How do Business Email Compromises Occur?

Email Threats
July 16, 2025
Material Security Team

Business Email Compromise (BEC) is a sophisticated and highly effective cyberattack where an adversary impersonates a trusted figure within an organization—like a CEO or a vendor—to trick an employee into transferring funds or divulging sensitive information. Unlike broad phishing campaigns that spray and pray, a BEC attack is a targeted, low-volume scam that relies on social engineering and exploits human trust rather than technical vulnerabilities. According to the FBI, it's one of the most financially damaging online crimes, costing organizations billions of dollars annually. Understanding how these attacks unfold is the first step toward building a robust defense.

The Anatomy of a BEC Attack

A successful BEC attack isn't a single event but a carefully orchestrated campaign. Attackers follow a methodical process to build credibility and execute their scam, often moving through several distinct phases.

Phase 1: Reconnaissance and Target Selection

Before an attacker ever sends an email, they do their homework. This reconnaissance phase is all about identifying the perfect target and gathering the intelligence needed to craft a believable scam.

Attackers will:

  • Study your organization: They use public sources like your company website, press releases, and social media profiles (especially LinkedIn) to understand your organizational structure.
  • Identify key personnel: They look for employees in departments like finance, accounting, or human resources who have the authority to make payments or access sensitive data.
  • Learn your processes: They try to understand your typical workflows for things like vendor payments, invoicing, and executive communications. This information helps them time their attack for maximum impact.

Phase 2: Setting Up the Attack

Once a target is chosen, the attacker needs a way to impersonate a trusted entity. They typically do this in one of two ways:

  • Email Spoofing: The attacker makes a message appear to come from a trusted address without controlling that mailbox. This takes three common forms: forging the From header of your real domain outright (the case SPF, DKIM and DMARC exist to stop), registering a lookalike domain (e.g., ceo@yourc0mpany.com with a zero in place of the letter o, or a domain with one letter added, dropped or transposed), or placing a trusted display name such as "Jane Smith, CEO" in front of an unrelated address, often a free webmail account, relying on mail clients that show the name more prominently than the address.
  • Email Account Compromise (EAC): This is a more advanced and dangerous method. The attacker gains unauthorized access to a legitimate corporate email account, often through a separate phishing attack or by using stolen credentials. From inside a real mailbox, they can monitor conversations, learn communication styles, and wait for the perfect moment to strike. Because the messages genuinely originate from the real account, they pass SPF, DKIM and DMARC and carry none of the sender-side clues that spoofing leaves behind.

Phase 3: Execution and Social Engineering

This is where the scam is put into motion. The attacker, now posing as a trusted individual, sends a carefully crafted email to the target employee. The message is designed to manipulate the victim by exploiting common psychological triggers:

  • Authority: The request comes from a CEO, CFO, or another senior leader, making the employee less likely to question it.
  • Urgency: The attacker insists the task must be completed immediately, pressuring the victim to bypass standard security procedures. Phrases like "I'm in a meeting, can't talk, just get this done" are common.
  • Confidentiality: The request is framed as a secret or sensitive matter, such as a confidential acquisition, discouraging the employee from discussing it with colleagues.

Phase 4: The Payout

If the social engineering is successful, the employee complies with the request. They might initiate a wire transfer to a bank account controlled by the attacker, purchase and send gift card codes, or email a file full of sensitive employee data. The attacker then moves quickly to launder the funds or sell the data, making recovery extremely difficult.

Common Types of BEC Attacks

The FBI has identified several common variations of BEC scams, each with a slightly different approach but the same underlying goal.

False Invoice Scam

An attacker poses as an established vendor and sends an invoice to the accounts payable department. The invoice looks legitimate, but it includes new bank account details. The attacker often claims the company has "updated its payment information."

CEO Fraud

This classic BEC attack involves an adversary impersonating a C-level executive. They email an employee in the finance department with an urgent request to wire funds for a confidential purpose, like closing an acquisition or settling a legal matter.

Email Account Compromise (EAC)

After gaining access to an employee's email account, the attacker uses it for malicious purposes. They might intercept legitimate invoices and change the payment details, or they might email HR to have the employee's direct deposit information changed to their own account.

Attorney Impersonation

The attacker pretends to be a lawyer or a representative from a law firm handling a time-sensitive and confidential issue. They use legal jargon and the threat of legal consequences to pressure the employee into making a quick payment.

Data Theft

Not all BEC attacks are after money directly. Some target HR or finance personnel to steal Personally Identifiable Information (PII), tax records, or other sensitive corporate data. This information can then be sold or used to launch future attacks.

How to Defend Against BEC Attacks

Because BEC attacks target people and processes, defending against them requires a multi-layered strategy that combines technology, policy, and user education.

Technical Controls

  • Email Authentication: Implement email authentication standards like SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting, and Conformance). These protocols let receiving mail servers verify that a message claiming your domain was really sent by it, which stops exact-domain spoofing. Publish a DMARC policy of quarantine or reject; a policy of p=none only reports and blocks nothing. Know the limits: DMARC says nothing about lookalike domains (the attacker publishes valid SPF and DKIM for a domain they own) or about mail sent from a compromised account, and it protects mail claiming your domain only where the receiving organization, such as a vendor you pay, actually enforces it.
  • Multi-Factor Authentication (MFA): Enforce MFA across all accounts, especially email. MFA is a critical barrier against stolen passwords, but it is not absolute: adversary-in-the-middle phishing kits relay one-time codes and push approvals in real time, so prefer phishing-resistant methods such as FIDO2 security keys or passkeys for mailbox access, and alert on sign-ins from unfamiliar locations or devices.
  • Advanced Threat Detection: Traditional email gateways often miss BEC attacks because the emails don't contain malware or malicious links. Modern security platforms can analyze email content and communication patterns, apply message-level access controls, and detect indicators of account compromise to help identify and contain a BEC attack before a fraudulent payment is made.
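The sender-side tricks from Phase 2 (lookalike domains, display-name deception, exact-domain forgery) and the authentication controls above can be turned into concrete checks. The following is an added example written for this article, not code from Material Security or from any product: a small Python triage that applies those checks to raw messages. It assumes a constructed defended domain example.com, an executive name list, one vendor domain, and an Authentication-Results header stamped by your own receiving MTA; the three sample messages are constructed.

```python
"""Heuristic BEC triage over raw RFC 5322 messages (added example, not Material Security code).
Domains, names and sample messages are constructed for illustration."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                              # assumed: the domain we defend
EXECUTIVES = {"pat chen"}                                # assumed: display names attackers borrow
PROTECTED_DOMAINS = (OUR_DOMAIN, "acme-supplies.com")    # assumed: us plus a vendor AP pays
URGENCY = ("immediately", "urgent", "asap", "can't talk", "in a meeting", "confidential")
PAYMENT = ("wire", "bank account", "payment information", "gift card", "routing number", "w-2")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, one row at a time (catches single-character typosquats)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def canonical(domain: str) -> str:
    """Undo substitutions lookalike registrations rely on (0 for o, 1 for l, rn for m, ...)."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(fake, real)
    return d

def is_lookalike(domain: str, protected: str) -> bool:
    """True when domain differs from protected but is one substitution or one typo away."""
    domain, protected = domain.lower(), protected.lower()
    if domain == protected:
        return False
    return canonical(domain) == canonical(protected) or edit_distance(domain, protected) <= 1

def auth_results(msg) -> dict:
    """spf/dkim/dmarc verdicts from the Authentication-Results header our own MTA stamped."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr)):
            verdicts[m.group(1)] = m.group(2).lower()
    return verdicts

def triage(raw: bytes) -> list:
    """Return the BEC indicators found in one message; an empty list means nothing flagged."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    external = domain != OUR_DOMAIN
    # 1. Display-name deception: an executive's name in front of an address outside our domain.
    if external and name.strip().lower() in EXECUTIVES:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")
    # 2. Lookalike of our domain or of a vendor we pay. The attacker controls that domain, so
    #    its SPF, DKIM and DMARC can all pass; authentication results alone will not catch it.
    for protected in PROTECTED_DOMAINS:
        if is_lookalike(domain, protected):
            findings.append(f"lookalike domain: {domain} resembles {protected}")
    # 3. Exact-domain forgery: mail claiming our own domain that our MTA could not authenticate.
    if not external and auth_results(msg).get("dmarc") != "pass":
        findings.append("claims our domain but DMARC did not pass")
    # 4. Reply-To pointing elsewhere, so the victim's answer goes to the attacker's mailbox.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.rpartition("@")[2].lower() != domain:
        findings.append(f"reply-to diverted to {reply}")
    # 5. The social-engineering signature: urgency combined with a money or payroll request.
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    if any(k in text for k in URGENCY) and any(k in text for k in PAYMENT):
        findings.append("urgent payment language in subject/body")
    return findings


# Constructed samples. CEO_FRAUD comes from a registered lookalike, so it authenticates cleanly.
CEO_FRAUD = b"""From: Pat Chen <pat.chen@examp1e.com>
Reply-To: pat.chen.exec@webmail.invalid
Subject: Urgent wire - confidential
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

I'm in a meeting and can't talk. Wire $48,200 to the account below immediately; this is a confidential acquisition.
"""
SPOOFED = b"""From: Pat Chen <pat.chen@example.com>
Subject: Need this done today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Please update the vendor payment information for Acme to the new bank account. Handle immediately.
"""
LEGIT = b"""From: Pat Chen <pat.chen@example.com>
Subject: Q3 board deck
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Attached is the deck for Thursday. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("CEO_FRAUD", CEO_FRAUD), ("SPOOFED", SPOOFED), ("LEGIT", LEGIT)):
        print(label, triage(raw) or "clean")
```

Two things in the output are worth noticing. The CEO_FRAUD sample passes SPF, DKIM and DMARC because the attacker owns examp1e.com and published records for it, so only the lookalike, display-name, Reply-To and content checks fire; DMARC alone would have delivered it. The opposite holds for a compromised account (EAC): checks 1 through 4 all stay silent, which is why the content and behavioral signals in the third bullet above, and the out-of-band verification procedure below, carry the load there. Real deployments would pull the executive and vendor lists from the directory and the accounts-payable system rather than hard-coding them.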

Process and Policy Controls

  • Verification Procedures: Establish and enforce a strict policy for verifying any request for a fund transfer or a change to payment or payroll details. This verification must happen through a secondary channel, like a phone call to a pre-approved number or an in-person conversation. Use contact details from your own records, never the phone number or email address supplied in the request itself, since an attacker who controls the email thread also controls those.
  • External Email Tagging: Configure your email system to automatically add a banner or tag to all emails that originate from outside your organization (e.g., [EXTERNAL]). This provides a clear visual cue for employees to be more cautious, and where your platform supports it, pair it with a warning when an external sender's display name matches one of your own employees.

The Human Layer

  • Security Awareness Training: Conduct regular, ongoing training that teaches employees how to recognize the signs of a BEC attack. Use real-world examples and phishing simulations to make the training engaging and effective.
  • Foster a Security Culture: Create an environment where employees feel empowered to question suspicious requests without fear of getting in trouble. The mantra should be, "When in doubt, check it out."

Business Email Compromise is a persistent and costly threat that preys on your most valuable asset: your people. While no single solution is a silver bullet, a layered defense that hardens your technology, refines your processes, and empowers your employees can dramatically reduce your risk.

Traditional email security isn't enough to stop sophisticated BEC attacks that live inside your cloud office suite. See how Material Security provides a fundamentally different approach to detecting and responding to threats by protecting your most sensitive data and communications in Microsoft 365 and Google Workspace.
