Business email compromise (BEC) is a form of phishing in which cybercriminals impersonate or gain access to email accounts in order to pose as senior executives, employees, or trusted vendors. These attacks are designed to trick employees into authorizing fraudulent wire transfers, making unauthorized purchases, or disclosing sensitive financial information.
The impact of BEC attacks is significant. The FBI’s Internet Crime Complaint Center (IC3) has reported billions of dollars in total losses globally over recent years, making it one of the costliest forms of cybercrime. Attackers often exploit moments of disruption or urgency — such as major business changes or global crises — to increase the likelihood of success.
7 Common BEC Attack Patterns
BEC groups are master manipulators who use clever social engineering ploys to throw email recipients off kilter just long enough to respond to an email request before ever thinking to confirm its legitimacy. The FBI warns businesses to be on the lookout for red flags that include:
- Payment Fraud: Last-minute emails, often sent late in the day, appearing to come from a senior executive who's "traveling" or "stuck in a Zoom meeting" and needs help with a favor: an urgent purchase or payment to a new vendor.
- Payroll Diversion: Attackers target HR or accounting personnel by posing as employees in emails requesting last-minute changes to direct deposit details in time for the next pay period.
- Vendor Email Compromise: Fraudsters use stolen credentials to infiltrate corporate email accounts, spy on email conversations, and then impersonate the organization's employees in emails requesting that payment for invoices be sent to bank accounts the imposters secretly control.
- Gift Card Scams: Fraudsters impersonate senior managers asking admins and other employees to purchase gift cards for upcoming staff appreciation efforts. In these cons, perpetrators request the gift card number and the PIN on the back of the cards, which can then be sold in online cryptocurrency exchanges.
- Aging Financial Accounts Scams: Here, cybercriminals assume the identity of a senior executive seeking aging accounts receivable reports from one company, then use the information gleaned from those reports to target that company's customers with requests for payment on legitimate, past-due invoices.
- Transaction Diversion: Shysters infiltrate email accounts at VC firms, law offices, real estate offices, or other organizations involved in large transactions to surveil email conversations. At the most opportune moment, they send an email instructing the purchasing entity to wire funds to the thieves' own accounts.
- Advance Payment Schemes: Con artists masquerading as new or existing partners or vendors suddenly request advance payment on goods or services for which it was not previously required.
Top Identity Deception Techniques
Recognizing incoming attacks can be very difficult, thanks to the sophisticated identity deception techniques used to fool recipients.
- BEC phishing messages sent from Office 365 and Gmail can easily evade detection due to the reputation and ubiquity of these cloud-based platforms.
- Lookalike domains can be nearly indistinguishable from legitimate domains.
- Messages sent from compromised email accounts (sometimes called email account compromise) can be virtually impossible to detect, especially since most employee-to-employee email isn't even scanned.
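The lookalike-domain technique above can be checked mechanically at the mail gateway or in a SOC triage script. The following is an added example, not code from the original article or from Fortra: it folds a sender domain into a "skeleton" (accents stripped, digit and letter-pair homoglyphs such as 1/l and rn/m collapsed) and compares it against a list of domains the organization trusts. The trusted domains and the sample senders are constructed for the illustration; the tiering (homoglyph, one-edit typo, brand label embedded in another domain) is a generalization of the single case the text mentions.

```python
"""Classify a sender domain against a set of trusted domains.

Added illustration for the "lookalike domains" deception technique.
TRUSTED_DOMAINS and every sample sender here are constructed values.
"""
import re
import unicodedata

# Constructed: domains this organization treats as its own or as known vendors.
TRUSTED_DOMAINS = ("example.com", "example-payments.com")

# Single characters that read like letters at a glance (0/o, 1/l, 3/e, 5/s).
DIGIT_HOMOGLYPHS = str.maketrans("0135", "oles")
# Letter pairs that render like one letter in many proportional fonts.
SEQUENCE_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize_domain(domain: str) -> str:
    """Lower-case, trim dots, and decode punycode (xn--) labels to Unicode."""
    d = domain.strip().strip(".").lower()
    try:
        d = d.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode (or not valid IDNA); keep as-is
    return d


def skeleton(domain: str) -> str:
    """Reduce a domain so visually similar strings compare equal."""
    d = normalize_domain(domain)
    # NFKD splits an accented letter into base letter + combining mark; drop the mark.
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.translate(DIGIT_HOMOGLYPHS)
    for seq, rep in SEQUENCE_HOMOGLYPHS:
        d = d.replace(seq, rep)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), classic dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return trusted, subdomain-of-trusted, lookalike:<kind>, or unrelated."""
    d = normalize_domain(domain)
    sk = skeleton(d)
    if d in trusted:
        return "trusted"
    if any(d.endswith("." + t) for t in trusted):
        return "subdomain-of-trusted"
    # Tier 1: identical after homoglyph folding (examp1e.com, exarnple.com, exámple.com).
    if any(sk == skeleton(t) for t in trusted):
        return "lookalike:homoglyph"
    # Tier 2: one edit away from a trusted domain (exmple.com, example.co).
    if any(edit_distance(sk, skeleton(t)) <= 1 for t in trusted):
        return "lookalike:typo"
    # Tier 3: the trusted brand label appears as a whole label or hyphenated
    # segment inside an otherwise unrelated domain (example.com.login-portal.net).
    for t in trusted:
        label = re.escape(skeleton(t).split(".")[0])
        if re.search(rf"(^|[.-]){label}([.-]|$)", sk):
            return "lookalike:embedded"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample senders for a quick run.
    for sender in ("example.com", "billing.example.com", "examp1e.com", "exarnple.com",
                   "exámple.com", "example.co", "example.com.login-portal.net", "vendor.net"):
        print(f"{sender:32} -> {classify_sender_domain(sender)}")
```

Anything classified as a lookalike is a candidate for quarantine or a visible banner rather than outright rejection, since a one-edit match against a short trusted label will also catch legitimate but unrelated domains; the tier name tells the analyst which heuristic fired.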
In the past, many BEC cases might have involved a malicious link to a phishing site or a malware-infected download, which traditional email security controls can spot a mile away. Today, the most successful BEC attacks often leverage blended attack modalities combined with context-accurate information that most recipients would assume could only be known by the party being impersonated. This can include:
- Sensitive intel gathered from ongoing and archived email conversations in compromised email accounts.
- Accounts receivable reports acquired in one email attack that are then used to scam others.
- Info from out-of-office reply emails, including key contact details and responsibilities in the person's absence.
How Can BEC Attacks Be Stopped?
There is no one cure-all defense that organizations can deploy to eliminate the threat posed by BEC attacks. A multi-layered approach is required to outsmart these scams. Key steps organizations can take:
- Tighter accounting controls: Stricter and more formalized accounting controls should be put in place to verify the legitimacy of payment requests and payment approvals.
- Multi-Factor Authentication (MFA): Requiring MFA to log into email accounts reduces the likelihood that fraudsters can compromise accounts from which to launch attacks against other employees or customers.
- Identity-based Anti-Phishing Controls: Modern, identity-based phishing defenses capable of recognizing BEC in all its forms, including attacks launched from compromised accounts or spoofed within cloud-based email environments.
- DMARC-based Protection: Deploying domain-based message authentication, reporting, and conformance (DMARC) can help reduce the chances an organization's own domains can be weaponized against them by impersonators targeting employees. Some forward-leaning companies are making this a requirement for business partnerships.
- Phishing Awareness Training: Business email compromise training can help employees be vigilant against common BEC tactics and foster healthy skepticism about the legitimacy of requests that can signal fraud.
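DMARC only helps if the published policy actually instructs receivers to reject or quarantine mail that fails authentication; a record left at p=none is monitoring, not protection. The following added example (not code from the article or from Fortra) parses a DMARC TXT record, the kind published at `_dmarc.<domain>`, and grades it, showing a weak monitor-only record beside an enforcing one. The two records and the mailbox addresses in them are constructed; the tag names (v, p, sp, pct, rua, adkim, aspf) are the standard DMARC tags from RFC 7489.

```python
"""Parse and grade a DMARC TXT record.

Added illustration for the DMARC-based protection step; the two sample
records at the bottom are constructed, not taken from any real domain.
"""

ENFORCING_POLICIES = ("quarantine", "reject")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; raise ValueError on a malformed pair."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Return the policy, an overall grade, and a list of weaknesses found."""
    tags = parse_dmarc(record)
    findings = []

    # RFC 7489: the record must begin with v=DMARC1 or receivers ignore it entirely.
    version_ok = tags.get("v") == "DMARC1" and record.strip().lower().startswith("v=dmarc1")
    if not version_ok:
        findings.append("v=DMARC1 missing or not first; receivers will ignore the record")

    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag; the record is invalid")
    elif policy == "none":
        findings.append("p=none: mail that fails DMARC is still delivered, so the domain stays spoofable")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail lands in spam instead of being rejected")
    elif policy != "reject":
        findings.append(f"unknown policy {policy!r}")

    # sp= governs subdomains and defaults to p=; a weaker sp= leaves subdomains open.
    sub_policy = tags.get("sp", policy)
    if policy in ENFORCING_POLICIES and sub_policy not in ENFORCING_POLICIES:
        findings.append("sp= is weaker than p=: subdomains remain spoofable")

    # pct= applies the policy to only a sample of failing mail; 100 is the default.
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
        findings.append("pct= is not an integer")
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")

    # Without rua= the domain owner receives no aggregate reports and cannot see abuse.
    if "rua" not in tags:
        findings.append("no rua=: no aggregate reports, so spoofing attempts go unseen")

    if not version_ok or policy not in ("none",) + ENFORCING_POLICIES:
        grade = "invalid"
    elif policy == "none":
        grade = "monitor-only"
    elif policy == "reject" and sub_policy == "reject" and pct == 100:
        grade = "enforced"
    else:
        grade = "partial"
    return {"policy": policy, "grade": grade, "findings": findings}


# Constructed records: the weak setting and the hardened setting for the same domain.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc-rua@example.com")

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        result = assess_dmarc(rec)
        print(f"{label}: grade={result['grade']}")
        for f in result["findings"]:
            print(f"  - {f}")
```

Moving from the weak record to the hardened one is normally staged: publish p=none with rua= first to learn which legitimate senders fail SPF or DKIM alignment, fix them, then step through p=quarantine (optionally with a low pct=) to p=reject. The grade above is meant to make that progress visible in a single check.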
The goal of these measures is to prevent BEC attacks from ever reaching employee inboxes and to eliminate weaknesses in accounting workflows and internal communications that attackers can exploit if they bypass initial defenses.
What's the Best Way to Recover from a BEC Attack?
Cybercriminals send millions of malicious emails every minute, and even with strong defenses and BEC training in place, it is unrealistic to assume that every attack will be fully prevented. Some threats will inevitably bypass initial security controls.
While many organizations allow employees to report suspicious emails, a significant portion of those reports — up to 60% in some cases — are false positives. This can overwhelm security operations center (SOC) teams and make it harder to prioritize real threats.
Data from Fortra indicates organizations using advanced phishing response workflows can detect and remediate substantially more verified malicious emails than those relying solely on employee reporting.
If a BEC attack is successful, organizations should act quickly. This includes contacting their financial institution immediately to request a funds recall if possible and reporting the incident to the FBI's Internet Crime Complaint Center (IC3).