Business Email Compromise (BEC) Explained

Last updated: 2026-04-18 (6 min read)

Learn what Business Email Compromise (BEC) is, how these sophisticated financial scams work, and the strategies organizations can use to defend against them.

Business Email Compromise (BEC) is a type of cybercrime where an attacker compromises legitimate business email accounts to conduct unauthorized transfers of funds. Unlike traditional phishing, which often relies on malicious links or attachments, BEC relies heavily on pure social engineering and impersonation.

BEC is consistently ranked as one of the most financially damaging types of cybercrime. According to the FBI, BEC scams have cost businesses billions of dollars globally. For current data on per-incident losses across different sectors, see our BEC Industry Benchmarks.


How BEC Works

A typical BEC attack involves several distinct phases:

  1. Reconnaissance: The attacker researches the target organization, often via LinkedIn, company websites, and social media. They look for executives, finance personnel, and established vendor relationships.
  2. Compromise or Impersonation: The attacker either gains unauthorized access to a legitimate email account (often through a prior credential phishing attack) or creates a lookalike domain that closely mimics a legitimate one (e.g., [email protected] instead of [email protected]).
  3. Monitoring (if compromised): If a real account is taken over, the attacker spends time silently reading emails. They study payment cycles, vendor names, and the writing style of the compromised user.
  4. The Ask: The attacker sends an email requesting an urgent wire transfer, a change in payment routing details, or the purchase of gift cards. The message is carefully timed and crafted to sound entirely natural.

Common Types of BEC Scams

The FBI identifies several major variations of BEC:

  • CEO Fraud: The attacker impersonates the CEO or another high-ranking executive and emails the finance department, requesting an urgent, confidential wire transfer.
  • Vendor Email Compromise (VEC): The attacker compromises a vendor's email account and sends fake invoices to the vendor's clients, directing payments to the attacker's bank account.
  • Account Compromise: An employee's email account is hacked and used to request invoice payments to fraudulent accounts.
  • Attorney Impersonation: The attacker pretends to be legal counsel handling a secret, time-sensitive matter that requires immediate funding.

Why BEC is Difficult to Detect

BEC attacks are notoriously hard for technical security controls to block because they often do not contain the typical "red flags" of a cyberattack:

  • No Malware: There are usually no malicious attachments or links for antivirus software to flag.
  • Trusted Sender: If an account is compromised, the email comes from a completely legitimate sender and domain.
  • Plausible Context: Attackers leverage real-world context (like a known, upcoming invoice) to make the request seem normal.

Defending Against BEC

Protecting your organization from BEC requires a combination of technical controls, rigid financial processes, and employee awareness.

1. Implement Out-of-Band Verification

The single most effective defense against BEC is a policy that requires out-of-band verification for any changes to payment details or high-dollar wire transfers. If an email requests a change in bank routing numbers, the employee must call the vendor using a pre-established, trusted phone number (not the number listed in the email) to verbally confirm the change.

2. Enforce Multi-Factor Authentication (MFA)

Require MFA for all email accounts. While MFA is not a silver bullet (and can be bypassed), it significantly raises the difficulty for attackers trying to compromise an account to use for BEC.

3. Strengthen Financial Controls

Require multiple approvals for wire transfers above a certain threshold. Separation of duties ensures that no single person can authorize and execute a large payment without secondary review.

4. Provide Targeted Security Awareness Training

Employees need to be trained specifically on what BEC looks like. Generic phishing training is not enough. Staff, particularly those in finance, HR, and executive roles, should understand the tactics used in CEO fraud and VEC.

5. Configure Email Defenses

Implement SPF, DKIM, and DMARC to prevent spoofing of your own domain. Configure email gateways to flag emails from domains that are visually similar to your own or known partners. Use warnings for external emails to remind employees when a sender is outside the organization.
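The two gateway checks described above, flagging sender domains that are visually similar to your own or a partner's and confirming that a DMARC record actually enforces a policy, can be prototyped in a few dozen lines. The script below is an added illustration written for this article, not PhishSkill code; the trusted-domain list, the From: header samples and the DMARC record it reads are all constructed. It folds common confusable characters (digit 1 for l, rn for m, and so on), strips non-ASCII, then compares each sender domain to the trusted list by exact match, by same name under a different TLD, and by edit distance, and separately parses a DMARC TXT record to report its p= tag.

```python
"""Lookalike-domain and DMARC-policy checks for inbound mail triage.

Added example for this article; it is not PhishSkill code. The trusted
domains, the From: headers and the DMARC record below are constructed
for illustration.
"""
import re
import unicodedata

# Constructed: domains the organisation treats as its own or as known partners.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}

# Character substitutions that look alike in many fonts; each is folded to the
# letter it imitates before comparing domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case, strip accents/non-ASCII and fold common confusables."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for lookalike, letter in CONFUSABLES:
        folded = folded.replace(lookalike, letter)
    return folded


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """Return 'trusted', 'lookalike' (visually close to a trusted domain) or 'unknown'."""
    if domain.lower() in trusted:
        return "trusted"
    norm = normalize(domain)
    for known in trusted:
        known_norm = normalize(known)
        # Same registrable name under another TLD (example.net vs example.com).
        same_name = norm.rsplit(".", 1)[0] == known_norm.rsplit(".", 1)[0]
        if norm == known_norm or same_name or edit_distance(norm, known_norm) <= max_distance:
            return "lookalike"
    return "unknown"


def sender_domain(from_header: str) -> str:
    """Extract the domain part of a From: header value such as 'Name <user@host>'."""
    match = re.search(r"@([^\s>]+)", from_header)
    return match.group(1).lower() if match else ""


def dmarc_policy(txt_record: str):
    """Return the p= tag of a DMARC TXT record, or None if it is not a DMARC record."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip()] = value.strip()
    if tags.get("v") != "DMARC1":
        return None
    return tags.get("p")


# Constructed From: headers, one legitimate and several typo-squats/confusables.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane@example.com>",          # genuine internal sender
    "CFO <cfo@examp1e.com>",                # digit 1 in place of letter l
    "Accounts <ap@acme-suppIies.com>",      # capital I in place of lower-case l
    "Billing <billing@acme-supplies.co>",   # truncated TLD
    "Someone <someone@gmail.com>",          # external, not similar to anything trusted
]


def triage(headers=SAMPLE_FROM_HEADERS):
    """Label each header's sender domain so a gateway rule or analyst can act on it."""
    return [(sender_domain(h), classify_domain(sender_domain(h))) for h in headers]


if __name__ == "__main__":
    for domain, verdict in triage():
        print(f"{verdict:9s} {domain}")
    print("DMARC policy:", dmarc_policy("v=DMARC1; p=reject; rua=mailto:dmarc@example.com"))
```

A "lookalike" verdict is the case worth routing to a banner or quarantine; "unknown" simply means external, which is where the generic external-sender warning applies. A DMARC record whose policy is "none" only monitors, so the check is useful as a standing control to confirm that your own domain and key partners have moved to "quarantine" or "reject". The edit-distance threshold of 2 is a starting point; short trusted domains may need a lower value to avoid flagging unrelated names.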
