The FBI dropped a bombshell: BEC attacks cost companies over $43 billion globally between 2016 and 2022. Yeah, you read that right… billion. These aren’t just stats on a spreadsheet. These represent real businesses getting blindsided by a single email. Let’s talk about the telltale signs that could save you from becoming a victim.

Suspicious sender behavior

First rule of thumb: don’t trust just the name in the “From” field. BEC attackers are experts in domain spoofing, so they’ll make the email look like it’s from a legit source. Here’s what to look for:

• Domain tweaks: Attackers might change a single character in a domain. Think “bank.com” versus  “b8nk.com.”

• Display name tricks: You might see "CEO Janet Smith" pop up, but when you check the email address, it’s off by a mile. 

• Reply-to changes: If you hit “reply” and the response goes to some strange email address, you might be walking into a trap. 

• Fresh domains: If a domain was registered in the last 30 days, raise an eyebrow.

Watch an episode of our Tradecraft Tuesday where Huntress Security Research expert Matt Kiely demonstrates several methods of gaining access to an M365 identity. 

Timing and contextual red flags

Business email compromise detection isn’t a high-tech magic trick. These scammers don’t just wing it. They strike when you’re most vulnerable. That’s why timing and context matter big time. Watch for these red flags:

• Urgent requests: “Act now! Wire transfer must be made immediately!” If an email is pushing you to do something in a hurry, slow down. 

• CEO authority: If the email says “the CEO needs this right now” or “I’m unavailable by phone,” be suspicious. It’s a classic trick. 

• Off-hours chaos: Getting emails at 2 AM asking for large sums of money? That’s a red flag.

• Breaking standard procedures: If the process to approve payments or changes gets bypassed, don’t just approve. Double-check.

Linguistic and stylistic warning signs 

If you want to detect BEC attacks, you’ve got to think like a con artist and read between the lines. These scams don’t always scream “fraud” at first glance. Sometimes, the giveaway is buried in the tone, the grammar, or a weird word choice that just doesn’t sit right. Keep your eyes peeled for:

• Grammatical errors: Your CEO wouldn’t send an email that had typos, spelling errors, or weird phrasing. 

• Tone shifts: If the way someone writes changes suddenly, that’s not normal.

• Overuse of authority: Excessive language like “This is urgent!” or “Don’t tell anyone about this” is a hallmark of BEC attacks.

• Cultural misalignment: If the phrasing doesn’t match the sender’s typical style, it’s worth investigating.

If you’re diving deep into BEC detection, sometimes it’s the hidden metadata that will spill the beans.

• Email header inspection: Look at the email's behind-the-scenes info (headers). If something doesn’t add up, like a mismatch in SPF/DKIM records, a weird server route, or an IP address that doesn’t match where it’s supposed to come from, call BS.

• Account behavior: If someone suddenly logs in from a new country or tries to access their account in the middle of the night, that’s a problem. Likewise, any weird forwarding rules in an inbox could mean an attacker is hijacking the account.

BEC attacks come in all shapes and sizes. But here are a few classic setups that’ll help you identify them faster.

CEO fraud source

This is the granddaddy of BEC scams. The attacker impersonates the CEO or high-ranking exec and pressures the target into making financial transactions

Red flags: Requests to wire funds quickly, subtle email address changes, or “CEO unavailable by phone” messages.

Vendor fraud 

Here, attackers spoof vendor emails to get you to pay them instead of your regular supplier.

Red flags: Sudden requests to change payment details or new contacts claiming to represent a trusted vendor.

HR and employee targeting 

BEC isn’t always about money. Sometimes, attackers are after sensitive employee info.

Red flags: Requests for direct deposit changes or compensation info.

Okay, so how do you fight back? You need a defense plan that’s got the chops to deal with this stuff. Here’s how:

Tech armor

1. DMARC, SPF, and DKIM: These email authentication protocols are the first line of defense. They tell you whether an email really came from the person it says it did. 

2. AI-powered filters: Use advanced email filters that analyze patterns and flag suspicious messages. 

3. Multi-factor authentication: Ensure email accounts are protected with more than just a password. 

4. Endpoint protection: Stop credential harvesting before it starts with Huntress’s managed detection, investigation, and response for your endpoints.

Human armor

1. Phishing simulations: Run mock BEC attacks to see how your employees react. You can either run them on your own or invest in simulated phishing training for employees. 

2. Security training: Train everyone, but especially those in high-risk departments (finance, HR, IT), on spotting these attacks. Huntress Managed Security Awareness Training is loved by learners and hated by hackers.

3. Verification culture: Make it standard practice to verify any financial transactions or requests through a secondary communication channel.

Process armor

1. Verification for payments: Always get secondary approval for big transfers. 

2. Escalation paths: Have clear procedures for when things don’t add up. 

3. Regular security drills: Test your defenses regularly and update your procedures as needed. Huntress Managed Security Awareness Training can help with that.

BEC is evolving. Attackers are always finding new ways to trick you, but so are defenders. Keep an eye out for:

• AI writing analysis: Detecting odd phrasing and anomalies using AI. 

• Behavioral biometrics: Recognizing how legit users interact with systems. 

• Zero Trust security model: Assuming every request is suspect, even if it looks like it’s coming from a trusted source. 

We understand what threats like credential theft and unauthorized access mean for your business, and we’re here to help. Huntress has you covered with Managed ITDR, protecting identities across your organization 24/7. For more in-depth solutions on preventing BEC attacks, check out our Business Email Compromise resources.