While email phishing scams cast wide nets, business email compromise (BEC) is a highly focused, targeted, and sophisticated form of cybercrime. Fraudsters use stolen credentials, or a mailbox they have already compromised, to gather deep intelligence over time about people and operations. Armed with this information, they send highly convincing but fraudulent business emails, either from the compromised account or from a spoofed look-alike address, that trick recipients into sharing data, revealing sensitive information, or sending money to attacker-controlled bank accounts.
How business email compromise works
Think of BEC as a phishing attack, but more sophisticated and aimed at a high-level, specific target—like a CEO or VP at a specific organization. A business email compromise attack usually starts with research: The attacker gathers data from sources such as LinkedIn or even simple Google searches to pinpoint influential people at an organization and obtain their email addresses.
Email phishing scams often use general methods to reach as many people as possible. BEC attacks use advanced, very specific social engineering techniques that are carefully designed to take advantage of specific knowledge about the target organization and its employees. Attackers conduct extensive reconnaissance to gather information on targets, including their roles, relationships, and even communication patterns. This knowledge helps them impersonate high-ranking executives or trusted partners, making their requests seem legitimate.
All that preparation results in highly believable emails that convince a target to take a desired action. For example, an attacker targeting a CFO’s assistant might use a spoofed version of the CFO’s email address to ask the assistant to send an urgent wire payment. Such a request would seem reasonable to the recipient—and, thanks to details gleaned from reconnaissance, the fraudster could include references to personal events or even what happened the week before at the company picnic. The employee would have no reason to suspect anything was amiss.
It may come as no surprise that BEC operators have begun using artificial intelligence (AI) to improve their tactics. Phishing attacks of the past were known to contain giveaways like poor grammar and misspellings, but today’s attackers can use AI to correct these mistakes, or even have AI write their messages for them.
Are business email compromise attacks successful?
Yes. BEC is highly effective, and it’s on the rise, according to many industry threat reports. Publicly reported payouts are also reaching new heights, including $100 million for one BEC campaign that took place over three years.
It’s important to note that large, high-profile organizations aren’t the only targets of BEC scammers. Small businesses, government agencies, educational institutions, and nonprofits have all been victimized in recent years. Why? It only takes one employee acting on one fraudulent request for fraudsters to get what they want, and that single payment can ruin a business.
How to prevent business email compromise
Business email compromise doesn’t need to be inevitable for your organization. By taking these steps, you can reduce the chances of employees receiving spoofed emails, and strengthen their ability to recognize and respond to suspicious messages.
Strengthen email security solutions
Many organizations still allow legacy (basic) authentication over mail protocols such as internet message access protocol (IMAP), post office protocol version 3 (POP3), and SMTP AUTH. Basic authentication presents only a username and password, so it cannot be challenged for a second factor: an attacker who has phished or guessed a password can log into the mailbox even when multi-factor authentication (MFA) is nominally enabled. Disable legacy authentication wherever it isn’t needed, and require MFA for all mailbox access.
Require a physical paper trail for wire transfers
For financial transactions above a set threshold, require a signed paper authorization rather than approval by email alone. Verify any new payee, or any change to existing bank details, out of band, for example by calling the requester at a phone number already on file rather than one supplied in the email.
Adopt modern detection and response systems
Managed detection and response (MDR) services, and the behavior-analytics tooling behind them, baseline an organization’s normal operations and communications so that anomalous activity, such as a new forwarding rule or a login from an unusual location, stands out and is investigated.
Conduct education and awareness training
If employees learn what a BEC attempt looks like and they understand the types of messages that may slip through defenses, they’re more likely to stop and think before following the email’s directions. Provide people with instructions for reporting suspicious emails for investigation by the SOC.
Add a secure payment platform
It may be hard to believe, but many organizations still send invoices, follow-ups, payment confirmations, and other billing correspondence via regular email. But today there are numerous state-of-the-art systems available that have been specifically designed to facilitate secure billing and payments.
How BEC incidents can be detected
Once attackers begin sending emails, there are certain activities that set them apart from legitimate email users. Here’s some of the suspicious activity your security technology should surface:
- Inbox rules that automatically forward emails to hidden folders
- Inbox rules that automatically delete messages
- Inbox rules that redirect messages to an external email address
- Inbox rules that contain BEC keywords such as “Urgent/Immediate action,” “Verify your account,” “Private request”
- New mailbox forwarding to an external address
- Successful mailbox logins within minutes of a denied login (a sign of password guessing or MFA-prompt fatigue)
- New mailbox delegates
- Logins from proxy or VPN services
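The indicators above can be turned directly into detection logic. The following Python is an added example, not code from the original page or from any vendor product: it runs over a handful of constructed mailbox audit events in a simplified schema (the operation names mirror Exchange Online cmdlets, but the field layout, the `INTERNAL_DOMAINS` set, the hidden-folder and keyword lists, and the `network` label on login events are assumptions made for illustration) and flags each event that matches one of the listed behaviors.

```python
"""Added example: flag the BEC post-compromise indicators above in mailbox audit events."""
from datetime import datetime, timedelta

# Assumption: the organization's own domain(s); anything else is "external".
INTERNAL_DOMAINS = {"example.com"}
# Folders attackers pick for rules because users rarely open them.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email", "archive"}
# Keywords from the list above plus common invoice/payment terms (assumption).
BEC_KEYWORDS = {"urgent", "immediate action", "verify your account",
                "private request", "invoice", "wire", "payment"}
# A success this soon after a denial suggests password guessing or MFA-prompt fatigue.
LOGIN_WINDOW = timedelta(minutes=10)
# Assumption: an upstream enrichment step labels the source IP's network type.
ANONYMIZING_NETWORKS = {"vpn", "proxy", "tor", "hosting"}

# Constructed sample events (simplified schema, not a real audit-log format).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:00:00", "user": "cfo@example.com", "op": "LoginFailed",
     "ip": "203.0.113.7"},
    {"ts": "2024-05-01T08:03:00", "user": "cfo@example.com", "op": "LoginSuccess",
     "ip": "203.0.113.7", "network": "hosting"},
    {"ts": "2024-05-01T08:05:00", "user": "cfo@example.com", "op": "New-InboxRule",
     "rule": {"name": ".",  # attackers often give rules a one-character name
              "forward_to": ["collector@attacker.example"],
              "subject_contains": ["invoice", "wire"], "move_to": None, "delete": False}},
    {"ts": "2024-05-01T08:06:00", "user": "cfo@example.com", "op": "New-InboxRule",
     "rule": {"name": "cleanup", "forward_to": [], "subject_contains": ["urgent"],
              "move_to": "RSS Subscriptions", "delete": True}},
    {"ts": "2024-05-01T08:07:00", "user": "cfo@example.com", "op": "Set-Mailbox",
     "forwarding_smtp": "collector@attacker.example"},
    {"ts": "2024-05-01T08:08:00", "user": "cfo@example.com", "op": "Add-MailboxPermission",
     "delegate": "helper@attacker.example"},
    # Benign activity from another user: should produce no findings.
    {"ts": "2024-05-01T09:00:00", "user": "alice@example.com", "op": "New-InboxRule",
     "rule": {"name": "newsletters", "forward_to": [], "subject_contains": ["newsletter"],
              "move_to": "Newsletters", "delete": False}},
    {"ts": "2024-05-01T09:30:00", "user": "alice@example.com", "op": "LoginSuccess",
     "ip": "198.51.100.4", "network": "isp"},
]


def is_external(address):
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def detect_bec_indicators(events):
    """Return (indicator, user) pairs for every event matching the BEC detection list."""
    findings = []
    last_failed = {}  # user -> timestamp of the most recent denied login
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        user, op = ev["user"], ev["op"]
        if op == "LoginFailed":
            last_failed[user] = ts
        elif op == "LoginSuccess":
            if user in last_failed and ts - last_failed[user] <= LOGIN_WINDOW:
                findings.append(("login_after_denied", user))
            if ev.get("network") in ANONYMIZING_NETWORKS:
                findings.append(("login_from_proxy_or_vpn", user))
        elif op == "New-InboxRule":
            rule = ev["rule"]
            if any(is_external(a) for a in rule.get("forward_to", [])):
                findings.append(("rule_forwards_external", user))
            if (rule.get("move_to") or "").lower() in HIDDEN_FOLDERS:
                findings.append(("rule_hides_mail", user))
            if rule.get("delete"):
                findings.append(("rule_deletes_mail", user))
            subjects = [s.lower() for s in rule.get("subject_contains", [])]
            if any(kw in s for s in subjects for kw in BEC_KEYWORDS):
                findings.append(("rule_matches_bec_keywords", user))
        elif op == "Set-Mailbox":
            fwd = ev.get("forwarding_smtp")
            if fwd and is_external(fwd):
                findings.append(("mailbox_forwarding_external", user))
        elif op == "Add-MailboxPermission" and ev.get("delegate"):
            findings.append(("new_delegate", user))
    return findings


def summarize(findings):
    """Group indicator names per user so an analyst sees the whole picture at once."""
    by_user = {}
    for indicator, user in findings:
        by_user.setdefault(user, set()).add(indicator)
    return {user: sorted(inds) for user, inds in by_user.items()}


if __name__ == "__main__":
    for user, indicators in summarize(detect_bec_indicators(SAMPLE_EVENTS)).items():
        print(f"{user}: {', '.join(indicators)}")
```

Running the script prints one line per user with every indicator that fired, so the compromised account stands out with eight distinct behaviors while the benign user produces nothing. In production the same checks would run over the tenant's real audit feed, and the keyword rule in particular should be tuned to the organization's own invoice and payment vocabulary to keep false positives manageable.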
Revealing BEC attacks before they do damage
Your organization’s employees may be whip-smart and highly receptive to security guidance, but that doesn’t mean they’ll be 100% savvy about increasingly sophisticated BEC attacks. (The criminals wouldn’t use BEC if it didn’t work.) Ideally, BEC activity is detected before the fraudulent emails reach employees, with automation generating alerts on the behaviors listed above and tipping off analysts to investigate.
Conclusion
Business email compromise represents a sophisticated evolution in cybercrime that combines detailed reconnaissance, social engineering, and increasingly advanced technologies like AI. While its success rate and potential financial impact make it a serious threat to organizations of all sizes, BEC attacks can be effectively countered through a multi-layered approach. This includes implementing robust technical controls like MFA and secure payment platforms, establishing strict financial procedures, deploying advanced detection systems, and providing comprehensive security awareness training. The key is to both prevent malicious emails from reaching employees and ensure that when they do, staff are equipped to recognize and properly handle these sophisticated attempts at deception. As BEC tactics continue to evolve, organizations must remain vigilant and adaptable in their defense strategies.