEO email account


The attacker will send an email from either a newly registered domain that is close in name to the target company (registering a domain takes a little work, and this type of attack is usually carried out by the lazier type of criminal) or, more usually, a freemail account (frequently gmail), relying on the display name rather than the address to do the spoofing


If our imaginary target company is “example . com” and our imaginary CEO’s name is “Important Person” then they might look like this:


From: Important Person <important.person@exarnple . com> Note the use of “rn” in place of “m” in example . com

From: Important Person <ahan2346bht@gmail . com> Note that the gmail address doesn’t relate in any way to either the sender or the real company domain


Bonus! 🤣 Additional obfuscation (and we’ve used this one ourselves 🤣) is to add the real email address to the display name, which psychologically reinforces to the recipient that it is genuine, like so:


From: Important Person [important.person@example . com] <important.person@exarnple . com>

From: Important Person [important.person@example . com] <ahan2346bht@gmail . com>


This works particularly well if the recipient’s email client doesn’t display the actual email address by default (mobile clients in particular tend to show only the display name). They all CAN; make sure yours does


This type of phish is most often used in combination with the next option



4. Response-based phishing

is where the attacker uses CEO impersonation as above and sends a seemingly harmless email along the lines of “I need you to do something for me” or “Are you available?”


These are hard for security systems to flag as it’s just text. No attachments, no links. The purpose is simply to get a reply; once the victim responds, the attacker knows they have them “on the hook”


Frequently used lures would be such as these:


“I’m just going into a meeting” / “I’m at a conference” / “I’m just boarding a plane”. These are there to stop the victim from simply phoning the real CEO to check


followed by:


“Are you available?” / “I need you to do something for me” / and we’ve seen many times the slightly non-native English “Are you on seat?” 🤦‍♂️


In order to minimise the chance of a security system spotting these, the attacker will often try to get the victim off corporate systems altogether by switching platforms, typically with:


“Send me your WhatsApp number”


Once “on the hook”, this type of attack is often used to try and get the victim to purchase gift cards “for a client” and send the card codes back to the attacker
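Although there is no link or attachment to scan, the From lines shown under CEO impersonation above and the lures just described are all things a simple rule engine can spot. The following is an added example of ours, not code from the original post: it takes one raw email and reports display-name stuffing, a display name that matches an executive but a sender address that does not, a lookalike domain (the “rn” for “m” trick and any single-character change), a freemail sender, and the lure phrases. The company domain example.com, the list of executives, the freemail list and the two sample messages are all constructed here for the demo.

```python
import email
import re

# Assumed inputs, not from the original post: the company's real domain, the people an
# attacker would impersonate (display name -> genuine address) and a few freemail domains.
COMPANY_DOMAIN = "example.com"
VIPS = {"important person": "important.person@example.com"}
FREEMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
# The lures quoted in the post, plus the platform-switch and gift-card asks.
LURES = ["are you available", "i need you to do something", "are you on seat",
         "going into a meeting", "at a conference", "boarding a plane",
         "whatsapp number", "gift card"]


def split_from(header):
    """Return (display_name, address) from a From header. The real sender is whatever
    sits inside the last <...>; everything before it is display name, whatever it
    contains. (email.utils.parseaddr gives up on a display name holding '[' or '@'.)"""
    m = re.match(r"^(.*?)\s*<([^<>]+)>\s*$", header.strip())
    if m:
        return m.group(1).strip().strip('"'), m.group(2).strip().lower()
    return "", header.strip().lower()


def edit_distance(a, b):
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain, real):
    """Does `domain` imitate `real`? Catches the letter-pair tricks (rn for m, vv for w,
    cl for d) and any single-character change (examp1e.com, exampel.com, example.co)."""
    if domain == real:
        return False
    folded = domain.replace("rn", "m").replace("vv", "w").replace("cl", "d")
    return folded == real or edit_distance(domain, real) <= 1


def analyse(raw_message):
    """Return the impersonation indicators found in one raw message (headers + body)."""
    msg = email.message_from_string(raw_message)
    display, addr = split_from(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    name_only = re.sub(r"[\[\(].*?[\]\)]", "", display).strip().lower()
    embedded = [e.lower() for e in re.findall(r"[\w.+-]+@[\w.-]+", display)]
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace").lower()

    findings = []
    real = VIPS.get(name_only)
    if real and addr != real:
        findings.append("display name %r but sender is %s, not %s" % (display, addr, real))
    if any(e != addr for e in embedded):
        findings.append("display name carries an address that is not the real sender: %s"
                        % ", ".join(embedded))
    if domain and lookalike(domain, COMPANY_DOMAIN):
        findings.append("sender domain %s imitates %s" % (domain, COMPANY_DOMAIN))
    if domain in FREEMAIL:
        findings.append("sender uses a freemail domain: %s" % domain)
    hits = [lure for lure in LURES if lure in body]
    if hits:
        findings.append("lure wording: " + "; ".join(hits))
    return findings


# Constructed messages for the demo. The first mirrors the post's From lines and lures.
SPOOF = """\
From: Important Person [important.person@example.com] <important.person@exarnple.com>
To: finance@example.com
Subject: Quick favour

Are you available? I'm just boarding a plane, I need you to do something for me.
Send me your WhatsApp number.
"""

GENUINE = """\
From: Important Person <important.person@example.com>
To: finance@example.com
Subject: Board pack

Draft attached, comments by Friday please.
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SPOOF), ("genuine", GENUINE)):
        print(label, analyse(raw) or ["no indicators"])
```

The display-name check is the one that matters most: a message whose display name matches someone on the executive list but whose address is anything other than that person’s real one should be tagged or quarantined regardless of what the body says, because that mismatch is exactly what the recipient’s mail client is hiding from them.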


Lastly (we’re sure you noticed it was missing): 🤣


2. CEO fraud

This might be plain old embezzlement 🤣 but in the context of email it might refer to any or all of the above


That’s why we don’t think it’s a particularly useful terminology


The best way to prevent any of these attacks from happening is Security Awareness Training for all staff, backed up by the basics: multi-factor authentication on email, alerting on newly created mailbox rules, tagging of external senders, and a call-back procedure for any payment, gift card or bank-detail request that arrives by email


Contact us if you need help in this area
