What is Business Email Compromise (BEC)?

Business Email Compromise Defined

Business Email Compromise (BEC) is a type of cybercrime where attackers infiltrate or spoof legitimate business email accounts to deceive organisations into transferring money or sensitive information. This scheme often involves extensive social engineering tactics to manipulate and exploit the trust within an organisation.

Attackers typically research their targets to impersonate senior executives, vendors, or trusted partners, sending fraudulent emails that appear authentic and urgent.

BEC attacks can result in significant financial losses and data breaches. These crimes exploit the lack of robust email authentication protocols and human vulnerabilities, making them difficult to detect. Common objectives include redirecting payroll, initiating wire transfers to fraudulent accounts, or obtaining confidential company information.

The success of BEC relies heavily on the credibility of the emails: attackers often avoid malware or links that could trigger security defences and focus instead on simple, believable communication to achieve their aims. This subtlety and sophistication make BEC a highly effective and prevalent threat to businesses worldwide.


Types of BEC Attacks

Cyber security experts and law enforcement often identify five major types of BEC attacks, each targeting specific organisational roles and financial processes. Here's a breakdown of each type:

CEO Fraud (Executive Email Compromise):

Attackers impersonate high-level executives, such as CEOs or CFOs, and request urgent, confidential transactions. The emails typically target employees with the authority to handle wire transfers, instructing them to transfer funds to fraudulent accounts under the guise of pressing business matters.

Account Compromise:

In this type, a legitimate email account within the organisation is hacked. The compromised account is then used to request invoice payments or other financial transactions from vendors or business partners. Since the request originates from a legitimate account, it often bypasses suspicion and security checks.

Attorney Impersonation:

Cybercriminals pose as legal representatives, such as solicitors or barristers, handling confidential or time-sensitive matters. These attacks commonly occur at the end of the business day or during off-hours, adding a sense of urgency and reducing the likelihood of verification before action is taken.

Data Theft:

Instead of directly stealing money, attackers focus on obtaining sensitive information, such as tax statements, personally identifiable information (PII), or employee records. This data can be used for future attacks, identity theft, or sold on the dark web. Typically, HR departments or financial officers are targeted for this kind of information.

False Invoice Scheme:

Here, attackers compromise the email accounts of suppliers or business partners. They then send fraudulent invoices to the organisation, requesting payments to new, attacker-controlled bank accounts. Since the invoices appear to come from trusted partners, they often pass through standard checks without raising alarms.

Identifying BEC Attacks

To identify BEC attacks, be vigilant about several key indicators:

  1. Email Anomalies: Look for subtle discrepancies in email addresses, such as slight misspellings or changes in domain names. Verify any unexpected or unusual requests directly through known, trusted communication channels.
  2. Urgency and Pressure: Be cautious of emails that create a sense of urgency or pressure to act quickly, especially if they deviate from normal business procedures.
  3. Unusual Payment Requests: Scrutinise requests for atypical payment methods, changes in payment instructions, or payments to unfamiliar accounts. Cross-check with the supposed sender via a different communication method.
  4. Content and Tone: Pay attention to the tone and language used in the email. An unexpected level of formality or informality, or phrases that don't match the sender's usual communication style, can be red flags.
  5. Missing Information: Be wary of emails lacking usual details, such as incomplete signatures or missing company logos, which might indicate a spoofed email.
  6. Unexpected Attachments or Links: Avoid opening attachments or clicking on links in unsolicited emails, even if they appear to come from a known contact. Verify their legitimacy first.

By maintaining a healthy scepticism and verifying details through established, secure channels, employees can better identify and prevent BEC attacks.


What is the Difference Between Phishing and BEC?

Traditional phishing broadly targets individuals by sending deceptive emails designed to steal personal information or infect systems with malware. It often includes generic messages and malicious links or attachments.

In contrast, BEC is a highly targeted attack focusing on specific individuals within an organisation, such as executives or financial officers. BEC relies on social engineering to impersonate trusted figures and requests what appear to be legitimate business transactions or sensitive information, usually without using malicious links or attachments, making it more sophisticated and difficult to detect.


What is the First Stage of a BEC Attack?

The first stage of a Business Email Compromise (BEC) attack is the reconnaissance and initial compromise phase. During this stage, attackers gather detailed information about the target organisation and its employees. This typically involves open-source research: mapping the company's hierarchy, understanding its business processes, and identifying key personnel through public sources such as company websites, LinkedIn, or social media.

Next, attackers compromise an email account within the organisation or create a spoofed email that closely mimics a legitimate address. They may use phishing emails, malware, or brute force attacks to gain access. This initial foothold allows them to monitor email communications, study internal language and procedures, and plan their fraudulent activities to increase the likelihood of success without raising suspicion.

Who do BEC Attacks Typically Target?

BEC attacks typically target individuals within an organisation who have the authority to conduct financial transactions or access sensitive information. This includes executives like CEOs and CFOs, finance department employees, accounts payable or receivable staff, and occasionally HR personnel.

Additionally, they may target trusted external partners or vendors whose compromised accounts can be used to send fraudulent requests.

How to Protect Against BEC Attacks

To protect against Business Email Compromise (BEC) attacks, organisations must implement multi-layered defences and foster a culture of vigilance. Here are key strategies to enhance protection:

  1. Employee Training: Regularly educate employees about BEC tactics and red flags, such as urgent requests from executives, unusual payment instructions, or emails that bypass normal channels. Encourage them to verify requests via alternative communication methods.
  2. Email Authentication: Implement robust email authentication protocols like DMARC, DKIM, and SPF to reduce the risk of email spoofing.
  3. Multi-Factor Authentication (MFA): Require MFA for accessing email accounts and sensitive systems. This adds an extra layer of security even if login credentials are compromised.
  4. Advanced Email Security Solutions: Deploy email security tools that use artificial intelligence to detect suspicious patterns, phishing attempts, and malicious content.
  5. Regular Security Audits: Conduct periodic security assessments and audits to identify vulnerabilities and ensure that security policies are up-to-date and effective.
  6. Incident Response Plan: Develop and maintain a comprehensive incident response plan to swiftly address and mitigate any BEC attempts.
  7. Monitor Financial Transactions: Implement checks and balances for financial transactions, such as dual approval processes for wire transfers and large payments, to reduce the risk of fraudulent transactions.

By combining these strategies, organisations can create a robust defence against BEC attacks, safeguarding both financial assets and sensitive information.
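As an added example (not part of the original post), the following Python script applies the indicators from the "Identifying BEC Attacks" list and the SPF/DKIM/DMARC point in the list above to a single constructed message: it flags a look-alike sender domain, a Reply-To that routes replies elsewhere, failed authentication verdicts, and urgent payment language. The trusted-domain set, the keyword patterns, and the sample message are all assumptions made for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed: the organisation's own domain plus one known supplier domain.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|bank details|new account|invoice|payment)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance; 1-2 edits from a trusted domain marks a look-alike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(header_value):
    """Bare, lower-cased domain of an address header ('' if absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def bec_indicators(raw_message):
    """Return the red flags found in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    flags = []
    from_dom = sender_domain(msg.get("From", ""))
    reply_dom = sender_domain(msg.get("Reply-To") or msg.get("From", ""))
    if from_dom not in TRUSTED_DOMAINS:   # indicator 1: look-alike sender domain
        near = [d for d in TRUSTED_DOMAINS if 0 < edit_distance(from_dom, d) <= 2]
        if near:
            flags.append(f"lookalike-domain:{from_dom}~{near[0]}")
    if reply_dom != from_dom:             # replies silently routed elsewhere
        flags.append(f"reply-to-mismatch:{reply_dom}")
    auth = msg.get("Authentication-Results", "")   # SPF/DKIM/DMARC verdicts
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if m and m.group(1).lower() != "pass":
            flags.append(f"{mech}-{m.group(1).lower()}")
    if URGENCY.search(msg.get_payload()) and PAYMENT.search(msg.get_payload()):
        flags.append("urgent-payment-language")   # indicators 2 and 3 together
    return flags

# Constructed sample in the shape of a CEO-fraud message; every address is fictitious.
SAMPLE = """From: "Dana Chief (CFO)" <d.chief@examp1e.com>
Reply-To: finance-desk@mail-relay.invalid
Authentication-Results: mx.example.com; spf=pass; dkim=none; dmarc=fail

Please wire today's invoice to the new account. Keep this confidential."""
```

A message that raises any flag should be held for verification through a known channel rather than actioned from the email itself.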

Improving Security with Employee Awareness Training

Organisations must invest in employee awareness training to combat Business Email Compromise (BEC) attacks effectively. BEC exploits human behaviour through sophisticated social engineering tactics, making educated employees the first line of defence. Trained employees can recognise warning signs, such as unusual requests and email discrepancies, preventing fraudulent transactions and data breaches.

Moreover, this training is a cost-effective way to enhance security. The financial and reputational damage from successful BEC attacks can be extensive, so proactive prevention is crucial. Regular training fosters a culture of security awareness, ensuring employees are vigilant and proactive in identifying threats.

This vigilance not only strengthens the organisation's security posture but also ensures compliance with industry standards, reducing legal and regulatory risks. Ultimately, knowledgeable employees are vital for protecting the organisation's assets and reputation.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve your security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.
