What is Business Email Compromise (BEC)?
Business email compromise is a sophisticated social engineering attack in which an attacker impersonates a trusted figure (typically a senior executive, vendor, or business partner) to trick an employee into making a fraudulent wire transfer, sharing sensitive data, or redirecting payments. BEC attacks rely on social manipulation rather than malware or malicious links.
How BEC Works
Attackers research the target organization to understand reporting structures, vendor relationships, and payment processes. They then send an email that appears to come from the CEO, CFO, or a known vendor, requesting an urgent wire transfer, invoice payment, or data transfer. The email may come from a spoofed address, a compromised account, or a lookalike domain. Because BEC messages contain no links or attachments, they bypass most email security tools.
Why BEC Matters
The FBI's Internet Crime Complaint Center identified BEC as the costliest form of cybercrime, with reported losses exceeding $2.9 billion in 2023 alone. BEC attacks are difficult to detect because they don't trigger traditional security tools. There is no malicious payload to scan for. The attack succeeds entirely through social manipulation.
How to Protect Against BEC
- Simulate BEC scenarios that test employees in finance and executive assistant roles
- Require multi-person approval for wire transfers above a threshold
- Implement email authentication (DMARC, SPF, DKIM) to prevent domain spoofing
- Train employees to verify payment and data requests through a separate channel
- Monitor for lookalike domains registered against your organization
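The three sender techniques named above (spoofed address, compromised account, lookalike domain) need different checks, and the lookalike-domain and DMARC items in the list can be turned into a simple inbound triage rule. The script below is an added example written for this page, not tooling from the original article: it parses the From: and Authentication-Results: headers of a message, treats an exact match on a protected domain as trustworthy only when DMARC passed, and flags domains that are within one edit of a protected domain after folding digits, hyphens and a small confusables subset. The protected domains, the sample headers and the confusables table are constructed for illustration; a production check would use the full Unicode confusables list and your own vendor inventory, and it still cannot catch a compromised legitimate account, which passes every authentication check.

```python
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Domains the organization controls or has vetted as vendors (constructed sample data).
PROTECTED_DOMAINS = {"examplecorp.com", "acme-supplies.com"}

# Partial confusables table: a few Cyrillic letters that render like Latin ones plus
# common digit-for-letter swaps. Illustrative subset, not the full Unicode list.
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
               "0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}
MULTI_CHAR = [("rn", "m"), ("vv", "w")]  # letter pairs that imitate a single letter


def normalize_domain(domain: str) -> str:
    """Fold a domain so visually similar spellings compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    d = "".join(CONFUSABLES.get(ch, ch) for ch in d)
    for pair, repl in MULTI_CHAR:
        d = d.replace(pair, repl)
    return d.replace("-", "")  # hyphen insertion is a common typosquat variant


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character typosquats such as a dropped TLD letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message: str) -> dict:
    """Return a verdict for the From: domain of one raw RFC 822 message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "")
    match = re.search(r"dmarc=(\w+)", auth)
    dmarc = match.group(1).lower() if match else "none"
    result = {"domain": domain, "dmarc": dmarc}
    if domain in PROTECTED_DOMAINS:
        # An exact protected domain is trustworthy only if DMARC passed; otherwise
        # the sender address was most likely spoofed.
        result["verdict"] = "trusted" if dmarc == "pass" else "spoof_suspected"
        return result
    norm = normalize_domain(domain)
    for protected in PROTECTED_DOMAINS:
        if levenshtein(norm, normalize_domain(protected)) <= 1:
            # A lookalike registered by the attacker can pass DMARC for its own
            # domain, so authentication results do not clear it.
            result["verdict"] = "lookalike"
            result["imitates"] = protected
            return result
    result["verdict"] = "external"
    return result


def sample_message(from_header: str, auth_results: str) -> str:
    """Build a minimal raw message (constructed, not captured traffic)."""
    return (f"From: {from_header}\nAuthentication-Results: {auth_results}\n"
            "Subject: Urgent: wire transfer needed today\n\nPlease process the invoice.\n")


SAMPLES = {
    "genuine":   sample_message("CFO <cfo@examplecorp.com>", "mx.example; dmarc=pass"),
    "spoofed":   sample_message("CFO <cfo@examplecorp.com>", "mx.example; spf=fail; dmarc=fail"),
    "digit":     sample_message("CFO <cfo@examp1ecorp.com>", "mx.example; dmarc=pass"),
    "tld":       sample_message("Billing <billing@acme-supplies.co>", "mx.example; dmarc=pass"),
    "cyrillic":  sample_message("CFO <cfo@exаmplecorp.com>", "mx.example; dmarc=none"),
    "unrelated": sample_message("news@newsletter-example.net", "mx.example; dmarc=pass"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:10s} {classify_sender(raw)}")
```

The edit-distance threshold of one is deliberately tight; widening it increases catches of multi-character typosquats but also collisions between short, unrelated legitimate domains, so tune it against your own mail volume.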
Frequently Asked Questions
Why is BEC so costly compared to other cyberattacks?
BEC directly results in financial loss through wire transfers or invoice fraud, unlike phishing which often just harvests credentials. Losses in 2023 exceeded $2.9 billion according to the FBI, making it the costliest cybercrime by a wide margin.
Why do most email security tools fail to detect BEC?
BEC emails contain no malicious links or attachments, only text requesting a payment or data transfer. Email filters scan for payloads and malicious URLs but cannot detect social manipulation, so BEC bypasses these technical controls entirely.
What verification method is most effective against BEC?
The most effective control is requiring employees to verify any wire transfer or sensitive data request through a separate communication channel (phone call to a known number, not a callback number provided in the email). This simple step breaks the attacker's chain because they cannot intercept an out-of-band channel.
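The two process controls this page recommends, multi-person approval above a threshold and out-of-band verification against a number on file, can be encoded in the payment workflow itself so that a persuasive email cannot bypass them. The following is an added example written for this page, not the original article's material: a small release-gate for wire requests in which a change of beneficiary account is blocked until someone has called the vendor on the number recorded at onboarding (a call to the number printed in the request is rejected), and any amount over the threshold needs two approvers who are not the requester. The vendor master record, threshold, account numbers and phone numbers are constructed placeholders.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

# Vendor master file populated at onboarding. Bank details and the callback phone
# number come from here, never from an incoming email (constructed sample data).
VENDOR_MASTER = {
    "Acme Supplies": {"account": "GB00EXMP00000000000001", "phone": "+44 20 7946 0001"},
}

DUAL_CONTROL_THRESHOLD = 10_000.00  # above this amount two distinct approvers are required
REQUIRED_APPROVERS = 2


class ApprovalError(Exception):
    """Raised when a control is not satisfied; the payment must not be released."""


@dataclass
class WireRequest:
    vendor: str
    amount: float
    account: str            # beneficiary account as stated in the request
    callback_phone: str     # phone number the request asks the clerk to call
    requester: str          # employee who entered the request
    approvals: Set[str] = field(default_factory=set)
    verified_via: Optional[str] = None


def verify_out_of_band(req: WireRequest, phone_dialled: str, vendor_confirmed: bool) -> None:
    """Record a callback. Only a call to the number on file counts: if the request is
    fraudulent, the number inside it is answered by the attacker."""
    on_file = VENDOR_MASTER.get(req.vendor)
    if on_file is None:
        raise ApprovalError("unknown vendor; onboard through the normal process first")
    if phone_dialled != on_file["phone"]:
        raise ApprovalError("callback used a number from the request, not the number on file")
    if not vendor_confirmed:
        raise ApprovalError("vendor did not confirm the request")
    req.verified_via = phone_dialled


def approve(req: WireRequest, approver: str) -> None:
    """Add an approval; the requester can never approve their own request."""
    if approver == req.requester:
        raise ApprovalError("requester cannot approve their own request")
    req.approvals.add(approver)


def release_payment(req: WireRequest) -> dict:
    """Apply every control and return a release record, or raise ApprovalError."""
    on_file = VENDOR_MASTER.get(req.vendor)
    if on_file is None:
        raise ApprovalError("unknown vendor")
    if req.account != on_file["account"] and req.verified_via is None:
        raise ApprovalError("bank details differ from vendor master; verify out of band first")
    if req.amount > DUAL_CONTROL_THRESHOLD and len(req.approvals) < REQUIRED_APPROVERS:
        raise ApprovalError(f"{REQUIRED_APPROVERS} approvals required above {DUAL_CONTROL_THRESHOLD:.2f}")
    return {"status": "released", "vendor": req.vendor, "amount": req.amount,
            "account": req.account, "verified_via": req.verified_via}


def try_release(req: WireRequest) -> dict:
    """Turn a control failure into a blocked record instead of an exception."""
    try:
        return release_payment(req)
    except ApprovalError as exc:
        return {"status": "blocked", "reason": str(exc)}


def scenario_changed_bank_details() -> dict:
    """A request that reads like the vendor asking to be paid into a new account (constructed)."""
    req = WireRequest("Acme Supplies", 48_500.00, "GB00EXMP00000000009999",
                      "+44 20 7946 9999", requester="ap.clerk")
    approve(req, "ap.manager")
    approve(req, "controller")
    try:  # dialling the number printed in the request is rejected, so nothing is verified
        verify_out_of_band(req, req.callback_phone, vendor_confirmed=True)
    except ApprovalError:
        pass
    return try_release(req)


def scenario_verified_on_file_number() -> dict:
    """Same request, but the clerk calls the number on file and the vendor confirms."""
    req = WireRequest("Acme Supplies", 48_500.00, "GB00EXMP00000000009999",
                      "+44 20 7946 9999", requester="ap.clerk")
    approve(req, "ap.manager")
    approve(req, "controller")
    verify_out_of_band(req, VENDOR_MASTER["Acme Supplies"]["phone"], vendor_confirmed=True)
    return try_release(req)


if __name__ == "__main__":
    print(scenario_changed_bank_details())
    print(scenario_verified_on_file_number())
```

The account-change check deliberately applies at any amount, because invoice-redirection fraud often stays under approval thresholds; the threshold only governs how many approvers are needed.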
How do attackers research an organization to craft convincing BEC emails?
Attackers use LinkedIn to understand reporting structures, monitor company news for vendor relationships, and review employee social media profiles for personal details. They may also access previously leaked company data or purchase employee lists from data brokers.