Business email compromise

Attackers want to trick victims into opening and responding to emails. To increase the success of their attacks, they will design the email to look like it came from someone the target knows, including their boss! Business email compromise (BEC) is a rapidly growing type of phishing scam where the attacker will try to impersonate or spoof CEO and executive email addresses to trick employees into divulging sensitive or financial information.

Cyber criminals are aware that people receive and respond to dozens of emails a day. The most common subject lines used in business email compromise attacks show how cyber criminals exploit urgency and personalization. Using strategic subject lines increases the attacker’s chances of tricking victims into opening their emails, clicking on links, downloading malware, or unknowingly sharing sensitive information.

Common Subject Lines

Below are some of the most common subject lines used in business email compromise attacks:

  • Request
  • Follow up
  • Urgent/Important
  • Are you available? / Are you at your desk?
  • Payment Status
  • Hello
  • Purchase
  • Invoice Due
  • Re:
  • Direct Deposit
  • Expenses
  • Payroll

These subject lines are used to convey urgency and spark curiosity. If your manager or CEO sends you an email saying it’s “Urgent” or “Important”, chances are you’re going to open that email the second you see it in your inbox and immediately act upon it.

Subject lines like “Are you at your desk” create familiarity between sender and recipient, while subjects like “Re:” or “Follow up” suggest that the email is part of a previous conversation. Many of these subject lines also refer to finances. If the recipient thinks they might lose money or that they forgot to pay for something, they’ll act quickly and pay without thinking twice about it.

Warning Signs

Some common warning signs of a business email compromise attack include:

  • Receiving an email from a higher-up ordering you to quickly perform a task. Tasks can include processing an invoice, changing the recipient of a payment, or providing sensitive documents.
  • The message is short, urgent, and encourages you to ignore policies and procedures.
  • The sender says they are traveling or in a meeting, and the email signature looks like it came from a cell phone.
  • The email comes from a different domain instead of a company domain.

From instilling a sense of urgency to spoofing email addresses and personalizing messages, attackers are constantly refining their email attacks. When it comes to phishing emails, you need to fight the urge to panic. If something doesn’t seem right about the email, don’t act on it.

If you think you’ve received a business email compromise message, here are some things you should do:

  • Don’t reply directly to a suspicious email. Call that person directly to speak with them about the task or request. It’s always better to take the extra time to ask for permission than to try and ask for forgiveness if you jeopardize the company.
  • Never send sensitive or financial information without verbally confirming it’s authentic.
  • Always closely examine the sender’s email address. Phishers may slightly vary a genuine address, adding a letter or changing punctuation, to make it seem legitimate.
  • Don’t call any phone numbers listed in the suspicious email.
  • As always, don’t click on any links or attachments.
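As an added example (not part of the original article), the warning signs listed above and the advice to examine the sender’s address can be turned into a simple triage check over a raw message; the company domain, the executive name list and the sample message are assumptions constructed for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed (constructed): the company's domain, executives attackers would impersonate, cues from the subject list above.
COMPANY_DOMAIN = "example.com"
EXEC_NAMES = {"jane doe"}
SUBJECT_CUES = ("urgent", "important", "request", "follow up", "are you available", "are you at your desk",
                "payment status", "invoice due", "direct deposit", "payroll", "expenses", "purchase")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one or two edits away from the real domain is a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw: str) -> list:
    """Return the warning signs found in one raw RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    findings = []
    if domain != COMPANY_DOMAIN:
        kind = "lookalike" if edit_distance(domain, COMPANY_DOMAIN) <= 2 else "external"
        findings.append(f"{kind} sender domain: {domain}")
        if display.lower() in EXEC_NAMES:
            findings.append(f"executive name on a non-company address: {display}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    if reply_to and reply_to != addr.lower():
        findings.append(f"Reply-To differs from From: {reply_to}")
    if any(cue in msg.get("Subject", "").lower() for cue in SUBJECT_CUES):
        findings.append(f"urgency or finance subject: {msg.get('Subject')!r}")
    if re.search(r"in a meeting|travel+ing|sent from my (iphone|android)", body, re.I):
        findings.append("sender claims to be unreachable or writing from a phone")
    return findings

# Constructed sample showing several signs at once; run bec_indicators(SUSPECT) to list them.
SUSPECT = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@webmail.invalid
Subject: Urgent request

Are you at your desk? I'm in a meeting and need a wire sent today. Sent from my iPhone
"""
```

A message that trips several of these checks at once is exactly the kind to verify by phone rather than by replying.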