What is business email compromise (BEC)?

In a BEC attack, a cybercriminal (or cybercriminal gang) sends employees of the target organization emails that appear to be from a fellow employee, a vendor, partner, customer or other associate. The emails trick the employees into paying fraudulent invoices, wiring transfers to bogus bank accounts, or divulging sensitive information such as customer data, intellectual property or corporate financials.

In rare cases, BEC attackers try to spread ransomware or malware by asking victims to open an attachment or click a malicious link. They also carefully research the employees they target and the identities they impersonate to make their emails appear legitimate. Social engineering techniques, such as email address spoofing and pretexting, help them craft convincing attack emails that look and read as if they were sent by the impersonated sender.

Sometimes, scammers hack into and hijack the sender’s email account, making the attack emails even more believable, if not indistinguishable from legitimate email messages. Business email compromise attacks are some of the costliest cyberattacks.

According to the IBM Cost of a Data Breach 2022 report, BEC scams are the second most expensive type of breach, costing an average of USD 4.89 million. According to the FBI Internet Crime Complaint Center’s Internet Crime Report, BEC scams cost US victims a total of USD 2.7 billion in 2022.

Cybersecurity experts and the FBI identify six main types of BEC attacks.

The BEC attacker pretends to be a vendor that the company works with, and sends the target employee an email with a fake invoice attached. When the company pays the invoice, the money goes straight to the attacker. To make these attacks convincing, the attacker might intercept actual vendor invoices, and modify them to direct payments to their own bank accounts.

Notably, courts ruled that companies that fall for fake invoices are still on the hook for their real counterparts.

One of the biggest fake invoice scams was carried out against Facebook and Google. From 2013 through 2015, a scammer who posed as Quanta Computer, a real hardware manufacturer both companies work with, stole USD 98 million from Facebook and USD 23 million from Google. While the scammer was arrested and both companies recovered most of their money, this outcome is rare for BEC scams.

Scammers pretend to be an executive, usually a CEO, and ask an employee to wire money somewhere. This request is often under the guise of closing a deal, paying an overdue invoice, or even purchasing gift cards for fellow employees.

CEO fraud schemes frequently create a sense of urgency, pushing the target to act quickly and rashly, for example, "This invoice is overdue, and we’re going to lose service if we don’t pay it immediately." Another technique is creating a sense of secrecy to prevent the target from consulting coworkers, for example, "This deal is confidential, so don’t tell anyone about it."

In 2016, a scammer posing as CEO of the aerospace manufacturer FACC used a fake acquisition to trick an employee into transferring USD 47 million. As a result of the scam, the company’s board fired both the CFO and the CEO for “violating” their duties.

Scammers take over a nonexecutive employee’s email account and then send fake invoices to other companies or trick other employees into sharing confidential information. Scammers often use EAC to phish the credentials of higher-level accounts they can use for CEO fraud.

Scammers pose as a lawyer and ask the victim to pay an invoice or share sensitive information. Attorney impersonation scams rely on the fact that people tend to cooperate with lawyers, and it’s not odd if a lawyer asks for confidentiality.

Members of the Russian BEC gang Cosmic Lynx often pose as lawyers as part of a dual impersonation attack. First, the target company’s CEO receives an email introducing the CEO to a ‘lawyer’ assisting the company with an acquisition or other business deal. Then the fake lawyer emails the CEO requesting them to wire a payment to close the deal. On average, Cosmic Lynx attacks steal USD 1.27 million from each target.

Many BEC attacks target HR and finance employees to steal personally identifiable information (PII) and other sensitive data with which to commit identity theft or cybercrimes.

For example, in 2017, the IRS warnedof a BEC scam that stole employee data. Scammers posed as a company executive and asked a payroll employee to send copies of employees’ W-2s (which include employees’ social security numbers and other sensitive information). Some of the same payroll employees received ‘follow-up’ emails requesting that wire transfers be made to a fraudulent account. The scammers assumed that targets who found the request for W2s to be credible were excellent targets for a wire transfer request.

In early 2023, the FBI warned of a new type of attack in which scammers pose as corporate customers to steal products from the target company. Using fake financial information and posing as employees in another company’s purchasing department, the scammers negotiate a large purchase on credit. The target company ships the order—usually construction materials or computer hardware—but the scammers never pay.

Technically, BEC is a type of spear-phishing—a phishing attack that targets a specific individual or group of individuals. BEC is unique among spear-phishing attacks, targeting the employee or associate of a business or organization, and the scammer pretends to be a colleague whom the target knows or is inclined to trust.

While some BEC attacks are the work of lone scammers, others are initiated by BEC gangs. These gangs operate like legitimate businesses, employing specialists such as lead-generation specialists who hunt for targets, hackers who break into email accounts, and professional writers who ensure phishing emails are error-free and convincing.

