Our previous posts looked at why cyber criminals favour business email compromise as their method of attack to turn a profit, and also how you could reduce your risk profile.

With the loss resulting from a business email compromise now reaching £27,000, we thought we’d continue our series of blogs examining this criminal tactic – commonly known as phishing – and why it’s so successful and popular with cyber criminals.

This week we’re going to take you behind the scenes of a business email compromise.

*Statistics are based on chosen sources and are available upon request.

Stage 1: Preparation

Cyber criminals have to prepare to launch a phishing attack that will ultimately result in business email compromise.

Generally, this will involve setting up a fake email address in order to launch the initial attack from, a fake website to capture credentials, and a convincing looking fraudulent email to trick unsuspecting users into giving their credentials away.

They also need to collect email addresses, which can be done by a variety of means. It can be done manually, by targeting particular businesses and trawling social media or corporate websites.

Alternatively, cyber criminals can use software to trawl the web for them and return large numbers of openly-available email addresses.

Access to email addresses that can be targeted or have already been compromised can also be purchased at a low cost on the dark web.

The fraudulent email will contain a warning message requiring the targets to follow a hyperlink and enter their email login credentials.

Stage 2: Attack launch

With all the groundwork done, cyber criminals can launch their attack. Often, this will be a huge automated program that sends the email out to as many targets as possible – it’s a numbers game.

Alternatively, the attacker may target specific businesses with a more dedicated focus.

Either way, with the attack launched, most of the hard work is out of the way. At this point, they have to wait and see if anyone falls into their trap.

Stage 3: Harvesting and testing credentials

When the targeted mailboxes receive the fraudulent emails, many users will realise the deception and ignore them. However, those that do fall victim will follow the hyperlink and enter their login credentials into what they think is a legitimate web-based form and business email compromise will have been achieved.

Upon doing this, the login credentials will be delivered to the cyber criminal and logged in their database.

At this point, the cyber criminal will be able to start testing to see if they have got the right credentials from unsuspecting users, by logging into their accounts.

The actual number of successfully hacked accounts might be quite low, but it is still a highly profitable endeavour.

Only 1 in 10 phishing emails is successful in compromising its target, but between 90-95% of successful cyber-attacks begin with an email compromise, giving you an idea of the sheer volume of attacks carried out.

Stage 4: Prime Target Selection and Monitoring

Having tested the credentials of the successfully compromised accounts, the hacker will then select the best ones from which to profit.

The accounts of choice are often those belonging to people in the finance and accounting departments. This is because invoices are often sent to customers and partners from these email addresses, and that provides them with the perfect opportunity to grab a quick payday.

In any case, if your account isn’t of interest to the attacker, they may then look to sell your login credentials to somebody else for a small fee.

By monitoring the compromised mailboxes, they’ll be able to adopt the tone of the real user and work out when invoices are sent out to customers. This helps them prepare for the final stage of their ruse.

Stage 5: The End Game – Business Email Compromise!

With the stage set, the attacker can replicate invoices that are sent to customers, or even stop legitimate ones that are due to be sent out. Then, they can swap the account details to their own, unbeknownst to the victim and their partner.

Once the invoice is paid, the payment goes straight into the hacker’s bank account, and not the legitimate business’ that they think they are paying.

The victims are left clearing up the mess

The cyber criminal is almost untraceable in these circumstances and it is therefore unlikely that you will ever receive the payments for the goods that you may have sent out before your customer’s payment was diverted.

It’s also unlikely you will ever regain the trust of the customer whose money was stolen because you had inadequate email security and employee awareness.

Startlingly, a quarter of the victims who are directly responsible for these mistaken payments actually try and hide the evidence of their errors, and act as if it didn’t happen.

In these instances, third-party archiving of email can enable you to keep a record or exactly what has happened which is great for investigative purposes, as well as a more general safeguard against data loss or malicious deletion.

Now you know!

Now you know what goes on behind the scenes of a phishing attack, it’s time to think about the measures you have in place at your business.

Do you rely on your inbuilt spam filter to stop malicious emails, or do you have a third party email security solution?

Do you have sandboxing functionality within your current antispam solution?

Do you have email archiving, or do you let them clog up your inbox instead?

Are your employees trained to stop fraudulent emails, or is it only a matter of time until your business falls victim?