The Role of DMARC in Combating Business Email Compromise (BEC)

Patrick Humphrey
Last updated: 2025/10/27 at 7:39 PM

Key Takeaways:

  • Business Email Compromise (BEC) is a type of cybercrime where an attacker impersonates a trusted individual within a company via email to commit fraud, typically for financial gain.
  • Attackers use methods like email spoofing, gaining access to legitimate accounts, and creating lookalike domains (typosquatting) to deceive their targets.
  • It’s a misconception that only large enterprises are targeted. Small and medium-sized businesses (SMEs), government agencies, and non-profits are equally vulnerable.
  • The FBI has classified BEC as a “$26 billion scam,” with organizations losing billions of dollars annually. In 2020, BEC scams accounted for over $1.8 billion in losses.
  • More than 70% of organizations worldwide are affected by BEC attacks, making it one of the most widespread and successful forms of cybercrime.

Business Email Compromise (BEC) is a sophisticated scam in which an attacker either spoofs a legitimate-looking company email address or gains unauthorized access to a real account, then impersonates the account holder to defraud the organization. Often called a “man-in-the-email” attack, this form of fraud targets commercial, government, and non-profit organizations of all sizes. Because these emails can appear to come from a legitimate, trusted source, they are very difficult to detect, which places heavy demands on email authentication; complex sending environments may need solutions such as SPF flattening to keep their authentication records manageable.


How Business Email Compromise Works

In a typical BEC attack, hackers impersonate employees or trusted partners through social engineering. They aim to convince the target victim to transfer funds, provide access to sensitive information, or change payment details. 

Even though people are increasingly aware of BEC attacks, these attacks still succeed, because they are often designed to be very convincing. Examples include campaigns by cyber gangs like Cosmic Lynx, which use extremely well-crafted phishing emails.

What’s worse, hackers always adapt to current trends; for example, during COVID-19, they started to exploit the rise of remote work by impersonating popular tools like Zoom to harvest login credentials.

BEC attacks are becoming more and more common; there was an 84% rise between the first and second halves of 2021. A typical BEC scam has four main stages:

  1. Targeting

First, hackers compile lists of potential victims. They gather email addresses from public sources like LinkedIn, company websites, and databases.

  2. Launching the Attack

They send well-crafted emails using spoofed or lookalike domains. They often impersonate reputable sender names, so the recipients trust the email and feel safe to open it.

  3. Social Engineering

In addition to establishing trust, hackers also often create a sense of urgency to manipulate the target into transferring money or sharing confidential data.

  4. Financial Gain

This is the final stage, where the attacker successfully completes the financial theft or data breach.

Major Types of BEC Attacks

The FBI has identified several common forms of BEC scams:

The Bogus Invoice Scheme

An attacker, posing as a legitimate supplier or vendor, sends a fraudulent invoice to a company, often requesting payment to a bank account controlled by the criminal.

Attorney Impersonation

Hackers often pose as lawyers or representatives of a law firm and contact lower-level employees. They claim to be handling a confidential or time-sensitive matter and demand an immediate fund transfer, using authority and secrecy to prevent the employee from verifying the request.

Data Theft

Hackers often aim to steal sensitive personal or corporate data. To do this, they impersonate an executive and target HR or finance departments. This method allows them to obtain employee records, which can then be used for identity theft. The records can also be sold on the dark web.

Tax Threats

Hackers impersonate government agencies, such as the IRS. They threaten legal action or penalties if the victim does not make an immediate payment for supposed tax liabilities.

Fake Charities

Attackers like playing with emotions; they create fake charities and solicit donations for a worthy cause. They often do this during natural disasters or holidays. These emails usually contain malicious attachments designed to infect the victim’s computer.

Travel Problems

A scammer might send an email impersonating a travel agency. For example, they might claim there is an urgent issue with an employee’s flight or hotel reservation. Then they ask for an immediate payment or personal information to ‘resolve the problem.’

How to Prevent BEC?

A successful BEC attack can have serious consequences for your organization, but you can prevent the financial and reputational damage by taking the following steps:

1. Use Email Authentication with DMARC, SPF, and DKIM

These protocols help you stop domain spoofing.

  • SPF lets you define which mail servers are allowed to send email for your domain. Companies like PowerDMARC offer SPF checkers and generators to help protect you against both attackers and configuration mistakes.
  • DKIM adds a digital signature to outgoing emails so that receivers can check whether the message was altered in transit. If you need help setting up DKIM for Office 365 or any other platform, hosted DKIM services can help.
  • DMARC is built on the SPF and DKIM foundation. It lets domain owners publish a policy that tells receiving mail servers how to handle emails that fail authentication checks. To be effective, DMARC must be set to an enforcement policy:
    • p=quarantine: Emails that fail are sent to the spam folder.
    • p=reject: Emails that fail are blocked outright. This is the recommended policy for maximum protection against BEC.
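To make the enforcement point concrete, here is an added example (not code from the article or from any vendor it mentions) of how a receiving server turns a published DMARC record plus the SPF and DKIM results into a pass or a requested disposition. The domains and records are constructed, and relaxed alignment is approximated without a Public Suffix List.

```python
"""Added example (not code from the article or any vendor): a minimal DMARC
evaluator showing how a receiver combines the domain owner's record with the
SPF and DKIM results. All domains and records are constructed sample data."""


def parse_dmarc(txt: str) -> dict:
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict with RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}  # relaxed alignment unless overridden
    for part in txt.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            tags[key.strip().lower()] = val.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Identifier alignment between the From: domain and the domain that SPF or
    DKIM actually authenticated. Strict ('s') needs an exact match; relaxed ('r')
    is approximated as a parent/child relationship (real receivers compare
    Organizational Domains derived from the Public Suffix List)."""
    f, a = from_domain.lower().rstrip("."), auth_domain.lower().rstrip(".")
    if mode == "s" or f == a:
        return f == a
    return f.endswith("." + a) or a.endswith("." + f)


def evaluate(record: str, from_domain: str, spf_domain: str, spf_pass: bool,
             dkim_domain: str, dkim_pass: bool) -> tuple:
    """Return ('pass', 'none') or ('fail', <p= policy>). DMARC passes when SPF
    or DKIM both passed and is aligned with From:; otherwise the owner's p=
    tag is the disposition the receiver is asked to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    return ("pass", "none") if (spf_ok or dkim_ok) else ("fail", tags["p"])


if __name__ == "__main__":
    ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
    MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
    # Spoofed BEC mail: From: ceo@example.com, but SPF passed only for the
    # sender's own lookalike bounce domain and no DKIM signature from example.com exists.
    print(evaluate(ENFORCED, "example.com", "mail.lookalike.example", True, "", False))
    # The same spoof against a p=none record: DMARC fails, yet nothing is blocked.
    print(evaluate(MONITOR, "example.com", "mail.lookalike.example", True, "", False))
    # Legitimate mail relayed by a third party but DKIM-signed with d=example.com.
    print(evaluate(ENFORCED, "example.com", "bounce.relay.example", True, "example.com", True))
```

The second case is why the article insists on an enforcement policy: with p=none the receiver still reports the failure to the rua address, but the spoofed message is delivered.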

2. Educate Your Employees

Educate your employees on BEC tactics. The training should cover information like recognizing urgent or unusual requests, impersonation techniques, and the importance of verifying payment instructions. Your employees should know how to report phishing immediately.

3. Establish Strict Payment Protocols

Require multi-person approval for all wire transfers and changes to payment details. For any unusual or urgent financial request, require out-of-band verification, such as a direct phone call or in-person confirmation with the supposed sender.

4. Make Use of Technical Security Controls

Enable Multi-Factor Authentication 

MFA can help you prevent account takeover even if credentials are stolen.

Use Anti-Phishing Solutions

Use email security gateways; these can help you scan incoming emails and detect malicious links, attachments, etc.

Label External Emails

Configure your email system to automatically flag all messages that come from outside your organization. This prompts employees to double-check before acting on them.

Prohibit Automatic Email Forwarding

Disable users' ability to automatically forward their email to external addresses. Attackers frequently abuse this feature.

5. Boost Security with Additional Protocols

MTA-STS

MTA-STS (Mail Transfer Agent Strict Transport Security) enforces TLS encryption for email in transit and protects against eavesdropping.

BIMI 

BIMI shows your company’s verified logo next to authenticated emails in supported clients. This gives a visual cue that the email is, in fact, from you and is therefore safe to open. BIMI requires a DMARC enforcement policy.

6. Report Fraud as Soon as You Sense It

If you believe you’ve spotted a BEC attack, act fast. Report it to law enforcement, like the FBI’s Internet Crime Complaint Center, IC3. If relevant, also inform your financial institution to freeze or recover funds.

Summing Up

The BEC threat is not trivial; the FBI has labeled BEC a “$26 billion scam,” and losses exceeded $1.8 billion in 2020 alone. This makes BEC one of the most financially damaging forms of cybercrime today. Dangerous as it is, BEC is not impossible to prevent. Email protocols like DMARC can help you strengthen your email security and stop attackers from compromising your business email.

Frequently Asked Questions

What is a Business Email Compromise attack? 

It’s a scam where an attacker impersonates a trusted colleague via email. The aim is to trick employees into sending money or sensitive data.

Are only large companies targeted by BEC? 

No, businesses of all sizes, including SMEs and non-profits, can fall prey to these attacks.

How do attackers make their emails look safe to open?

They use tactics like email spoofing, hacking real accounts, and creating very similar, lookalike domains.

How financially damaging are BEC attacks? 

The FBI considers it a “$26 billion scam.”

Why are BEC attacks so effective and hard to detect? 

They are effective because the fraudulent emails often appear to come from a completely legitimate and trusted internal email address.

Patrick Humphrey October 26, 2025