Business email compromise

What is business email compromise?

A business email compromise is a type of phishing attack that tricks unsuspecting executives or employees into transferring funds to fraudulent accounts.

What is business email compromise (BEC)?

A BEC scam is a form of cyberattack in which financially motivated bad actors trick unsuspecting executives and employees into sending money or sensitive data to fraudulent accounts. Attackers accomplish this using a variety of phishing techniques that manipulate users into transferring money or data.

The following examples will help you understand what business email compromise is and how it works.

A criminal sends an email that appears to come from a legitimate source, such as:

  • A regular supplier, requesting a rush order payment to a different bank account
  • The IT department, instructing employees to click a link and enter their login credentials to update their security settings
  • The CEO, requesting an urgent wire transfer to a new overseas account for a confidential investment opportunity

Business email compromise, formerly called man-in-the-email attacks, is notoriously difficult to prevent. Rather than employ malware, perpetrators rely on social engineering techniques and impersonation to trick victims into acting on the attacker's behalf. Traditional threat detection solutions that analyze email headers, links, and metadata often miss these attack strategies. That's why advanced email security solutions with integrated threat defense features are needed.

What is the difference between phishing and BEC?

Phishing is a broader category of cyberattacks in which cybercriminals use deceptive emails, messages, or websites to trick individuals into revealing sensitive information, such as login credentials or credit card numbers.

BEC is a targeted and specialized form of phishing. In BEC attacks, attackers often use spear phishing techniques to target specific individuals, impersonating a company’s high-level executives, partners, or suppliers to manipulate employees into making financial transactions, like wire transfers or sharing sensitive company data.

Both phishing and BEC attacks trick targets to steal money or data, but BEC attacks specifically exploit trust and authority within an organization, often causing significant financial loss for the company.

Whom do BEC attacks typically target?

BEC attackers carefully select their targets based on their roles and access within the organization to maximize their chances of success. They typically target employees within organizations who have access to financial resources or sensitive data. This includes:

  • High-ranking executives, such as CEOs or CFOs
  • Finance and accounting personnel
  • Human resources and payroll
  • Procurement and purchasing teams
  • IT and system administrators
  • Suppliers, vendors, and partners
  • Employees with access to sensitive data

Fig: New types of targeted email attacks utilize techniques that get past legacy email security controls

How common is business email compromise?

Business email compromise is on the rise. Deceptively simple, these low-tech scams are carried out through one of today's most relied-upon forms of business communication: email, your top threat vector. These attacks require minimal resources and technical skill but can lead to significant losses, making them a favored strategy among cybercriminals. According to the Cisco Secure Email Buyer's Guide, in 2021 wire-transfer BEC scams demanded an average of US$75,000. Read our guide to better understand the risk that everyday email poses to your organization, and what you need from email security to protect what matters.


Why are BEC attacks so effective?

BEC attacks are highly effective because they exploit our weaknesses as humans, such as our tendency to trust authority, act impulsively, and respond emotionally to urgent requests. Moreover, BEC attacks are becoming increasingly easy to perpetrate, with the information, tools, and resources necessary to launch a successful attack readily available on the dark web. For attackers, BEC represents a relatively low-risk, high-reward endeavor, as bulk email addresses are inexpensive to obtain and messages are virtually free to send.

Fig: How a typical BEC attack works

A typical BEC attack progresses through four stages:

  • Research: Attackers identify and profile high-level targets.
  • Preparation: Attackers set up fake domains, create convincing emails, or hijack legitimate accounts.
  • Attack: Victims receive authoritative, urgent emails tricking them into sending money or data.
  • Dissemination: Stolen funds are quickly spread to multiple accounts for concealment.


BEC scams typically target high-level executives or employees entrusted with the organization's payment authorizations. Over weeks, or sometimes only days, attackers perform deep reconnaissance, meticulously gathering contact information from online platforms, social networks, and the dark web. They construct a detailed profile of their target corporation, then narrow their focus to specific individuals within the organization. Often, these targets are CEOs, legal professionals, or accounts payable employees.


Unlike the spray-and-pray strategy typical of mass phishing campaigns, BEC scams appear to be highly credible and authentic and target specific individuals. To prepare for the attack, scammers forge email addresses, create domains that mimic genuine ones, or even take over the legitimate email accounts of a victim's superior.
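The forged addresses and mimicked domains described above leave traces in the message headers. The following is an added example, not code from the original page or from any Cisco product; the trusted domain, executive name, flag names, and sample messages are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions for this sketch: the organisation's own domain and its
# executives' display names are known. Both values are constructed.
TRUSTED_DOMAINS = {"example.com"}
EXEC_NAMES = {"dana reyes"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot domains one or two edits from a trusted one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_flags(raw: str) -> list[str]:
    """Return impersonation indicators found in the From and Reply-To headers."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain not in TRUSTED_DOMAINS:
        # A domain that is close to, but not equal to, a trusted one.
        if any(0 < edit_distance(domain, t) <= 2 for t in TRUSTED_DOMAINS):
            flags.append("lookalike-domain")
        # An executive's display name on an address outside the organisation.
        if name.strip().lower() in EXEC_NAMES:
            flags.append("exec-name-external-address")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-mismatch")  # replies diverted to another domain
    return flags

# Constructed sample messages.
LOOKALIKE = "From: Dana Reyes <dana.reyes@examp1e.com>\nSubject: Wire today\n\nbody"
FORGED_FROM = ("From: Dana Reyes <dana.reyes@example.com>\n"
               "Reply-To: dana.reyes.ceo@mail.example.net\nSubject: Quick task\n\nbody")
CLEAN = "From: Dana Reyes <dana.reyes@example.com>\nSubject: Agenda\n\nbody"

if __name__ == "__main__":
    for sample in (LOOKALIKE, FORGED_FROM, CLEAN):
        print(sender_flags(sample))
```

A message sent from a hijacked legitimate account passes all three checks, so header inspection does not cover the account-takeover case.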


The execution of a BEC attack may involve a single email or a series of emails, depending on the technique's efficiency. These interactions typically leverage elements of influence, insistence, and legitimacy to convince the victim. Indicators of a BEC attack often include:

  • A sense of urgency
  • Authoritative pressure
  • The need to bypass normal protocols
  • Unusual payment methods
  • Changes in financial arrangements

Once the attacker has the victim's trust or agreement, the criminal receives the requested data or issues wiring directions, guiding the victim to transfer funds into a fraudulent account.


After the funds are transferred to the attacker's account, they are swiftly distributed among several accounts to minimize the chances of tracking and recovery.

Quick reaction times are essential in numerous cybersecurity events, BEC attacks included. If there's a delay in recognizing a successful BEC exploit, the likelihood of retrieving the stolen funds significantly diminishes.

Common types of BEC attacks

There are 10 common types of threats related to BEC attacks, including:

Email account compromise: This is a common type of BEC scam in which an employee's email account is hacked and used to request payments from vendors. The money is then sent to attacker-controlled bank accounts.

Employee impersonation: This type of BEC takes the form of an email scam, in which a bad actor impersonates a trusted internal employee or vendor to steal money or sensitive information through email.

VIP impersonation: This type of attack occurs when a malicious actor sends an email to an unsuspecting victim, using a compromised email of a legitimate company, individual or VIP, asking for payment or funds transfer.

External payment fraud: An attacker impersonating a trusted vendor emails an unsuspecting victim with invoice payment requests. It is also known as Vendor Email Compromise (VEC).

Internal payment fraud: Using stolen credentials, an attacker can gain access to internal payment systems such as payment platforms and set up fraudulent vendors, change payment recipients, or redirect payments to their accounts.

Payroll diversion fraud: Using stolen email credentials, an attacker emails an organization's payroll or finance department requesting a change to direct-deposit information.

Social engineering: Persuasion through psychology is used to gain a target's trust, causing them to lower their guard and take unsafe action such as divulging personal information.

Extortion: Threatening or intimidating action is used to obtain monetary or other financial gain. This is commonly used in vishing scams.

Malicious recon emails: This looks like legitimate email communication but is actually an email sent by an attacker with the purpose of eliciting a response prior to extracting sensitive user or organizational data.

Credential phishing: A bad actor steals login credentials by posing as a legitimate entity using emails and fake login pages. The bad actor then uses the victim's stolen credentials to carry out a secondary attack or extract data.

How to spot common BEC scams

BEC attacks rely on social engineering tactics and require minimal tools, making them straightforward yet effective. This simplicity and reproducibility make BEC appealing to cybercriminals. Below are five prevalent BEC scam methods that your team needs to recognize and guard against:

Exploiting trusted relationships

Attackers tactically use pre-existing trust to push victims towards immediate action on email directives. The requests may appear routine or urgent and are highly convincing, such as vendors requesting payment, employees changing direct deposit accounts, or executives seeking Amazon gift cards for clients.

Mimicking routine workflows

Employees receive countless automated business emails every day, prompting them to execute routine processes. Accustomed to these patterns, employees often respond to them as if on autopilot. BEC scams cunningly mimic these routines, prompting staff to act reflexively without suspicion.

Suspicious email attachments

While typical email threats often involve malicious attachments, BEC scams opt for a subtler approach. They avoid malware to create an illusion of authenticity. Instead, emails can include attachments like forged invoices, financial statements, contracts, or other fraudulent documents to convince the recipient of the legitimacy of their request.

Urgent and familiar content

BEC strategies frequently use subject lines showing urgency or a personal touch to prompt immediate action. Examples of these terms are:

  • Urgent request
  • Payment overdue
  • Hello, First Name
  • Confidential
  • Immediate action required
  • Final notice

The email body mirrors this deceptive approach, using calculated phrasing to convince the victim to act. Rather than embedding malicious links, BEC attackers weaponize persuasive language to enhance the credibility of their scams. Emerging trends in BEC schemes leverage artificial intelligence (AI) to craft highly convincing messages that closely mimic legitimate communication styles, making the scam harder to detect.
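The subject-line terms above and the indicator list given earlier (urgency, authoritative pressure, bypassing protocols, unusual payment methods, changes in financial arrangements) can be combined into a simple triage rule. This is an added example, not part of the original page; the regular expressions, the co-occurrence rule, and the sample messages are assumptions constructed for illustration.

```python
import re

# Categories come from the article's indicator list; the patterns are
# assumptions for this sketch and would need tuning on real mail.
INDICATORS = {
    "urgency": r"\b(urgent|immediately|immediate action|asap|overdue|final notice)\b",
    "authority": r"\b(ceo|cfo|on behalf of|i need you to)\b",
    "bypass-process": r"\b(confidential|keep this between us|do not (call|discuss))\b",
    "unusual-payment": r"\b(gift cards?|wire transfer|crypto(currency)?)\b",
    "financial-change": r"\b(new (bank )?account|updated? (bank|banking|payment) details|direct[- ]deposit)\b",
}
COMPILED = {name: re.compile(rx, re.IGNORECASE) for name, rx in INDICATORS.items()}
PRESSURE = {"urgency", "authority", "bypass-process"}
MONEY = {"unusual-payment", "financial-change"}

def bec_indicators(subject: str, body: str) -> set[str]:
    """Return the indicator categories present in the subject or body."""
    text = f"{subject}\n{body}"
    return {name for name, rx in COMPILED.items() if rx.search(text)}

def triage(subject: str, body: str) -> tuple[str, set[str]]:
    """Hold a message only when a money request co-occurs with at least two
    pressure tactics; a single term such as 'urgent' is common in normal mail."""
    hits = bec_indicators(subject, body)
    risky = bool(hits & MONEY) and len(hits & PRESSURE) >= 2
    return ("verify-out-of-band" if risky else "deliver"), hits

# Constructed sample messages.
SUSPECT = ("Urgent request",
           "I need you to process a wire transfer to a new account. "
           "Keep this confidential until the deal closes.")
ROUTINE = ("Payment overdue",
           "Invoice 1042 is 30 days overdue. Please pay through the usual portal.")
BENIGN = ("Agenda for Thursday", "Attached is the agenda.")

if __name__ == "__main__":
    for subject, body in (SUSPECT, ROUTINE, BENIGN):
        print(triage(subject, body))
```

Keyword rules like these only prioritize messages for a call-back or second approval; AI-written messages that avoid the stock phrases will not match them.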

Leveraging free software

Scammers often turn to free online tools and services to make their BEC attacks seem real and to avoid security filters. For example, they often:

  • Send fraudulent emails with Mailchimp, allowing attackers to bypass some email server restrictions
  • Create phishing sites with Google Sites or Weebly
  • Steal sensitive information using SurveyMonkey or Google Forms
  • Host malicious content on storage sites like Dropbox, Box, or Google Drive

How to protect your business from BEC

BEC phishing scams are becoming increasingly difficult to detect, but a multifaceted approach using best practices and security technologies can help minimize the frequency and impact of BEC attacks. Here's how you can fortify your defenses:

Enforce MFA on your accounts and workflows

Securing sensitive company data in today's threat landscape requires more than just a strong password. Multi-Factor Authentication (MFA) is no longer optional—it's a necessity. This secure access tool requires two or more verification factors, such as a fingerprint or token, to access resources. Adding an extra layer of verification can help keep out attackers who are armed with only a password.

To defend against BEC scams targeting critical employees, enforce MFA across your entire organization, especially for roles like senior executives, financial approvers, system administrators, and human resources personnel.

Invest in advanced email security solutions

The growing prevalence of hybrid work often means relying more on digital communication, making email security more vital than ever. While email platforms offer fundamental, built-in protections, these measures aren't foolproof.

To defend against BEC, phishing, and malware attacks, look for a comprehensive email security solution like Cisco Secure Email Threat Defense that delivers:

  • Global threat intelligence with real-time updates for proactive defense against emerging threats
  • Forged email detection that blocks customized attacks exploiting executive accounts
  • Advanced spam and phishing protection with a high accuracy rate in filtering harmful emails
  • URL scanning and filtering to protect users from malicious links
  • Domain-based message authentication, reporting, and conformance (DMARC) automated email authentication, which shields your company’s email domains from impersonation and potential abuse
  • Dynamic malware defense tools with continuous threat analysis, file sandboxing, and automatic breach remediation
  • Data loss prevention (DLP), complying with regulations to safeguard sensitive outbound information
  • User-behavior training modules with threat simulations and education on best practices
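DMARC, named in the list above, protects a domain from being spoofed only when the published policy is an enforcing one. This added example (not from the original page or any Cisco product) audits the text of a DMARC TXT record; the finding names and sample records are constructed assumptions.

```python
ENFORCING = ("quarantine", "reject")

def parse_dmarc(record: str) -> dict[str, str]:
    """Split a DMARC TXT record into tag=value pairs (tag names lower-cased)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record: str) -> list[str]:
    """Return the reasons a record gives weaker protection than p=reject at 100%."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not-a-dmarc-record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ENFORCING:
        findings.append("policy-not-enforcing")      # p=none only monitors
    # Subdomains inherit p unless sp overrides it.
    if tags.get("sp", policy).lower() not in ENFORCING:
        findings.append("subdomains-not-enforcing")
    pct = tags.get("pct", "100")                     # default is 100
    if not pct.isdigit() or int(pct) < 100:
        findings.append("partial-enforcement")
    if "rua" not in tags:
        findings.append("no-aggregate-reports")      # no visibility into failures
    return findings

# Constructed sample records.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
HALF_ENFORCED = "v=DMARC1; p=reject; sp=none; pct=25"
ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for rec in (MONITOR_ONLY, HALF_ENFORCED, ENFORCED):
        print(rec, "->", dmarc_findings(rec))
```

Even a fully enforced policy covers only the exact domain it is published for; it does nothing against lookalike domains registered by an attacker.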

Empower employees with continuous security education

BEC attackers exploit busy routines, relying on employees overlooking deceptive emails during their busy workday. Though challenging, it's crucial to cultivate a culture of security mindfulness across all levels of your organization.

Train employees to look for these signs of a business email compromise scheme:

  • Deadlines emailed at short notice that involve sending money or sensitive data
  • Unusual purchase requests, even when they come from senior officials or trusted colleagues
  • Emails from employees sharing new direct deposit details
  • Requests to keep information confidential or bypass normal communication channels
  • Requests for wire transfers that must be completed hastily or without proper authorization
  • Misspellings, grammar, or language that is unusual for the sender
  • Something that feels "off" or doesn't look right

Employees should trust their instincts and not be afraid to investigate. When in doubt, they should call the sender or send a separate email rather than replying to the one sent.

BEC fraud thrives on superficiality and haste. To stay ahead, foster a thoughtful, security-conscious culture and arm your staff with up-to-date knowledge and resources.

Establish escalation protocols and promote open communication

In the fight against BEC, quick, organized responses to threats are vital. Set clear escalation protocols so employees can immediately report unusual activities, helping to stop BEC attempts in their tracks. This structured approach is essential but works best when paired with an open company culture.

Encourage a workspace where everyone feels responsible for security and is comfortable raising suspicions, even if they're unsure. This open dialogue often catches inconsistencies that formal procedures might miss.

To reinforce this approach, encourage team members to:

  • Speak up if something seems even slightly amiss, knowing it's better to be safe than sorry.
  • Share insights or reservations about requests that deviate from the norm, as these could be invaluable in recognizing new scamming tactics.
  • Understand that vigilance and questioning are signs of proactivity and responsibility, not distrust or paranoia.

Business email compromise attacks exploit human trust to steal data and millions of dollars from organizations. Though strong email protection is the first line of defense against BEC phishing, an educated, empowered, and confident workforce is crucial to identifying and stopping these attacks.