What Is BEC?
Business email compromise (BEC) is an email scam in which an attacker impersonates a trusted party in order to defraud a business, typically by soliciting payments or sensitive information. Business email compromise is a large and growing problem that targets organisations of all sizes across every industry around the world. BEC scams have amassed over $55 billion in exposed losses over the past decade, making BEC one of the most financially damaging forms of cyber crime.
Email account compromise (EAC), or email account takeover, is a related threat that is accelerating in an era of cloud-based infrastructure. EAC is often associated with BEC because compromised accounts are used in a growing number of BEC-like scams (though EAC is also the basis of other kinds of cyber-attacks). A 2024 report shows that BEC attacks have surged by 1,760% from 2022, largely due to the widespread adoption of generative AI tools that enable attackers to craft more convincing and personalised fraudulent emails.
BEC and EAC are difficult to detect and prevent, especially with legacy tools, point products, and native cloud platform defences. Modern BEC attacks have evolved beyond simple email spoofing to incorporate sophisticated social engineering tactics, AI-generated content, and multi-channel approaches that combine email, phone, and video communications.
Types of Business Email Compromise
The FBI defines 5 major types of BEC scams:
- CEO Fraud: Here, the attackers position themselves as the CEO or executive of a company and typically email an individual within the finance department requesting funds to be transferred to an account the attacker controls. These attacks often occur during periods when executives are travelling or unavailable and frequently involve urgent requests that bypass standard security protocols.
- Account Compromise: An employee’s email account is hacked and used to request vendor payments. Payments are then sent to fraudulent bank accounts owned by the attacker. Attackers typically lurk in compromised accounts for weeks, studying communication patterns and internal processes before launching their attack.
- False Invoice Scheme: Attackers commonly target foreign suppliers through this tactic. The scammer acts as if they are the supplier and requests fund transfers to fraudulent accounts. This scheme has evolved to include vendor email compromise (VEC), which increased by 66% in H1 2024.
- Attorney Impersonation: An attacker impersonates a lawyer or legal representative and typically targets lower-level employees who wouldn’t know to question the request’s validity. These BEC attacks frequently coincide with significant corporate events like mergers, acquisitions, or legal proceedings to appear more credible.
- Data Theft: These attacks typically target HR employees to obtain personal or sensitive information about individuals within the company, such as CEOs and executives. This data can then be leveraged for future attacks like CEO Fraud. Attackers often pose as new employees or third-party vendors requiring immediate access to sensitive information.
Modern BEC attacks have also evolved to include newer variants:
- Voice Cloning Attacks: Cyber criminals use AI technology to clone executive voices for virtual meetings or phone calls. These attacks often combine email correspondence with voice confirmation calls to bolster their schemes’ legitimacy.
- Quishing: This technique combines traditional phishing with QR codes, where attackers embed malicious QR codes in emails that appear to be from legitimate business partners or internal departments. When scanned, these codes direct victims to credential-harvesting sites.
- Conversation Hijacking: Attackers monitor legitimate email threads between businesses and their partners, then insert themselves at a crucial moment using nearly identical domain names. They leverage the existing context and trust to redirect payments or extract sensitive information.
How Do BEC Attacks Work?
In a BEC scam, the attacker poses as someone the recipient should trust—typically a colleague, boss, or vendor. The sender asks the recipient to make a wire transfer, divert payroll, change banking details for future payments, and so on. These requests often leverage urgent situations or time-sensitive business operations to pressure victims into quick decisions.
BEC attacks are difficult to detect because they don’t use malware or malicious URLs that can be analysed with standard cyber defences. Instead, BEC attacks rely on impersonation and other social engineering techniques to trick people into interacting on the attacker’s behalf. Modern attacks increasingly utilise AI-generated content to create more convincing impersonations and communications.
Because of their targeted nature and use of social engineering, manually investigating and remediating these attacks is challenging and time-consuming.
BEC scams use various impersonation techniques, such as domain spoofing and lookalike domains. These attacks are effective because domain misuse is a complex problem. Attackers now employ sophisticated techniques like typosquatting, homograph attacks using international characters, and subdomain abuse to create convincing domain variations. Stopping domain spoofing is hard enough—anticipating every potential lookalike domain is even harder. And that difficulty only multiplies with every outside partner’s domain that could be used in a BEC attack to exploit users’ trust.
In EAC, the attacker gains control of a legitimate email account, allowing them to launch attacks that look like BEC. But in these cases, the attacker isn’t just trying to pose as someone—the attacker is that person. Once inside, attackers often set up elaborate inbox rules to conceal their activities and maintain persistent access.
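The inbox-rule persistence described above is something a mailbox audit can look for directly. The following Python is an added example, not Proofpoint's code: it scores rule records shaped like a generic rule export (the InboxRule fields, the yourcompany.com internal domain and the three sample rules are all constructed for illustration) against the hiding patterns attackers favour, such as forwarding to an external address, deleting or burying mail that mentions invoices or passwords, and rules with blank or one-character names.

```python
"""Audit mailbox inbox rules for patterns attackers create after an account
takeover to hide their activity. Added example (not Proofpoint's code); the rule
records below are constructed samples shaped like a generic rule export, not the
output of any particular mail platform."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Domains the organisation owns; mail forwarded anywhere else is "external".
# Assumed value for the example.
INTERNAL_DOMAINS = {"yourcompany.com"}

# Subject words that show up in rules built to suppress finance or security threads.
HIDE_KEYWORDS = {"invoice", "payment", "wire", "bank", "password", "suspicious",
                 "fraud", "hacked", "phishing"}

# Folders users rarely open, so mail moved there is effectively hidden.
DUMP_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                "junk email", "archive", "deleted items"}


@dataclass
class InboxRule:
    name: str
    subject_keywords: List[str] = field(default_factory=list)
    forward_to: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    delete: bool = False
    mark_as_read: bool = False


def _is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def assess_rule(rule: InboxRule) -> List[str]:
    """Return human-readable findings for one rule; an empty list means clean."""
    findings = []
    external = [a for a in rule.forward_to if _is_external(a)]
    if external:
        findings.append("forwards mail to external address(es): " + ", ".join(external))
    hidden = {k.lower() for k in rule.subject_keywords} & HIDE_KEYWORDS
    if hidden and (rule.delete or rule.mark_as_read or rule.move_to_folder):
        findings.append("hides messages matching finance/security keywords: "
                        + ", ".join(sorted(hidden)))
    if rule.move_to_folder and rule.move_to_folder.lower() in DUMP_FOLDERS:
        findings.append(f"moves mail to rarely viewed folder '{rule.move_to_folder}'")
    if rule.delete and not rule.subject_keywords and not rule.forward_to:
        findings.append("deletes all incoming mail unconditionally")
    if len(rule.name.strip()) <= 1:
        findings.append("rule name is blank or a single character")
    return findings


def audit_rules(rules: List[InboxRule]) -> List[Tuple[int, str, List[str]]]:
    """Return (index, name, findings) for every rule with at least one finding."""
    return [(i, r.name, f) for i, r in enumerate(rules) if (f := assess_rule(r))]


# Constructed sample: one ordinary rule and two that fit the post-takeover pattern.
SAMPLE_RULES = [
    InboxRule(name="Travel filing", subject_keywords=["itinerary"], move_to_folder="Travel"),
    InboxRule(name=".", subject_keywords=["invoice", "wire"],
              forward_to=["finance.backup@webmail.example"], delete=True, mark_as_read=True),
    InboxRule(name="Cleanup", subject_keywords=["password", "suspicious"],
              move_to_folder="RSS Feeds", mark_as_read=True),
]

if __name__ == "__main__":
    for index, name, findings in audit_rules(SAMPLE_RULES):
        print(f"rule #{index} ({name!r}):")
        for finding in findings:
            print("  -", finding)
```

Run against a real export, the useful signal is usually the combination: a single external forward may be a user convenience, but forwarding plus deletion plus a one-character name is the shape of a rule nobody wants noticed.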
Because BEC and EAC focus on human frailty rather than technical vulnerabilities, they require a people-centric defence that can prevent, detect, and respond to a wide range of BEC and EAC techniques.
PHASE 1 – Email List Targeting
The attackers begin by building a targeted list of emails. Common tactics include mining LinkedIn profiles, sifting through business email databases, or even going through various websites in search of contact information. Attackers also leverage data from previous breaches and use OSINT tools to build detailed profiles of their targets.
PHASE 2 – Launch Attack
Attackers begin rolling out their BEC attacks by sending out mass emails. It’s difficult to identify malicious intent at this stage since attackers utilise tactics such as spoofing, lookalike domains, and fake email names. Modern attacks often start with low-risk communications to establish credibility before escalating to financial requests.
PHASE 3 – Social Engineering
At this stage, attackers impersonate individuals within a company, such as CEOs or individuals within finance departments. It’s common to see emails that request urgent responses. Attackers frequently target social media accounts to reference real events or relationships in their communications.
PHASE 4 – Financial Gain
Once trust is established, attackers execute their endgame, which may include fraudulent wire transfers, credential theft, or data exfiltration. They often use multiple accounts and money mules to quickly move and obscure stolen funds.
The Global Impact of BEC
The global impact of BEC attacks continues to escalate, transforming what was once considered a regional cyber crime issue into a worldwide epidemic affecting organisations across every continent. Manufacturing, healthcare, and real estate sectors have emerged as prime targets, with construction and engineering industries experiencing the highest targeting rates.
In the manufacturing sector, attackers exploit the industry’s reliance on frequent, large-value transactions and complex supplier networks. Healthcare organisations face unique vulnerabilities due to their diverse networks of facilities, professionals, and third-party vendors, making them particularly susceptible to sophisticated impersonation attempts.
Recent data shows a concerning 24% increase in malicious attacks per user in early 2024, with BEC attacks rising by 42% compared to the previous year. This surge has prompted global cybersecurity agencies to emphasise the implementation of advanced email authentication protocols and AI-powered detection systems.
The international response has intensified, exemplified by successful law enforcement operations like Interpol’s arrest of a Nigerian BEC gang leader whose organisation, SilverTerrier, had targeted thousands of companies worldwide. Regional variations in attack patterns have emerged, with European organisations experiencing notable spikes in BEC attempts during summer months when employees are more likely to be distracted by vacation schedules.
Legal and Regulatory Considerations
As BEC attacks evolve, organisations face an increasingly complex landscape of legal obligations and regulatory requirements to protect sensitive data and financial assets while holding cyber criminals accountable.
- Due Diligence Requirements: Organisations must demonstrate they’ve implemented reasonable security measures and followed established verification procedures, with courts increasingly evaluating liability based on whether parties exercised “ordinary care” in preventing BEC fraud.
- GDPR Compliance: European regulations require organisations to report BEC-related data breaches within 72 hours and maintain detailed documentation of their incident response procedures.
- CCPA Obligations: California’s privacy law mandates regular security assessments and prompt notification of affected parties when personal information is compromised through BEC attacks.
- Financial Institution Duties: Banks and financial institutions must implement specific fraud detection measures and maintain enhanced customer verification procedures for high-risk transactions.
- Cross-Border Considerations: Organisations operating internationally must navigate multiple regulatory frameworks while maintaining consistent security standards across their global operations.
- Documentation Requirements: Companies must maintain detailed records of their BEC prevention measures, incident response procedures, and employee training programmes to demonstrate regulatory compliance.
- Contract Management: Organisations should implement clear contractual provisions regarding payment verification procedures and liability allocation for BEC incidents, particularly in vendor and partner agreements.
Real World BEC Incidents
The sophistication and financial impact of BEC attacks continue to grow, as evidenced by several high-profile cases that demonstrate the evolving nature of these threats.
Facebook and Google Case
A BEC scheme targeting tech giants Facebook and Google resulted in losses of $121 million between 2013 and 2015. Evaldas Rimasauskas created a fake company mimicking a legitimate hardware supplier and used counterfeit contracts and lawyers’ letters to convince banks to accept fraudulent transfers.
Children’s Healthcare of Atlanta
In an alarming case, attackers targeted a paediatric healthcare provider by spoofing a construction company’s domain and impersonating their CFO. The scammers successfully redirected $3.6 million by submitting fraudulent payment instructions on counterfeit letterhead.
Toyota Boshoku Corporation
The Japanese automotive supplier fell victim to a sophisticated BEC attack, resulting in a $37 million loss. The attackers exploited the company’s large size to make substantial transfer requests without raising immediate suspicion, demonstrating how criminals can leverage organisational complexity to their advantage.
Key Lessons Learned:
- Size doesn’t matter: Even the largest technology companies with sophisticated security measures can fall victim to well-crafted BEC schemes that exploit human trust and business processes.
- Verification is critical: Traditional email security measures alone are insufficient; organisations need robust verification processes that operate independently of email communications.
- Complex organisations are vulnerable: Larger organisations with multiple departments and complex approval chains can be particularly susceptible to BEC attacks due to communication gaps and process complexity.
- Industry knowledge is power: Attackers invest significant time to understand industry-specific operations, enabling them to craft persuasive impersonation attempts.
- Speed enables crime: The rapid pace of business operations and pressure to process payments quickly can be exploited by attackers who count on urgency to bypass normal security protocols.
How Do I Protect Against BEC Exploits?
BEC and EAC are complex problems that require multi-layered defences. In today’s AI-enhanced threat landscape, effectively stopping these exploits means:
- Stopping the wide range of BEC/EAC tactics.
- Getting visibility into malicious activities and user behaviour—both within your environment and in the cloud.
- Automating detection and threat response.
- Implementing AI-powered detection systems that can identify sophisticated impersonation attempts.
An effective BEC/EAC defence secures all the channels attackers exploit. These include corporate email, personal webmail, business partners’ email, cloud apps, your web domain, the web, and user behaviour. Modern defence strategies must also account for emerging attack vectors like voice cloning and conversation hijacking.
Because BEC and EAC rely on a willing (though unwitting) victim, attack visibility, email protection, and user awareness are critical to an effective defence.
Technical Controls
- Deploy email authentication protocols (SPF, DKIM, DMARC) to validate email authenticity and prevent domain spoofing.
- Implement AI-driven email filtering solutions that analyse behavioural patterns and detect anomalies in communication.
- Enable multifactor authentication (MFA) across all email accounts and critical systems.
- Use user and entity behaviour analytics (UEBA) to detect unusual access patterns or suspicious activities.
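As an added example of the first of these controls (not Proofpoint's code), the Python below evaluates SPF and DMARC records for the settings that leave a domain spoofable, showing a weak record beside its hardened counterpart. The functions take the TXT record text as a string so the check runs offline with no DNS lookups; the sample records, the _spf.mailhost.example include and the dmarc-reports@yourcompany.com mailbox are constructed.

```python
"""Evaluate SPF and DMARC TXT records for settings that leave a domain open to
spoofing. Added example (not Proofpoint's code): the functions take record strings
so the check runs offline; the sample records and the yourcompany.com mailbox
are constructed for illustration."""
from typing import Dict, List

# Mechanisms/modifiers that cost a DNS lookup; SPF permits at most 10 (RFC 7208).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
POLICY_STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary with lower-case keys."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC record; an empty list means it enforces fully."""
    if not record.strip():
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["record does not begin with v=DMARC1, so receivers ignore it"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in POLICY_STRENGTH:
        findings.append("missing or invalid p= tag; the record is not valid DMARC")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam instead of rejecting it")
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_STRENGTH.get(sub_policy, 0) < POLICY_STRENGTH.get(policy, 0):
        findings.append(f"sp={sub_policy} leaves subdomains weaker than the parent policy")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only part of the mail stream")
    if "rua" not in tags:
        findings.append("no rua= address, so aggregate reports of spoofing never arrive")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            findings.append(f"{tag}=r (relaxed): any subdomain, including ones delegated "
                            "to third parties, satisfies alignment")
    return findings


def check_spf(record: str) -> List[str]:
    """Return findings for an SPF record; an empty list means it is well formed."""
    if not record.strip():
        return ["no SPF record: receivers cannot tell which hosts may send for the domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not begin with v=spf1, so receivers ignore it"]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        name = term.lstrip("+-~?").split(":")[0].split("=")[0].split("/")[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the limit of 10; evaluates to permerror")
    if all_qualifier is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_qualifier == "+":
        findings.append("+all authorises every host on the internet to send as this domain")
    elif all_qualifier == "?":
        findings.append("?all is neutral and gives receivers no basis to reject forgeries")
    return findings


# Constructed records: a weak pair beside the hardened pair.
WEAK_SPF = "v=spf1 include:_spf.mailhost.example +all"
STRONG_SPF = "v=spf1 include:_spf.mailhost.example -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                "rua=mailto:dmarc-reports@yourcompany.com")

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "SPF:", check_spf(spf) or ["ok"])
        print(label, "DMARC:", check_dmarc(dmarc) or ["ok"])
```

The check only counts lookup mechanisms at the top level; a full evaluator would recurse into each include, which is where most real records exceed the limit. Note also that SPF and DMARC protect only your own domain from exact-domain spoofing; lookalike domains registered by the attacker pass these checks and need the separate detection covered under user awareness.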
Security Awareness and Training
Train your users to look for these signs that the email may not be what it seems:
- High-level executives asking for unusual information: How many CEOs actually want to review W2 and tax information for individual employees? While most of us will naturally respond promptly to an email from the C-suite, it’s worth considering whether the email request makes sense. A CFO might ask for aggregated compensation data or a special report, but individual employee data is less likely.
- Requests to not communicate with others: Impostor emails often ask the recipient to keep the request confidential or only communicate with the sender via email.
- Requests that bypass normal channels: Most organisations have accounting systems through which bills and payments must be processed, no matter how urgent. When these channels are bypassed by an email directly from an executive requesting, for example, that an urgent wire transfer be completed ASAP, the recipient should be suspicious.
- Language issues and unusual date formats: Some lure emails have flawless grammar, and some CEOs write emails in broken English. But the presence of European date formats (day month year) or sentence construction that suggests an email was written by a non-native speaker is common in many of these attacks.
- Email domains and “Reply To” addresses that do not match the sender’s address: BEC emails often use spoofed and lookalike sender addresses that are easy to miss if the recipient isn’t paying attention (yourc0mpany.com instead of yourcompany.com, for example).
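The header and language checks in the list above, together with the typosquatting, homograph and subdomain-abuse variations discussed under “How Do BEC Attacks Work?”, can be turned into a first-pass screening rule. The Python below is an added example rather than Proofpoint's detection logic; the trusted-domain allow-list, the confusable table, the phrase patterns and both sample messages are constructed for illustration, and it generalises the single yourc0mpany.com case to any character-swap, homograph or prefixed-subdomain imitation of a trusted domain.

```python
"""Screen an inbound message for BEC warning signs: a Reply-To domain that differs
from the From domain, a lookalike of a trusted domain (character swaps, homographs,
subdomain abuse) and urgency, secrecy or payment language. Added example, not
Proofpoint's code; the allow-list, confusable table and messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional, Tuple

TRUSTED_DOMAINS = {"yourcompany.com", "acme-supplier.example"}  # assumed allow-list

# Substrings attackers swap for visually similar ones, including a few Cyrillic
# homographs. Heuristic only: "rn" -> "m" also rewrites legitimate words, so a
# match is a prompt to verify out of band, not a verdict.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

URGENCY = re.compile(r"\b(urgent(?:ly)?|asap|immediately|right away|today|"
                     r"before (?:end|close) of (?:day|business))\b", re.I)
SECRECY = re.compile(r"\b(keep (?:this|it) (?:confidential|between us|quiet)|"
                     r"do(?:n't| not) (?:discuss|tell|contact|mention)|"
                     r"only (?:be )?(?:reached|contacted) (?:by|via) e-?mail)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|bank (?:details|account)|routing number|iban|"
                     r"swift|gift cards?|payroll|direct deposit|w-?2s?)\b", re.I)


def normalise(domain: str) -> str:
    """Lower-case the domain and undo the common confusable substitutions."""
    out = domain.lower()
    for bad, good in CONFUSABLES.items():
        out = out.replace(bad, good)
    return out


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with the plain dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalise(domain)
    for trusted in TRUSTED_DOMAINS:
        # exact match after un-confusing, trusted name used as a leading label
        # (yourcompany.com.evil.example), or within two edits of the real name
        if norm == trusted or norm.startswith(trusted + ".") or edit_distance(norm, trusted) <= 2:
            return trusted
    return None


def _domain(header_value: str) -> str:
    address = parseaddr(header_value)[1]
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def screen_message(raw: str) -> Tuple[int, List[str]]:
    """Return (score, findings). Header findings weigh 2, language findings 1."""
    msg = message_from_string(raw)
    from_dom, reply_dom = _domain(msg.get("From", "")), _domain(msg.get("Reply-To", ""))
    weighted = []
    if reply_dom and reply_dom != from_dom:
        weighted.append((2, f"Reply-To domain {reply_dom} differs from From domain {from_dom}"))
    for label, dom in (("From", from_dom), ("Reply-To", reply_dom)):
        target = lookalike_of(dom) if dom else None
        if target:
            weighted.append((2, f"{label} domain {dom} looks like trusted domain {target}"))
    parts = [msg.get("Subject", "")]
    for part in msg.walk():  # collect subject plus every text/plain body part
        if part.get_content_type() == "text/plain":
            parts.append(part.get_payload(decode=True).decode(part.get_content_charset() or "utf-8", "replace"))
    text = "\n".join(parts)
    for name, pattern in (("urgency", URGENCY), ("secrecy", SECRECY), ("payment", PAYMENT)):
        hits = sorted({m.group(0).lower() for m in pattern.finditer(text)})
        if hits:
            weighted.append((1, f"{name} language: " + ", ".join(hits)))
    return sum(w for w, _ in weighted), [f for _, f in weighted]


# Constructed sample messages (not real mail).
SUSPICIOUS_MESSAGE = """\
From: "Jane Doe, CEO" <jane.doe@yourc0mpany.com>
Reply-To: jane.doe.ceo@mail-relay.example
To: accounts@yourcompany.com
Subject: Urgent wire transfer - confidential
Content-Type: text/plain; charset="utf-8"

I am in meetings all day and can only be reached by email. Please process an
urgent wire transfer to the new supplier today and keep this confidential until
the deal is announced. Reply to this message with confirmation.
"""
BENIGN_MESSAGE = """\
From: "Bob Smith" <bob.smith@acme-supplier.example>
To: accounts@yourcompany.com
Subject: Invoice 4471 submitted through the portal
Content-Type: text/plain; charset="utf-8"

Invoice 4471 has been uploaded to the supplier portal as usual. Nothing is
needed beyond the normal approval cycle.
"""

if __name__ == "__main__":
    for raw in (SUSPICIOUS_MESSAGE, BENIGN_MESSAGE):
        score, findings = screen_message(raw)
        print(f"score={score}", *findings, sep="\n  ")
```

The weighting reflects the list above: header evidence (a mismatched Reply-To, a lookalike domain) is harder to explain away than a single urgent word, so it counts double, and the output is a list of findings a reviewer can read rather than a bare block decision. In production the allow-list would come from your partner directory and the score would feed a warning tag or a hold for callback verification rather than an automatic reject.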
Process Controls
- Establish strict verification procedures for payment changes and wire transfers.
- Implement a callback verification process using pre-established contact information.
- Create an incident response plan specifically for BEC attacks.
- Regularly audit and monitor email systems for suspicious activities.
Robust email security, domain authentication, account protection, content inspection, and user awareness must work together holistically. This integrated approach should leverage AI and machine learning capabilities to adapt to evolving threats while maintaining strong human oversight of critical financial processes.
Protect Against BEC Attacks
Here are a few tips to protect against BEC and EAC scams and keep organisations safe in the face of these increasingly common attacks:
- Be suspicious. Asking for clarification, forwarding an email to IT, or checking with a colleague is better than wiring hundreds of thousands of dollars to a fake company in China. Verify all unusual requests through established out-of-band communication channels.
- If something doesn’t feel right, it probably isn’t. Encourage employees to trust their instincts and ask, “Would my CEO actually tell me to do this?” or “Why isn’t this supplier submitting an invoice through our portal?” Document and share examples of real BEC attempts within your organisation to help employees recognise similar patterns.
- Slow down. Attackers often time their campaigns around our busiest periods of the day for good reason. If a human resources manager quickly scans through emails, they are less likely to pause and consider whether a particular request is suspect. Create standardised procedures that require mandatory cooling-off periods for urgent financial requests.
Enhanced Security Protocols
- Implement dual-control approval processes for financial transactions above a certain threshold.
- Establish clear communication protocols for executive requests, especially those involving financial transactions or sensitive data.
- Run regular security awareness training that includes simulated BEC attacks and real-world examples.
Employee Training Best Practices
- Conduct role-specific training focusing on departments most targeted by BEC attacks (Finance, HR, Executive Assistants).
- Use micro-learning sessions and periodic refresher courses to maintain awareness.
- Create a clear escalation path for reporting suspicious emails and requests.
Technology Integration
- Deploy AI-powered email security solutions that can detect subtle changes in communication patterns.
- Implement automated flagging systems for high-risk keywords and unusual request patterns.
- Test security controls regularly through red team exercises and penetration testing.
Future Trends in BEC Attacks
The evolution of BEC attacks is rapidly accelerating, driven by technological advancements and changing business practices. Several key trends are emerging that will shape the threat landscape:
AI-Powered Sophistication
The integration of generative AI in BEC attacks is transforming the threat landscape, with 40% of BEC emails now being AI-generated. These tools enable attackers to create highly personalised, grammatically perfect communications that are increasingly difficult to distinguish from legitimate messages.
Multi-Channel Attack Expansion
BEC attacks are evolving beyond email to incorporate sophisticated social engineering tactics across multiple communication channels. Attackers are using AI-generated voice cloning for video calls and integrating QR codes to bypass traditional email security measures.
Vendor Ecosystem Exploitation
The rise of Vendor Email Compromise (VEC) represents a significant emerging threat, with 41% of organisations experiencing weekly VEC attacks. This trend particularly impacts industries with complex supply chains, such as retail and construction sectors, where nearly 70% of businesses have experienced at least one VEC attack.
Advanced Conversation Hijacking
The future of BEC attacks includes more sophisticated conversation-hijacking techniques, which have shown a 70% increase in recent periods. These attacks involve criminals monitoring and inserting themselves into ongoing email threads, making detection increasingly challenging.
Automated Attack Scaling
Combining AI tools and social engineering enables attackers to dramatically scale their operations. What once took weeks of preparation can now be accomplished in hours, allowing cyber criminals to launch more sophisticated attacks at unprecedented levels.
To prepare for these evolving threats, organisations must focus on implementing AI-driven defence systems that detect behavioural anomalies rather than relying on traditional rule-based security measures. The future of BEC defence will require a combination of advanced technology and enhanced human awareness to combat these increasingly sophisticated attack methods.
Takeaway
Business Email Compromise represents one of the most significant cybersecurity challenges facing organisations today, combining advanced social engineering with cutting-edge technology to create increasingly convincing attacks. As BEC schemes continue to evolve, incorporating AI-generated content, voice cloning, and multi-channel approaches, organisations must adapt their security strategies to address these emerging threats while maintaining robust protection against traditional attack vectors.
The key to effective BEC defence lies in implementing a comprehensive, multi-layered security approach that combines advanced technical controls with enhanced user awareness and training. By staying informed about emerging threats, maintaining strong security protocols, and partnering with experienced cybersecurity providers like Proofpoint, organisations can better protect themselves against the financial and reputational damage BEC attacks can cause.
How Proofpoint Can Help
Proofpoint’s multi-layered email security platform delivers unmatched protection against business email compromise attacks through advanced AI-powered detection, real-time threat intelligence, and automated remediation capabilities. This powerful solution analyses over 200 behavioural signals to identify and stop sophisticated impersonation attempts, malicious URLs, and social engineering tactics before they reach your users.
With Proofpoint’s integrated defence approach, organisations gain comprehensive visibility into their email threat landscape while protecting their most targeted employees through adaptive controls and automated quarantine features. Proofpoint combines advanced technology with contextual warning tags and user awareness tools, enabling businesses to build a robust defence against evolving BEC threats while maintaining operational efficiency.