Business Email Compromise

Business Email Compromise (BEC) is a form of spear phishing in which an attacker impersonates a trusted contact of an employee, such as an executive, a colleague, or a vendor, to persuade that employee to transfer funds, disclose sensitive information, or take some other harmful action. Unlike most phishing, a BEC message often carries no malicious link or attachment at all; the request itself is the payload, which is why signature-based mail filtering frequently misses it.

Examples of business email compromise

BEC typically targets a single individual, usually someone with influence within the organization or direct control over payments, payroll, or the budget. A successful attack depends on the target accepting a seemingly legitimate email from an internal supervisor or colleague, or from an external partner or vendor, and acting on it: wiring money, changing a vendor's bank details, sending sensitive records, or, in the credential-theft variants, clicking a link and entering login credentials that the attacker then uses to take over the account.

Although it comes in many forms, some common examples of business email compromise include:

Gift card fraud: In this attack, the attacker asks an employee to purchase gift cards for staff or customers. The attacker usually asks for secrecy and instructs the employee to send photos of the backs of the cards with the redemption codes exposed, rather than the physical cards, so the funds can be drained immediately.

CEO fraud: One of the most expensive forms of business email compromise, this attack involves impersonating the CEO or another executive. Again, the attacker asks for secrecy and urgency and pushes the employee toward some action, usually a financial one. In many cases the request is to wire a large sum of money to an account the attacker controls.

Vendor compromise: In this attack, the attacker takes over a vendor's real email account and uses it to phish or spear phish the vendor's customers, typically by sending a genuine-looking invoice or a notice that the vendor's bank details have changed. Because the message comes from the vendor's legitimate account and passes sender authentication, it is a popular scheme for a quick payout from victims who believe they are paying ordinary invoices.

Tax fraud: In this scheme, the attacker impersonates an employee or executive and asks a member of the HR or payroll team for copies of W-2 forms or other income statements, which are then used for identity theft and fraudulent tax filings.


Consequences of a successful BEC attack

The FBI's Internet Crime Complaint Center reported a 65 percent increase in identified global exposed losses from BEC between July 2019 and December 2021, and more than $43 billion in exposed losses (attempted as well as actual) between June 2016 and December 2021. Naturally, the financial losses of a successful BEC attack are what drive most organizations to take preventative action.

Often overlooked consequences include damaged customer trust and a diminished brand reputation. Once it becomes known that an organization's security posture is inadequate, prospective clients and partners will look elsewhere.


Protecting your business

To minimize the likelihood of your organization falling victim to business email compromise, educate your employees on BEC awareness and prevention. An effective cybersecurity awareness training program can help build a culture of vigilance and risk mitigation. Because BEC relies on a plausible request rather than malware, process controls matter as much as training: require out-of-band verification (a phone call to a known number, not a reply to the email) for any wire transfer, change of vendor bank details, or request for payroll data, and enforce SPF, DKIM, and DMARC on your own domain so that direct spoofing of it fails. On top of that, anti-spear-phishing solutions that combine Natural Language Processing with sender-spoofing detection (display-name impersonation, lookalike domains, Reply-To mismatches, authentication failures) can flag the urgency and secrecy cues of a BEC message and strengthen your front-line defenses.
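The following script is an added example, not code from the original page or from any product it describes. It shows the kind of checks that the attack patterns above (CEO fraud, vendor invoice fraud, W-2 requests) and the sender-spoofing detection just mentioned boil down to: it parses raw messages with Python's standard `email` module and scores them on display-name impersonation, lookalike domains, Reply-To mismatches, failed sender authentication, and urgency, payment, and HR-data wording. The company domain, the protected names, and the three sample messages are constructed for illustration and are assumptions, not real data.

```python
"""Heuristic BEC triage over raw RFC 5322 messages. Added example; the
organisation, names and sample messages below are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumed organisation (hypothetical): our own domain and the people or vendors
# whose display names we expect to see only from specific domains.
COMPANY_DOMAIN = "example.com"
PROTECTED_NAMES = {
    "jane doe": "example.com",             # assumed CEO
    "acme supplies": "acmesupplies.example",  # assumed vendor
}

# Wording cues drawn from the BEC patterns described in the article.
URGENCY_SECRECY = [r"\burgent\b", r"\bconfidential\b", r"keep (this|it) (between us|quiet)",
                   r"don'?t (call|mention|tell)", r"\bright away\b", r"\bin a meeting\b"]
PAYMENT = [r"\bwire\b", r"\bgift cards?\b", r"\bbank (details|account)\b",
           r"\bpayment details\b", r"\binvoice\b", r"\bupdated? (our )?(bank|account)"]
HR_DATA = [r"\bw-?2s?\b", r"\bpayroll\b", r"\bdirect deposit\b"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; used to catch near-miss domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike(domain: str) -> bool:
    """True when the sender's registrable label is a near-miss of ours
    (examp1e.com, example.net, example-corp.com). Our own domain and its
    subdomains are never flagged. Caveat: very short company labels will
    produce false positives with an edit-distance threshold of 2."""
    if not domain or domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN):
        return False
    ours = COMPANY_DOMAIN.split(".")[-2]
    label = domain.split(".")[-2] if "." in domain else domain
    return edit_distance(label, ours) <= 2 or ours in label


def score_message(raw: str) -> dict:
    """Return the indicators found in one message and a coarse verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    _, reply = parseaddr(msg.get("Reply-To", ""))

    # 1. A protected display name arriving from a domain we do not expect it from.
    expected = PROTECTED_NAMES.get(name.strip().lower())
    if expected and from_dom != expected:
        reasons.append(f"display name '{name}' from unexpected domain {from_dom}")
    # 2. Sender domain that imitates ours.
    if lookalike(from_dom):
        reasons.append(f"lookalike domain {from_dom}")
    # 3. Replies silently redirected to a different domain (common in vendor compromise).
    if reply and domain_of(reply) != from_dom:
        reasons.append(f"reply-to domain {domain_of(reply)} differs from sender")
    # 4. The receiving MTA's Authentication-Results header recorded a failure.
    auth = str(msg.get("Authentication-Results", "")).lower()
    if any(f"{m}=fail" in auth for m in ("spf", "dkim", "dmarc")):
        reasons.append("sender authentication failed")
    # 5. Social-engineering wording in subject and plain-text body.
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg.get('Subject', '')}\n{body.get_content() if body else ''}".lower()
    for label, pats in (("urgency/secrecy cue", URGENCY_SECRECY),
                        ("payment request", PAYMENT), ("HR data request", HR_DATA)):
        if any(re.search(p, text) for p in pats):
            reasons.append(label)
    return {"score": len(reasons), "reasons": reasons, "suspicious": len(reasons) >= 2}


# Constructed sample messages (not real mail).
CEO_FRAUD = """\
From: Jane Doe <jane.doe@examp1e.com>
Subject: Urgent wire - confidential
Authentication-Results: mx.example.com; dmarc=none

I'm in a meeting and can't talk. Please process a wire of $48,000 to the
account below right away and keep this between us until the deal closes.
"""

VENDOR_COMPROMISE = """\
From: Acme Supplies <billing@acmesupplies.example>
Reply-To: billing@acmesupplies-billing.example
Subject: Invoice 4471 - updated bank details
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

Please note we have updated our bank account. Remit payment for invoice 4471
to the new details attached.
"""

BENIGN = """\
From: Bob Smith <bob.smith@example.com>
Subject: Lunch on Friday
Authentication-Results: mx.example.com; dmarc=pass

Are we still on for the team lunch on Friday? Let me know.
"""

if __name__ == "__main__":
    for label, raw in (("CEO fraud", CEO_FRAUD), ("vendor", VENDOR_COMPROMISE), ("benign", BENIGN)):
        print(label, score_message(raw))
```

The vendor-compromise sample is the instructive one: it passes SPF, DKIM, and DMARC because the mail really does come from the vendor's account, so only the Reply-To redirection and the bank-change wording give it away. That is the case where the out-of-band verification step described above, rather than any mail filter, is the control that actually stops the loss.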