Email is a prime channel of communication for both internal and external exchange of information in any organization. This unequivocally makes it the top attack vector and a favored means for adversaries to gain access to your network.
Business email compromise (BEC) represents a sophisticated form of cybercrime where attackers target legitimate email accounts to conduct unauthorized fund transfers or steal sensitive data. In a business email compromise attack, cybercriminals often impersonate executives or trusted business partners to deceive employees into transferring money or sharing confidential information.
What are the most common types of business email compromise scams?
Threat actors mainly attempt targeted attacks on corporate accounts. They can make an unlimited number of attempts and need only one unsuspecting user to gain a foothold in the corporate network. These scams aim to deceive employees and gain unauthorized access to networks, financial resources, or sensitive information. The most prevalent types include:
Impersonation of executives and trusted partners: Attackers target employees via emails that appear to come from a legitimate source, such as a high-level authority from within the company (so-called CEO or CFO fraud) or outside it (such as attorneys). The email often conveys urgency and confidentiality to prevent questioning and to pressure employees into sharing sensitive information, authorizing wire transfers, or taking other financial actions such as buying gift cards for client gifts.
False invoice schemes and payment fraud: Attackers gain access to a legitimate email account of a vendor or supplier, then alter invoice details or request invoice payments to fraudulent bank accounts. Unsuspecting businesses might unknowingly send funds to the attacker’s account, believing they’re paying a legitimate supplier.
Data theft: Rather than pursuing immediate financial gain, attackers may target HR or finance departments to obtain personally identifiable information (PII) or confidential financial records. This data is often used for additional attacks later on, such as identity theft, social engineering, or financial fraud.
How does a business email compromise attack work?
Business email compromise (BEC) attacks occur when scammers carefully infiltrate an organization’s email network and deceive employees into taking unauthorized actions. Here’s how these attacks usually unfold:
- Reconnaissance and identity spoofing: The attackers begin by thoroughly researching their target. They study the organization’s structure, key personnel, and any publicly available details that can help them blend in. In some cases, they go as far as creating fake websites or even registering a dummy company with a similar name in another country to appear legitimate.
- Gaining access and monitoring communications: Once inside, either by hacking into an employee’s email account or by tricking someone into clicking on a malicious link, the attackers don’t act immediately. Instead, they observe. They read through emails, analyze payment processes, and look for patterns in conversation. This “silent surveillance” phase allows them to identify individuals who authorize fund transfers or handle sensitive financial transactions.
- Building trust and preparing for the scam: With a clear understanding of how the company communicates and who controls the money flow, the attackers then move to gain the target’s trust. Sometimes they initiate casual email exchanges or ask routine questions to establish a rapport. This process is calculated to make their eventual request for funds or sensitive information feel normal and credible.
- Execution via impersonation and fraudulent requests: When the time is right, the attacker impersonates a trusted individual, often a senior executive such as the company CEO, an attorney, or a vendor. They may use email spoofing techniques, where the sender’s email address is altered to look nearly identical to the legitimate one (for example, changing “jane@organization.com” to “jane@organisation.com”, with an “s” instead of a “z”). In other cases, they might send the email from the correct address but route it through a different domain, making it appear as if it’s coming from an external party.
With this disguise, the scammer makes a direct request, such as a wire transfer, gift cards, or confidential information.
BEC attacks are hard to detect because they don’t contain the typical red flags like malware, malicious links, or suspicious attachments that traditional security filters are designed to catch. Instead, these attacks rely on social engineering tactics that exploit human trust and familiarity with organizational hierarchies.
Another reason BEC attacks evade detection is their low volume and sophisticated setup. Unlike large-scale phishing attacks, which often flood inboxes and raise red flags, BEC scams are usually limited to one or two targeted emails. This low volume helps them fly under the radar, avoiding unusual spikes that might trigger email filters.
Attackers may even use domains or IP addresses with a clean or neutral reputation, making it harder for automated systems to block them. In some cases, they bypass security protocols like DMARC (Domain-based Message Authentication, Reporting and Conformance) by sending emails from legitimate accounts or by exploiting gaps in an organization’s DMARC configuration. This level of precision and personalization makes BEC attacks particularly challenging to identify and intercept.
Who gets targeted in a BEC attack?
A BEC attack targets individuals or departments that have direct access to financial assets or sensitive company information. The primary targets include:
- Finance departments handling fund transfers and invoice payments.
- Human resources dealing with personally identifiable information (PII).
- High-level executives such as CEOs and CFOs, whose email accounts can be impersonated for financial gain.
- External vendors and suppliers that routinely request fund transfers, who may be manipulated or impersonated to request fake payments.
Focusing on these high-value targets allows BEC attackers to maximize their chances of a successful scam.
What impacts do BEC schemes have on businesses?
BEC scams can have severe financial and reputational consequences for businesses. Some of the significant impacts include:
- Direct financial impact: Organizations face significant losses from fraudulent wire transfer requests.
- Operational disruption: Companies must dedicate substantial resources to investigation and recovery.
- Reputational damage: There may be a loss of trust from partners and customers after data theft.
- Regulatory consequences: Potential fines may be incurred for failing to protect sensitive information.
- Long-term security costs: Investment in enhanced phishing protection and security measures will impact future financial planning.
These effects highlight the severe consequences of BEC for businesses beyond just financial losses.
Business email compromise examples
Here are some examples of BEC scams to illustrate their variety and impact:
The urgent payment demand
A member of the finance department receives an email from their supplier’s account, which is in fact controlled by attackers. The message claims an outstanding payment needs an urgent wire transfer, complete with modified banking details. The attack leverages both urgency and the existing business relationship, often including previous email threads to appear legitimate.
Vendor account change notice
A regular vendor emails to notify you that their banking details have changed, requesting that all future payments be made to a new account. While the email seems routine, it’s actually from a fraudster who has hijacked the vendor’s account or spoofed their identity. Without verifying this change through alternate channels, businesses can end up paying large sums to scammers instead of legitimate vendors.
Lease renewal request
A cybercriminal hacks into a real estate company’s email system and sends messages to clients, notifying them that their lease is up for renewal. The email includes instructions for payment, directing the recipient to a fraudulent account. In one recent case, this tactic cost a company over half a million dollars.
Executive SMS authentication scam
Attackers compromise a senior executive’s email account and contact employees requesting their phone numbers for “secure authentication.” Once they obtain the number, they switch to SMS communication to request wire transfers or sensitive data, exploiting the perceived security of text messaging.
Tips for protection against BEC exploits
Implementing robust BEC protection requires a well-crafted strategy combining technology, processes, and people.
Multi-step email security and defense
To fully protect their email system, businesses need a solution that verifies email in several basic steps. The checklist includes:
- Reputation of the sender’s IP address
- SPF/DMARC/DKIM records for the sender’s domain
- Presence of the email recipient in the organization
- Sender’s presence in the anti-spam databases
- Phishing markers
- Links and attached files checked with the help of a Malware Detonation Platform
If every step completes successfully, the email is delivered to the recipient, and the email protection system keeps a log of each email for reporting.
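As an added defensive example (not code from the article or from Group-IB’s product), the Python script below applies a few of the checklist items to a single message: it flags the one-character lookalike domain from the earlier example (organisation vs organization), a Reply-To that diverts the thread elsewhere, any SPF/DKIM/DMARC verdict in an Authentication-Results header that is not a pass, and urgency or bank-detail-change wording. The sample message, the trusted-domain list and the header values are all constructed assumptions.

```python
import email
import re
from email.utils import parseaddr
# Constructed sample (not a real capture): the article's own lookalike domain plus a
# Reply-To that points somewhere else. Every authentication check on it passes.
SAMPLE_MESSAGE = """\
From: Jane Doe <jane@organisation.com>
Reply-To: jane.doe@mail-relay.example
Subject: Urgent wire transfer
Authentication-Results: mx.organization.com; spf=pass smtp.mailfrom=organisation.com;
 dkim=pass header.d=organisation.com; dmarc=pass header.from=organisation.com

Please process the attached invoice today. New bank details are enclosed.
"""
TRUSTED_DOMAINS = {"organization.com", "vendor-example.com"}  # assumed list of known partner domains
def levenshtein(a, b):
    """Classic edit distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]
def lookalike_of(domain, trusted):
    """Trusted domain within one edit of `domain`, or None (an exact match is not a lookalike)."""
    if domain in trusted:
        return None
    return next((t for t in trusted if levenshtein(domain, t) <= 1), None)
def parse_auth_results(value):
    """Extract spf/dkim/dmarc verdicts from an Authentication-Results header value."""
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}
def triage(raw, trusted):
    """Return human-readable flags for one message; an empty list means nothing looked suspicious."""
    msg = email.message_from_string(raw)
    flags = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if target := lookalike_of(from_domain, trusted):
        flags.append(f"lookalike sender domain {from_domain} (resembles {target})")
    if reply_domain and reply_domain != from_domain:  # replies would leave the impersonated thread
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            flags.append(f"{method} did not pass ({auth.get(method, 'missing')})")
    if re.search(r"\burgent\b|new bank details", raw, re.I):  # the social-engineering cues
        flags.append("urgency or bank-detail-change language")
    return flags
```

Note that every authentication check on the sample passes, because the attacker controls the lookalike domain and can publish valid SPF, DKIM and DMARC records for it; this is why the lookalike and Reply-To checks are needed alongside the authentication results.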
Educate employees on warning signs
Staff training should focus on recognizing social engineering red flags and verifying unusual requests through secondary channels. Employees must understand that urgent requests for sending money or sensitive information require verification, especially when they bypass standard procedures.
Require multifactor authentication (MFA)
Implementing MFA provides an additional security layer beyond passwords, making it significantly harder for attackers to compromise accounts. This BEC cybersecurity measure is crucial for account compromise prevention, especially for users with access to financial systems or sensitive data.
Cost-free tests
Phishing simulations and security assessments can increase awareness and resilience among employees. To make sure corporate email is properly secured, Group-IB developed the free Trebuchet tests. This tool can be used to test email and network protection.
Enable complete security with Group-IB’s Business Email Security
Organizations want their email communications to be agile, confidential, and business-driven. This may also lead them to overlook security protocols, which, in turn, exposes the businesses to a number of cyber risks.
To avoid compromising on either business agility or security, organizations can leverage our Business Email Compromise (BEC) protection solution to enable comprehensive protection, reducing the need for manual intervention to track and minimize errors.
Business email protection (BEP) is an advanced malware detonation platform that offers real-time, automated protection and visibility into email threats and the source of attacks. It integrates seamlessly and secures corporate email accounts, both on-premises and in the cloud, against single-source and blended (email and web-based) attacks. Learn how BEP maps threat actors and detonates even the most sophisticated attacks.