Business email compromise: threat grows dramatically

Encrypted malicious attachments, phishing and fake application mails are known attack methods used by cyber criminals to deliver malware such as ransomware into corporate systems. Once in the system, malware can cause losses of millions of dollars through encrypted corporate documents, theft of relevant files and information, or a slowdown of business processes through illegal crypto mining. Sophisticated filter systems for the detection of hidden malware make the way into a company’s system increasingly challenging for cyber criminals.

Therefore, the focus of cyber criminals is shifting more and more to the human vulnerability: they address employees of selected companies with simple but very individual and strictly textual email messages – this procedure is known as business email compromise (BEC). The Hornetsecurity Security Lab has been recording a significant increase in this type of attack for around 1 ½ years now.

What is business email compromise?

Large sums of money are fraudulently transferred to an external account, important internal company and access data as well as other confidential information leave the company unnoticed – without any malware being introduced. With a BEC, a hacker relies on special insider knowledge as opposed to simple spam. Known names and email addresses of employees or customers as well as current signatures and disclaimers make a fake email appear authentic.

By using fake email addresses similar to the one of the CEO, a customer or a clerk, the cybercriminals send a short, purely text-based email specifically to a selected employee. The display name is shown exactly as it would appear in an email from the actual person. This makes it difficult to detect the fraud behind it.
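The display-name trick described above can be checked mechanically on the receiving side. The following is an added example, not Hornetsecurity code: it flags a From header whose display name matches a known employee while the address differs, and sender domains that are a near-miss of the company domain. The directory, domains and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for the example: display name -> real address, plus own domain.
DIRECTORY = {
    "erika mustermann": "erika.mustermann@example-corp.test",
    "max beispiel": "max.beispiel@example-corp.test",
}
TRUSTED_DOMAINS = {"example-corp.test"}

# Constructed sample messages (purely textual, as in a typical BEC mail).
LOOKALIKE = ('From: "Erika Mustermann" <erika.mustermann@examp1e-corp.test>\n'
             "Subject: Urgent\n\nAre you at your desk? I am in a meeting.\n")
FREEMAIL = ("From: Erika Mustermann <ceo.office@mail.test>\n"
            "Subject: Quick request\n\nPlease answer by email only.\n")
GENUINE = ("From: Erika Mustermann <erika.mustermann@example-corp.test>\n"
           "Subject: Agenda\n\nSee you on Monday.\n")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message, max_distance=2):
    """Return a list of findings for the From header of one message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    name = " ".join(name.lower().split())   # normalise case and spacing
    addr = addr.lower()
    domain = addr.rpartition("@")[2]
    findings = []
    known = DIRECTORY.get(name)
    if known and addr != known:
        # Name of a real employee, but not that employee's address.
        findings.append("display-name-mismatch")
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if 0 < edit_distance(domain, trusted) <= max_distance:
                findings.append("lookalike-domain")
    return findings


if __name__ == "__main__":
    for label, raw in (("lookalike", LOOKALIKE), ("freemail", FREEMAIL),
                       ("genuine", GENUINE)):
        print(label, check_sender(raw))
```

The check reads header text only, so an empty result says nothing about whether the message really came from the trusted domain; that still requires sender authentication such as SPF, DKIM and DMARC.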

What do cybercriminals do?

In the first email, the cyber criminal gets a feel for the subject. The alleged CEO or supervisor addresses an urgent concern to a target person in a company. The criminal asks for a quick written answer by email, because the boss is allegedly in a meeting or cannot be reached by telephone. The hacker puts the recipient under pressure in terms of time and psychology to veil the fraud.

If the criminal receives an answer, he becomes more precise in a second message: The alleged superior requests the transfer of a certain amount of money to the account of an alleged customer, business partner or service provider. But not only financial resources are captured in this way. The hackers can also get internal company data as well as information to misuse them for other purposes. The CEO fraud is the best-known cyber criminal procedure to date but the fraud of the business email compromise can occur in different ways:

  • The hacker masquerades as a company’s customer and announces a change in payment information to trigger future transactions to the attacker’s account.
  • Hiding behind an employee’s alleged email address, the cyber criminal sends invoices to the company’s customers.
  • Using a lawyer’s compromised email account, pressure is put on a targeted recipient within a company to make a payment or return information.

Current risk situation

According to the FBI’s latest internet crime report, business email compromise, along with ransomware, banking trojans and phishing, is responsible for much of the world’s financial losses caused by cyber crime. In 2018, the fraud caused by fake emails led to global losses of around 1.2 billion dollars. And the threat posed by BEC is expected to persist and even increase.

“Once a company is affected, it is very likely that this type of attack will be repeated. Any additional internal information unknowingly sent by an employee via email makes more fake emails look even more authentic”, said an expert from the Hornetsecurity Security Lab. “Every month, we see an increasing number of incoming emails in which cyber criminals try to impersonate real employees or customers. And each time, the method becomes more sophisticated: in some cases, the logo, disclaimer and signature of the targeted company are reproduced one-to-one. The recipient of such a fraudulent email needs to know exactly what to look out for.”

Which companies are largely affected?

Cyber criminals often target large and internationally operating companies via business email compromise. Information about people in certain administrative positions is easy to find out, logos or current market activities are usually accessible on the internet. In addition, international financial transactions are not uncommon and in large companies, there is a high probability that employees have never met in person and the simple exchange of emails is a normal part of everyday working life.

In 2015, the German cable specialist Leoni AG became a victim of such a fraud. Cybercriminals defrauded the company of around 40 million euros. The globally known social network Facebook and the Google Group were also robbed of a total of 100 million US dollars over a period of more than two years. This became known in 2017, when the fraud was discovered and made public by the US magazine Fortune. According to the FBI’s report, the current focus is on real estate companies.

How can companies protect themselves against it?

The Hornetsecurity Security Lab assumes that the business email compromise will remain one of the biggest cyber threats in the future: “Classic anti-phishing or spam services fail to recognize BEC emails due to their generic content. We offer our customers highly customizable and complex anti-fraud protection to ensure the highest level of security. Consequently, we receive only positive feedback from companies using our targeted fraud forensics engines.” Precisely targeted engines verify the authenticity and integrity of metadata and email content. They identify specific content patterns that suggest a fraudulent email. This prevents fake emails from reaching your inbox. Training that additionally draws employees’ attention to the characteristic elements of a business email compromise can also put a stop to the growing danger.

Hornetsecurity releases new feature for protection against encrypted malware attachments

Hanover (01.07.2019) – With the help of encrypted email attachments, cyber criminals are currently trying to circumvent classic antivirus programs. Encryption prevents filter mechanisms from detecting the underlying malware. Since the beginning of the year, for example, the ransomware GandCrab has been spreading this way. In view of the increasing threat situation, the cloud security provider Hornetsecurity has developed a unique feature that recognizes this procedure and blocks the malicious email before it arrives in the email inbox.

“Nowadays, companies are investing much more in IT security than they did 5 years ago. Through AI and other intelligent defense mechanisms, attackers can no longer reach their target with simple methods. Therefore, cybercriminals are increasingly developing more detailed strategies to circumvent these mechanisms. Hornetsecurity technology enables us to react to targeted attacks at any time”, says Daniel Hofmann, CEO of Hornetsecurity. “With the new function Malicious Document Decryption we react quickly to the systematic approach of cybercriminals. The capabilities of Malicious Document Decryption are unique to the market.”

So that the selected recipients can open the encrypted document, which then installs the underlying malware unnoticed on the system, the fraudulent email contains the corresponding password in plain text.
Malicious Document Decryption analyzes the content of incoming emails with encrypted attachments for the appropriate password to remove the encryption. Using static and dynamic analysis techniques, the behavior of the decrypted file is examined. This ensures that the underlying malware is detected immediately and does not reach the recipient’s email inbox.

The new feature is part of the Advanced Threat Protection service and complements the protection for secure email communication against particularly intelligent and systematic cyber attacks. Hornetsecurity customers who already use the ATP service can rest assured: the feature has been integrated and activated in the service for all ATP users since the beginning of June.

About Hornetsecurity:

Hornetsecurity is the leading German cloud security provider in Europe, which protects the IT infrastructure, digital communication and data of companies and organizations of all sizes. The security specialist from Hanover provides its services worldwide via 9 redundantly secured data centers. The product portfolio covers all important areas of email security, including spam and virus filters, legally compliant archiving and encryption, as well as defense against CEO fraud and ransomware. With around 200 employees, Hornetsecurity is represented globally at 10 locations and operates in more than 30 countries through its international distribution network. The premium services are used by approximately 40,000 customers including Swisscom, Telefónica, KONICA MINOLTA, LVM Versicherung, DEKRA, Claas, and the Otto Group.

secIT 2019: The security meeting spot in Hannover


IT security – a topic that is gaining in significance and importance every year – is increasingly becoming the focus of interest for many companies. With the rise of cybercrime, executives are looking for platforms and opportunities to share the latest trends in cyber security and to stay up to date with the latest threats.


With its successful premiere in 2018, the secIT by Heise has established itself as an important security event in northern Germany. At this year’s event, Heise already reported an increase in visitors of almost 50%. Around 1,750 visitors and 58 exhibitors met at the Hannover Congress Centrum on 13 and 14 March to discuss topics such as threat intelligence, storage, cloud and endpoint security and current cyberattacks. Expert talks, workshops and lectures by leading IT experts were very popular. The session “How Emotet decomposes a company” by Hornetsecurity’s Head of Product Management, Dr. Yvonne Bernard, attracted particular interest.

For all who are interested you can download the presentation below.


On the first evening of the secIT 2019, Heise organized a networking party, which was a great success: Hornetsecurity served freshly tapped free beer to the guests. The second and last day of the security event was once again filled with high-quality conversations and lectures about the current situation of IT security.


The next secIT is already scheduled: on March 25 and 26, 2020, IT security operators and providers will meet again in the capital city of Lower Saxony, and we are already curious to see which topics will await us in the coming year.

Impressions of the secIT 2019:

The images were provided by Tobias Giessen and Hornetsecurity

RSA 2019 – One step ahead of cybercrime


The significance that cyber security has achieved worldwide became obvious once again at the 28th IT Security Conference “RSA Conference” in San Francisco. The world’s leading annual information security conference and exhibition welcomed nearly 42,500 visitors and 700 exhibitors to this year’s event, which took place from March 4 to 8, to discuss current and future security issues and concerns in times of growing global cyber threats. As an expert for email security in the cloud, Hornetsecurity took part in the RSA again this year and reports about the highlights of the ultimate marketplace for the latest technologies and comprehensive know-how in cyber security in the following article.


Particularly discussed at this year’s conference were the effects of legislation, such as the GDPR, on the cyber security industry and its impact on companies worldwide. Some speakers also focused on the topic of Security Awareness: For example, in her presentation “Folk Theories of Security & Privacy”, Professor Emilee Rader of Michigan State University explored how employees make decisions that affect corporate security and how to help them make a potentially better decision.


Many of the attending companies were particularly interested in how security will evolve in the near future in our digitalized world. In an interactive session, the audience had to choose best case and worst-case scenarios in a future of security and privacy in 2025 – the challenge was to allow companies to tailor their strategy to the most likely scenario.


Some sessions about the Top and Emerging Threats showed already known issues like Ransomware as a Service as well as new attacks, especially on the vector DNS: The service, often considered the unchangeable “telephone book” of the Internet, provides an attack channel for redirecting or modifying data streams in the event of insufficient security.
Due to the International Women’s Day on March 8th, the RSA Conference focused on the topic “Women in IT” by offering special programs and a platform for multiple campaigns.

A major highlight for Hornetsecurity was the handover of the “InfoSec Award 2019” in the category Most Innovative SaaS/Cloud Security at the RSA by the Cyber Defense Magazine on March 4th. “Cybercrime is one of the greatest dangers in our technically and online driven world and is an issue that affects all of us – the threat of cyber espionage, blackmailing, and cybercrime is undeniable. This award signifies that we are on the right track to protect businesses from the increasing and evolving cyber threats. Every day we see the amount of new and sophisticated cyberattacks which shows that we always have to be one step ahead of the criminals,” says Daniel Hofmann, CEO of Hornetsecurity.


“Large and established events such as the RSA prove that we can achieve a significant change by sharing experiences. We were able to get an idea of what the future holds for us and are very happy to make a major contribution to improving security in the IT industry with our innovative technologies,” concludes CEO Oliver Dehning.

Hornetsecurity in Malaysia – Email security has international significance

The World Economic Forum’s Global Risk Report 2019 lists the world’s biggest threats, led by weather extremes, trade wars, and particularly rising cybercrime. Cyberattacks such as viruses, trojans and ransomware are not limited by national borders. The need and demand for security against attacks continues to grow internationally from year to year.

Over the past four years in particular, the threat situation in Malaysia has intensified sharply. According to the Malaysian Computer Emergency Response Team (MyCERT), Southeast Asian companies are increasingly affected by cyberattacks, mainly emails containing malware. Since 1999, the Malaysian distributor InternetNow!, based in Kuala Lumpur, has provided secure email communication among other IT security services. InternetNow! has been distributing Hornetsecurity’s email security services in Malaysia for 6 years now.

Just prior to the traditional Chinese New Year celebrations, on February 5, InternetNow! was pleased to announce another highlight: On January 23, the Southeast Asian partner celebrated its 20th anniversary and organized an exclusive event with the topic “Reseller Appreciation Dinner 2019”. Our colleague Alexis Tenzler (Head of Customer Success) was part of this special event and had the pleasure to hand over a prize to the most successful InternetNow! partners.

Ilyas Sapiyan, CEO of InternetNow!, started the celebrations with some anecdotes about the history of the Internet specialist and led the attending partners and employees through the most important milestones of the company. Thereby he emphasized the significant growth of InternetNow!. Hornetsecurity’s Email Security Services generated the largest revenue volume in 2018 and thus established itself as the distributor’s strongest growth driver. Shinjiru International Inc., leading offshore web hosting provider, has been recognized by Tenzler as the most successful Hornetsecurity reseller in Malaysia.

Later, the present partners of InternetNow! introduced one of their products. Regarding the increasing threat from malware attacks, Alexis Tenzler presented Hornetsecurity’s “Advanced Threat Protection” (ATP): He explained exactly what and who is behind “Advanced Persistent Threats” and that ATP is able to detect even the most sophisticated attacks through innovative analysis and filtering mechanisms.

At the end of the event, Sapiyan once again pointed out the growing threat of cybercrime and that it can only be dealt with through global cooperation. In 2019, InternetNow! will focus primarily on security awareness training for its customers’ end users, synchronized security with Next Gen endpoints and email security.
