EXPEL BLOG

How phishing opens the door to business email compromise

· 3 MIN READ · HIRANYA MIR · JUL 27, 2023 · TAGS: MDR

Phishing is a precursor to BEC—here’s why it’s vital to know how they work together (especially with AI now in play)…

In our Great eXpeltations annual threat report for last year, business email compromise (BEC) ranked as the top threat to our customers, accounting for half of all incidents. Fifty-three percent of organizations experienced at least one BEC attempt, and one organization was targeted 104 times throughout the year. Starting in July 2022, our security operations center (SOC) identified BEC attempts, across multiple customer environments, targeting access to human capital management systems—specifically, Workday. The goal of these attacks? Payroll and direct deposit fraud.

Phishing has long been a cybercriminal go-to, but in recent years, attackers have cultivated BEC, a more targeted and dangerous variant of the email scam. BEC shares similarities with typical phishing emails, but the two are distinct in some important ways. Understanding the differences is crucial for organizations working to bolster their defenses and protect against financial loss and reputational damage.

What is business email compromise?

BEC begins with a phishing attack, but the two have very different purposes and target audiences.

  • Phishing emails aim to fool recipients into divulging sensitive information, such as passwords, credit card details, or personal data.
  • BEC attacks try to trick businesses and their employees into making fraudulent transactions, typically involving wire transfers or unauthorized payments. The primary objective of BEC attacks is financial gain through social engineering and manipulation. BEC can result from phishing attacks where adversaries have compromised the account through credential harvesting tactics; once in the account they’ll establish persistence by setting up malicious inbox rules.
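A defender-side check for the persistence step mentioned above, as an added example that is not from the Expel post: it scans constructed "new inbox rule" audit records for the traits such rules tend to have (external forwarding, deleting or hiding mail, finance-keyword filters). The record layout, the INTERNAL_DOMAIN value, the folder and keyword lists, and the scoring heuristics are assumptions, not any vendor's log schema or detection.

```python
"""Added example (not Expel's code): flag inbox rules whose traits are commonly
abused for BEC persistence. The record layout is a simplified, constructed
stand-in for a mailbox audit event; the heuristics are assumptions."""
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"  # assumption: the organization's own mail domain
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance"}  # assumed watch-list
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history"}  # rarely viewed

@dataclass
class InboxRuleEvent:  # simplified, constructed view of a 'new inbox rule' audit record
    user: str
    rule_name: str
    forward_to: list = field(default_factory=list)
    delete_message: bool = False
    move_to_folder: str = ""
    subject_contains: list = field(default_factory=list)

def suspicious_reasons(ev: InboxRuleEvent) -> list:
    """Return why a rule looks like BEC persistence; empty list means clean."""
    reasons = []
    for addr in ev.forward_to:
        if not addr.lower().endswith("@" + INTERNAL_DOMAIN):
            reasons.append(f"forwards to external address {addr}")
    if ev.delete_message:
        reasons.append("deletes matching mail")
    if ev.move_to_folder.lower() in HIDDEN_FOLDERS:
        reasons.append(f"moves mail to rarely viewed folder {ev.move_to_folder!r}")
    if FINANCE_KEYWORDS & {s.lower() for s in ev.subject_contains}:
        reasons.append("filters on finance-related subject keywords")
    if len(ev.rule_name.strip(" .,;:-_")) <= 1:  # one-character or punctuation-only names
        reasons.append(f"near-empty rule name {ev.rule_name!r}")
    return reasons

def triage(events) -> dict:
    """Map (user, rule_name) to reasons for every flagged rule; benign rules are omitted."""
    return {(e.user, e.rule_name): r for e in events if (r := suspicious_reasons(e))}

# Constructed sample events: one benign rule, two matching BEC tradecraft.
SAMPLE_EVENTS = [
    InboxRuleEvent("alice@example.com", "Team newsletters", move_to_folder="Newsletters",
                   subject_contains=["Weekly digest"]),
    InboxRuleEvent("bob@example.com", ".", forward_to=["finance.dept@mail-example.net"],
                   delete_message=True, subject_contains=["invoice", "wire"]),
    InboxRuleEvent("carol@example.com", "Archive", move_to_folder="RSS Subscriptions",
                   subject_contains=["payment"]),
]

if __name__ == "__main__":
    for (user, name), reasons in triage(SAMPLE_EVENTS).items():
        print(f"{user} rule {name!r}: " + "; ".join(reasons))
```

In practice the same checks run over the mail platform's real audit stream, and a newly created rule on an account that also shows a recent anomalous sign-in is the combination worth escalating first.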

While phishing emails often rely on generic, scattershot tactics to hit as many potential victims as possible, BEC attacks employ sophisticated, highly targeted social engineering techniques that are carefully crafted to exploit specific knowledge about the target organization and its employees. Attackers conduct extensive reconnaissance to gather information on targets, including their roles, relationships, and communication patterns. This knowledge helps them impersonate high-ranking executives or trusted partners, making their requests seem legitimate.

Impersonation of trusted parties

One key difference between BEC and phishing is the degree of impersonation involved. Phishing emails often pretend to be from large, reputable sources, such as banks or online platforms, but BEC attackers go a step further, masquerading as specific trusted individuals within the target organization—such as the CEO, CFO, or other senior executives. It’s this personalization that makes BEC so dangerous.

Contextualized messages

Typical phishing emails tend to rely on generic templates and mass distribution, in stark contrast to BEC attacks, which are customized and contextually relevant. BEC attackers carefully tailor their messages to align with the organization’s ongoing activities (which are harvested from the research and recon noted above). They may reference recent business deals, significant ongoing initiatives, or internal processes, lending the communication a sense of authenticity and urgency that enhances the attacker’s credibility and boosts the chances that the victim will comply. Simply put, these emails know a lot about their target.

BEC attacks, which frequently request wire transfers, changes to account details, or payments to fraudulent accounts, also often present with a sense of urgency, emphasizing the need for immediate action (thus bypassing normal scrutiny).

AI + BEC

Many people are probably wondering what effect, if any, artificial intelligence (AI) will have on cyberattacks like phishing and business email compromise. And for good reason. Attackers are already using AI to improve the credibility and effectiveness of phishing emails and other social engineering attacks. One legal industry security chief says phishing emails have historically been fairly easy to detect because they simply aren’t very well-written.

In particular, phishing emails created by a hacker unfamiliar with a certain language [have] tended to be easy to spot due to poor grammar, illogical vocabulary, and bad spelling. Such glaring errors were easy to pick up by automated defenses as well as reasonably careful people…

AI, though, helps these not-so-good writers construct grammatically correct and convincing text for social engineering scams, driving up the risk of potential victims clicking on a malicious link.

The good news is that security teams have access to the same tools, and there’s a good argument to be made that AI will prove to be a net win for the good guys. Regardless, there’s no substitute for awareness and diligence by those likely to be targeted.

Phishing continues to be (and will continue to be) a significant problem for SOCs, but BEC attacks have added a new layer of complexity to the (already daunting) task facing cybersecurity pros. Step one to safeguarding the organization is understanding the advanced social engineering techniques used in BEC attacks and communicating them to employees.

For more on understanding your BEC risk (and minimizing it), have a look at this Techopedia analysis, authored by Jon Hencinski, our VP of SecOps. (Jon also contributed to this helpful CSO Magazine guide on preventing phishing.)

If you have questions or comments, drop us a line.