Encrypted malicious attachments, phishing and fake job application emails are well-known methods cybercriminals use to deliver malware such as ransomware into corporate systems. Once inside, malware can cause losses running into millions of dollars: corporate documents are encrypted, sensitive files and information are stolen, or business processes slow down because of illicit crypto mining. Increasingly sophisticated filters for detecting hidden malware, however, make it harder and harder for cybercriminals to get into a company's systems this way.

As a result, the focus of cybercriminals is shifting more and more to the human vulnerability: they approach employees of selected companies with simple but highly individualized, purely text-based email messages. This procedure is known as business email compromise (BEC). The Hornetsecurity Security Lab has been recording a significant increase in this type of attack for around a year and a half.

What is business email compromise?

Large sums of money are fraudulently transferred to an external account; important internal company data, access credentials and other confidential information leave the company unnoticed, all without any malware being introduced. Unlike simple spam, a BEC attack relies on insider knowledge: known names and email addresses of employees or customers, together with current signatures and disclaimers, make a fake email appear authentic.

Using a fake sender address that closely resembles the one of the CEO, a customer or an employee, the cybercriminals send a short, purely text-based email to one specifically selected employee. The display name, which the sender controls freely, is shown exactly as it would appear in an email from the actual person, while the underlying address differs only subtly or is hidden entirely by the mail client. This makes the fraud difficult to detect at a glance.

What do cybercriminals do?

In the first email, the cybercriminal tests the waters. The alleged CEO or supervisor addresses an urgent concern to a target person in the company and asks for a quick written answer by email, because the boss is allegedly in a meeting or cannot be reached by telephone. The attacker puts the recipient under time and psychological pressure to conceal the fraud.

If the criminal receives an answer, the second message becomes more specific: the alleged superior requests the transfer of a certain amount of money to the account of a supposed customer, business partner or service provider. Money is not the only target, however. The attackers can also obtain internal company data and information and misuse them for other purposes. CEO fraud is the best-known variant to date, but business email compromise takes several forms:


  • The attacker masquerades as one of the company's customers and announces a change in payment details so that future transactions go to the attacker's account.
  • Using an employee's alleged email address, the cybercriminal sends invoices to the company's customers.
  • Using a lawyer's compromised email account, pressure is put on a targeted recipient within the company to make a payment or hand over information.


Current risk situation

According to the FBI's latest internet crime report, business email compromise, alongside ransomware, banking trojans and phishing, is responsible for much of the global financial loss caused by cybercrime. In 2018, fraud through fake emails led to global losses of around 1.2 billion US dollars, and the threat posed by BEC is expected to persist and grow.

"Once a company is affected, it is very likely that this type of attack will be repeated. Any additional internal information unknowingly sent by an employee via email makes the next fake emails look even more authentic," said an expert from the Hornetsecurity Security Lab. "Every month, we see an increasing number of incoming emails in which cybercriminals try to impersonate real employees or customers. And each time, the method becomes more sophisticated: in some cases, the logo, disclaimer and signature of the targeted company are reproduced one-to-one. The recipient of such a fraudulent email needs to know exactly what to look out for."

Which companies are largely affected?

Cybercriminals often target large, internationally operating companies with business email compromise. Information about people in certain administrative positions is easy to find, and logos or current market activities are usually accessible on the internet. In addition, international financial transactions are not uncommon, and in large companies there is a high probability that employees have never met in person, so a simple exchange of emails is a normal part of everyday working life.

In 2016, the German cable specialist Leoni AG fell victim to such a fraud: cybercriminals cheated the company out of around 40 million euros. The globally known social network Facebook and Google were also defrauded of a total of more than 100 million US dollars over a period of more than two years. This became known in 2017, when the fraud was discovered and made public by the US magazine Fortune. According to the FBI's report, the current focus is on real estate companies.

How can companies protect themselves against it?

The Hornetsecurity Security Lab expects business email compromise to remain one of the biggest cyber threats in the future: "Classic anti-phishing or spam services fail to recognize BEC emails due to their generic content. We offer our customers highly customizable and complex anti-fraud protection to ensure the highest level of security. Consequently, we receive only positive feedback from companies using our targeted fraud forensics engines." Such engines verify the authenticity and integrity of message metadata (sender address, display name, reply path) and of the email content, and they identify specific content patterns that suggest a fraudulent email, so that fake emails can be stopped before they reach the inbox. Training that draws employees' attention to the characteristic elements of a business email compromise can also help to curb the growing danger.
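To make the metadata and content checks described above concrete, the following is an added example written for this article; it is not Hornetsecurity's engine or any product code. It screens a raw email for the indicators the article describes: a known employee's display name paired with a different address, a lookalike sender domain, a Reply-To that diverts answers elsewhere, and urgency or payment language in a short text-only body. The company domain, the small employee directory and the two sample messages are constructed assumptions.

```python
"""Toy BEC screening of raw RFC 5322 messages.

Added example, not Hornetsecurity's engine. Assumptions: the defended
company uses example.com, the directory below lists its executives, and
the two sample messages are constructed for this illustration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # assumption: the defended organisation

# Assumption: an internal directory of people attackers like to impersonate.
DIRECTORY = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}

# Content patterns typical of the short, text-only BEC messages described above.
URGENCY = re.compile(
    r"\b(urgent|asap|immediately|confidential|in a meeting|can'?t be reached)\b", re.I
)
PAYMENT = re.compile(r"\b(wire|transfer|payment|invoice|bank (account|details)|iban)\b", re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen(raw: str) -> list[str]:
    """Return the list of BEC indicators found in one raw message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    # 1. Display name of a known employee, but the address is not theirs.
    known = DIRECTORY.get(name.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display-name spoofing: '{name}' from {addr}")

    # 2. Sender domain is a near miss of the company domain (e.g. examp1e.com).
    if domain and domain != COMPANY_DOMAIN and levenshtein(domain, COMPANY_DOMAIN) <= 2:
        findings.append(f"lookalike domain: {domain}")

    # 3. Replies are diverted to a different domain than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"reply-to mismatch: {reply_to}")

    # 4. Content patterns: urgency plus a request to pay or to send data.
    text = ""
    for part in msg.walk():  # handles both single-part and multipart bodies
        if part.get_content_type() == "text/plain":
            text += part.get_payload(decode=True).decode("utf-8", "replace")
    if URGENCY.search(text):
        findings.append("urgency language")
    if PAYMENT.search(text):
        findings.append("payment/data request")
    return findings


# Constructed sample: the first-contact BEC mail described in the article.
BEC_MAIL = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.office@webmail.example>
To: accounts@example.com
Subject: Quick favour

Are you at your desk? I'm in a meeting and can't be reached by phone.
Need an urgent transfer processed today, will send details.
"""

# Constructed sample: a normal internal mail from the real address.
LEGIT_MAIL = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 numbers

Thanks for the report, let's go through it on Thursday.
"""

if __name__ == "__main__":
    for label, mail in (("BEC", BEC_MAIL), ("legit", LEGIT_MAIL)):
        print(label, screen(mail))
```

Two points the example makes that the text alone does not: the display name is never evidence of anything, so the check compares the actual address against the directory; and a lookalike domain registered by the attacker passes SPF, DKIM and DMARC for that domain, so sender authentication alone does not stop this variant, which is why the lookalike and Reply-To checks are needed alongside it. The thresholds and word lists are illustrative and would be tuned against real traffic.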