Business Email Compromise (BEC) is a cyberattack involving the hacking, spoofing, or impersonation of a business email address. The victim of a BEC attack receives an email that appears to come from a trusted business. The email looks and feels genuine. But it typically contains a phishing link, a malicious attachment, or a request to transfer money to the attacker.
In this article, we’ll look at why cybercriminals use BEC, how it works, and why it remains a serious problem.
Looking for exampels of BEC attacks or information about how to prevent business email compromise instead? Check out these pages instead:
BEC is a tried-and-tested cyberattack method that costs consumers and businesses billions every year. So what makes BEC such a prevalent cybercrime technique?
Simply put: cybercriminals use BEC as a way to make social engineering attacks more effective.
A social engineering attack is any form of cybercrime involving impersonation. The attacker pretends to be a trusted person so that the target does what they’re told.
Here are some examples of social engineering attacks that can involve BEC:
All these social engineering attacks involve some sort of impersonation. Fraudsters use every tool available to make their impersonation more convincing. And one of the best tools available is a genuine — or genuine looking — business email address.
BEC attacks target both individuals and businesses and the attacker will (generally) use BEC to gain access to one of the following:
Now you know why cybercriminals launch BEC attacks, we’re going to look at how they do it.
There are various competing definitions of BEC — so before we explain the process, let’s clarify what we mean when we use this term.
A BEC attack is any phishing attack where the target believes they have received an email from a genuine business. There are several methods that a cybercriminal can use to achieve this, including:
Let’s look at each of these techniques.
Email impersonation is where the attacker sets up an email account that looks like a business email account. Here’s an example:
In this case, we can imagine Leon Green really is Tess’ boss and that an invoice for Amazon really is due to be paid. This information is easy enough to find online. But, note that the sender’s email address is “[email protected]”.
If you look carefully, you’ll see Microsoft is misspelled.
Many people miss small details like this. Worse still, mobile email clients typically only show the sender’s display name and hide their email address.
Email spoofing is where the attacker modifies an email’s envelope and header. The receiving mail server thinks the email came from a corporate domain and the recipient’s email client displays incorrect sender information.
You can read more about email spoofing – and see an example of a spoofed email header – in this article: What is Email Spoofing? How Does Email Spoofing Work?
In account takeover (ATO), the attacker gains access to a corporate email account, whether via hacking or by using stolen account credentials. They gather information about the user’s contacts, email style, and personal data — then they use the account to send a phishing email.
We know BEC is a common cyberattack method. But how many businesses are affected, and how badly? Because many BEC attacks go unnoticed — and because different organizations use different definitions of BEC — there’s no simple answer.
So what do we know about the prevalence of BEC? The best source of cybercrime statistics comes from the FBI’s Internet Crime Complaint Center (IC3), which reports that:
We’ve looked at the different types of BEC, how a BEC attack works, and how serious and pervasive this form of cybercrime has become.
Next, let’s look at examples of BEC attacks. This will help you learn from the experiences of other organizations.