Advanced phishing

What is business email compromise (BEC)?

by Egress
Published on 20th Oct 2023

Business email compromise, or BEC, is the most financially damaging form of cybercrime that organizations face. The goal of a BEC attack is to defraud an organization, most frequently through the transfer of funds or the payment of gift cards. A form of advanced phishing, BEC attacks are highly targeted and utilize impersonation and other social engineering tactics to manipulate victims.

What is BEC?

BEC attacks do not typically contain malicious attachments, links, or malware and are often sent from compromised accounts of trusted sources. Attackers rely on social engineering tactics designed to pressure victims and psychologically manipulate them into performing a transaction. This means it can be difficult for traditional email security like secure email gateways (SEGs) to detect them, leading to more successful attacks.

The number of successful BEC attacks is continuing to rise each year, which presents a growing problem for organizations of all sizes. Egress’ 2023 CISO Strategy Guide to Business Email Compromise noted statistics from the FBI’s Internet Crime Report that show BEC attacks cost organizations a total of $2.7bn in 2022. The guide also notes that this represents a 47% increase in lost funds since 2020, making it the second costliest form of cybercrime.

In this article, we’ll explain how to spot the signs of a BEC attack and how to prevent them.

What do business email compromise (BEC) attacks usually contain?

These types of phishing attacks have a high success rate because the cybercriminal has typically spent time developing a strong understanding of the target’s ecosystem. This makes the attacks highly tailored for the target recipient. In addition, the attacks include social engineering tactics that are designed to psychologically manipulate targets by creating a sense of urgency. This encourages the target to act quickly and irrationally without consulting others.

Therefore, all employees in an organization must be aware of what to look out for. Here are some of the most common signs of a BEC attack:

  1. Unusual requests from senior leaders: Many employees reply quickly to an email that's come from a manager or member of the C-suite. However, it's important that they take the time to consider their request. If the message is asking an employee to transfer money or provide confidential information, they should treat it with caution.
  2. Attempts to sidestep normal channels: Most businesses have a centralized system for processing all payments, regardless of their urgency. Impostors will try to bypass this step. For example, if they're asking for money, they may claim that it needs to be wired over immediately.
  3. Confidentiality requests: BEC attacks will often try to incite panic or urgency, which means that recipients may not take the time to verify attackers’ requests. However, if the sender is specifically asking employees to keep these messages to themselves, it might be an attack.
  4. Unusual content issues: Encourage employees to take a close look at the main body of emails to make sure they appear to come from the alleged sender. For example, if the emails are written in broken English despite the sender having English as a first language, they should flag this to a manager.
  5. 'Reply-To' addresses that don't match the sender address: The impostor's 'Reply-To' email address may not be the same as the 'From' address the message appears to come from. Sometimes this is hard to spot because attackers regularly use lookalike domains to fool recipients, e.g., c0mpany.co.uk instead of company.co.uk.
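Signs 1, 3 and 5 above can be checked mechanically on inbound mail before a human ever reads it. The following Python is an added example written for this article, not code from Egress or from any product it describes: it parses a raw message, flags a Reply-To domain that differs from the From domain, compares both against a list of trusted domains after undoing common look-alike substitutions (0 for o, rn for m, and so on), and notes pressure phrases in the subject and body. The trusted-domain list, the substitution table, the phrase list and the two sample messages are all constructed for the example.

```python
"""Header and wording checks for common BEC signals (added example, not
vendor code). TRUSTED_DOMAINS, CONFUSABLES, PRESSURE_PHRASES and the two
sample messages below are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains this organisation and its known partners send from.
TRUSTED_DOMAINS = {"company.co.uk", "supplier-ltd.com"}

# Single-character substitutions attackers use to imitate a domain.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s",
                             "7": "t", "|": "l"})

# Phrases that create urgency or ask for secrecy (signs 1 and 3 above).
PRESSURE_PHRASES = ("urgent", "immediately", "keep this between us",
                    "confidential", "do not discuss")


def normalize_domain(domain: str) -> str:
    """Undo look-alike tricks so c0mpany / cornpany compare equal to company."""
    d = domain.lower().translate(CONFUSABLES)
    return d.replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain this one imitates, or None if it is
    either trusted itself or not similar to anything trusted."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if norm == trusted or levenshtein(norm, trusted) <= 1:
            return trusted
    return None


def domain_of(header_value: str) -> str:
    """Extract the lower-cased domain from a From/Reply-To header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> list:
    """Return a list of human-readable findings; empty means no signal."""
    msg = message_from_string(raw)
    findings = []
    from_domain = domain_of(msg.get("From", ""))
    reply_to = msg.get("Reply-To")
    if reply_to:
        reply_domain = domain_of(reply_to)
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
        target = lookalike_of(reply_domain)
        if target:
            findings.append(f"Reply-To domain {reply_domain} looks like trusted domain {target}")
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"From domain {from_domain} looks like trusted domain {target}")
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings.append("pressure phrases: " + ", ".join(hits))
    return findings


# Constructed sample: impersonated CFO with a look-alike Reply-To.
SAMPLE_LOOKALIKE = """From: "Jane Doe (CFO)" <jane.doe@company.co.uk>
Reply-To: <jane.doe@c0mpany.co.uk>
To: accounts@company.co.uk
Subject: Urgent wire - keep this between us

Please process today.
"""

# Constructed sample: ordinary internal mail with no signals.
SAMPLE_CLEAN = """From: "Jane Doe (CFO)" <jane.doe@company.co.uk>
To: accounts@company.co.uk
Subject: Q3 figures

Attached are the figures we discussed.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", SAMPLE_LOOKALIKE), ("clean", SAMPLE_CLEAN)):
        print(name, "->", check_message(raw) or "no findings")
```

The edit-distance threshold of one will over-match very short trusted domains, so in practice the check is a triage signal that routes a message for verification through a separate channel, not a block-or-allow decision on its own.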

What is a BEC attack example?

The Puerto Rican government fell victim to a business email compromise (BEC) attack in 2020 when the country was recovering from an earthquake.

A cybercriminal hacked into a computer belonging to a finance employee at Puerto Rico’s Employment Retirement System and took over their email account. The bad actor then used the compromised account to send an email requesting a change to the account associated with remittance payments. An employee fell victim to the attack, updated the banking details and completed the transaction. The incident only came to light later when someone at the retirement agency asked why they hadn’t received the funds.

The attack cost the government $2.6m, and three employees were suspended. The police confirmed that the attack also targeted Puerto Rico’s Tourism Company, which sent $1.5m.

How to prevent a business email compromise attack

The most effective way to prevent a business email compromise attack is to implement an integrated cloud email security (ICES) solution, such as Egress Defend, which uses AI, natural language understanding (NLU) and natural language processing (NLP) as part of its detection capabilities. Both NLU and NLP analyze the language used in phishing emails to detect the type of attack, particularly those that don’t contain a known malicious payload and therefore evade detection by traditional perimeter security such as secure email gateways (SEGs).

In addition to implementing an ICES solution, there are other ways organizations and their employees can decrease their chances of falling victim to a BEC attack:

  • Increase awareness training: Invest in training designed to increase employees’ awareness of BEC attacks and help them to understand what to look for. For example, training should remind employees not to reply to emails directly if they can’t verify the authenticity of the sender. Rather, they should contact the sender using an alternative channel to make sure the sender is who they say they are.
  • Set up processes to follow when transferring funds: Businesses should have robust processes in place to reduce the risk of human error. For example, it should be mandatory for employees to confirm email requests with someone internally before making wire transfers or supplying confidential information.
  • Encourage employees to learn clients’ processes: Taking the time to learn clients’ business practices means employees are less likely to be caught out if something goes wrong and a client email account is compromised. For example, if a client suddenly starts signing off their email with ‘thanks’ instead of ‘kind regards,’ this should be treated with suspicion. Employees should find another way to contact the client to ensure the emails are legitimate.

How to design business email compromise training

Designing the most impactful cybersecurity training takes time and an intimate knowledge of the nature of your business as well as the way your employees use company technology. BEC training should have four components at the core:

  • Company guidelines and data protection rules
  • Employee and customer interaction patterns
  • Best practice procedures
  • Awareness of phishing trends and tactics used in your industry

All of the above factors will help you build training procedures that resonate with your employees and address concerns and pressure points within their daily tasks. Making sure your cybersecurity training is specific to your employees and the daily operations of your business is key to ensuring your training is successful.
