Business Email Compromise (BEC)

Attackers use business email compromise (BEC) to steal millions of dollars and sensitive data, which is why countering this growing threat takes a defense-in-depth strategy that combines email protection with a trained workforce.

Attackers pose as trusted employees or vendors to steal money or data through phishing techniques. Unlike traditional cyberattacks, which typically rely on malware, these attacks succeed by exploiting human trust.

Targets

Email remains the top threat vector for cyberattacks. BEC attackers impersonate trusted individuals and send requests that coax unsuspecting employees into initiating financial transactions such as wire transfers, or into sharing sensitive data. According to estimates for 2020, a wire transfer BEC attack cost organizations an average of $75,000.

BEC attackers target C-level executives and other trusted personnel with authority to make payments on behalf of their organization. After days or weeks of reconnaissance – collecting contact and organizational details from websites, social media, and the dark web – attackers impersonate suppliers, vendors, or even members of the victim's own team and use various tactics to make their requests look valid: fake invoices with urgent requests for action, rushed requests to update direct deposit details, or claims that a vendor's existing payment account has been compromised and a new one must be used.

Although BEC can hit anyone at any level of an organization, scammers often target lower-level workers who have access to sensitive data and can be pressured with fear or urgency. HR, payroll, accounts payable and legal staff frequently receive emails posing as managers or lawyers who claim they need W-2s, tax information or personal financial details.

Ubiquiti Networks fell victim to a BEC attack in 2015 that cost it $46.7 million. Impostor emails impersonating company executives, backed by fake invoices claiming that Ubiquiti owed money to outside third parties, were presented to the finance department, which transferred the funds directly to bank accounts controlled by the attackers.

BEC attacks require few resources and little technical skill, which makes them a favorite of criminals. Email protection is important, but employee awareness training and DMARC are equally vital parts of an integrated defense-in-depth strategy. Trained employees can spot suspicious emails quickly, while DMARC (built on SPF and DKIM) lets receiving mail servers reject or quarantine messages that spoof your domain in the From header. DMARC does not stop mail sent from a compromised account or from a lookalike domain the attacker registered, so it complements the other controls rather than replacing them.
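To make concrete what DMARC does and does not decide, here is an added example (not code from the original article) that models the receiving server's check in Python: the domain in the visible From header must align with an SPF- or DKIM-authenticated domain, or the domain owner's published policy applies. The DNS answers, domains and authentication results are constructed for the example; a real receiver queries `_dmarc.<domain>` TXT records and takes SPF/DKIM results from its own verifiers.

```python
"""
DMARC policy evaluation, simplified from RFC 7489, to show what the check
decides. The DNS answers, domains and authentication results below are
constructed for this example; a real receiver queries _dmarc.<domain> TXT
records and takes SPF/DKIM results from its own verifiers.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed DNS answers standing in for real _dmarc TXT lookups.
FAKE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=none",
}


def parse_dmarc(record):
    """Split a DMARC TXT record into tags; return None if it is not a usable DMARC1 record."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        return None
    tags.setdefault("adkim", "r")  # relaxed alignment is the default for both identifiers
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain, simplified to the last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed only the organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    spf_pass: bool
    spf_domain: str   # RFC5321.MailFrom domain the SPF check ran against
    dkim_pass: bool
    dkim_domain: str  # d= tag of a DKIM signature that verified


def evaluate_dmarc(from_header, auth, dns=FAKE_DNS):
    """Return 'pass', 'fail:<policy>' or 'nopolicy' for the visible From: header."""
    _, addr = parseaddr(from_header)
    from_domain = addr.rsplit("@", 1)[-1].lower()
    record = dns.get(f"_dmarc.{from_domain}") or dns.get(f"_dmarc.{org_domain(from_domain)}")
    policy = parse_dmarc(record) if record else None
    if policy is None:
        return "nopolicy"  # no DMARC record: the receiver has nothing to enforce
    spf_ok = auth.spf_pass and aligned(from_domain, auth.spf_domain, policy["aspf"])
    dkim_ok = auth.dkim_pass and aligned(from_domain, auth.dkim_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else f"fail:{policy['p']}"


if __name__ == "__main__":
    # Spoofed From: header sent through the attacker's own infrastructure.
    print(evaluate_dmarc("CEO <ceo@example.com>", AuthResults(True, "mail.attacker.example", False, "")))
    # Mail genuinely signed by the domain's own servers.
    print(evaluate_dmarc("CEO <ceo@example.com>", AuthResults(False, "", True, "example.com")))
    # Domain that publishes only p=none: the spoof is reported but not blocked.
    print(evaluate_dmarc("CEO <ceo@example.net>", AuthResults(True, "attacker.example", False, "")))
    # Lookalike domain with no record at all: DMARC cannot help here.
    print(evaluate_dmarc("CEO <ceo@examp1e.com>", AuthResults(True, "examp1e.com", False, "")))
```

The last two cases are the caveats that matter for BEC: a domain that never moves past `p=none` gets reports but no protection, and a lookalike domain the attacker controls is outside the victim domain's policy entirely. A message sent from a compromised mailbox would authenticate exactly like the genuine case, so DMARC says nothing about it.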

Techniques

Unlike traditional malware attacks, which typically carry attachments with suspicious file types or malicious links, BEC attacks rely on social engineering rather than malware. Because the message usually contains no payload, security solutions that analyze links, attachments, metadata or other typical indicators of phishing have far less to detect.

Some Business Email Compromise (BEC) campaigns begin by compromising a mailbox through spear-phishing or credential theft; others involve no intrusion at all and rely purely on spoofed or lookalike senders. Where an account is compromised, the attacker may also deploy a Remote Access Trojan (RAT) to harvest email addresses and contacts, read correspondence and steal further login details.

Once an attacker has a foothold, they begin researching their target. This usually means studying the target's Internet footprint – personal details on social media sites like Facebook, the geolocation of their IP address and other clues – in order to craft convincing fraudulent messages containing real names, job titles and other pertinent details that persuade recipients to act on them.

Once the research is complete, the attacker picks a persona and begins the attack. They often impersonate someone with decision-making authority, such as a C-suite executive or a finance department worker, because those roles control sensitive financial data or carry fiduciary responsibility.

Scammers craft convincing messages to push victims into the action they want, most often a wire transfer, and supply fake invoices or other documents to support the request. Employees trained to follow routine email-driven workflows rarely stop to consider whether a request could be fraudulent.

BEC schemes flourish on human trust, which is best addressed with effective email protection and employee education. A multi-layered security approach can stop these attacks before they become costly. Even two of the world's biggest tech companies, Facebook and Google, lost more than $100 million to a fraudster who incorporated a company under the name of a genuine hardware supplier, Quanta Computer, and sent fraudulent invoices and contracts that made it appear they were dealing with the real vendor.

Detection

Email phishing has come a long way since the Nigerian prince scams of years past. Today's phishers are far more sophisticated, targeting executives and employees with access to money and private data, and using social engineering tactics such as impersonation or spoofing to get employees to transfer funds or reveal sensitive data.

Attackers typically use spear phishing to compromise employee email accounts and learn company processes and correspondence habits, such as frequent wire transfers to third-party vendors, discussions with legal counsel, or how employees write to one another. They then use those details to make their own requests look routine.

BEC attacks can cost organizations millions. Attackers make the request look legitimate, convince victims to transfer large sums, and then move the money quickly through mule accounts or convert it to cryptocurrency so it cannot be traced or recalled. Victims may take days to realize the funds went somewhere other than intended, by which time recovery is unlikely.

One of the best ways to combat business email compromise (BEC) is educating your workforce about these attacks and how they work. Security protocols, training on recognizing suspicious emails, and mock phishing tests help employees spot fraudulent messages faster.

Remember that BEC is not only financial: a successful attack can compromise intellectual property and personal data as well, exposing your organization to fines and noncompliance with regulations like HIPAA or PCI DSS.

A typical BEC attack impersonates an executive and demands a money transfer from an employee. The attacker spoofs an email from a trusted source and uses urgency or fear to lower the employee's defenses. Warning signs include a sender or reply-to address on a different domain than is usual for that correspondent, lookalike domains, demands for secrecy, pressure to bypass normal approval steps, and requests to change bank account or payment details.
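The warning signs above are mechanical enough to check in code. The following Python is an added example, not code from the original article or any product: it parses a raw message and reports the BEC indicators it finds (a known executive's display name on the wrong address, a reply-to on another domain, a typo-squatted sender domain, and urgency, secrecy and payment language). The company domain, the executive directory, the keyword lists and both sample messages are constructed for illustration.

```python
"""
Header and content heuristics of the kind an email security layer applies
to catch executive impersonation. Added example: the company domain, the
executive directory, the keyword lists and both sample messages are
constructed for illustration, not taken from any product or real incident.
"""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"  # constructed
EXECUTIVES = {"jane doe": "jane.doe@example.com"}  # constructed directory of protected names

URGENCY = ("urgent", "asap", "immediately", "right away", "before end of day")
SECRECY = ("confidential", "keep this between us", "do not discuss", "don't tell")
PAYMENT = ("wire transfer", "wire", "bank details", "account number", "routing number",
           "gift card", "w-2", "payroll", "direct deposit")


def levenshtein(a, b):
    """Edit distance, used to catch typo-squatted lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """A domain that is not ours but is one or two edits away, or embeds our name, is suspect."""
    d = domain.lower()
    if d == COMPANY_DOMAIN:
        return False
    return levenshtein(d, COMPANY_DOMAIN) <= 2 or COMPANY_DOMAIN.split(".")[0] in d


def message_text(msg):
    """Subject plus all text/plain bodies, lower-cased for keyword matching."""
    parts = [msg] if not msg.is_multipart() else list(msg.walk())
    chunks = [msg.get("Subject", "")]
    for part in parts:
        if part.get_content_type() != "text/plain":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).lower()


def analyze(raw_message):
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    indicators = []

    # Display name of a known executive on an address that is not theirs.
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        indicators.append("display-name impersonation")

    # Replies silently diverted to a domain other than the sender's.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        indicators.append("reply-to domain mismatch")

    if is_lookalike(from_domain):
        indicators.append("lookalike sender domain")

    text = message_text(msg)
    for label, words in (("urgency", URGENCY), ("secrecy", SECRECY), ("payment request", PAYMENT)):
        if any(w in text for w in words):
            indicators.append(label)
    return indicators


def is_suspicious(raw_message, threshold=2):
    """Two or more independent indicators is a reasonable bar for holding the message for review."""
    return len(analyze(raw_message)) >= threshold


# Constructed sample messages.
BEC_SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <jane.doe.ceo@mail.example.net>
To: accounts@example.com
Subject: Urgent wire transfer
Content-Type: text/plain

I need you to process a wire transfer immediately for a confidential acquisition.
Keep this between us until it closes and send me the bank details form.
"""

BENIGN_SAMPLE = """\
From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Q3 offsite agenda
Content-Type: text/plain

Attached is the draft agenda for the offsite. Comments welcome by Friday.
"""

if __name__ == "__main__":
    print(analyze(BEC_SAMPLE))     # six indicators
    print(analyze(BENIGN_SAMPLE))  # none
```

Keyword matching on its own is noisy (a genuine finance thread mentions wire transfers constantly), which is why the score only counts when the structural indicators, the header mismatches and the lookalike domain, line up with the content. The domain check uses plain edit distance; a production filter would also normalize homoglyphs and consult the Public Suffix List.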

Prevention

Criminals who gain access to company email systems, or simply spoof them, launch Business Email Compromise attacks by impersonating high-ranking executives, business partners or other trusted individuals to request money transfers or the disclosure of sensitive data. Attackers typically conduct extensive research before impersonating someone, to gain insight into ongoing business relationships and gather intelligence on possible victims.

As with phishing, employee education on the warning signs is one effective defense. Remind employees to confirm any request for funds or a change of payment details out of band, by calling the requester on a number already on file rather than replying to the email or using contact details it contains. A robust email security solution with natural language processing may also catch common attacks.

Financial BEC attacks can often be stopped if reported quickly enough. For wire transfers, employees should contact the bank and the team handling the incident immediately to ask that the transaction be recalled while it is still pending.

Non-financial BEC attacks, such as requests for employee records or confidential documents, are harder to detect because there is no transaction to reverse, so businesses should remain alert to them. Financial variants also take other forms: attackers may pose as vendors and send invoices with unusual due dates that trick employees into paying an account controlled by criminals.

As BEC attacks become more sophisticated and targeted, the best defense is a cyber threat protection platform that combines multiple techniques: risk assessments, dark web monitoring, cloud app security and 24/7 incident response services. An email security solution, an employee training program and automated filtering of suspicious or potentially harmful emails should also be in place.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.