Business Email Compromise (BEC) occurs when an attacker gains access to a company email account, or spoofs one that looks legitimate, and uses the account holder’s identity to commit fraud against the company or its partners. BEC attacks target commercial, government and non-profit organizations alike and can lead to large-scale data loss, security breaches and the loss of financial assets. It is a common misconception that cybercriminals focus on multinationals and enterprise-level organizations; small and medium-sized businesses are just as much a target for email fraud as the larger industry players. The attack works because mail from the victim’s own account, or from what looks like a trusted counterpart, is taken at face value. BEC is therefore also described as an impersonation attack: the attacker poses as someone the target implicitly trusts, such as the CEO or CFO, a business partner or a supplier, in order to defraud the company.
An attacker will frequently register a domain and set up an account whose address is nearly identical to one used on the company network, using typosquatting (e.g., amaz0n.com instead of amazon.com) or other lookalike domains. BEC has also been called a “man-in-the-email attack.” Even basic BEC attacks are hard to detect: the message may appear to come from a legitimate company address, and many BEC emails carry no malicious link or attachment at all. The payload is the request itself, which leaves URL and attachment filters nothing to act on.
It’s hardly surprising that the FBI has described Business Email Compromise (BEC) as a “$26 billion scam,” given an average cost to businesses of $5.01 million per breach, and the threat is only growing. BEC attacks target employees using either fictitious or compromised legitimate business email addresses. BEC scammers took in over $1.8 billion in 2020, more than any other category of cybercrime reported to the FBI, with the US the most heavily affected country. BEC is estimated to affect more than 70% of organizations worldwide and causes billions of dollars in losses every year.
Key Takeaways
- Business Email Compromise (BEC) is a sophisticated impersonation attack targeting organizations of all sizes, aiming to defraud through deceptive emails posing as trusted entities.
- BEC relies heavily on social engineering, using tactics like CEO fraud, fake invoices, and lookalike domains to manipulate employees into transferring funds or divulging sensitive data.
- Implementing and enforcing DMARC (with SPF and DKIM) to a policy of `p=reject` is crucial for preventing domain spoofing and blocking unauthorized emails.
- A multi-layered defense strategy, including employee training, strict payment verification protocols, MFA, and vigilance against typosquatting, is essential.
- Leveraging additional email security protocols like MTA-STS for TLS encryption and BIMI for brand recognition can further enhance protection and trust.
What is Business Email Compromise and how does it work?
In a BEC attack, the threat actors pose as employees or trusted partners. They persuade the victim to take an action, such as granting access to confidential information or sending money, using social engineering techniques like phishing, CEO fraud, fake invoices and email spoofing. Threat actors continue to succeed despite growing awareness of business email compromise. For example, the Russian cyber gang Cosmic Lynx has run numerous sophisticated BEC campaigns using well-written phishing emails that are difficult to distinguish from genuine correspondence. Cybercriminals also exploit trends like remote work, sending fraudulent emails that impersonate popular tools like Zoom to steal login credentials.
According to Abnormal Security, BEC attacks against its customers rose by 84% between the first and second halves of 2021, reaching a rate of 0.82 attacks per thousand mailboxes in the second half of the year. Threat actors typically move through the following stages to execute a BEC scam:
- Email List Targeting: Malicious actors gather target emails from LinkedIn, databases, or websites.
- Launch Attack: They send emails using spoofed or lookalike domains and fake sender names.
- Social Engineering: Attackers impersonate trusted officials, creating urgency to solicit money transfers or data sharing.
- Financial Gains: The final stage where the financial theft or data breach occurs.
What are the Major Types of Business Email Compromise Attacks?
Major types of BEC scams, and of the email fraud that accompanies them, include:
Fake Charities
One common variant involves emails from fake charities that claim to be raising money for a worthy cause. Besides soliciting donations, these emails often carry attachments containing malware designed to infect the recipient’s computer.
Travel Problems
Another common scam involves emails from fake travel agencies claiming there has been a problem with your flight or hotel reservation, usually because a booking was cancelled at the last minute. The email asks you to update your booking details by opening an attachment or clicking a link in the message. If you do, you may inadvertently install malware or give the attackers access to sensitive data stored on your device.
Tax Threats
In this variant, an email posing as a government agency threatens legal or official action unless the victim pays. These scams often include fake invoices or tax notices and demand payment to avoid the supposed legal consequences.
Attorney Impersonation
These emails claim to come from an attorney who needs your help with a legal matter, such as a client who has been arrested or a debt that must be collected. The scammer then asks for personal information or an urgent payment so that they can “help” resolve the matter.
The Bogus Invoice Scheme
In this scam, an attacker posing as a known supplier, or using the supplier’s compromised account, sends an invoice, usually for a significant amount, for goods or services the recipient never received, or a genuine invoice with altered bank details. The victim is asked to wire payment to an account the attacker controls.
Data Theft
This scam involves stealing sensitive data from your company and selling it to competitors or other interested parties. The thieves may also threaten to publish the data unless you comply with their demands, and stolen employee or partner information is frequently used to make a subsequent payment fraud more convincing.
How Do BEC Attacks Work?
Here’s how BEC attacks work:
- Spoofed email account or website – The attacker spoofs an email address or website that appears legitimate, sometimes using typosquatting or lookalike domains. From this account they send one or more phishing emails asking for financial information, such as bank account numbers and PINs, or requesting fund transfers. Email authentication protocols like DMARC, SPF and DKIM prevent attackers from spoofing your exact domain in this way.
- Spear Phishing emails – Spear Phishing emails are highly targeted emails sent directly to specific employees, often those in finance or HR. They’re often disguised as internal communications from someone within the company (i.e., an executive), containing subject lines such as “urgent wire transfer” or “urgent invoice” that request sensitive data or immediate action.
- Using malware – Attackers can install malicious software (malware) on a victim’s computer, often via malicious links or attachments in phishing emails. They use malware to track activity, capture keystrokes (keyloggers), take screenshots, or gain persistent access to the system and network.
How to Prevent Business Email Compromise?
A successful BEC attack might cost a business a lot of money and cause significant harm. However, you can prevent these attacks by following a few simple steps, such as:
1. Protect Your Domain with DMARC, SPF, and DKIM
Email authentication protocols like Domain-based Message Authentication, Reporting and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) are essential. SPF allows you to specify which mail servers are authorized to send email for your domain. DKIM adds a digital signature to emails, allowing receivers to verify that the email hasn’t been tampered with.
DMARC builds on SPF and DKIM. Using DMARC, an organization can identify which sources are sending email on behalf of its domain through sender verification and domain alignment, and gains visibility into its email channels through the protocol’s reporting. DMARC allows domain owners to specify how receivers should handle emails that fail SPF or DKIM checks.
To effectively prevent BEC, you need to implement DMARC with an enforcement policy. The policies are:
- p=none: Monitors email traffic and delivers reports without affecting delivery. Gives visibility but no protection against spoofing.
- p=quarantine: Instructs receivers to treat failing mail as suspicious, typically by sending it to the recipient’s spam or junk folder.
- p=reject: Instructs receivers to refuse mail that fails authentication checks entirely. This is the recommended policy for maximum BEC protection.
Implementing DMARC requires publishing correctly formatted SPF, DKIM, and DMARC records in your DNS. A recommended DMARC record for enforcement might look like: v=DMARC1; p=reject; rua=mailto:aggregate@yourdomain.com; ruf=mailto:forensic@yourdomain.com; fo=1;
This policy rejects failing emails and sends aggregate (rua) and forensic (ruf) reports to the specified addresses for monitoring; note that only a minority of receivers send forensic reports, and those that do may include message contents, so route them to a mailbox with appropriate access controls. Deploy enforcement in stages: start at p=none to inventory every legitimate sender, fix SPF and DKIM alignment for each, then move through p=quarantine to p=reject (the pct tag lets you ramp up gradually). Only an enforcement policy effectively minimizes exact-domain spoofing by keeping forged mail out of recipients’ inboxes. Be clear about the scope, though: DMARC protects your own domain from being used in outbound phishing and spoofing; it does nothing against lookalike domains, which the attacker controls and can authenticate perfectly, or against mail sent from a compromised legitimate account, so it is one layer among several, alongside the anti-spam and anti-phishing filters that protect against inbound phishing.
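As an added illustration, not code from the original article, the following Python walks through the receiver-side DMARC logic described above: look up the RFC5322.From domain’s record, test SPF and DKIM identifier alignment under the published aspf/adkim mode, and apply p (or sp for subdomains) to anything that fails. The DNS table, domains and sample messages are constructed for the example, and the organizational-domain function is a deliberate simplification (real implementations consult the Public Suffix List).

```python
"""Receiver-side DMARC evaluation (RFC 7489 logic) against a constructed DNS table."""

# Constructed stand-in for DNS. example.com publishes p=reject with sp=quarantine
# for subdomains; the lookalike domain exarnple.com publishes nothing.
FAKE_DNS = {
    "_dmarc.example.com": (
        "v=DMARC1; p=reject; sp=quarantine; adkim=r; aspf=r; "
        "rua=mailto:aggregate@example.com"
    ),
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into tags, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r"}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError(f"malformed DMARC record: {record!r}")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, approximated as the last two labels.
    Production code must consult the Public Suffix List (think co.uk)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Identifier alignment: 's' needs an exact match, 'r' the same org domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def lookup_policy(dns: dict, from_domain: str):
    """Exact From domain first, then its org domain.
    Returns (tags, is_subdomain); (None, False) when no record exists."""
    record = dns.get(f"_dmarc.{from_domain.lower()}")
    if record:
        return parse_dmarc(record), False
    record = dns.get(f"_dmarc.{org_domain(from_domain)}")
    if record:
        return parse_dmarc(record), True
    return None, False


def dmarc_disposition(dns: dict, msg: dict) -> str:
    """Return 'pass', the policy to apply ('none'/'quarantine'/'reject'),
    or 'no-policy' when the From domain has no DMARC record at all.

    `msg` carries the RFC5322.From domain plus the SPF and DKIM results a
    receiver has already computed: the authenticated domain and pass/fail.
    """
    tags, is_sub = lookup_policy(dns, msg["from_domain"])
    if tags is None:
        return "no-policy"  # lookalike and typosquatted domains land here
    spf_ok = msg.get("spf_pass", False) and aligned(
        msg["spf_domain"], msg["from_domain"], tags["aspf"])
    dkim_ok = msg.get("dkim_pass", False) and aligned(
        msg["dkim_domain"], msg["from_domain"], tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    if is_sub and "sp" in tags:
        return tags["sp"]
    return tags["p"]


# Constructed messages, already reduced to the identifiers DMARC cares about.
SAMPLES = {
    "legit":           {"from_domain": "example.com", "spf_domain": "bounce.example.com",
                        "spf_pass": True, "dkim_domain": "example.com", "dkim_pass": True},
    "exact_spoof":     {"from_domain": "example.com", "spf_domain": "mail.attacker.net",
                        "spf_pass": True, "dkim_pass": False},
    "subdomain_spoof": {"from_domain": "hr.example.com", "spf_domain": "mail.attacker.net",
                        "spf_pass": True, "dkim_pass": False},
    "lookalike":       {"from_domain": "exarnple.com", "spf_domain": "exarnple.com",
                        "spf_pass": True, "dkim_pass": False},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(f"{name:16} -> {dmarc_disposition(FAKE_DNS, msg)}")
```

The last sample is the important one: the lookalike domain passes SPF for itself and has no DMARC record to fail, so the receiver has no policy to apply. That is exactly the gap the typosquatting and employee-training controls below are meant to close.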
Regular monitoring via DMARC reports (aggregate and forensic) is crucial to track email flow, identify legitimate senders that still fail authentication, and spot impersonation attempts against your domain before and after you move to enforcement.
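Aggregate reports arrive as XML in the RFC 7489 format, one per receiving organization per day. The following added example (not from the original article) parses a constructed report with the Python standard library and pulls out the sources that neither aligned SPF nor aligned DKIM covered; the reporter name, IP addresses and counts are made up.

```python
"""Parse a DMARC aggregate (rua) report and list the sources the policy acted on."""
import xml.etree.ElementTree as ET

# Constructed report in the RFC 7489 Appendix C format. Real reports arrive as
# gzip/zip attachments from each receiver; unzip before parsing, and prefer
# defusedxml for XML you did not produce yourself.
SAMPLE_REPORT = """<?xml version="1.0" encoding="UTF-8"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-0001</report_id>
    <date_range><begin>1700000000</begin><end>1700086399</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>example.com</domain>
    <adkim>r</adkim><aspf>r</aspf>
    <p>reject</p><sp>quarantine</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>192.0.2.10</source_ip><count>120</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>example.com</domain><result>pass</result></dkim>
      <spf><domain>example.com</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip><count>35</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <spf><domain>attacker.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.25</source_ip><count>12</count>
      <policy_evaluated><disposition>reject</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>example.com</header_from></identifiers>
    <auth_results>
      <dkim><domain>mailer.example.net</domain><result>pass</result></dkim>
      <spf><domain>mailer.example.net</domain><result>pass</result></spf>
    </auth_results>
  </record>
</feedback>
"""


def parse_aggregate_report(xml_text: str) -> dict:
    """Flatten a report into its published policy plus one dict per <record>."""
    root = ET.fromstring(xml_text)
    published = {child.tag: child.text for child in root.find("policy_published")}
    rows = []
    for rec in root.findall("record"):
        row = rec.find("row")
        evaluated = rec.find("row/policy_evaluated")
        auth = rec.find("auth_results")
        rows.append({
            "source_ip": row.findtext("source_ip"),
            "count": int(row.findtext("count")),
            "disposition": evaluated.findtext("disposition"),
            # These two are the *aligned* results the receiver used for DMARC.
            "dkim": evaluated.findtext("dkim"),
            "spf": evaluated.findtext("spf"),
            "header_from": rec.findtext("identifiers/header_from"),
            # Raw authentication results show *which* domain actually passed.
            "dkim_domains": [d.findtext("domain") for d in auth.findall("dkim")],
            "spf_domain": auth.findtext("spf/domain"),
        })
    return {"reporter": root.findtext("report_metadata/org_name"),
            "published": published, "rows": rows}


def failing_sources(report: dict) -> list:
    """Rows where neither aligned SPF nor aligned DKIM passed, largest first.
    A passing raw result on a foreign domain (spf_domain / dkim_domains) means
    an unaligned sender: either a spoofer, or your own third-party mailer that
    still needs SPF/DKIM alignment fixed before p=reject silently drops it."""
    fails = [r for r in report["rows"] if r["dkim"] != "pass" and r["spf"] != "pass"]
    return sorted(fails, key=lambda r: r["count"], reverse=True)


if __name__ == "__main__":
    rep = parse_aggregate_report(SAMPLE_REPORT)
    print(f"{rep['reporter']} published p={rep['published']['p']}")
    for r in failing_sources(rep):
        print(f"{r['source_ip']:15} count={r['count']:4} disposition={r['disposition']} "
              f"spf_domain={r['spf_domain']} dkim_domains={r['dkim_domains']}")
```

The two failing rows look identical at the policy_evaluated level, but the raw auth_results tell them apart: 198.51.100.7 passed SPF only for attacker.net and is a spoofer being correctly rejected, whereas 203.0.113.25 signs as mailer.example.net and is the pattern of a legitimate third-party sender whose DKIM d= domain needs to be brought into alignment.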
2. Anti-Phishing Protections
Use anti-phishing software and email security gateways that scan incoming emails for malicious links, attachments, and signs of social engineering to block threats before they reach users.
3. Separation of Duties & Payment Protocols
Ensure that critical functions, especially financial transactions like wire transfers, are not performed by one person alone. Develop strict protocols for payment approvals, requiring multiple authorizations and secondary confirmation (e.g., phone call or in-person verification) for requests, especially urgent ones or those involving changes to payment details.
4. Labeling External Emails
Configure your email system to clearly label emails originating from outside your organization. This helps employees quickly identify potentially suspicious messages that try to impersonate internal senders.
5. Carefully Examine Email Addresses and Details
Train employees to examine the sender’s address carefully for subtle differences, typosquatting or lookalike domains, and to check whether the ‘Reply-To’ domain matches the ‘From’ domain, since attackers often send from a plausible address but route replies elsewhere. Be especially wary of emails that demand urgency or secrecy, or that pair an executive’s name with an address outside the company.
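The same checks can be automated at the gateway or in a mail-flow rule. The following Python is an added example, not code from the original article, and runs the three checks just described (lookalike From domain, Reply-To domain mismatch, executive display name arriving from outside) over constructed messages. The organization’s domain, the trusted vendor list, the executive names and the homoglyph table are all assumptions for the example; the Levenshtein distance catches one-character typosquats and the homoglyph normalization catches rn/m and 0/o style swaps.

```python
"""Header checks for BEC impersonation: lookalike domains, Reply-To mismatch,
executive display names arriving from outside the organization."""
import email
from email.utils import parseaddr

OWN_DOMAIN = "example.com"                        # assumed: the organization's domain
TRUSTED_DOMAINS = {"example.com", "amazon.com"}   # assumed: own domain plus a key vendor
EXECUTIVES = {"jane doe", "john roe"}             # assumed: names worth impersonating

# Character swaps attackers use to fake a domain; applied to the suspect only.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Undo common homoglyph substitutions so exarnple.com reads as example.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, for one-character typosquats (examplle.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain `domain` imitates, or None if exact or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in sorted(trusted):
        if normalize(domain) == t or edit_distance(domain, t) <= 1:
            return t
    return None


def domain_of(header_value) -> str:
    """Domain part of the first address in a header; '' if the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def analyze(raw_message: str) -> list:
    """Return a list of findings (empty means nothing suspicious in the headers)."""
    msg = email.message_from_string(raw_message)
    display_name, _ = parseaddr(msg["From"] or "")
    from_dom = domain_of(msg["From"])
    findings = []
    if from_dom != OWN_DOMAIN:
        findings.append("external-sender")          # what an external-mail banner flags
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"lookalike-of:{target}")
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch:{reply_dom}")
    if from_dom != OWN_DOMAIN and any(name in display_name.lower() for name in EXECUTIVES):
        findings.append("exec-name-from-external")
    return findings


# Constructed messages; only the headers matter here.
SAMPLES = {
    "ceo_lookalike": "From: Jane Doe <jane.doe@exarnple.com>\nTo: cfo@example.com\n"
                     "Subject: urgent wire transfer\n\nPlease handle this today, I am in a meeting.\n",
    "replyto_hijack": "From: Accounts Payable <ap@example.com>\nReply-To: ap@example-billing.net\n"
                      "To: finance@example.com\nSubject: updated bank details\n\nSee attached.\n",
    "vendor_typosquat": "From: Amazon Business <billing@amaz0n.com>\nTo: finance@example.com\n"
                        "Subject: overdue invoice\n\nPay within 24 hours.\n",
    "benign": "From: IT Helpdesk <it@example.com>\nTo: staff@example.com\n"
              "Subject: patch window\n\nServers reboot at 02:00.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:17} {analyze(raw) or ['clean']}")
```

Note what each sample exercises: the second message comes from the real company domain, so DMARC and an external-sender banner both stay silent, and only the Reply-To comparison catches it. That is the case where a compromised or spoof-adjacent internal address is used to redirect replies to the attacker.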
6. Educate Your Employees
The best defense against BEC attacks is employee education and awareness. Employees need to be taught about the threat of BEC, how it works, common tactics (like urgency, authority impersonation), and how they can be targeted. They should understand company policies on email usage, data sharing, and financial transactions, including verification procedures. Implement simulated phishing tests to gauge awareness and identify individuals needing more training. Encourage employees to report any suspicious emails or requests immediately without fear of reprisal.
7. Enable Multi-Factor Authentication (MFA)
Implement MFA for all email accounts and other critical systems. MFA adds a layer of security beyond the password and significantly reduces the risk of account compromise even when credentials are stolen. Prefer phishing-resistant methods such as FIDO2/WebAuthn security keys where you can, since one-time codes can be relayed in real time by attacker-in-the-middle phishing kits, and consider risk-based or location-based MFA for additional protection.
8. Prohibit Automatic Email Forwarding
Disable automatic forwarding of emails to external addresses in your organization’s email system settings, and alert on newly created inbox rules. Attackers who compromise an account routinely add forwarding or rules that hide replies in order to silently monitor communications, redirect sensitive information, and keep the real account holder from noticing the fraudulent thread.
9. Implement Additional Security Protocols
Consider enhancing email security further with:
- MTA-STS (Mail Transfer Agent Strict Transport Security): Lets your domain declare that mail delivered to it must use authenticated TLS, so that a sending server refuses to fall back to cleartext or accept an invalid certificate. This protects mail in transit against eavesdropping and man-in-the-middle downgrade attacks. Use TLS-RPT (TLS Reporting) to receive reports on TLS negotiation successes and failures.
- BIMI (Brand Indicators for Message Identification): Attaches your verified brand logo to authenticated emails, increasing brand recall and helping recipients visually identify legitimate messages in supporting email clients. BIMI requires DMARC at enforcement (p=quarantine or p=reject applied to all mail).
- SPF Record Management: Ensure your SPF record stays within the limit of 10 DNS-querying mechanisms (include, a, mx, ptr, exists and redirect, counted recursively). Exceeding it produces a permerror, which means your legitimate mail fails SPF and, if DKIM is not aligned either, falls foul of your own DMARC policy. SPF flattening tools, which replace includes with their resolved IP ranges, can help keep complex records within the limit.
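The lookup limit is easy to exceed without noticing because it counts recursively through every include and redirect. The following Python is an added example, not from the original article or any vendor tool, that walks a constructed set of TXT records the way an SPF evaluator would and counts the DNS-querying terms, both for a record as published and for the same record after one include has been flattened. The zone names and address ranges are made up; the counting rules follow RFC 7208.

```python
"""Count the DNS lookups an SPF record triggers (RFC 7208 caps them at 10)."""

MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4; exceeding it is a permerror

# Constructed TXT records. The domain names and address ranges are made up;
# the shape (nested includes, a redirect, mx and a mechanisms) is the usual one.
FAKE_TXT = {
    "example.com": ("v=spf1 include:_spf.mailhost.example include:spf.crm.example "
                    "include:_spf.helpdesk.example include:servers.newsletter.example mx a -all"),
    "_spf.mailhost.example": ("v=spf1 include:_netblocks.mailhost.example "
                              "include:_netblocks2.mailhost.example "
                              "include:_netblocks3.mailhost.example ~all"),
    "_netblocks.mailhost.example": "v=spf1 ip4:192.0.2.0/24 ~all",
    "_netblocks2.mailhost.example": "v=spf1 ip6:2001:db8::/32 ~all",
    "_netblocks3.mailhost.example": "v=spf1 ip4:198.51.100.0/24 ~all",
    "spf.crm.example": "v=spf1 include:spfd.crm.example -all",
    "spfd.crm.example": "v=spf1 redirect=spfe.crm.example",
    "spfe.crm.example": "v=spf1 ip4:203.0.113.0/24 -all",
    "_spf.helpdesk.example": "v=spf1 ip4:203.0.113.128/25 ~all",
    "servers.newsletter.example": "v=spf1 ip4:192.0.2.128/25 ?all",
}

# The same zone after "flattening" the mail host's include into literal ranges.
FLATTENED_TXT = dict(FAKE_TXT)
FLATTENED_TXT["example.com"] = ("v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 ip4:198.51.100.0/24 "
                                "include:spf.crm.example include:_spf.helpdesk.example "
                                "include:servers.newsletter.example mx a -all")


def spf_lookups(domain: str, dns: dict, path: tuple = ()) -> list:
    """Ordered (mechanism, target) list of DNS-querying terms reached from
    `domain`, following include: and redirect=. ip4/ip6/all/exp cost nothing."""
    if domain in path:
        raise ValueError(f"include/redirect loop: {' -> '.join(path + (domain,))}")
    record = dns.get(domain)
    if record is None or not record.lower().startswith("v=spf1"):
        raise ValueError(f"no SPF record for {domain}")
    lookups, redirect = [], None
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")                    # qualifier does not change cost
        sep = ":" if ":" in term else "="
        mech, _, arg = term.partition(sep)
        mech = mech.split("/")[0].lower()             # a/24 -> a
        if mech in ("a", "mx", "ptr", "exists"):
            lookups.append((mech, arg.split("/")[0] if arg else domain))
        elif mech == "include":
            lookups.append(("include", arg))
            lookups.extend(spf_lookups(arg, dns, path + (domain,)))
        elif mech == "redirect":
            redirect = arg                            # evaluated after all mechanisms
    if redirect:
        lookups.append(("redirect", redirect))
        lookups.extend(spf_lookups(redirect, dns, path + (domain,)))
    return lookups


def check_spf(domain: str, dns: dict) -> dict:
    """Summarize the lookup count for `domain` against the RFC 7208 limit."""
    terms = spf_lookups(domain, dns)
    return {"domain": domain, "lookups": len(terms),
            "within_limit": len(terms) <= MAX_LOOKUPS, "terms": terms}


if __name__ == "__main__":
    for label, zone in (("as published", FAKE_TXT), ("flattened", FLATTENED_TXT)):
        result = check_spf("example.com", zone)
        status = "ok" if result["within_limit"] else "PERMERROR (too many lookups)"
        print(f"{label:13} {result['lookups']:2} lookups -> {status}")
        for mech, target in result["terms"]:
            print(f"    {mech:8} {target}")
```

Running it shows the published record at 11 lookups, one over the limit, with the mail host’s include alone responsible for four of them; flattening that single include brings the record to 7. Flattened records must be regenerated whenever the provider changes its ranges, which is why the article recommends a tool that does this continuously rather than a one-off edit.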
10. Report Fraud
If you suspect or fall victim to a BEC scam, report it immediately to the relevant authorities (like the FBI’s IC3 in the US) and your financial institutions. Reporting helps law enforcement track these crimes and potentially recover funds.
Conclusion
Business Email Compromise scams can slip past technical security controls because they rely on human trust rather than malware, often targeting key personnel such as the CEO, CFO or finance staff with a single, well-crafted email. BEC remains a genuinely insidious and prevalent attack vector, and one every organization should take seriously regardless of its size. A combination of technical controls like DMARC enforcement, robust internal payment procedures, and continuous employee education is necessary to build a strong defense.
Use the DMARC analyzer tool by PowerDMARC to ensure that your domain’s legitimate email is delivered and that no one else can send mail as your domain. When you stop spoofing, you are doing more than protecting your brand: you are implementing a crucial part of the email authentication stack, which can also include SPF, DKIM, BIMI, MTA-STS and TLS-RPT for comprehensive protection.