What is Business Email Compromise (BEC)?


Business Email Compromise (BEC) is a type of fraud in which a criminal either takes over a genuine business email account or sends messages that appear to come from one, so that a request looks as though it comes from a trusted colleague, executive or supplier.

The account is typically compromised through phishing, credential theft or other social engineering. Once inside, the attacker uses it to make requests such as fraudulent wire transfers or changes to a supplier's bank details.

The main difference between BEC and other types of phishing is that the messages usually carry no malware and often no malicious link at all, just a plausible request. Filters that rely on spotting malicious attachments or URLs therefore have nothing to catch unless they are also tuned to detect sender impersonation.

Over 6,000 UK businesses are targeted by a business email compromise (BEC) attack each month.

5 Examples of Business Email Compromise 

Most BEC attacks are a variation of one of five patterns:

1. False Invoice Schemes

In these scams, a cybercriminal will take over the employee email account used to process invoice payments and fund transfers. The attacker will then use the account to ask another employee to transfer the funds or pay an invoice to the fraudster’s account.

2. CEO Fraud

A cybercriminal compromises or spoofs the email account of a CEO or business owner and uses it to pressure other staff into handing over money or sensitive information. The message is typically marked urgent and asks the recipient to make a transfer quickly and without the usual checks.

3. Account Compromise

In one of the most common BEC patterns, the attacker gains access to an employee's mailbox and mines its contact list for the company's vendors, partners and suppliers. The attacker then messages those contacts, often from the genuine account, asking for payments to be sent to a bank account the criminal controls.

4. Legal Impersonation

This is when an attacker impersonates a lawyer or legal representative, often citing a confidential or time-sensitive matter. Lower-level employees are commonly targeted because they may not have the knowledge or authority to question the validity of the request.

5. Data Theft

These attacks typically target HR employees in an attempt to obtain personal or sensitive information about individuals within the company, such as CEOs and executives. That data can then be used to make a later attack, such as CEO Fraud, more convincing.

Here’s an example of what a fraudulent email could look like. Note the slight variation in the email addresses.
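The variation to look for is usually in the sender's domain: a swapped or dropped letter, a digit standing in for a letter, or an "rn" where an "m" should be, often combined with a Reply-To pointing somewhere else entirely. The following is an added example, not code from the original article, showing how a mail gateway rule or a quick triage script can catch those tricks automatically. The trusted-domain list and both sample messages are constructed for illustration.

```python
"""Flag lookalike sender domains and Reply-To mismatches in an email's headers."""
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains this organisation legitimately exchanges invoices with.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.co.uk"}

# Characters that look alike in common fonts; collapsed before comparison.
SINGLE_CHAR_CONFUSABLES = str.maketrans({"0": "o", "1": "l", "5": "s", "3": "e"})
MULTI_CHAR_CONFUSABLES = {"rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    """Lower-case, strip accents from Latin letters (e.g. 'é' -> 'e'), and collapse
    confusable characters so visual lookalikes compare equal. Note this does NOT map
    other scripts (e.g. Cyrillic 'а') to Latin; analyse() flags those separately."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.translate(SINGLE_CHAR_CONFUSABLES)
    for src, dst in MULTI_CHAR_CONFUSABLES.items():
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small non-zero distance between two domains is a red flag."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str) -> str:
    """Return the domain of the first address in a header value ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2) -> str:
    """'trusted' for an exact match, 'lookalike' if the domain is confusable with or
    within max_distance edits of a trusted domain, otherwise 'unknown'."""
    if domain in trusted:
        return "trusted"
    norm = normalize(domain)
    for t in trusted:
        t_norm = normalize(t)
        if norm == t_norm or levenshtein(norm, t_norm) <= max_distance:
            return "lookalike"
    return "unknown"


def analyse(raw_message: str) -> list[str]:
    """Return the BEC indicators found in the message headers (empty list = none)."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = domain_of(msg.get("From"))
    if not from_domain:
        return ["From header missing or unparsable"]
    if any(ord(ch) > 127 for ch in from_domain):
        findings.append(f"non-ASCII characters in sender domain {from_domain!r}")
    if classify_domain(from_domain) == "lookalike":
        findings.append(f"sender domain {from_domain!r} is a lookalike of a trusted domain")
    reply_domain = domain_of(msg.get("Reply-To"))
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain!r} differs from From domain {from_domain!r}")
    return findings


# Constructed sample: CEO-fraud style message with an 'rn' for 'm' swap and a foreign Reply-To.
SAMPLE_FRAUD = """\
From: "Jane Doe, CFO" <jane.doe@exarnple-corp.com>
Reply-To: jane.doe.cfo@mail.example
To: accounts@example-corp.com
Subject: Urgent wire transfer before 5pm

Please process the attached invoice today. I am in meetings, reply by email only.
"""

# Constructed sample: the same sender from the genuine domain, no Reply-To.
SAMPLE_LEGIT = """\
From: "Jane Doe, CFO" <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Q3 invoice batch

Batch attached, same supplier as last quarter.
"""

if __name__ == "__main__":
    for name, raw in (("fraud", SAMPLE_FRAUD), ("legit", SAMPLE_LEGIT)):
        print(name, "->", analyse(raw) or ["no indicators"])
```

The edit-distance threshold of 2 is a judgement call: lower it if your trusted list contains short or similar domains, and treat a "lookalike" verdict as a reason to hold the message for human review rather than an automatic block, since genuine partners do occasionally change domains.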

How to Prevent BEC Attacks

Businesses can take some simple steps to prevent BEC from taking place. These include:

1. Raise awareness

Knowledge is power: educate your employees about the five types of BEC attacks. Use phishing simulations to teach employees how to identify BEC and phishing attempts. Deliver regular security awareness training and send ongoing communications about current threats, keeping email security at the forefront of employees' minds.

2. Limit what you share

Be mindful of shared information: attackers often research their targets on social media to learn who the executives are, who handles payments and when people are travelling. Limit the information you share, both professionally and publicly.

3. Security procedures

Ensure that processes and procedures are in place for payments and for changes to bank details. Any unusual or urgent request made over email should be verified through a separate channel, such as a phone call to a number already on file or a conversation in person, never by replying to the email itself, and escalated to senior management if it cannot be confirmed.

4. Protect your password

Ensure employees keep their passwords private, use a password for their email account that they use nowhere else, and are prevented from choosing common or previously breached passwords. Forcing password changes on a fixed schedule is no longer recommended by NCSC or NIST guidance and does little against password spraying; rate-limiting sign-in attempts and multi-factor authentication are what actually blunt that attack.

5. Enable two-factor or multi-factor authentication

Adding this to every email account in the organisation adds a layer that a stolen password alone cannot bypass. Prefer app-based or hardware-key methods over SMS codes where possible, and remember that MFA does not stop an attacker who simply spoofs a sender address rather than logging in, so it complements the verification procedures above rather than replacing them.

6. Invest in a multi-layered security solution

No single control is enough to defend email against advanced attacks. An effective business email security solution combines several layers, for example sender authentication, attachment and URL analysis, and detection of impersonation and unusual sender behaviour, which work together to detect and block threats in real time and give stronger protection than any one of them would on its own.

7. Update all infrastructure

Ensure all applications, operating systems, network tools and internal software are kept up to date. Install anti-malware and anti-spam software, and keep that updated too.

Like all cyber threats that rely on manipulation, it takes only one employee making a misguided decision, whether clicking a malicious link or handing over personal information, for your whole business to be dealing with a data breach.

By arming employees with the knowledge and common examples of business email compromise attacks, you provide them with the tools they need to spot manipulative phishing emails. You also reduce the chance of an attacker being able to trick your users into giving up sensitive information.

Key stats*

  • 43% of organisations have experienced a security incident in the last 12 months, with 35% stating that BEC/phishing attacks account for more than 50% of those incidents.
  • 1 in 4 organisations say 76-100% of the malware they detect is delivered via email.
  • In the current work-from-home environment, 39% of organisations say they experience spear phishing on a weekly basis.
  • 65% of IT security professionals say their organisation has experienced spear phishing in 2021, while 51% say it has increased in the last 12 months.
  • The good news: 69% say their organisation is prepared to handle a cyberattack, and 71% believe their employees are prepared to identify a malicious email.

*Source: Help Net Security

The team at FTS are cyber security experts – get in touch today to find out how we can help your business not to be a victim to the fraudsters. 

Can your business afford not to be one step ahead of the fraudsters?
