Skip to main content

Cyber criminals are exploiting an email forwarding rule vulnerability to send and receive emails on behalf of unknowing employees.

An Overview of Business Email Compromise (BEC) Attacks

Here’s how hackers operate in the shadows of your email account.

Business Email Compromise attacks… a hacker gains access to your work email account, and sends/receives emails pretending to be you. So how do they get in, what kinds of emails do they send, and how do they remain unnoticed?

Breaking into a business email account is easier than most employees realize. Billions of log-in credentials are already available for purchase on the dark web, so it’s often as simple as buying a bundle of credentials, and trying them all one-by-one. That is one of the main reasons it’s so important to change your passwords regularly and to not use the same passwords for multiple accounts. Keep in mind, if a hacker purchases your Facebook/Instagram log-in credentials, they often try using that same password to access your email and/or bank accounts.

Once inside your business email account, hackers first search your history for email threads containing words like “bank”, “invoice”, “wire”, or “payment.” Typically, they want to find payments/invoices that occur at the same time each month, or open invoices which have not yet been paid. The criminals then email those individuals saying something to this effect:

“Hi Patricia,

Just wanted to send a note regarding this month’s invoice. We were having some issues with our bank, so we decided to move all of our accounts to a new bank. For this month and all future transfers, please send funds to Account #123456789, Routing #987654321.

Thanks, and hope to see you in person once all of this COVID craziness is over!


Steve the CFO”

But wait, couldn’t you just go into your sent messages and see the shady emails in your history? And if the recipient (in this case, Patricia) responds, wouldn’t you see that message come through your inbox? No you would not, thanks to the power of auto-forwarding rules. Hackers can set rules to automatically forward messages to their own inbox, and automatically delete all messages from your sent folder and they can do the same with your inbox, auto-deleting messages received from their targets, or by sending emails where the “reply” address is different than the “from” address.

Related: Read the FBI’s Official Warning

How do I know if my account has been compromised?

You could usually just check your auto-forwarding rules to make sure there is no funny business going on, but hackers recently found a massive loophole in some email providers. Here’s the trick: rules set up on the web-based version of an email account do not automatically sync to the desktop app version, enabling criminals to hide in the background until settings are manually synced. While some IT departments scan for these types of discrepancies and sync web and desktop versions daily, some do not. In this case, the rules would likely go unnoticed until the next manual sync.

Here are the FBI’s official risk mitigation recommendations:

  • Ensure both the desktop and web applications are running the same version to allow appropriate syncing and updates.
  • Be wary of last minute changes in established email account addresses.
  • Carefully check email addresses for slight changes that can make fraudulent addresses appear legitimate and resemble actual clients’ names.
  • Enable multi-factor authentication for all email accounts.
  • Prohibit automatic forwarding of email to external addresses.
  • Frequently monitor the Email Exchange server for changes in configuration and custom rules for specific accounts.Create a rule to flag email communications where the “reply” email address differs from the “from” email address.
  • Add an email banner to messages coming from outside your organization.
  • Consider the necessity of legacy email protocols, such as POP, IMAP, and SMTP, that can be used to circumvent multi-factor authentication.
  • Ensure changes to mailbox login and settings are logged and retained for at least 90 days.
  • Enable security features that block malicious email, such as anti-phishing and anti-spoofing policies.

Are BEC attacks covered by cyber insurance?

Yes. Here’s how.

Evolve’s cyber insurance policy covers both 1st party and 3rd party bank accounts. If the Insured suffers a BEC attack and the hackers successfully trick one of the Insured’s vendors to wire money to a fraudulent bank account, Evolve would cover the losses of the vendor in aggregate up to the policy limit.

If the vendor were the one whose email account is hacked, and the criminals convince an Evolve Insured to wire money to a fraudulent account, then the Insured would be covered on an each and every claim basis up to the policy limit.