What Is Business Email Compromise (BEC)?

Among the myriad of threats targeting small and medium-sized businesses (SMBs) today, business email compromise is a particularly growing concern. And for good reason.

Just last year, BEC attacks resulted in $2.7 billion in actual losses. To make matters worse, that’s a 12.5% increase from 2021.

As these threats manipulate their way into inboxes, it’s clear that businesses of all sizes need to be ready. So, let’s dive into the world of business email compromise, explore what BEC is and how it works, and learn practical tips for defending against BEC attacks.

What Is Business Email Compromise?

Business email compromise (BEC) is a type of cybercrime where threat actors seek to manipulate or compromise email accounts within an organization to commit fraudulent activities, such as wire fraud, data and credential theft, and phishing scams. BEC attacks work by impersonating high-level executives or trusted vendors through email in order to trick employees or organizations into sending money or sensitive information.

How Do BEC Attacks Work?

BEC attacks typically follow these steps:

Research and Reconnaissance: Attackers gather information about their targets, such as names, roles, and relationships within the organization.
Email Compromise or Account Takeover: Adversaries gain access to and essentially “take over” an email account. This is often done through tactics like phishing, social engineering, or exploiting software vulnerabilities.
Impersonation: The attacker impersonates a trusted individual within the organization, such as a CEO, CFO, or a vendor, using a spoofed or compromised email account.
Deception: Threat actors send convincing emails to trick employees into performing actions like transferring money, sharing sensitive information, or downloading malicious attachments.

As highlighted in the infographic below, BEC attacks rely heavily on social engineering techniques. As a result, these attacks are difficult to detect or prevent with traditional security tools or spam filtering.

What Are Examples of BEC Attacks?

BEC attacks can take many forms, but some common tactics include:

Invoice Scams: Attackers compromise a supplier's or vendor's email account and send altered invoices or payment instructions to customers. The altered details direct payments to the attacker's account, resulting in payments being diverted away from the legitimate vendor.
CEO Fraud: Attackers impersonate a high-level executive and request urgent wire transfers or sensitive data from employees. Employees are tricked into making payments or even purchasing gift cards, believing it's a legitimate request from their superiors.
Payroll Diversion: Attackers pose as HR personnel and request changes to an employee's direct deposit information. As a result, the employee's salary is redirected to the attacker's account.

How Can I Combat BEC Attacks?

Since BEC attacks are generally human-centric, the methods of protection and prevention must also be human-centric.

Security awareness training can be an effective preventive measure against BEC scams. Conducting regular cybersecurity awareness training can help educate employees about the dangers of BEC attacks and how to recognize them and avoid falling victim to them.

However, prevention alone isn’t going to stop BEC attacks. There are tools and technology that can help bolster your defenses. One example is multi-factor authentication (MFA). MFA adds an extra layer of security to email accounts, making it more challenging for attackers to gain access. Another example is managed detection and response (MDR). MDR solutions proactively monitor for and detect anomalies, including looking for behavioral indicators of BEC, like suspicious inbox rules or login attempts from unusual locations.

While the BEC threat is real, it's not insurmountable. By understanding the tactics of attackers and implementing proactive measures, SMBs can be better prepared to face off against today’s email- and identity-based attacks.