
BEC Attacks: How They Work and How to Prevent Them

Posted at: 02.28.2025 in category: Top Stories
Understand what BEC attacks are, how they work, and what to look out for in your business.


Business Email Compromise (BEC) attacks are one of the most financially devastating cyber threats out there. BEC scams manipulate a person’s trust, and use email to trick them into transferring funds or giving away sensitive information.

Companies of any size can be targeted, so understanding how BEC attacks work is crucial to preventing financial and reputational damage.

What is a BEC Attack?

A Business Email Compromise (BEC) attack is a type of cybercrime. Cybercriminals impersonate someone the victim trusts – a CEO, vendor, lawyer, or business partner – to trick an employee into making a fraudulent payment or providing sensitive data. Unlike traditional phishing attacks that rely on mass emails and malware, BEC attacks are highly targeted and usually don’t contain malicious links or attachments. This makes them more difficult to detect.

To pull off BEC attacks, cybercriminals use psychological deception techniques including extensive research, social engineering, and email spoofing. Common BEC scam tactics include sending fake invoices, impersonating a high-ranking executive, and asking an employee to change a vendor’s banking details. Since BEC attacks rely on human error rather than malware, they can often get through email security filters.

BEC Attack Meaning

The damage from a BEC attack can be catastrophic, and some companies never recover. The U.S. Federal Bureau of Investigation (FBI) reports that BEC scams cost businesses more than $55 billion from 2013 to 2023. And according to IBM, BEC scams are the second most expensive type of security breach, costing companies nearly $5 million per attack on average.

How BEC Attacks Work

BEC attacks are growing more complex and draw on an ever-wider array of tactics. However, these crimes generally unfold in a recognizable sequence:

Step 1: Research

Attackers gather information about the target using publicly available sources (LinkedIn, company websites, social media, etc.). They identify key employees involved in financial transactions and learn their communication patterns.

Step 2: Compromising or Spoofing Emails

Cybercriminals either hack into a legitimate email account or create a lookalike email address that resembles a trusted contact.

  • Account compromise: Gaining access to a real executive’s or vendor’s email account through phishing or credential theft.

  • Email spoofing: Creating an email that looks like it’s from a real person, but it’s actually coming from a spoofed domain that closely resembles the real one. Example: jane.doe@yourcompany.com (real) vs. jane.doe@yourc0mpany.com (spoofed).

Step 3: Manipulation

Attackers write convincing emails that request an urgent action such as transferring funds, changing payment details, or sharing sensitive data. These messages often use:

  • Authority: Impersonating high-ranking executives to exploit a person’s natural tendency to comply with authority figures.

  • Urgency: Insisting that something needs to be done immediately to lessen the chance of scam detection.

  • Secrecy: Requesting discretion or that the recipient avoid contact with the impersonated sender. For example, writing "I’m in a meeting, so don’t call me right now" to discourage communication with the real person.

Step 4: Fraud Execution

If the target falls for the scam, they unknowingly transfer funds to the attacker's bank account or share confidential information.

Step 5: Monetization and Cover-up

Attackers quickly move the stolen funds to offshore accounts or convert them into cryptocurrency, making recovery difficult. In some cases, they may continue manipulating the victim for extended periods of time, extracting as much money as possible before being detected.

BEC Attack Identifiers

While BEC attacks can be highly sophisticated, there are usually subtle clues that give away the scam. Recognizing these indicators can help prevent becoming a victim:

  • Unusual Email Addresses: The sender’s email address may have minor misspellings or domain alterations. For example, @company.com vs. @cornpany.com.

  • Urgent or Confidential Requests: Emails that pressure employees to act quickly without verifying the request.

  • Changes in Communication Style: Messages that deviate from the sender’s typical tone, grammar, or email structure.

  • Requests to Change Payment Information: Sudden updates to vendor bank details without prior notice.

  • Emails from Traveling Executives: Impersonation of a CEO or CFO claiming to be unreachable by phone and demanding immediate wire transfers.

  • Unusual Payment Instructions: Requests for payments to new accounts, offshore banks, or via cryptocurrency.
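The lookalike domains in Step 2 and in the first identifier above (yourc0mpany.com, cornpany.com) can be caught mechanically before a human has to spot them. The following is an added example, not code from the original article: it normalizes visually confusable characters and measures edit distance against a constructed list of trusted domains (an assumption; a real deployment would load the organisation's own list).

```python
# Constructed list of domains the organisation actually trusts (assumption).
TRUSTED_DOMAINS = {"yourcompany.com", "company.com", "vendor-supplies.com"}

# Character sequences that look alike in many fonts and are swapped to build
# lookalike domains: digit-for-letter and two-letters-for-one substitutions.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
              "rn": "m", "vv": "w", "cl": "d"}


def normalize(domain: str) -> str:
    """Collapse confusable characters so 'cornpany' and 'yourc0mpany'
    map onto the spelling they imitate. Applied to both sides of every
    comparison, so legitimate domains containing 'rn' are unaffected."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Standard edit distance (insert/delete/substitute), one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: address.
    'lookalike' is the case worth routing to manual verification."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    # A trusted name used as a subdomain of some other registrable domain.
    if any(domain.startswith(t + ".") for t in TRUSTED_DOMAINS):
        return "lookalike"
    norm = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(norm, normalize(trusted)) <= 1:
            return "lookalike"
    return "unknown"
```

Running the sender's domain through this on inbound mail that mentions payments or bank details gives a cheap, explainable first-pass flag; it does not replace the out-of-band verification the article recommends.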

What to Look Out for When Working at a Small Business

Small businesses are particularly vulnerable to BEC attacks because they typically have fewer security controls and less cybersecurity education. Employees at small companies should be extra cautious about:

  • Emails requesting financial transactions: Always verify payment changes via phone or in person.

  • Overly formal or poorly worded emails: Attackers often struggle to mimic a person’s authentic communication style.

  • Lack of secondary verification: Small businesses should implement dual-approval for financial transactions.

  • Unusual timing: Emails sent at odd hours may indicate a compromised account.

Real-World Examples and Attacks

BEC attacks have caused billions of dollars in financial losses worldwide. Here are some notable cases of successful BEC scams:

  1. Google and Facebook – $121 Million Loss: One of the most famous BEC attacks occurred between 2013 and 2015, when Lithuanian cybercriminal Evaldas Rimasauskas tricked employees at Google and Facebook into wiring over $100 million to him by posing as a legitimate vendor. Rimasauskas eventually pleaded guilty to his crimes and was sentenced to five years in prison.

  2. Toyota – $37 Million Loss: The Toyota Boshoku Corporation, a subsidiary of the Toyota Motor Corporation, was defrauded out of $37 million in 2019 when attackers tricked an employee into changing the account information on an electronic funds transfer.

  3. City of Lexington, Kentucky – $4 Million Loss: Governments fall victim to BEC attacks as well. In 2022, Lexington officials discovered that funds sent to a nonprofit were not actually being received by the organization. A BEC scammer had tricked an employee into changing the nonprofit’s bank account information to instead direct money to a private account.

How to Prevent BEC Attacks

The chances of recovering funds after a BEC attack are slim. A better approach is to focus on preventing these cybercrimes before they happen.

  1. Employee Training and Awareness: BEC attacks depend on human error, so the most important step you can take is to provide training to help employees recognize BEC attack attempts.

  2. Email Security Measures: Use email filters and authentication protocols (such as SPF, DKIM, and DMARC) to prevent email spoofing. These tools can help keep BEC attack attempts from reaching employees.

  3. Strict Financial Transaction Rules: Require multi-person approval for financial transactions and always verify payment changes via phone call or in-person confirmation, not just over email.

  4. Strong Email Access Controls: Enforce multi-factor authentication (MFA) for company email accounts and regularly update and monitor employee access privileges.

  5. BEC Attack Response Planning: Create a BEC attack response plan to minimize damage if an attack occurs. Report the crime to the appropriate authorities as quickly as possible – the Internet Crime Complaint Center (IC3) in the U.S. or ActionFraud in the U.K.

A combination of employee training, email security, verification processes, and strict access controls can significantly reduce a company’s risk of falling victim to a BEC attack. Awareness is the first line of defense. Stay informed, stay vigilant, and make sure your employees do too.

Want more information on how to protect your company against cyberthreats? Read this article next: Preventing Data Breaches and Staying Secure Online
