How Business email compromise works

Business Email Compromise – How Does It Work?

Of the 229 breaches added this year to the HHS “wall of shame”, the largest is the attack on UnityPoint Health. The Iowa-based company fell victim to a business email compromise (BEC) attack in which attackers gained access to its business email system.

How big is the UnityPoint Health data breach?

As per the Des Moines Register, about 1.4 million patients were notified that their personal information might have been breached.

As per Becker’s, the hackers might have stolen not just patients’ medical information (PHI) but their financial information as well.

The exposed personal information may have included patients’ dates of birth, medical record numbers, treatment information, surgical information, diagnoses, lab results, medications, providers, dates of service and insurance information, and in some cases, their social security numbers.

What’s worse:

The hackers weren’t actually aiming at stealing protected health information (PHI); they were attempting to use the email system to divert business funds from UnityPoint Health.

How did the breach happen?

Using phishing emails, the hackers carried out a business email compromise and gained unauthorized access to UnityPoint’s business email system.

As per the investigation, company employees received a series of fraudulent phishing emails disguised to appear to come from a trusted executive within the organization. The attack tricked some employees into providing their sign-in credentials to the hackers, thus exposing internal business communication to the attackers.

The HHS ‘wall of shame’ pinpoints the number of affected individuals at 1,421,107.

What is Business Email Compromise (BEC)?

As per the FBI website, the losses due to BEC fraud run into billions of dollars.

BEC in one word – DECEPTION

A business email compromise (BEC) attack targets company employees with access to company finances. Using various phishing techniques, scammers trick these employees into making wire transfers to bank accounts believed to belong to trusted partners, such as HR payroll providers and vendors – which they aren’t. The money ends up in accounts controlled by the scammers.

The phishing techniques used for BEC include spear-phishing, social engineering, identity theft, e-mail spoofing, and the use of malware.

This is how BEC works:

First, the hackers gain access to your company’s network with a phishing attack. Undetected, they spend weeks (even months) studying your financial system, your communication patterns, and the schedules of their targets.

BEC is also known as CEO impersonation

And when the time is right – often when an executive is away from the office – the hackers send a bogus email purporting to come from that executive to targeted employees in the finance function, requesting an immediate wire transfer, usually to a trusted vendor. The employees believe they are sending money to a familiar bank account; however, the money ends up in a different account, one controlled by the criminal group.

Five basic forms of a BEC attack

  1. CEO Fraud
  2. Bogus invoice scam
  3. Attorney impersonation
  4. Account compromise
  5. Data theft (typically asking for W-2s)


As the FBI says – Don’t be a Victim

If you receive a request to transfer money, verify its authenticity, personally.

Do NOT rely on email alone.

Walk into the CEO’s office or talk with them directly on the phone.

Methods to safeguard your business against BEC attacks

  1. Intrusion detection system

    • Create email rules to
      • Flag emails from domains (address extensions) similar to the company’s email domain.
      • Flag communications where the Reply-To address is different from the From address.
      • Color-code emails so that internal communications are one color and external exchanges are another.

  2. Two-factor authentication

    • Use a two-factor authentication system to
      • Verify changes to vendor payment locations.
      • Confirm all money transfer requests.
    • Have a secondary sign-off by company personnel.
    • Use phone verification as part of your two-factor authentication system.
    • Use ONLY previously known numbers; NEVER use numbers provided in the e-mail.

  3. Auditing

    • Conduct routine audits of your email system for
      • BEC vulnerability,
      • Authorized/unauthorized access/disclosures, and
      • Privacy policy enforcement.
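The three email rules under “Intrusion detection system” above (lookalike sender domain, Reply-To differing from From, internal vs. external color coding) as a worked example in Python. This is added illustration code, not from the original post or from UnityPoint; the company domain, the similarity threshold and the sample message are constructed assumptions.

```python
import email
from email import policy
from email.utils import parseaddr
# Constructed placeholder for the company's real mail domain (not UnityPoint's).
COMPANY_DOMAIN = "example-health.org"

def domain_of(header_value):
    """Lowercase domain of an address header such as From or Reply-To."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to catch lookalike domains (swapped or dropped letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain):
    """Rule 1: domain is not ours but is close to ours (typo-squat, or our name plus extra tokens)."""
    if domain == COMPANY_DOMAIN:
        return False
    return edit_distance(domain, COMPANY_DOMAIN) <= 2 or COMPANY_DOMAIN.split(".")[0] in domain

def classify(raw_message):
    """Apply the three rules to one raw RFC 822 message; return the flags and a colour tag."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    flags = []
    if is_lookalike(from_dom):
        flags.append("lookalike-domain")        # rule 1: similar-looking sender domain
    if reply_dom != from_dom:
        flags.append("reply-to-mismatch")       # rule 2: replies would go somewhere else
    colour = "green" if from_dom == COMPANY_DOMAIN else "red"   # rule 3: internal vs external
    return {"from": from_dom, "reply_to": reply_dom, "flags": flags, "colour": colour}

# Constructed sample: executive impersonation with "rn" standing in for "m" in the domain.
SAMPLE = """From: CEO <ceo@exarnple-health.org>
Reply-To: ceo@webmail.example.net
To: payroll@example-health.org
Subject: Urgent wire transfer

Please wire the vendor payment today."""
if __name__ == "__main__":
    print(classify(SAMPLE))
```

A real mail gateway would feed every inbound message through `classify` and route anything with a non-empty flag list to a quarantine or a visible banner rather than to the payroll inbox.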
