{"id":17098,"date":"2019-08-19T16:00:29","date_gmt":"2019-08-19T15:00:29","guid":{"rendered":"https:\/\/www.hawkins.biz\/?post_type=insight&p=17098"},"modified":"2025-07-31T16:27:15","modified_gmt":"2025-07-31T15:27:15","slug":"business-email-compromise-investigation","status":"publish","type":"insight","link":"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/","title":{"rendered":"Open at Your Own Risk: Business Email Compromise"},"content":{"rendered":"\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t\t
\n\t\t\t
\n\t\t\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Have you heard about Business Email Compromise?\u00a0 If it hasn\u2019t happened to your company yet, you\u2019re one of the lucky ones.\u00a0<\/p>

The development of the Internet and email in the last few decades has had a profound impact on businesses and the way they operate. \u00a0As industry has shifted to using electronic communication, we are hearing about Business Email Compromises (BEC) more and more. \u00a0From our clients to news reports, BEC is growing as one of the largest compromise categories under the Cyber Security umbrella. \u00a0According to the latest report by the Financial Crimes Enforcement Network (FinCEN), since 2016 32,000 BECs have been reported, totalling approximately 9 Billon US Dollars stolen from companies in America alone.\u00a0 Between 2013 and 2018 a combined total of 12 Billion US Dollars was estimated lost due to this fraud internationally.\u00a0 However, these numbers are based only on the losses that are actually reported to government organisations, meaning many more businesses have been, and could be, at risk.\u00a0<\/p>

Business Email Compromise<\/strong> is when an illegitimate user gains access to an employee\u2019s email account.\u00a0 This is most commonly accomplished by a phishing scam.\u00a0<\/p>

A Phishing Scam<\/strong> is a malicious email that appears legitimate, containing either an attachment or link that captures the account holder\u2019s email credentials. \u00a0The term phishing<\/em> is used as an illustration of a fish caught on a hook.\u00a0 You may also hear the term whaling<\/em> or spear phishing <\/em>which refers to targeting specific executives or individuals, respectively, rather than casting a wider net to target an entire organisation.<\/p>

As public awareness grows, phishing scams have increased their sophistication out of necessity in order to fool their recipients.\u00a0 Scammers create phishing emails imitating known brands, such as Amazon, FedEx, Microsoft Office 365, various banks and other large companies, using recognisable logos and email form characteristics.\u00a0 These emails usually include an urgent request to verify, confirm, or edit account information, and also provide a link directly to the account login screen.\u00a0 These illegitimate links may be difficult to spot, and the webpage may be convincingly accurate, but when the user\u2019s credentials are entered, they are delivered to the hacker instead.<\/p>

A good practice is to avoid following links within emails, instead access your account via your preferred web browser to check your account status.<\/em><\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Once the hacker has successfully extracted the user\u2019s credentials and accessed the compromised account, the hacker has free reign to review ongoing email correspondence and identify an opportunity to intercept a transaction.\u00a0 For example, let\u2019s say that an employee called Alice falls victim to a phishing email she received in her work email account.\u00a0 We\u2019ll call the hacker \u201cJohn\u201d.\u00a0 John can use Alice\u2019s email credentials to log into her account and spend some time reading through her recent emails.\u00a0 John notices that earlier that morning Alice sent an invoice to Tony for recent services provided.\u00a0 Using Alice\u2019s email account, Alice\u2019s email signature, and the invoice previously sent to Tony, John drafts a new email explaining that the bank details provided on the original invoice are incorrect and sends the \u2018corrected\u2019 invoice and bank details back with false information.<\/p>

A change in an organisation\u2019s banking information is a red flag.\u00a0 A good practice is to confirm such changes via an alternative means of communication.<\/em>\u00a0<\/span><\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t

\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t\"\"\t\t\t\t\t\t\t\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t
\n\t\t\t\t
\n\t\t\t\t\t\t\t\t\t

Unfortunately, Tony is not concerned by the updated information and does not contact Alice via any alternative means in order to confirm the new instructions.\u00a0 Tony pays the invoice and sends a reply to the second email composed by John confirming payment:<\/p>

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Alice,<\/em><\/p>

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The invoice is paid.\u00a0 As requested, I have updated your bank details on my end.<\/em><\/p>

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Regards,<\/em><\/p>

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Tony <\/em><\/p>

John is in a position to manipulate the email correspondence.\u00a0 He can both email Tony as Alice and can also intercept Tony\u2019s emails before Alice receives them.\u00a0 But John does not have access to Tony\u2019s email account.\u00a0 This is where spoofing<\/strong> comes in. \u00a0Email spoofing is different from phishing, and this term is used to describe the emails a hacker must fabricate in order to give the appearance that they originate from the uncompromised party in the transaction.<\/p>

John deletes Tony\u2019s reply to Alice and sends Alice a new email from Tony:<\/p>

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Alice,<\/em><\/p>

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 The invoice is paid.<\/em><\/p>

