Business email compromise (BEC)
Business email compromise is a targeted social engineering attack that uses email impersonation and trust exploitation to divert payments, steal sensitive data, or manipulate business processes.
What it is
Business email compromise (BEC) is a class of targeted email attacks where an adversary impersonates a trusted party (an executive, vendor, attorney, or colleague) to manipulate the recipient into transferring funds, sharing sensitive data, or taking some other action that benefits the attacker. BEC adapts long-standing payment and trust fraud to email workflows; the underlying mechanics are social engineering rather than technical exploitation. The FBI's Internet Crime Complaint Center (IC3) has consistently ranked BEC as the costliest category of cybercrime, with reported losses measured in billions of dollars annually across both domestic and international cases.
The impersonation can happen through a compromised account, a lookalike domain, display name spoofing, or even a free email address with a convincing sender name. What unifies BEC attacks is the reliance on authority, urgency, and trust rather than malware or malicious links.
Public reporting often highlights data breaches and ransomware; BEC draws less sustained media attention but remains a major source of direct financial loss and theft of trade secrets or other confidential material.
Reconnaissance and preparation
BEC campaigns typically begin well before the first fraudulent message. Attackers conduct in-depth reconnaissance using both public sources and, when possible, compromised mailboxes. Phishing and spear-phishing serve as common entry points, sometimes combined with credential harvesting to gain mailbox access that fuels later impersonation.
Reconnaissance targets typically include:
- Supplier and customer relationships
- Reporting structures and authority chains
- Active projects, funding rounds, or upcoming transactions
- Travel schedules and leave for executives and finance staff
That context shapes whom to impersonate, whom to target, and when to send so that urgency feels plausible. The attacker then waits for the right moment, such as an executive traveling or a deal nearing close, before launching a swift, targeted message.
Common variants
CEO fraud. An attacker impersonates a senior executive and sends an urgent request to a finance team member, typically for a wire transfer, gift card purchase, or confidential data. The message emphasizes secrecy ("Don't discuss this with anyone until it's finalized") and time pressure.
Vendor/invoice fraud. The attacker impersonates a known vendor or supplier and sends updated payment instructions, such as a new bank account for upcoming invoices. This variant often follows reconnaissance of real vendor relationships, sometimes obtained from a previously compromised mailbox.
Legal or M&A-themed requests. An attacker poses as outside counsel or deal counsel and references a confidential transaction, closing timeline, or sensitive financial documents to pressure finance or legal staff into action.
Payroll redirect. An attacker impersonates an employee and requests that HR or payroll change direct deposit information. The request often arrives from a lookalike domain or a compromised account.
W-2/data theft. Seasonal attacks targeting HR departments, where the attacker requests employee tax records or personally identifiable information en masse.
Gift card scams. The attacker requests that the victim purchase gift cards and send the redemption codes, often framed as a last-minute request for a client or team reward.
Why technical controls alone are insufficient
DMARC enforcement prevents direct domain spoofing but does not stop cousin domains, free email impersonation, or compromised accounts. Complementary records like SPF and DKIM strengthen sender verification but share the same limitation: they authenticate the sending domain, not the sender's identity or intent. Email security gateways can flag some BEC patterns (urgency language, payment references, first-time sender), but sophisticated BEC messages are conversational, low-volume, and lack the malicious attachments or URLs that trigger traditional filters.
Attackers routinely bypass authentication by registering typosquatted domains that pass SPF and DKIM checks on the attacker-controlled domain, or by sending from a legitimately compromised account that inherits the victim organization's own authentication posture.
BEC fundamentally exploits business processes rather than technology. An organization with strong email authentication but no out-of-band payment verification procedure remains vulnerable.
Process controls
- Callback verification. Any request to change payment details, wire funds, or redirect payroll must be verified through a pre-established phone number or known in-person channel, not contact details supplied in the email itself
- Dual approval. Financial transactions above a threshold require sign-off from two authorized individuals
- Vendor onboarding procedures. Payment detail changes from vendors follow a documented verification workflow
- Internal awareness. Finance, HR, and executive assistant teams receive targeted training on BEC patterns and escalation procedures
These controls are not glamorous, but they are the most reliable defense against an attack that deliberately circumvents technical layers.
Detection signals
- Emails from first-time senders that reference payment, wire transfer, or urgency
- Messages from lookalike domains with slight character variations, including homoglyph substitutions or combosquatting patterns
- Replies to threads where the sender address has silently changed
- Requests that break normal approval workflows or reporting chains
Many BEC campaigns use lookalike domains registered specifically to impersonate the target organization or its vendors. Domain monitoring for new registrations that resemble a protected brand, partner names, or executive names provides early warning of BEC infrastructure being staged. Pairing domain threat intelligence with WHOIS or RDAP lookups and certificate transparency monitoring helps surface impersonation domains before they reach inboxes. Combined with DMARC aggregate report analysis, these signals form a layered early-warning system against BEC infrastructure.
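As an added example (not code from the original page), the following Python check implements two of the header-level signals above, a lookalike From domain that passes authentication on its own domain and a Reply-To that diverts replies elsewhere, against a constructed sample message. The protected-domain list, the homoglyph table, and all addresses are assumptions made for the example.

```python
from email import message_from_string
from email.utils import parseaddr
# Constructed list of domains this organization wants protected (its own and key vendors).
PROTECTED = {"example-corp.com", "acme-supplier.com"}

def normalize(domain: str) -> str:
    """Fold common homoglyph substitutions so 'examp1e-c0rp.com' compares as 'example-corp.com'."""
    d = domain.lower()
    for glyph, letter in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")):
        d = d.replace(glyph, letter)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typosquats after normalization."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str) -> "str | None":
    """Return the protected domain that `domain` imitates, or None if it is exact or unrelated."""
    if domain in PROTECTED:
        return None
    norm = normalize(domain)
    for good in PROTECTED:
        # homoglyph / one-character typo, or the brand label embedded in a longer label (combosquat)
        if edit_distance(norm, good) <= 1 or good.split(".")[0] in norm.split(".")[0]:
            return good
    return None

def bec_signals(raw_message: str) -> list:
    """Collect header-level BEC signals for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    signals = []
    target = lookalike_of(from_domain)
    if target:
        signals.append(f"lookalike domain {from_domain} imitates {target}")
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        signals.append("Reply-To points to a different domain than From")
    return signals

# Constructed sample: vendor impersonation from a homoglyph domain with replies diverted elsewhere.
SAMPLE = ("From: Accounts Payable <ap@acme-supp1ier.com>\nReply-To: ap@acme-supplier-billing.net\n"
          "Subject: Updated bank details\n\nPlease use the new account for all upcoming invoices.\n")
```

In production the protected list would be fed from the domain-monitoring and vendor-onboarding data described above rather than hard-coded.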