What Is a Business Email Compromise (BEC) Attack?

A Business Email Compromise (BEC), sometimes called a “BEC attack”, begins with threat actors compromising and spoofing emails to impersonate an organization’s CEO, heads of departments, executives, or vendors. It shares several characteristics with spear-phishing attacks: the emails are targeted at a specific individual, enterprise, or business to entice them into insecure actions. A well-crafted BEC email looks legitimate and authentic to an employee and often appears to come from an authority figure or a close colleague. Hence, an unsuspecting employee will comply with the instructions received in the email, mainly to transfer money, leading to financial and reputational losses.

Key Statistics on Social Engineering Attacks

Here are some key statistics that highlight the growing menace of social engineering tactics such as BEC attacks.
  • As per the GreatHorn Business Email Compromise Report of 2021, 34% of participants said that employees from finance are the most frequent target of spear-phishing attempts.
  • According to the FBI’s IC3 (Internet Crime Complaint Center) report, BEC attacks are the costliest cyberattacks, more expensive than ransomware.
  • As per Help Net Security, almost 71% of organizations worldwide have experienced BEC attacks in the past year alone.
  • As per Statista, BEC attacks have increased from 9,708 attacks in 2017 to 17,607 attacks in 2020.

[Figure: chart showing an increase in BEC attacks since 2017. Source: Statista.com]

How Organizations Fall Victim to BEC Attacks

Microsoft reported a large BEC attack against an organization in July 2021 after a customer complaint. Upon further investigation, Microsoft’s Digital Crimes Unit (DCU) unearthed 17 malicious domains used in the BEC campaign. The malicious actors used these homoglyph domain names to mimic legitimate Microsoft business domains and gain the confidence of unsuspecting Office 365 users. The domain names were crafted to create a false sense of security, such as MICROS0FT.COM instead of MICROSOFT.COM (note the zero in place of the letter O). After gaining access to the Office 365 network, the threat actors started their BEC campaign by sending malicious emails to customers, vendors, and agents asking for payment approvals, fund deposits, etc. Once the Microsoft DCU team had investigated the scam, they immediately obtained a court order to remove the malicious domains. Quite a few organizations have been successfully hit by BEC operations, including the ones below.

Ubiquiti Networks BEC (2015)

In 2015, malicious actors transferred funds totalling $46.7 million held by Ubiquiti’s subsidiary in Hong Kong to overseas accounts held by third parties.

Scoular Co. (2015)

Another such incident took place in the same year when Scoular Co (an employee-owned commodities trader) transferred $17.2 million to a bank in China. The emails were sent to the company’s corporate controller and seemingly came from Scoular CEO Chuck Elsea. After the BEC attack, Scoular Co tightened its internal systems and security controls.

The City of Burlington (2019)

The City of Burlington witnessed another BEC attack resulting in a massive loss of $503,000. It happened when a city staff member made a transaction to a “falsified bank account” after receiving a spoofed email requesting a change to the banking information for a well-known City vendor.

The Modus Operandi of BEC Attacks

BEC campaigns are carried out in various ways. One of the most common procedures is the following:
  • Malicious actors conduct detailed research on a specific organization.
  • Attackers browse all available information, such as organization profiles, social media accounts, and press releases, to gather as many details as possible on organizational hierarchy, official titles, etc.
  • Next, they try to gain access to the corporate network using some stolen credentials, phishing or other social engineering techniques.
  • Then the attackers use an executive’s email account to send a spoofed email to unsuspecting employees, vendors, customers, etc.
  • Malicious actors employ various spoofing tricks to make their email addresses look legitimate and authentic. One of the prevalent methods is replacing a letter in the domain name of an email address with a similar-looking character, like www.PayPa1.com instead of www.PayPal.com.
  • Their extensive research will help the perpetrators create a scam scenario, such as the organization’s executive sending an email to an employee to release funds immediately to a specific bank account.
  • Since the email looks legitimate and authentic, it does not raise much suspicion, and the employees tend to act as directed in the email, especially when pressure is applied.
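
The character-swap domains described above (MICROS0FT.COM, www.PayPa1.com) can be caught on the receiving side by folding look-alike characters before comparing a sender's domain with the domains an organization trusts. The following Python sketch is an added example, not code from the original article; the trusted-domain list, the fold table and the function names are assumptions made for illustration.

```python
from email.utils import parseaddr

# Assumption: the organization keeps its own list of domains it trusts.
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com"}

# Illustrative look-alike folds (the 0/O and 1/l swaps from this page plus a
# few common ones); this is not a complete homoglyph table.
FOLDS = str.maketrans({"0": "o", "1": "l", "i": "l", "5": "s"})


def skeleton(domain: str) -> str:
    """Fold characters that render alike so imitations compare equal."""
    return domain.lower().translate(FOLDS).replace("rn", "m").replace("vv", "w")


def classify_sender(from_header: str):
    """Return (verdict, related_trusted_domain) for a From header value."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ("unparseable", None)
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        if domain == trusted or domain.endswith("." + trusted):
            return ("trusted", trusted)
    for trusted in sorted(TRUSTED_DOMAINS):
        # Compare only the registrable tail, so "www.paypa1.com" is caught too.
        labels = trusted.count(".") + 1
        tail = ".".join(domain.split(".")[-labels:])
        if skeleton(tail) == skeleton(trusted):
            return ("lookalike", trusted)
    return ("unknown", None)


# Constructed From headers; the two imitation domains are the ones named above.
SAMPLES = [
    '"Accounts" <ap@mail.microsoft.com>',
    '"CEO" <ceo@MICROS0FT.COM>',
    "billing@www.PayPa1.com",
    '"ceo@microsoft.com" <someone@vendor.example>',  # trusted name, other domain
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(classify_sender(header), header)
```

The verdict is taken from the address itself, never from the display name, so a trusted address placed in the display name does not make the sender trusted.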

Why Are Employees Involved in Finance and Payments the Most Vulnerable?

One of the main reasons personnel in an organization’s finance and payments departments are targeted the most is that they manage the organization’s funds and finance requirements. Their responsibilities include paying bills to suppliers, distributing salaries to employees, and taking care of various miscellaneous expenses of the organization. Most BEC emails are designed to extract funds from an organization. Hence, finance and accounts personnel are the most appealing BEC targets in an organization.

Steps Employees Can Take to Detect and Respond to a BEC Attack

Like all cyberattacks, BEC has its characteristic features. Proper awareness can help an employee detect and identify a BEC attempt whenever there is one. Employees must also be prudent in handling emails and taking further action when a BEC attempt is suspected. The steps below show how to detect and respond to BEC incidents appropriately.

How to Detect a BEC Attack?

The following are specific characteristics of BEC attack attempts. Recipients of BEC emails and communication can identify them on close examination, which helps them avoid and report such incidents before they lead to undesirable consequences.
  • Payment-fraud: BEC attack emails often arrive late in the day and on Fridays, posing as an important email from a senior executive asking for an urgent favour, such as sending a payment to a vendor.
  • Change of Bank Details: All malicious actors performing this type of attack will have to change bank details at some point in the process. HR personnel will receive spoofed emails from threat actors pretending to be employees, who suddenly ask for a change in the bank details for the salary to be paid the next day.
  • Vendor Payments: Attackers use stolen credentials to impersonate employees of the organization, sending emails to the finance department to clear invoices and make payments to bank accounts of the imposters.
  • Gift Card Scams: Fraudsters trick senior executives by requesting to buy gift cards for staff appreciation and asking to reply with the card numbers and PINs.
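
The traits in the list above can be turned into a first-pass triage rule for reported or quarantined mail. The Python sketch below is an added example, not part of the original article; the phrase patterns, the 16:00 cut-off and the sample messages are assumptions constructed for illustration, and a hit is a reason to verify by phone, not proof of fraud.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Assumptions for this sketch: phrase lists and the 16:00 cut-off are illustrative.
URGENCY = re.compile(r"\b(urgent|urgently|immediately|asap|right away)\b", re.I)
PAYMENT = re.compile(r"\b(payment|wire|transfer|invoice|funds)\b", re.I)
BANK_CHANGE = re.compile(
    r"\b(new|change[ds]?|update[ds]?)\b[^.]{0,60}\b(bank|account|routing|iban)\b", re.I)
GIFT_CARD = re.compile(r"\bgift\s*cards?\b", re.I)
CARD_SECRETS = re.compile(r"\b(pins?|card numbers?|codes?)\b", re.I)
LATE_HOUR = 16  # sender-local hour taken from the Date header

def bec_indicators(raw_message: str) -> list[str]:
    """Return the names of the BEC traits found in one RFC 5322 message."""
    msg = message_from_string(raw_message)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}"
    hits = []
    if URGENCY.search(text) and PAYMENT.search(text):
        hits.append("urgent-payment-request")
    if BANK_CHANGE.search(text):
        hits.append("bank-detail-change")
    if GIFT_CARD.search(text) and CARD_SECRETS.search(text):
        hits.append("gift-card-request")
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.weekday() == 4 or sent.hour >= LATE_HOUR:
            hits.append("late-or-friday-send")
    except (TypeError, ValueError):
        pass  # missing or malformed Date header: no timing signal
    return hits

# Constructed sample messages (not real mail).
PAYMENT_MAIL = """\
From: "CEO" <ceo@example.com>
Subject: Urgent vendor payment
Date: Fri, 16 Jul 2021 17:42:00 -0400

Please wire the payment for the attached invoice immediately.
The vendor has a new bank account, details below.
"""
GIFT_MAIL = """\
From: "Director" <director@example.com>
Subject: Staff appreciation
Date: Tue, 13 Jul 2021 10:05:00 -0400

Can you buy ten gift cards for the team and reply with the card numbers and PINs?
"""

if __name__ == "__main__":
    for name, raw in (("payment", PAYMENT_MAIL), ("gift", GIFT_MAIL)):
        print(name, bec_indicators(raw))
```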

How to Respond to a BEC Attack?

Here are a few tips for employees to prevent themselves from being the next target of a BEC attack:
  • Be Suspicious: Always be cautious and suspicious about emails related to finance, especially following a bank account change and when pressure is applied to process the transaction quickly.
  • Double-Check: Check with superiors or colleagues using face-to-face or voice communications before sending thousands of dollars to an imposter’s bank account.
  • Slow Down: Don’t panic or respond immediately to a payment request. Slow down and only take action after clarifying that a transaction is being made to the correct account.

Final Words

BEC attack emails are often created to impersonate an authority figure or top executive whom an employee trusts, and to trick the employee into sending sensitive data or money to the imposter’s bank account. User awareness is critical in reducing the risk of a successful BEC attack. Annual training and ongoing phishing simulations are excellent ways to ensure users are vigilant with online exchanges. DeepCode has assisted multiple organizations in preventing and investigating BEC attacks and offers a review of security controls on Microsoft 365 to reduce the risk of fraud attempts. You can get in touch with us if you need help protecting yourself against such attacks or others.


  1. Johnson, J. (2021, April 28). Global CEO fraud volume 2017–2020. Statista. https://www.statista.com/statistics/820912/number-of-attempts-of-bec-scams-ceo-fraud/
  2. (2021, July 20). Microsoft removes domains: Office 365 BEC scam. https://www.cybertalk.org/2021/07/20/microsoft-removes-domains-office-365-bec-scam/
  3. ATB Financial. (2021, March 12). Understanding business email compromise (BEC). https://www.atb.com/commercial/good-advice/cybersecurity-and-fraud-protection/fraud-prevention-understanding-business-email-compromise-bec/
  4. Cole, I., Portilla, O. (2021, September 2). Why Financial Services is more vulnerable than ever, and what cyber threats to defend against. Atos. https://atos.net/en/blog/why-financial-services-is-more-vulnerable-than-ever-and-what-cyber-threats-to-defend-against
  5. BEC Attacks: What They Are and How to Protect Yourself. https://www.weststarbank.com/our-info/bec-attacks–what-they-are-and-how-to-protect-yourself
  6. HelpNet Security. (2021, June 25). 71% of organizations experienced BEC attacks over the past year. https://www.helpnetsecurity.com/2021/06/25/bec-attacks-past-year/
  7. Cybersecurity Insiders. (2021). BUSINESS EMAIL COMPROMISE REPORT. https://info.greathorn.com/hubfs/Reports/2021-Business-Email-Compromise-Report-GreatHorn.pdf
  8. FBI Internet Crime Complaint Center. (2020). Internet Crime Report. https://www.ic3.gov/Media/PDF/AnnualReport/2020_IC3Report.pdf