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Regards,<\/em><\/p>

\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Tony<\/em><\/p>

This email didn\u2019t really come from Tony, or even Tony\u2019s email account.\u00a0 But as far as Alice can tell, the email shows that it was sent from Tony\u2019s email address and she doesn\u2019t question it.\u00a0 It\u2019s not until a few days later, when Alice notices that Tony\u2019s payment has not been received.\u00a0 Alice calls Tony, as he is a good customer and is always reliable when paying his invoices.\u00a0 Tony tells Alice that he made the payment to the new bank account.<\/p>

In most cases, by the time the money is noticed missing, it is too late for recovery.\u00a0 An investigation may be necessary if the two parties dispute who is at fault; however, a follow up investigation can be beneficial to identify compromise and prevent future access.<\/p>

It is also very common that neither party is willing to admit fault, because to both sides the emails all appear legitimate.\u00a0 A forensic investigation of the emails can distinguish between spoofed and legitimate emails.\u00a0 A review of account access logs can also identify illegitimate logins.\u00a0 Using these records, Hawkins can establish an approximate date when the credentials were compromised, and review emails received around that time to identify the phishing email.\u00a0<\/p>

If your organisation is interested in hearing more about methods for the prevention and early detection of BECs, please contact us<\/a> to schedule a presentation.<\/p>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"

