What's the goal of business email compromise (BEC)?

Published on 9th Jul 2021

What is BEC?
The goal of a business email compromise (BEC) attack, generally, is to defraud an organisation or individual of funds. Occasionally, hackers may also use BEC to steal sensitive data, including personally identifiable information or intellectual property.

Over 6,000 UK businesses are targeted by a business email compromise (BEC) attack each month. The frequency of these attacks makes the UK one of the most targeted countries (29%), coming second only to the US (39%).

Therefore, it's essential that you know what business email compromise is and the main reasons a cybercriminal may choose to target your company.

In this article, we'll explore how business email compromise happens and the typical motivations behind BEC attacks.

How does business email compromise happen?

BEC attacks often occur as the result of a cybercriminal impersonating a senior business leader, via email spoofing, to trick employees into handing over sensitive data or wiring across money.

In some cases, cybercriminals may instead choose to carry out a BEC attack via supply chain compromise. 

Say, for instance, Alice at Company A enters her credentials into a fraudulent website. The hackers take these credentials and use them to compromise Alice's account and monitor her emails. In doing so, the cybercriminals learn that Bob at Company B is a client who pays Alice for services.

The cybercriminals send Bob an email, posing as Alice, saying he needs to either change the bank account details on his payments or pay invoices with new bank details already on them.

A real-life example of a BEC attack

The world-famous toy manufacturer, Mattel, fell victim to a business email compromise attack in 2015. 

The hackers had conducted in-depth research on the company structure before committing the crime. Subsequently, they knew who to target and what their payment patterns were. Posing as the new CEO, Christopher Sinclair, cybercriminals emailed a finance executive who had the authority to approve large cash transfers.

Having convinced the finance executive that their request was legitimate, the impostors managed to steal $3 million (£2.2 million).

Why do cybercriminals carry out business email compromise attacks?

There are many motivations behind a business email compromise attack, which we'll explore below:

1. Financial gain

BEC attacks are one of the most lucrative forms of cybercrime, making them popular amongst cybercriminals. On average, hackers can expect to make £57,492 per successful scam.

Cybercriminals can steal money in a number of ways:

  • Wire transfer: Often, a hacker will impersonate a senior business leader to convince a member of staff to send a large sum of money to an account that they control. 
  • Vouchers: Gift card scams are becoming increasingly frequent. Commonly, a scammer will pose as a CEO and ask an employee to purchase a voucher as a 'surprise' for a client or colleague. Once the cybercriminal has received the voucher code, they can use it for money laundering purposes or convert it to cryptocurrency.
  • Selling data: If a cybercriminal gains access to company data, they can sell it on the dark web for a profit.

2. High success rate

Not only are BEC attacks financially rewarding, but they're also notoriously difficult for traditional anti-phishing filters to detect.

Instead of using suspicious links or attachments which will usually get flagged by Secure Email Gateways (SEGs), cybercriminals employ social engineering techniques to trick victims into willingly handing over sensitive data or money.

Hackers will spend time up-front to research the company structure, build up a strong email sender reputation and sometimes even build rapport with victims (also referred to as 'grooming') so they can fly under the radar until the damage has been done.

As a result, a BEC scam presents the perfect opportunity for a cybercriminal to pull off a high reward, high success crime with relatively low effort or risk.
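The two patterns described above (a spoofed email that impersonates a senior leader, and the supply-chain case where a genuine supplier account is used to push new bank details) carry no link or attachment for a gateway to flag, so detection has to look at headers and wording. The following is an added example written for this article, not Egress code; the internal domain, executive directory, phrase list and sample messages are all constructed for the demo.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed for the demo: internal domain and the real mailbox of each
# senior leader who might be impersonated, plus payment-change phrasing.
INTERNAL_DOMAIN = "companya.example"
EXECUTIVES = {"alice smith": "alice.smith@companya.example"}
PAYMENT_PHRASES = ("new bank details", "change the bank account",
                   "updated account details", "urgent wire transfer")


def analyse(raw_email: str) -> list[str]:
    """Return the BEC indicators found in one single-part RFC 822 message."""
    msg = message_from_string(raw_email)
    findings = []
    name, addr = parseaddr(msg.get("From", ""))
    addr, exec_key = addr.lower(), name.strip().lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    # 1. Visible name matches a senior leader but the mailbox is not theirs
    if exec_key in EXECUTIVES and addr != EXECUTIVES[exec_key]:
        findings.append(f"display-name impersonation of {name} via {addr}")
    # 2. Replies would go to a different mailbox than the visible sender
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"reply-to mismatch: {reply_to}")
    # 3. Claims the internal domain but the receiving MTA saw no DMARC pass
    auth = msg.get("Authentication-Results", "").lower()
    if domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal domain without dmarc=pass")
    # 4. Payment-redirection wording in the body: no link or attachment needed
    body = msg.get_payload().lower()
    hits = [p for p in PAYMENT_PHRASES if p in body]
    if hits:
        findings.append(f"payment-change wording: {hits[0]}")
    return findings


# Constructed samples: a look-alike-domain spoof, and a compromised real account
SPOOFED = """\
From: Alice Smith <alice.smith@mail-companya.example>
Reply-To: accounts@mail-companya.example
Authentication-Results: mx.companyb.example; dmarc=none

Hi Bob, please pay invoice 4471 to our new bank details below.
"""
COMPROMISED = """\
From: Alice Smith <alice.smith@companya.example>
Authentication-Results: mx.companyb.example; dmarc=pass

Hi Bob, from this month please use the updated account details below.
"""
```

In the compromised-account case only the wording check fires, which is why payment-detail changes should also be confirmed out of band rather than relied on email filtering alone.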

3. Easily-scammed victims

Although businesses are becoming increasingly aware of the importance of cybersecurity training, employees are - surprisingly - getting worse at detecting email attacks. To make matters worse, a study from Lloyd's Bank revealed that 25% of staff who fell victim to BEC scams admitted to concealing their error. 

Employee negligence, therefore, creates the perfect environment for a cybercriminal to strike. Not only can they catch out their victims easily, but hackers are aware that many employees will be too embarrassed to own up to the incident, leaving them free to continue conning other members of staff.

Learn more about business email compromise attacks and how to protect your organisation

Cybercrime is constantly evolving, so you must stay in the know. 

Visit the Egress phishing hub to read expert advice and learn more about the latest email scams. Protect yourself and your data today.