Once the scammer or gang has chosen a business to rob, a BEC attack typically follows the same pattern.

Almost any business, nonprofit or government, is a suitable target for BEC attacks. Large organizations with lots of money and customers—and enough transactions that BEC exploits might go unnoticed among them—are obvious targets.

But global or local events may lead BEC attackers to more specific opportunities—some more obvious than others. For example, during the COVID-19 pandemic, the FBI warned that BEC scammers posing as medical equipment and supply vendors were invoicing hospitals and health care agencies.

At the other (but no less lucrative) end of the spectrum, in 2021 BEC scammers took advantage of well-publicized education and construction projects in Peterborough, NH and diverted USD 2.3 million in town funds to fraudulent bank accounts.

Next, scammers start researching the target organization and its activities to determine the employees who will receive the phishing emails, and the identities of the senders the scammers will spoof (impersonate).

BEC scams typically target mid-level employees—e.g., finance department or human resource (HR) managers—who have authority to issue payments or who have access to sensitive data, and who are inclined to comply with such requests from a senior manager or executive. Some BEC attacks may target new employees who may have little or no security awareness training and limited understanding of proper payment or data-sharing procedures and approvals.

For a sender identity, scammers choose a coworker or associate who can credibly request or influence the action the scammer wants the target employee to take. Coworker identities are typically high-level managers, executives or lawyers within the organization.

Outside identities can be executives from vendor or partner organizations, but they might also be peers or colleagues of the employee target—for example, a vendor the employee target works with regularly, a lawyer advising on a transaction, or an existing or new customer.

Many scammers use the same lead-generation tools that legitimate marketing and sales professionals use—LinkedIn and other social media networks, business and industry news sources, prospecting and list-building software—to find potential employee targets and matching sender identities.

Not all BEC attackers take the step of hacking into the target and sender organizations’ networks. But those who do behave like malware, observing targets and senders and accumulating information and access privileges for weeks before the actual attack. This may enable attackers to:

• Choose the best employee targets and sender identities based on observed behaviors and access privileges.
  
  

• Learn more details about how invoices are submitted and how payments or sensitive data requests are handled to better impersonate requests in their attack emails.
  
  

• Determine due dates for specific payments to vendors, lawyers, etc.
  
  

• Intercept a legitimate vendor invoice or purchase order and alter it to specify payment to the attacker’s bank account.
  
  

• Take control of the sender’s actual email account, enabling the scammer to send attack emails directly from the account, and sometimes even insert them into ongoing legitimate email conversations, for the ultimate in authenticity.

A convincing impersonation is key to BEC success, and scammers craft their attack emails for maximum authenticity and credibility. If they haven’t hacked into the sender’s email, the scammers create a fake email account that spoofs the sender’s email address to appear legitimate. (For example, they might use creative name or domain name misspellings, such as jsmith@company.com or jane.smith@cornpany.com for jane.smith@company.com). They can also add other visual cues, such as a signature with the sender’s company logo or a detailed (and fake) privacy statement.

A key component of the attack email is the pretext—a false but plausible story written to gain the target’s trust and convince or pressure the target into doing what the attacker wants them to do. The most effective pretexts combine a recognizable situation with a sense of urgency and implication of consequences. A message from a manager or CEO that reads, "I’m about to get on a plane—can you help me out by processing this invoice (attached) to avoid late fees?" is a classic example of a BEC pretext.

Depending on the request, scammers may also set up fake websites, register fake companies, or even staff a fake phone number the target can call for confirmation.

BEC scams are among of the most difficult cybercrimes to prevent because they rarely use malware that security tools can detect. Instead, scammers rely on deception and manipulation. Scammers don’t even need to breach their target company.

They can fleece victims out of massive sums by breaching, or even just impersonating, a vendor or customer. As a result, BEC attacks take an average of 308 days to identify and contain, according to the Cost of a Data Breach report—the second-longest resolution time of all breach types.

That said, companies may take the following steps to defend against these scams:

• Cybersecurity awareness training can help employees understand the dangers of oversharing on the social media platforms and apps that scammers use to find and research their targets. Training can also help employees spot BEC attempts and adopt best practices like verifying large payment requests before complying.

• Email security tools may not catch every BEC email, particularly those coming from compromised accounts. However, they can help spot spoofed email addresses. Some tools can also flag suspicious email content that might signal a BEC attempt.

• Two-factor or multi-factor authentication can make it more difficult for BEC attackers to hack into email accounts.

• Enterprise security tools can help security teams stop BEC attacks faster by identifying attempts to exploit network vulnerabilities and flagging activity on endpoints, in email accounts and elsewhere that may point to hackers doing reconnaissance. These tools include:
  • security orchestration
  • automation and response (SOAR)
  • security information and event management (SIEM)
  • endpoint detection and response (EDR) 
  • extended detection and response (XDR)