Have you heard about Business Email Compromise? If it hasn\u2019t happened to your company yet, you\u2019re one of the lucky ones.
\nThe development of the Internet and email in the last few decades has had a profound impact on businesses and the way they operate. As industry has shifted to using electronic communication, we are hearing about Business Email Compromises (BEC) more and more. From our clients to news reports, BEC is growing as one of the largest compromise categories under the Cyber Security umbrella. According to the latest report by the Financial Crimes Enforcement Network (FinCEN), since 2016 32,000 BECs have been reported, totalling approximately 9 Billon US Dollars stolen from companies in America alone. Between 2013 and 2018 a combined total of 12 Billion US Dollars was estimated lost due to this fraud internationally. However, these numbers are based only on the losses that are actually reported to government organisations, meaning many more businesses have been, and could be, at risk. <\/p>\n","protected":false},"featured_media":17100,"parent":0,"template":"","insight_category":[],"experties":[64],"class_list":["post-17098","insight","type-insight","status-publish","has-post-thumbnail","hentry","experties-cyber-digital-technology"],"acf":[],"yoast_head":"\nBusiness Email Compromise: Cybersecurity Forensics<\/title>\n<meta name=\"description\" content=\"Explore how forensic experts investigate business email compromise (BEC) incidents and help organizations recover from cyber fraud.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Business Email Compromise: Cybersecurity Forensics\" \/>\n<meta property=\"og:description\" content=\"Explore how forensic experts investigate business email compromise (BEC) incidents and help organizations recover from cyber fraud.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/\" \/>\n<meta property=\"og:site_name\" content=\"Hawkins Forensic Investigation\" \/>\n<meta property=\"article:modified_time\" content=\"2025-07-31T15:27:15+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.hawkins.biz\/wp-content\/uploads\/2022\/12\/MAIN-IMAGE_AdobeStock_187695875_830x630.jpeg\" \/>\n\t<meta property=\"og:image:width\" content=\"830\" \/>\n\t<meta property=\"og:image:height\" content=\"628\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/\",\"url\":\"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/\",\"name\":\"Business Email Compromise: Cybersecurity Forensics\",\"isPartOf\":{\"@id\":\"https:\/\/www.hawkins.biz\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.hawkins.biz\/wp-content\/uploads\/2022\/12\/MAIN-IMAGE_AdobeStock_187695875_830x630.jpeg\",\"datePublished\":\"2019-08-19T15:00:29+00:00\",\"dateModified\":\"2025-07-31T15:27:15+00:00\",\"description\":\"Explore how forensic experts investigate business email compromise (BEC) incidents and help organizations recover from cyber fraud.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/#primaryimage\",\"url\":\"https:\/\/www.hawkins.biz\/wp-content\/uploads\/2022\/12\/MAIN-IMAGE_AdobeStock_187695875_830x630.jpeg\",\"contentUrl\":\"https:\/\/www.hawkins.biz\/wp-content\/uploads\/2022\/12\/MAIN-IMAGE_AdobeStock_187695875_830x630.jpeg\",\"width\":830,\"height\":628,\"caption\":\"Mail Communication Connection message to mailing contacts phone Global Letters Concept\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.hawkins.biz\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Insights\",\"item\":\"https:\/\/www.hawkins.biz\/insight\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Open at Your Own Risk: Business Email Compromise\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.hawkins.biz\/#website\",\"url\":\"https:\/\/www.hawkins.biz\/\",\"name\":\"Hawkins Forensic Investigation\",\"description\":\"Specialising in Forensic Investigation\",\"publisher\":{\"@id\":\"https:\/\/www.hawkins.biz\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.hawkins.biz\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.hawkins.biz\/#organization\",\"name\":\"Hawkins and Associates\",\"url\":\"https:\/\/www.hawkins.biz\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.hawkins.biz\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.hawkins.biz\/wp-content\/uploads\/2022\/03\/logo_svg.svg\",\"contentUrl\":\"https:\/\/www.hawkins.biz\/wp-content\/uploads\/2022\/03\/logo_svg.svg\",\"width\":164,\"height\":61,\"caption\":\"Hawkins and Associates\"},\"image\":{\"@id\":\"https:\/\/www.hawkins.biz\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.linkedin.com\/company\/hawkins-and-associates-limited\/\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Business Email Compromise: Cybersecurity Forensics","description":"Explore how forensic experts investigate business email compromise (BEC) incidents and help organizations recover from cyber fraud.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/","og_locale":"en_GB","og_type":"article","og_title":"Business Email Compromise: Cybersecurity Forensics","og_description":"Explore how forensic experts investigate business email compromise (BEC) incidents and help organizations recover from cyber fraud.","og_url":"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/","og_site_name":"Hawkins Forensic Investigation","article_modified_time":"2025-07-31T15:27:15+00:00","og_image":[{"width":830,"height":628,"url":"https:\/\/www.hawkins.biz\/wp-content\/uploads\/2022\/12\/MAIN-IMAGE_AdobeStock_187695875_830x630.jpeg","type":"image\/jpeg"}],"twitter_card":"summary_large_image","twitter_misc":{"Estimated reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/","url":"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/","name":"Business Email Compromise: Cybersecurity Forensics","isPartOf":{"@id":"https:\/\/www.hawkins.biz\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/#primaryimage"},"image":{"@id":"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/#primaryimage"},"thumbnailUrl":"https:\/\/www.hawkins.biz\/wp-content\/uploads\/2022\/12\/MAIN-IMAGE_AdobeStock_187695875_830x630.jpeg","datePublished":"2019-08-19T15:00:29+00:00","dateModified":"2025-07-31T15:27:15+00:00","description":"Explore how forensic experts investigate business email compromise (BEC) incidents and help organizations recover from cyber fraud.","breadcrumb":{"@id":"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/#primaryimage","url":"https:\/\/www.hawkins.biz\/wp-content\/uploads\/2022\/12\/MAIN-IMAGE_AdobeStock_187695875_830x630.jpeg","contentUrl":"https:\/\/www.hawkins.biz\/wp-content\/uploads\/2022\/12\/MAIN-IMAGE_AdobeStock_187695875_830x630.jpeg","width":830,"height":628,"caption":"Mail Communication Connection message to mailing contacts phone Global Letters Concept"},{"@type":"BreadcrumbList","@id":"https:\/\/www.hawkins.biz\/insight\/business-email-compromise-investigation\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.hawkins.biz\/"},{"@type":"ListItem","position":2,"name":"Insights","item":"https:\/\/www.hawkins.biz\/insight\/"},{"@type":"ListItem","position":3,"name":"Open at Your Own Risk: Business Email Compromise"}]},{"@type":"WebSite","@id":"https:\/\/www.hawkins.biz\/#website","url":"https:\/\/www.hawkins.biz\/","name":"Hawkins Forensic Investigation","description":"Specialising in Forensic Investigation","publisher":{"@id":"https:\/\/www.hawkins.biz\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.hawkins.biz\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/www.hawkins.biz\/#organization","name":"Hawkins and Associates","url":"https:\/\/www.hawkins.biz\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.hawkins.biz\/#\/schema\/logo\/image\/","url":"https:\/\/www.hawkins.biz\/wp-content\/uploads\/2022\/03\/logo_svg.svg","contentUrl":"https:\/\/www.hawkins.biz\/wp-content\/uploads\/2022\/03\/logo_svg.svg","width":164,"height":61,"caption":"Hawkins and Associates"},"image":{"@id":"https:\/\/www.hawkins.biz\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/hawkins-and-associates-limited\/"]}]}},"_links":{"self":[{"href":"https:\/\/www.hawkins.biz\/wp-json\/wp\/v2\/insight\/17098","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hawkins.biz\/wp-json\/wp\/v2\/insight"}],"about":[{"href":"https:\/\/www.hawkins.biz\/wp-json\/wp\/v2\/types\/insight"}],"version-history":[{"count":5,"href":"https:\/\/www.hawkins.biz\/wp-json\/wp\/v2\/insight\/17098\/revisions"}],"predecessor-version":[{"id":40645,"href":"https:\/\/www.hawkins.biz\/wp-json\/wp\/v2\/insight\/17098\/revisions\/40645"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.hawkins.biz\/wp-json\/wp\/v2\/media\/17100"}],"wp:attachment":[{"href":"https:\/\/www.hawkins.biz\/wp-json\/wp\/v2\/media?parent=17098"}],"wp:term":[{"taxonomy":"insight_category","embeddable":true,"href":"https:\/\/www.hawkins.biz\/wp-json\/wp\/v2\/insight_category?post=17098"},{"taxonomy":"experties","embeddable":true,"href":"https:\/\/www.hawkins.biz\/wp-json\/wp\/v2\/experties?post=17098"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}