You could compare usual email phishing to painting with a broad brush: “You’ve inherited a million dollars” or “Your account has been compromised, ACT NOW!”
In contrast, Business Email Compromise (BEC) is like skillful calligraphy. BEC is craftier because it pays attention to your organization’s practices and waits for the right opportunity. BEC attackers’ impersonations can be considerably harder to spot.
What is Business Email Compromise?
Not scattershot, laser
Business Email Compromise (BEC) is a sophisticated type of cyberattack that targets organizations by impersonating a trusted party through email. These attacks are designed to trick employees, executives or finance departments into transferring funds or sensitive information to con artists. Unlike typical phishing schemes, BEC often relies on careful social engineering, where attackers research their targets thoroughly to make their emails appear legitimate and trustworthy. Successful attacks can be devastating.
Not obvious, subtle
There is no one-size-fits-all description of BEC. But as a rule attackers make their approach with studied emails that imitate a known contact like a CEO, vendor or client. Sometimes attackers use a compromised email account on your organization’s server or they use domains that look nearly identical to legitimate ones. The requests are often urgent, instructing the recipient to process payments quickly or send confidential information with an appeal that emotionally stresses the recipient. These malicious emails are meant to blend undetected into an organization’s day-to-day operations.
Not laughable, knowledgeable
Typical phishing attempts can seem too glaring to be real, like Nigerian prince scams. While we can’t know the minds of individual scammers, it’s thought that using outlandish claims or bad spelling and grammar might be a way for them to quickly weed out sophisticated targets.
But whatever their reasoning, BEC attackers are trying for a big payday and so invest the time in learning about an organization and then operate undetected until it’s too late.
Here are some examples:
- a sudden change in a client’s payment instructions
- an email from an executive requesting personal account details
- a requested wire transfer to an unfamiliar destination
These should all be red-flag kinds of messages. Unfortunately they are not usually blatantly obvious, because the scammers often hide the requests in emotional baggage. But as a start, organizations can protect themselves by training employees to recognize the patterns of BEC attacks and by implementing a verification process for any financial or sensitive-information request.
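The patterns above (a known contact’s name arriving from a look-alike or unexpected domain, a mismatched Reply-To, urgent money wording) can be screened for automatically before a message ever reaches the verification step. The following is an added example, not Bryley’s or Barracuda’s code; the contact names, domains and the sample message are constructed for illustration.

```python
import re
from email.utils import parseaddr

# Constructed trusted-contact directory (hypothetical names and domains):
# display name -> the domain that contact's mail legitimately comes from.
TRUSTED_CONTACTS = {
    "Jane Doe": "example-corp.com",       # the CEO
    "Acme Billing": "acme-supplies.com",  # a vendor
}
# Character swaps that make a fake domain look like the real one.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|wire|confidential)\b", re.I)
MONEY = re.compile(r"\b(payment|account|bank|transfer|invoice)\b", re.I)

def normalize(domain):
    """Fold look-alike characters so 'examp1e-c0rp.com' reads as 'example-corp.com'."""
    d = domain.lower()
    for fake, real in CONFUSABLES.items():
        d = d.replace(fake, real)
    return d

def edit_distance(a, b):
    """Levenshtein distance; a domain one or two edits from a trusted one is suspicious."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_flags(headers, body):
    """Return the BEC warning signs found in one inbound message (headers dict + body text)."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    expected = TRUSTED_CONTACTS.get(name)
    if expected and domain != expected:
        # A trusted contact's display name arriving from another domain is the core BEC trick.
        if normalize(domain) == expected or edit_distance(domain, expected) <= 2:
            flags.append(f"look-alike domain {domain} for trusted contact {name!r}")
        else:
            flags.append(f"display name {name!r} sent from unexpected domain {domain}")
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        flags.append("Reply-To domain differs from From domain")  # replies go elsewhere
    if URGENCY.search(body) and MONEY.search(body):
        flags.append("urgent financial request wording")
    return flags
```

A message that raises any flag should be routed to the out-of-band verification step (a phone call to a known number) rather than acted on; a clean result is not proof of legitimacy, since a compromised real account produces none of these signs.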
Real-world attacks
Barracuda (a Bryley email-protection partner) cites some recent examples: in one famous case, deepfake audio was used to trick a British CEO into believing his German boss had requested a €220,000 money transfer. In another, a bank manager from the UAE was conned into transferring $35 million at the request of a ‘customer’ … One recently spotted attempt tried to trick a victim organization into transferring $36 million in funds. [1]
And the FBI describes this variant of BEC:
- An organization gets an email that seems to come from a legitimate company with a legitimate-looking request for goods.
- The sender’s email domain has been spoofed, and the sender’s name may be that of an actual buyer at the company.
- The criminals provide false credit references and tax forms in order to secure 30- or 60-day credit terms.
- Once the criminals have received the goods, they disappear, leaving the supplier to bill a company that never knew about this request for goods.
- The victim only realizes they’ve been defrauded days later.
The important thing to remember is not that BEC follows any of these scripts, but that it is an attacker operating discreetly, gaining trust and, when the attacker feels the time is right, making the fraudulent request.