What is business email compromise (BEC)?

by Egress
Published on 14th Jun 2023

Business email compromise, or BEC, is the most financially damaging form of cybercrime that organizations face. The goal of a BEC attack is to defraud an organization, most frequently through the transfer of funds or the payment of gift cards. A form of advanced phishing, BEC attacks are highly targeted and utilize impersonation and other social engineering tactics to manipulate victims.

BEC attacks do not typically contain malicious attachments, links, or malware and are often sent from compromised accounts of trusted sources. Attackers rely on social engineering tactics designed to pressure victims and psychologically manipulate them into performing a transaction. This means it can be difficult for traditional email security like secure email gateways (SEGs) to detect them, leading to more successful attacks.

The number of successful BEC attacks is continuing to rise each year, which presents a growing problem for organizations of all sizes. Egress’ 2023 CISO Strategy Guide to Business Email Compromise noted statistics from the FBI’s Internet Crime Report that show BEC attacks cost organizations a total of $2.7bn in 2022. The guide also notes that this represents a 47% increase in lost funds since 2020, making it the second costliest form of cybercrime.

In this article, we’ll explain how to spot the signs of a BEC attack and how to prevent them.

What do BEC attacks usually contain?

Business email compromise (BEC) attacks have a high success rate because the cybercriminal has typically spent time developing a strong understanding of the target’s ecosystem, which means the attacks are highly tailored to the recipient. In addition, the attacks include social engineering tactics that are designed to psychologically manipulate targets by creating a sense of urgency. This encourages the target to act quickly and irrationally without consulting others.

Therefore, all employees in an organization must be aware of what to look out for. Here are some of the most common signs of a BEC attack:

  1. Unusual requests from senior leaders: Many employees reply quickly to an email that's come from a manager or member of the C-suite. However, it's important that they take the time to consider their request. If the message is asking an employee to transfer money or provide confidential information, they should treat it with caution.
  2. Attempts to sidestep normal channels: Most businesses have a centralized system for processing all payments, regardless of their urgency. Impostors will try to bypass this step. For example, if they're asking for money, they may claim that it needs to be wired over immediately.
  3. Confidentiality requests: BEC attacks will often try to incite panic or urgency, which means that recipients may not take the time to verify attackers’ requests. However, if the sender is specifically asking employees to keep these messages to themselves, it might be an attack.
  4. Unusual content issues: Encourage employees to take a close look at the main body of emails to make sure they appear to come from the alleged sender. For example, if the emails are written in broken English despite the sender having English as a first language, they should flag this to a manager.
  5. 'Reply-To' addresses that don't match the sender address: The impostor's 'Reply-To' email address may not be the same as the one it's come from. Sometimes this is hard to spot because they regularly use lookalike domains to fool recipients - e.g., instead of
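The header check from sign 5, written out as an added example (it is not code from Egress or from the original article). The trusted-domain list, the sample message and all function names are constructed for illustration:

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organization already trusts (constructed values).
TRUSTED_DOMAINS = {"example.com", "supplier-example.net"}
# Constructed sample message: Reply-To uses a digit "1" in place of the letter "l".
SAMPLE = (
    "From: Dana Finance <dana@example.com>\n"
    "Reply-To: dana@examp1e.com\n"
    "Subject: Urgent wire transfer\n\nPlease keep this between us.\n"
)

def domain_of(header_value):
    """Return the lower-cased domain of an address header, or '' if absent."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return the trusted domain that `domain` closely resembles, or None."""
    if not domain or domain in trusted:
        return None
    for good in sorted(trusted):
        if edit_distance(domain, good) <= max_distance:
            return good
    return None

def bec_header_flags(raw_message):
    """Return warning strings for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")
    for label, dom in (("sender", from_dom), ("reply-to", reply_dom)):
        good = lookalike_of(dom)
        if good:
            flags.append(f"{label} domain {dom} resembles trusted domain {good}")
    return flags
```

Legitimate mail (mailing lists, ticketing systems) also sets a different Reply-To, so treat these flags as a prompt to verify the request through another channel rather than as a verdict.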

Example of a business email compromise (BEC) attack

The Puerto Rican government fell victim to a business email compromise (BEC) attack in 2020 when the country was recovering from an earthquake.

A cybercriminal hacked into a computer belonging to a finance employee at Puerto Rico’s Employment Retirement System and took over their email account. The bad actor then used the compromised account to send an email requesting a change to the account associated with remittance payments. An employee fell victim to the attack, updated the banking details and completed the transaction. The incident only came to light later when someone at the retirement agency asked why they hadn’t received the funds.

The attack cost the government $2.6m, and three employees were suspended. The police confirmed that the attack also targeted Puerto Rico’s Tourism Company, which sent $1.5m.

How to prevent business email compromise

The most effective way to prevent a business email compromise (BEC) attack is to implement an integrated cloud email security (ICES) solution, such as Egress Defend, which uses AI, natural language understanding (NLU) and natural language processing (NLP) as part of its detection capabilities. NLU and NLP analyze the language used in phishing emails to detect all types of attack, particularly those that don’t contain a known malicious payload and therefore evade detection by traditional perimeter security such as secure email gateways (SEGs).

In addition to implementing an ICES solution, there are other ways organizations and their employees can decrease their chances of falling victim to a BEC attack:

  • Increase awareness training: Invest in training designed to increase employees’ awareness of BEC attacks and help them to understand what to look for. For example, training should remind employees not to reply to emails directly if they can’t verify the authenticity of the sender. Rather, they should contact the sender using an alternative channel to make sure the sender is who they say they are.
  • Set up processes to follow when transferring funds: Businesses should have robust processes in place to reduce the risk of human error. For example, it should be mandatory for employees to confirm email requests with someone internally before making wire transfers or supplying confidential information.
  • Encourage employees to learn clients’ processes: Taking the time to learn clients’ business practices means employees are less likely to be caught out if something goes wrong and a client email account is compromised. For example, if a client suddenly starts signing off their email with ‘thanks’ instead of ‘kind regards,’ this should be treated with suspicion. Employees should find another way to contact the client to ensure the emails are legitimate.

Learn more about how to prevent business email compromise

Read our CISO Strategy Guide to Business Email Compromise to learn more about the components of a BEC attack, why these attacks are difficult to detect with traditional technology and how AI-driven and behavior-based security can help protect your organization.
