Business Email Compromise (BEC) is one of the most financially devastating cyberattack categories — the FBI reports billions in losses annually. Unlike ransomware (which is loud and obvious), BEC attacks are quiet, targeted, and social: attackers manipulate employees into sending wire transfers, gift cards, or sensitive data through convincing email impersonation. No malware required — just a convincing email and a targeted employee.
BEC Attack Types
CEO Fraud (Executive Impersonation)
The classic BEC attack: an attacker impersonates a CEO or senior executive, sending an urgent wire transfer request to a finance employee.
Example:
From: john.smith@company.co (not company.com; one character off)
To: sarah@company.com (finance)
Subject: Urgent - Confidential Wire Transfer
Sarah, I’m in a board meeting and need you to process an urgent wire transfer of $48,000 to close an acquisition. This is time-sensitive and confidential — please process immediately and I’ll explain when I’m out of the meeting. Do not discuss with anyone.
Best,
John Smith
CEO
The urgency, confidentiality request, and authority figure combination override normal verification instincts.
Invoice Fraud
Attackers compromise a vendor’s email account (or spoof it convincingly) and send a legitimate-looking invoice with modified bank details:
From: billing@vendor.com (compromised or spoofed)
Please note our bank details have changed effective this quarter. Please update your records and use the new account for payment of invoice #4521.
The next payment goes to the attacker instead of the vendor.
Payroll Diversion
Targeting HR or payroll:
From: employee@company.com (compromised account)
To: hr@company.com
I need to update my direct deposit information. Please change my account to [attacker-controlled account] effective next pay period.
Attorney/Legal Impersonation
Impersonating a law firm or legal counsel requesting confidential information, urgent transfers, or sensitive documents related to a (fictitious) legal matter.
Data Exfiltration Variants
Not always about money: some BEC targets W-2 tax forms, employee PII, or M&A documents — valuable for identity theft or corporate espionage.
How Attackers Execute BEC
Reconnaissance
Before attacking, adversaries research:
- Company org charts (LinkedIn, company website)
- Executive names and email formats (firstname.lastname@company.com)
- Upcoming events: board meetings, acquisitions, tax season — timing attacks to plausible contexts
- Employee names in finance, HR, or executive support roles
Domain Spoofing Techniques
- Lookalike domains: company.co vs. company.com (one character dropped), cornpany.com vs. company.com (the letters r and n read as m at a glance)
- Subdomain abuse: company.com.attacker-domain.com; the address starts with company.com, but the registered domain is attacker-domain.com, which the attacker controls
- Display name spoofing: From: “John Smith CEO” <random-email@gmail.com>; many email clients, mobile ones in particular, show only the display name and hide the address
Account Compromise
The most convincing BEC comes from genuinely compromised accounts. An attacker with access to the CEO’s real mailbox sends mail that passes every authentication check, replies inside existing threads, and reads the responses; they commonly add inbox rules that move or delete replies so the real account owner never sees the exchange.
Initial access often comes via credential stuffing, spear phishing for passwords or session tokens (adversary-in-the-middle phishing kits defeat MFA that is not phishing-resistant), or exploiting public-facing apps.
Real-World Impact
- Average BEC loss per incident: $125,000+ (FBI IC3 2023 report)
- Total US losses: $2.9 billion annually (FBI IC3)
- Manufacturing company: $8M wire transfer lost — one email from “CFO” to finance employee
- City of Murfreesboro, TN: $6.7M in fraudulent wire transfers
Detection: Red Flags
Employees handling payments or sensitive data should recognize:
- Unusual urgency: “Do this immediately”, “can’t explain now”, “time-sensitive”
- Requests for secrecy: “Don’t tell anyone”, “this is confidential”
- Changed payment details: Vendor changed bank account info
- Unusual requests from executives: CEO asking directly for a wire transfer (shouldn’t bypass normal processes)
- Reply-to address differs from From address: Replies go to attacker-controlled address
- Slight email address differences: Scrutinize sender domain carefully
- Requests outside normal procedure: Any payment request that bypasses established approval workflows
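The header and wording checks above (lookalike and homoglyph domains, subdomain abuse, an executive’s name on an external address, a Reply-To that differs from From, urgency and secrecy language) can be scripted for mail triage. The following is an added example, not code from the original article or from any mail product: the protected domain, the executive names, the homoglyph table and every sample message are constructed for the example, and the registered-domain helper naively takes the last two labels instead of consulting the public-suffix list.

```python
"""Header and wording red-flag checks for BEC triage.

Added example, not code from the original article. The protected domain,
the executive names, the homoglyph table and every sample message below
are constructed for the example.
"""
import re
from email.utils import parseaddr

PROTECTED_DOMAIN = "company.com"           # assumption: the organisation's own domain
EXECUTIVES = {"john smith", "jane doe"}    # assumption: display names worth protecting

# Character runs that pass for another character in common fonts
# (deliberately small; a production list is longer and Unicode-aware).
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l"}

# Wording the red-flag list calls out, grouped by the flag it raises.
LANGUAGE = {
    "urgency": ("urgent", "immediately", "time-sensitive", "asap", "can't explain now"),
    "secrecy": ("confidential", "do not discuss", "don't tell", "keep this between"),
    "payment-change": ("wire transfer", "bank details", "direct deposit",
                       "new account", "gift card"),
}


def registered_domain(domain: str) -> str:
    """Last two labels only (assumption: no public-suffix list, so co.uk-style TLDs are wrong)."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else domain.lower()


def normalize_homoglyphs(domain: str) -> str:
    """Fold look-alike runs so cornpany.com and c0mpany.com compare equal to company.com."""
    d = domain.lower()
    for look, real in HOMOGLYPHS.items():
        d = d.replace(look, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one-character-off domains such as company.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_red_flags(msg: dict) -> list:
    """Return the red flags raised by one message given as a dict of headers plus 'Body'."""
    flags = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reg = registered_domain(from_domain)

    if reg != PROTECTED_DOMAIN:                     # external sender: look for impersonation
        if normalize_homoglyphs(reg) == PROTECTED_DOMAIN:
            flags.append("homoglyph-domain")        # cornpany.com, c0mpany.com
        elif levenshtein(reg, PROTECTED_DOMAIN) <= 2:
            flags.append("lookalike-domain")        # company.co
        if from_domain.startswith(PROTECTED_DOMAIN + "."):
            flags.append("subdomain-abuse")         # company.com.attacker-domain.com
        name = re.sub(r"[^a-z ]+", " ", display.lower())
        if any(exec_name in name for exec_name in EXECUTIVES):
            flags.append("executive-display-name-external")

    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("reply-to-mismatch")           # replies go somewhere else

    text = (msg.get("Subject", "") + " " + msg.get("Body", "")).lower()
    for label, phrases in LANGUAGE.items():
        if any(p in text for p in phrases):
            flags.append(label)
    return flags


# Constructed sample messages modelled on the scenarios in the article.
SAMPLES = {
    "ceo_fraud": {"From": "John Smith <john.smith@company.co>", "To": "sarah@company.com",
                  "Subject": "Urgent - Confidential Wire Transfer",
                  "Body": "I'm in a board meeting and need you to process an urgent wire "
                          "transfer of $48,000. Do not discuss with anyone."},
    "display_name": {"From": '"John Smith CEO" <random-email@gmail.com>',
                     "Subject": "Quick favor",
                     "Body": "Are you at your desk? I need a quick favor, reply ASAP."},
    "subdomain": {"From": "it-support@company.com.attacker-domain.com",
                  "Subject": "Mailbox quota exceeded",
                  "Body": "Your mailbox will be locked unless you confirm your password immediately."},
    "invoice": {"From": "billing@vendor.com", "Reply-To": "billing@vendor-accounts.net",
                "Subject": "Invoice #4521",
                "Body": "Please note our bank details have changed effective this quarter. "
                        "Please update your records and use the new account for payment."},
    "legit": {"From": "Jane Doe <jane.doe@company.com>", "Subject": "Thursday 1:1",
              "Body": "Can we move our 1:1 to Thursday afternoon?"},
}


def triage(samples: dict = SAMPLES) -> dict:
    """Run every sample and map its name to the flags it raised."""
    return {name: bec_red_flags(msg) for name, msg in samples.items()}


if __name__ == "__main__":
    for name, flags in triage().items():
        print(f"{name:13s} {flags or 'no flags'}")
```

None of these flags is proof of fraud on its own; the point of scoring them together is that a wire-transfer request combining an external lookalike sender, an executive display name, and urgency plus secrecy wording should be routed to the callback procedure rather than to the person it was addressed to.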
Organizational Defenses
Technical Controls
Email authentication (SPF, DKIM, DMARC): stops exact-domain spoofing. With a DMARC policy of p=reject, receivers that enforce DMARC refuse mail whose From header claims your domain unless SPF or DKIM passes for a domain aligned with it. Three caveats: it protects only your own domain (lookalike domains, display-name spoofing and mail from compromised accounts all pass DMARC), it only works at receivers that check it, and moving to p=reject before every legitimate third-party sender signs with your DKIM key or is listed in your SPF will bounce your own mail, so move from p=none through p=quarantine while reading the aggregate (rua) reports.
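To make the alignment rules and the caveats concrete, here is an added example of how a receiver turns a DMARC record plus SPF and DKIM results into a disposition. It is not code from the article or from any mail product: the DNS table is constructed (a real receiver queries the _dmarc.<domain> TXT record; the gmail.com entry is a stand-in, not Google’s real record), the organisational domain is taken as the last two labels instead of using the public-suffix list, and the sp= and pct= tags are not modelled.

```python
"""DMARC disposition for constructed message scenarios.

Added example, not code from the original article or any mail product.
The DNS table is constructed (a real receiver queries _dmarc.<domain> TXT);
the organisational domain is the last two labels, an assumption that
ignores the public-suffix list; sp= and pct= are not modelled.
"""

# The weak monitoring-only policy beside the enforcing one (constructed records).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@company.com"
STRONG_RECORD = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@company.com"

DNS = {  # assumption: what _dmarc.<domain> would return
    "company.com": STRONG_RECORD,
    "company.co": "v=DMARC1; p=reject",     # the attacker's lookalike, with its own policy
    "gmail.com": "v=DMARC1; p=none",        # constructed stand-in, not Google's record
}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict and apply the RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: %r" % record)
    tags.setdefault("p", "none")    # a record without p is treated as monitoring-only here
    tags.setdefault("adkim", "r")   # relaxed alignment unless the record says strict
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organisational domain (assumption: last two labels)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record: str, from_domain: str, spf_result: str, spf_domain: str,
             dkim_result: str, dkim_domain: str) -> str:
    """Return 'pass', or the policy the From domain requested for failing mail."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags["adkim"])
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


def disposition(from_domain: str, spf_result: str, spf_domain: str,
                dkim_result: str = "none", dkim_domain: str = "") -> str:
    """Look the From domain (then its org domain) up in the constructed DNS table."""
    record = DNS.get(from_domain.lower()) or DNS.get(org_domain(from_domain))
    if record is None:
        return "none"               # no policy published: receiver applies none
    return evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain)


if __name__ == "__main__":
    # Exact-domain spoof: attacker's server passes SPF for its own domain only.
    print("spoof, p=reject :", disposition("company.com", "pass", "attacker-domain.com"))
    print("spoof, p=none   :", evaluate(WEAK_RECORD, "company.com", "pass",
                                        "attacker-domain.com", "none", ""))
    # Legitimate mail from the organisation's own servers.
    print("own servers     :", disposition("company.com", "pass", "company.com",
                                           "pass", "company.com"))
    # Third-party sender: aligned only if it signs with the organisation's DKIM key.
    print("saas, dkim ok   :", disposition("company.com", "pass", "bulk-mailer.example",
                                           "pass", "company.com"))
    print("saas, no dkim   :", disposition("company.com", "pass", "bulk-mailer.example",
                                           "pass", "bulk-mailer.example"))
    # Lookalike and display-name spoofing authenticate fine: it is the attacker's domain.
    print("lookalike       :", disposition("company.co", "pass", "company.co"))
    print("display name    :", disposition("gmail.com", "pass", "gmail.com",
                                           "pass", "gmail.com"))
```

The two "saas" lines are the case to check before switching to p=reject: a bulk mailer that sends on your behalf but signs with its own DKIM domain will see your legitimate mail rejected, while the lookalike and display-name lines show that DMARC never sees the attack at all when the attacker uses a domain they control.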
Anti-spoofing rules: Configure your email gateway (Microsoft 365, Google Workspace) to flag or quarantine emails where the display name includes executive names but the sending domain is external or suspicious.
External email banners: Add a banner to every message from outside the organization: “EXTERNAL: This email originated outside [Organization]”. It makes a lookalike domain or a Gmail address behind an executive’s display name visible at a glance. It does nothing against a compromised internal account or vendor mailbox, and staff stop noticing it if every routine external message carries it, so keep it for what it catches and do not rely on it alone.
Process Controls
Callback verification: Mandatory phone verification (to a known number, not one in the email) for any wire transfer request over a threshold amount — no exceptions for “urgency.”
Dual authorization: Wire transfers require approval from two separate individuals.
Out-of-band verification: New banking information from vendors must be verified via a known phone number before updating records.
Invoice approval workflows: Changes to vendor payment details require formal approval through the financial system, not email alone.
Training and Awareness
Regular training specifically covering BEC scenarios — not just generic phishing awareness. Teach employees to:
- Question urgency
- Verify payment changes through known contacts
- Report suspicious emails without fear of criticism
BEC succeeds because it exploits authority and urgency — psychological manipulation more than technical exploitation. Combined technical and procedural controls are the only effective defense.