In a BEC attack, a cybercriminal (or cybercriminal gang) sends employees of the target organization emails that appear to come from a fellow employee, a vendor, partner, customer or other associate. The emails trick the employees into paying fraudulent invoices, wiring funds to bogus bank accounts, or divulging sensitive information such as customer data, intellectual property or corporate financials.

In rare cases, BEC attackers try to spread ransomware or malware by asking victims to open an attachment or click a malicious link. They also carefully research the employees they target and the identities they impersonate to make their emails appear legitimate. Social engineering techniques, such as email address spoofing and pretexting, help them craft convincing attack emails that look and read as if they were sent by the impersonated sender.
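The spoofing described above usually leaves traces in the message headers: a trusted display name paired with an outside mailbox, a sender domain one character away from the real one, or a Reply-To that quietly redirects replies to the attacker. The following is an added example (not code from the original article) of the header checks a mail-filtering or triage script would run; the company domain, the employee directory and the four sample messages are constructed for illustration.

```python
"""Header-level BEC indicators: display-name impersonation, lookalike sender
domains and Reply-To / Return-Path redirection. Added example; the domain,
directory and messages below are constructed, not taken from the article."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumption: our own domain
DIRECTORY = {"jane doe": "jane.doe@example.com"}    # assumption: real staff, lower-cased name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typo-squatted domains (examp1e.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def is_lookalike(domain: str) -> bool:
    """True for domains that resemble ours but are not ours."""
    if not domain or domain == COMPANY_DOMAIN:
        return False
    if edit_distance(domain, COMPANY_DOMAIN) <= 2:      # examp1e.com, exarnple.com
        return True
    label = COMPANY_DOMAIN.split(".")[0]                # example-com.net, example.com.evil.test
    return label in domain.replace("-", ".").split(".")


def analyze(raw: str) -> list[str]:
    """Return the list of BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, sender = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    findings = []

    # 1. A known employee's name on a mailbox that is not that employee's.
    expected = DIRECTORY.get(name.strip().lower())
    if expected and sender.lower() != expected:
        findings.append("display-name-impersonation")
    # 2. Sender domain is a near-miss of our own domain.
    if is_lookalike(domain_of(sender)):
        findings.append("lookalike-domain")
    # 3. Replies would go somewhere other than the visible sender.
    if reply_to and domain_of(reply_to) != domain_of(sender):
        findings.append("reply-to-mismatch")
    # 4. Envelope sender (bounce address) differs from the visible sender.
    if return_path and domain_of(return_path) != domain_of(sender):
        findings.append("return-path-mismatch")
    return findings


# Constructed sample messages (headers only matter for these checks).
LEGIT = "From: Jane Doe <jane.doe@example.com>\nReturn-Path: <jane.doe@example.com>\nSubject: Q3 numbers\n\nSee attached.\n"
FREEMAIL = 'From: "Jane Doe" <jane.doe.ceo@gmail.com>\nSubject: Urgent wire\n\nAre you at your desk?\n'
LOOKALIKE = 'From: "Jane Doe" <jane.doe@examp1e.com>\nSubject: Updated bank details\n\nPlease use the new account.\n'
FORGED_INTERNAL = ("From: Jane Doe <jane.doe@example.com>\nReply-To: <jane.doe@outlook-mail.test>\n"
                   "Return-Path: <bounce@attacker.test>\nSubject: Invoice\n\nPay today.\n")

if __name__ == "__main__":
    for label, raw in [("legit", LEGIT), ("freemail", FREEMAIL),
                       ("lookalike", LOOKALIKE), ("forged-internal", FORGED_INTERNAL)]:
        print(f"{label:16} {analyze(raw) or 'clean'}")
```

Treat these as indicators for triage, not proof: a mailing list or a ticketing system legitimately sets a different Return-Path, and an attacker who has hijacked a real mailbox (the case discussed next) produces headers that pass every one of these checks, which is why SPF, DKIM and DMARC results and out-of-band verification of any payment change still matter.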

Sometimes, scammers hack into and hijack the sender’s email account, making the attack emails even more believable, if not indistinguishable from legitimate email messages. Business email compromise attacks are some of the costliest cyberattacks.

According to the IBM Cost of a Data Breach 2022 report, BEC is the second most costly initial attack vector, with breaches that start this way costing an average of USD 4.89 million. According to the FBI Internet Crime Complaint Center’s Internet Crime Report, BEC scams cost US victims a total of USD 2.7 billion in 2022.