
Demystifying Business Email Compromise (BEC)

In a previous blog we talked about phishing in a general sense. This article discusses another prevalent cybersecurity threat that is a form of phishing but more refined, and one of the most prevalent and damaging threats facing businesses today: Business Email Compromise (BEC).

This insidious form of cybercrime involves attackers using social engineering tactics to manipulate employees into performing fraudulent actions, often resulting in financial losses, data breaches, and reputational damage. Here, we delve into the intricacies of BEC attacks, explore common variants, and provide actionable strategies for organizations to defend against this pervasive threat.


Understanding BEC

At its core, Business Email Compromise refers to a type of cyberattack where threat actors impersonate trusted entities, such as company executives, vendors, or colleagues, to deceive employees into taking unauthorized actions. These actions typically involve wire transfers, divulging sensitive information, or making changes to financial or operational processes.


BEC attacks exploit human psychology and trust/hierarchical relationships within organizations to bypass traditional security measures, making them particularly challenging to detect and mitigate.


Anatomy of a BEC Attack

BEC attacks typically unfold through a series of carefully orchestrated steps:


1. Research and Targeting

BEC scammers conduct thorough reconnaissance to gather intelligence about their target organization, including key personnel, business processes, and communication channels.

They don't send mass emails indiscriminately to millions of people, as is often the case with standard phishing emails, but meticulously research their targets, focusing on employees with access to finances or confidential data. Targets could be executives, accounts or finance departments, or anyone authorised to make payments.

Sometimes they create fake websites imitating legitimate ones or even register a company with the same name in a different country. Once they have obtained access, scammers monitor emails to figure out who might send or receive money. They also look at conversation patterns and invoices to best arm themselves for the next phase.

2. Email Spoofing and Impersonation

Armed with this information, cybercriminals craft convincing emails that appear to originate from trusted sources such as executives, vendors, or colleagues, which makes them even harder to detect. They often spoof email addresses and employ persuasive language to manipulate recipients into complying with their requests.

3. Deception and Coercion

The fraudulent emails typically contain urgent requests for wire transfers, changes to payment details, or the disclosure of sensitive information. Attackers exploit urgency, authority or fear to coerce recipients into taking immediate action without questioning the legitimacy of the request.

4. Execution and Exploitation

If successful, BEC attacks result in financial losses, data breaches, or other detrimental outcomes for the targeted organization. Attackers may exploit compromised accounts to launch further attacks, perpetuating the cycle of deception and exploitation.

Common Variants of BEC Attacks


BEC attacks manifest in various forms, each with its own tactics and objectives:

1. CEO Fraud: In CEO fraud schemes, attackers impersonate high-ranking executives, such as CEOs or CFOs, to request urgent wire transfers or sensitive information from employees responsible for financial transactions.

2. Vendor Email Compromise: In this variant, cybercriminals compromise legitimate vendor accounts or impersonate trusted suppliers to request changes to payment details, invoice redirection, or other fraudulent activities.

3. Employee Impersonation: Attackers may impersonate lower-level employees or colleagues within the organization to request payroll changes or other sensitive data.

4. Lawyer Impersonation: In some cases, cybercriminals pose as legal representatives or external counsel to coerce employees into divulging confidential information or transferring funds.



Defending Against BEC Attacks


Mitigating the risk of BEC attacks requires a comprehensive approach that addresses both technical vulnerabilities and human factors:


1. Employee Training and Awareness

Train employees on:

· tactics used in BEC attacks

· common red flags to watch for (e.g., urgent requests, unusual payment instructions)

· best practices for verifying the authenticity of emails.


An email may look authentic, but are its design and quality what you would expect, or is something a little off? Check carefully, and do not take it for granted that an email is legitimate just because it carries the company logo.


2. Email Authentication Protocols

Deploy email authentication protocols such as SPF, DKIM, and DMARC, which allow receiving mail servers to detect and reject email spoofing and impersonation of your domain.
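The value of SPF and DMARC depends on how strictly they are configured, not just on whether a record exists. The following checker, added here as an illustration and not code from the original post, parses SPF and DMARC TXT records and reports the settings that leave a domain open to spoofing (a missing record, a permissive SPF "all" qualifier, or a DMARC policy of none). The domains and records are constructed for the example; in practice the records come from a DNS TXT lookup of the domain and of _dmarc.<domain>.

```python
"""Assess SPF and DMARC records for anti-spoofing strength.

Added example, not part of the original post. The records below are
constructed; replace them with real DNS TXT lookups in a deployment.
"""
import re

# Constructed sample records for three hypothetical domains.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ?all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@strong.example",
    },
    "nodmarc.example": {
        "spf": "v=spf1 mx ~all",
        "dmarc": None,
    },
}


def parse_spf(record):
    """Return (mechanisms, all_qualifier).

    all_qualifier is '+', '-', '~' or '?' (None if no 'all' term or no record).
    """
    if record is None or not record.lower().startswith("v=spf1"):
        return [], None
    mechanisms, all_qualifier = [], None
    for term in record.split()[1:]:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            all_qualifier = match.group(1) or "+"   # bare 'all' means pass
        else:
            mechanisms.append(term)
    return mechanisms, all_qualifier


def parse_dmarc(record):
    """Return the DMARC tags as a dict, or {} if the record is missing/invalid."""
    if record is None or not record.strip().lower().startswith("v=dmarc1"):
        return {}
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record, dmarc_record):
    """List the weaknesses that let a third party send mail as this domain."""
    findings = []
    _, all_qualifier = parse_spf(spf_record)
    if spf_record is None:
        findings.append("no SPF record: any host can claim to send for this domain")
    elif all_qualifier in (None, "+", "?"):
        findings.append("SPF does not fail unlisted senders (missing, +all or ?all)")
    elif all_qualifier == "~":
        findings.append("SPF softfail (~all): unlisted senders are marked, not rejected")

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower()
    if not dmarc:
        findings.append("no DMARC record: receivers get no instruction to reject spoofs")
    elif policy == "none":
        findings.append("DMARC p=none: spoofed mail is reported but still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine: spoofed mail lands in spam, not rejected")
    if dmarc and "rua" not in dmarc:
        findings.append("DMARC has no rua= address: no aggregate reports to spot abuse")
    pct = dmarc.get("pct")
    if pct is not None and pct != "100":
        findings.append(f"DMARC pct={pct}: policy applies to only part of the mail")
    return findings


def spoof_risk(spf_record, dmarc_record):
    """Overall rating driven by the DMARC policy, which is what receivers enforce."""
    policy = parse_dmarc(dmarc_record).get("p", "").lower()
    if policy == "reject":
        return "low"
    if policy == "quarantine":
        return "medium"
    return "high"


def run_samples():
    """Assess every constructed sample and return {domain: (risk, findings)}."""
    return {
        domain: (spoof_risk(rec["spf"], rec["dmarc"]), assess(rec["spf"], rec["dmarc"]))
        for domain, rec in SAMPLE_RECORDS.items()
    }


if __name__ == "__main__":
    for domain, (risk, findings) in run_samples().items():
        print(f"{domain}: spoofing risk {risk}")
        for finding in findings:
            print(f"  - {finding}")
```

Only the DMARC policy decides what a receiving server does with a spoofed message, which is why the rating keys off `p=`; a strict SPF record with `p=none` still lets impersonated mail through to inboxes, merely generating reports about it.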


3. Verification Procedures


· Establish clear procedures for verifying payment requests, changes to financial information, or other sensitive transactions.

· Implement dual authorization mechanisms and require additional verification for high-risk activities.

· Ensure that all important email requests are verified using another method (such as an SMS message, a phone call, logging into an account, or confirmation by post or in person).


Don’t take their word for it!


4. Continuous Monitoring and Detection

Regularly monitor email traffic, financial transactions, and other communication channels for suspicious activities or anomalies. Implement email security solutions that leverage behavioural analysis and machine learning algorithms to detect and flag potential threats.
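The red flags described earlier in this article (executive display names on external addresses, look-alike sender domains, a Reply-To that differs from the From address, urgency and payment-change wording, and failed SPF/DKIM/DMARC results) can be checked automatically on inbound mail. The scorer below is an added example and not code from the original post; the organisation domain, the list of executive names, and both sample messages are constructed for illustration, and a real deployment would draw those values from the directory and the mail gateway.

```python
"""Score an inbound email for common BEC red flags.

Added example, not part of the original post. ORG_DOMAIN, EXECUTIVES and
the two sample messages are constructed for illustration.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "acme.example"                 # constructed organisation domain
EXECUTIVES = {"jane doe", "john smith"}     # constructed senior-staff names

URGENCY = ("urgent", "immediately", "asap", "right away", "today", "confidential")
PAYMENT = ("wire transfer", "bank details", "payment details", "new account",
           "invoice", "gift card")


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character domain tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_homoglyphs(domain):
    """Fold common visual substitutions (rn->m, 0->o, 1->l, vv->w) before comparing."""
    return (domain.lower().replace("rn", "m").replace("0", "o")
            .replace("1", "l").replace("vv", "w"))


def is_lookalike(domain, org=ORG_DOMAIN):
    """True if the domain is not the org domain but is visually or nearly identical."""
    if not domain or domain == org:
        return False
    folded = normalise_homoglyphs(domain)
    return folded == org or edit_distance(folded, org) <= 2


def analyse(raw_message):
    """Return a list of red flags found in one RFC 5322 message string."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if name.strip().lower() in EXECUTIVES and from_domain != ORG_DOMAIN:
        flags.append(f"display name '{name}' matches an executive but address is external")
    if is_lookalike(from_domain):
        flags.append(f"sender domain {from_domain} looks like {ORG_DOMAIN}")

    auth = str(msg.get("Authentication-Results", "")).lower()
    for check in ("spf", "dkim", "dmarc"):
        if f"{check}=fail" in auth:
            flags.append(f"{check} failed at the gateway")

    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    combined = str(msg.get("Subject", "")).lower() + " " + text
    if any(word in combined for word in URGENCY):
        flags.append("urgency wording")
    if any(word in combined for word in PAYMENT):
        flags.append("payment / bank-detail change wording")
    return flags


def verdict(flags):
    """Three or more independent signals is a strong BEC indicator."""
    if len(flags) >= 3:
        return "likely BEC"
    return "review" if flags else "clean"


# Constructed sample messages (not real traffic).
SUSPICIOUS = """\
From: Jane Doe <jane.doe@acrne.example>
Reply-To: jane.doe@ceo-mail.example
To: accounts@acme.example
Subject: Urgent wire transfer
Authentication-Results: mx.acme.example; spf=fail smtp.mailfrom=acrne.example; dmarc=fail

Please process this wire transfer today, I am in a meeting and cannot talk.
Use the new account details attached. Keep this confidential.
"""

LEGITIMATE = """\
From: Jane Doe <jane.doe@acme.example>
To: accounts@acme.example
Subject: Q3 planning notes
Authentication-Results: mx.acme.example; spf=pass; dkim=pass; dmarc=pass

Attached are the notes from yesterday's planning session. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legitimate", LEGITIMATE)):
        flags = analyse(raw)
        print(f"{label}: {verdict(flags)}")
        for flag in flags:
            print(f"  - {flag}")
```

No single signal is decisive: executives do occasionally write from personal addresses, and genuine invoices mention bank details. Combining several weak signals is what keeps the false-positive rate manageable, and a hit should route the message to human verification by another channel, which is the control the verification procedures above require anyway.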


5. Vendor Risk Management

· conduct due diligence on suppliers.

· implement secure communication channels.

· establish clear protocols for validating vendor requests.



Great advice taken from the NCSC (National Cyber Security Centre):

Make yourself a harder target!


Information about you that's easily viewed on your work and private websites (including social media accounts) can be used by criminals to make their phishing emails appear more convincing.


· Review your privacy settings and think about what you post across your social and professional accounts.

· Be aware what your friends, family and colleagues say about you online, as this can also reveal information that can be used to target you.

· If you spot a suspicious email, flag it as spam/junk in your email inbox. Tell your IT department that you've identified it as potentially unsafe.


On the other hand, will the emails you send get mistaken for phishing emails? Consider telling customers what they should look out for (such as 'we will never ask for your password').



What to do if you have already clicked?


The key, as always, is don’t panic!


If you have an IT department, tell them as soon as possible: they will have the knowledge to help in situations like this, and the quicker the information reaches them, the quicker they can help.


If your organisation is too small to have an IT department, follow this sequence:


1. Disconnect from the Internet: If possible, immediately disconnect the affected device from the internet to prevent further communication with the attacker's infrastructure.


2. Scan for Malware: Use reputable antivirus or antimalware software to scan the device for any signs of malicious software or compromise. Quarantine or remove any detected threats.


3. Change Passwords: Change passwords for all online accounts, especially those associated with sensitive information or financial transactions. Use strong, unique passwords for each account.


4. Monitor Financial Accounts: Bank accounts, credit card statements, and other financial accounts should be scrutinised for any unauthorised transactions or suspicious activity. Report any fraudulent charges to the respective financial institutions.


5. Notify Relevant Parties: If the incident involves a potential compromise of sensitive information, notify relevant parties such as law enforcement authorities.


6. Educate Others: If the incident occurred in a work environment, inform colleagues and employees about the incident and raise awareness about the importance of cybersecurity hygiene, including identifying and reporting suspicious emails.


7. Seek Professional Assistance: If the situation escalates or if you're unsure how to proceed, consider seeking professional assistance from cybersecurity experts, IT consultants, or incident response teams who can provide guidance and support.


8. Prevent Future Incidents: Take proactive measures to prevent future incidents, such as implementing email security solutions, conducting regular cybersecurity training for employees, and implementing multi-factor authentication for sensitive accounts.


It is crucial to act swiftly and decisively in response to a potential cyber incident to minimize the impact and prevent further harm. If in doubt, err on the side of caution and seek assistance from knowledgeable professionals or relevant authorities.





Business Email Compromise represents a significant and evolving threat to organizations worldwide, exploiting trust and human vulnerability to perpetrate fraudulent activities. By understanding the nuances of BEC attacks, recognizing common variants, and implementing proactive defence measures, businesses can bolster their resilience against this pervasive threat. Through a combination of employee training, technical controls, and robust policies, organizations can mitigate the risk of financial losses, data breaches, and reputational harm, safeguarding their assets and sensitive information in an increasingly hostile digital landscape.


Useful Links:


Infographic on BEC by NCSC:


Cyber essentials by IASME:


Article on BEC:


What is SPF?


What is DKIM?


What is DMARC?




