Business Email Compromise: The Most Costly Cyber Crime
Business Email Compromise (BEC) is a sophisticated form of email fraud that targets organizations to steal money or sensitive data. Unlike broad phishing campaigns, BEC attacks are carefully researched and targeted — often focusing on specific employees with the authority or access to execute financial transactions.
The FBI's Internet Crime Complaint Center consistently reports BEC as the highest-loss cybercrime category. Losses from BEC run into billions of dollars annually, affecting companies of every size across every industry.
How BEC Attacks Work
A typical BEC attack follows a pattern:
Phase 1 — Research:
The attacker researches the target organization. They identify executives (typically from LinkedIn), financial officers, accounting staff, and key vendors. They study organizational structure, vendor relationships, and communication patterns — often from publicly available information.
Phase 2 — Account Compromise or Impersonation:
The attacker either compromises an actual email account (through phishing) or creates a convincing impersonation — using a lookalike domain (company-corp.com instead of companycorp.com) or display name manipulation.
Phase 3 — The Request:
The attacker sends a carefully crafted email impersonating an executive, vendor, or colleague. The request creates urgency and often includes instructions not to verify through normal channels.
Phase 4 — Transfer:
If successful, the target executes a wire transfer, changes payment details, or provides access credentials. The funds go to attacker-controlled accounts, often moved internationally within hours.
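The Phase 2 techniques above (a hyphenated or digit-substituted lookalike domain, or an executive's display name on an outside address) can be checked mechanically at the mail gateway. The following is an added example, not code from the original article; the domains, vendor list and executive names are constructed placeholders, and the 0.85 similarity threshold is an assumption a real deployment would tune.

```python
import re
from difflib import SequenceMatcher

# Constructed data: the defended organisation's own domain, the domains of
# known vendors, and display names of executives who are commonly impersonated.
INTERNAL_DOMAIN = "companycorp.com"
TRUSTED_DOMAINS = {INTERNAL_DOMAIN, "acme-supplies.example", "northwind.example"}
EXECUTIVE_NAMES = {"jane doe", "john smith"}

# Digit-for-letter substitutions frequently used to build lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain):
    """Fold a domain so 'company-corp.com' and 'c0mpanycorp.com' compare equal."""
    return domain.lower().translate(HOMOGLYPHS).replace("-", "").replace("_", "")

def split_from(header):
    """Split a From: header into (display name, address)."""
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()

def assess_sender(from_header):
    """Return a list of BEC indicators found in a From: header (empty if clean)."""
    name, addr = split_from(from_header)
    domain = addr.rsplit("@", 1)[-1]
    findings = []
    if domain not in TRUSTED_DOMAINS:
        norm = normalize(domain)
        for trusted in sorted(TRUSTED_DOMAINS):
            t = normalize(trusted)
            if norm == t:
                findings.append(f"lookalike of {trusted} (hyphen/homoglyph)")
            elif SequenceMatcher(None, norm, t).ratio() >= 0.85:  # assumed threshold
                findings.append(f"lookalike of {trusted} (near match)")
    # Display-name manipulation: a known executive's name on a non-internal address.
    if name.lower() in EXECUTIVE_NAMES and domain != INTERNAL_DOMAIN:
        findings.append("executive display name from non-internal domain")
    return findings

if __name__ == "__main__":
    for hdr in ['"Jane Doe" <jane.doe@company-corp.com>',
                'Accounts Payable <ap@acme-supp1ies.example>',
                '"John Smith" <john.smith@companycorp.com>']:
        print(hdr, "->", assess_sender(hdr) or "no indicators")
```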
The Five Types of BEC
CEO Fraud (Executive Impersonation):
An email appearing to come from the CEO, COO, or another senior executive requests an urgent wire transfer or sensitive information. The message typically targets a financial officer, creates urgency, and instructs the recipient not to follow normal procedures.
Vendor/Invoice Fraud:
The attacker impersonates a known vendor, supplier, or business partner. The email requests that payment be made to updated bank account details. The new details belong to the attacker.
Payroll Diversion:
An email appearing to come from an employee requests that their direct deposit information be updated before the next payroll run. The new account belongs to the attacker.
Attorney/Legal Impersonation:
An attacker poses as an attorney handling a confidential matter — often around acquisitions, legal disputes, or regulatory issues. The attacker requests funds or information urgently, adding that the matter is confidential and must not be discussed with others.
Data Theft (Non-Financial BEC):
Instead of requesting money, the attacker requests sensitive data — employee W-2 forms, personnel records, customer databases — that can be monetized or used in follow-on attacks.
Why BEC Succeeds
BEC attacks are effective because they exploit human psychology rather than technical vulnerabilities:
Authority: Requests appear to come from senior leadership or trusted partners — people the target would not normally question.
Urgency: Time pressure ("must be completed today," "CEO is traveling and needs this done before close of business") reduces the likelihood of verification.
Confidentiality: Instructions not to tell colleagues eliminate peer verification.
Contextual accuracy: Research enables attackers to reference real people, projects, vendors, and situations — making the request appear entirely legitimate.
These social engineering elements are more difficult to block technically than malware or phishing links.
Prevention Measures
Verification Procedures for Financial Transactions:
Establish a firm policy that all wire transfers, payment changes, and bank detail updates require verbal verification through a previously established contact number — never through information provided in the same email chain.
Dual Authorization:
Require two approvals for wire transfers above a specific threshold. The second approver adds a verification layer that catches single-point social engineering.
Email Authentication (SPF, DKIM, DMARC):
Implement DMARC with a reject policy on your domain. This prevents direct spoofing of your own domain by external attackers; it does not stop mail from lookalike domains or from compromised legitimate accounts, which the verification procedures above must catch.
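A DMARC record published at p=none only monitors; the article's recommendation is enforcement with p=reject. The checker below is an added example, not code from the original article, that parses a DMARC TXT record and lists the gaps relative to full enforcement; the two records are constructed sample values (the defaults for sp and pct follow RFC 7489).

```python
# Constructed sample records: a monitoring-only record and the hardened form.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@companycorp.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@companycorp.com"

def parse_dmarc(record):
    """Parse a DMARC TXT record ('tag=value; tag=value') into a dict."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_gaps(record):
    """Return weaknesses relative to an enforce-everything posture (empty if none)."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    gaps = []
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        gaps.append(f"p={policy}: spoofed mail is not rejected")
    # Subdomain policy defaults to the organisational policy when sp is absent.
    sub = tags.get("sp", policy).lower()
    if sub != "reject":
        gaps.append(f"sp={sub}: subdomains are not protected")
    # pct defaults to 100; anything lower lets a share of failing mail through.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        gaps.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        gaps.append("no rua: no aggregate reports to detect spoofing attempts")
    return gaps

if __name__ == "__main__":
    for rec in (WEAK_DMARC, STRONG_DMARC):
        print(rec, "->", dmarc_gaps(rec) or "enforcing")
```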
External Email Banners:
Configure email systems to clearly label messages from external senders. This visual indicator helps recipients identify emails claiming to be internal but originating externally.
Vendor Portal Processes:
For payment detail changes, implement a formal process through your accounts payable system rather than accepting changes via email alone.
Employee Training:
Run regular BEC awareness training that specifically covers the scenarios described above. Employees should know they will never be penalized for slowing down to verify a request, regardless of apparent urgency.
What to Do If BEC Succeeds
Time is critical. If a fraudulent transfer is made:
1. Contact your bank immediately to attempt recall of the wire transfer
2. File a complaint with the FBI's Internet Crime Complaint Center (IC3)
3. Contact your local FBI field office
4. Preserve all relevant email evidence
5. Notify affected parties (vendors, partners) if their impersonation was used
Wire transfer recovery is possible but not guaranteed — success rates decrease rapidly after the first few hours.
FAQ:
Q: How do BEC attackers find information about our organization?
A: Primarily through LinkedIn (organizational structure, employee roles), company websites (vendor announcements, partner relationships), and publicly filed documents. Limiting public organizational information reduces attack surface.
Q: Can email filtering catch BEC attacks?
A: Standard filtering catches some BEC attempts — particularly those using known malicious domains. Sophisticated BEC using lookalike domains or compromised legitimate accounts is harder to filter. Human vigilance and verification procedures are essential complements to technical filtering.
Q: Is BEC covered by cyber insurance?
A: Many cyber insurance policies cover BEC losses, though coverage varies by policy. Review your policy specifically for social engineering and funds transfer fraud coverage.
Conclusion:
Business Email Compromise is a human-layer attack that exploits trust, authority, and urgency rather than technical vulnerabilities. Technical controls (domain authentication, email filtering, external banners) reduce exposure, but verification procedures and employee training are the essential defenses. A culture where financial requests received by email are always verified verbally through independent channels prevents the vast majority of BEC fraud.