What is business email compromise?

Directly jumping onto the definition of what is Business Email Compromise: Business Email Compromise (BEC) occurs when a hacker gains access to a company email account and assumes the account holder’s identity to commit fraud against the company. Taking the victim’s email account is trustworthy. 

An attacker would frequently set up an account with an email address nearly identical to one on the company network. BEC has also been called a “man-in-the-email attack.”

It’s hardly surprising that the FBI has classified the Business Email Compromise (BEC) as a “$26 bilselion scam,” given the average cost to businesses of $5.01 million per breach, and the threat is only growing. Business Email Compromise (BEC) attacks target employees who use fictitious or legitimate business email addresses. Over $1.8 billion was earned by BEC scammers in 2020, more than any other form of cybercrime.

What is Business Email Compromise and how does it work?

In a BEC attack, the threat actors pose as workers or reliable partners. They persuade the victim to do an action, like granting access to confidential information or sending money. Threat actors continue to succeed despite increased knowledge of business email compromise.

The frequency of these assaults targeting Abnormal consumers increased by an impressive 84% during the first and second halves of 2021. Despite this, in the second half of 2021, the assault rate increased to 0.82 per thousand mailboxes.

What are the Major Types of Business Email Compromise Attacks?

According to the FBI, major types of BEC scams are:

Fake Charities

In BEC attacks, one of the most common forms involves sending emails from fake charities that claim to be raising money for a worthy cause. These emails often include attachments that contain malicious software designed to infect computers with viruses and other malware.

Travel Problems

Another common BEC scam involves sending emails from fake travel agencies that claim there’s been a problem with your flight or hotel reservation — usually because someone has canceled their booking at the last minute. The email will ask you to update your travel information by clicking on an attachment or link included in the message. If so, you could inadvertently install malware on your computer or allow hackers access to sensitive data stored on your device.

Tax Threats

This attack involves a government agency’s threat of legal or official action if victims do not pay money. These scams often involve fake invoices and requests for payment to avoid legal consequences.

Attorney Impersonation

These emails claim that an attorney needs your help with a legal issue — either they’ve been arrested or trying to collect money owed by someone else. In these cases, scammers ask for your personal information so they can “help” with the legal matter in question (like sending money back).

The Bogus Invoice Scheme

In this scam, a business sends an invoice to another business, usually for a significant amount. The invoice will state that the receiver owes money for services or items they haven’t received. They may be asked to wire money to pay off the bogus invoice.

Data Theft

This scam involves stealing sensitive data from your company and selling it to competitors or other interested parties. The thieves may also threaten to publish your data if you don’t comply with their demands.

How Do BEC Attacks Work?

Here’s how BEC attacks work:

  • Spoofed email account or website – The attacker will spoof an email address or website that appears legitimate. They’ll send out one or more phishing emails from this account asking for financial information, such as bank account numbers and PINs. Using DMARC can help you to prevent hackers from spoofing your domain.
  • Spear Phishing emails – Spear Phishing emails are highly targeted emails sent directly to an employee at their place of work. They’re often disguised as internal communications from someone within the company (i.e., an executive), containing subject lines such as “urgent wire transfer” or “urgent invoice” that request sensitive data immediately.
  • Using malware – Attackers can install malicious software (malware) on a victim’s computer and use it to track their activity, capture keystrokes, or take screenshots. Keyloggers may even be installed on computer systems if the attacker has physical access to them.

What to prevent Business Email Compromise?

A successful BEC attack might cost a business a lot of money and cause significant harm. However, you can prevent these attacks by following a few simple steps, such as:

1. Protect Your Domain with DMARC

These BEC emails can be blocked by utilizing DMARC. An organization can identify which sources are sending emails on behalf of their domain through sender verification and domain alignment by using the protocol, along with enhanced visibility into their email channels. Organizations may ensure that all reliable sources are correctly validated using this information. An organization can implement a p=reject DMARC policy if all legitimate sources have been fully authenticated. 

With this policy, all malicious emails will be rejected and no longer reach the recipient’s inbox, thereby reducing the risk of business email compromise emails reaching your clients.

2. Anti-Phishing Protections

Use anti-phishing software that scans incoming emails for malicious links and attachments that could infect your network.

3. Separation of Duties

Ensure that critical functions are not performed by one person alone. This reduces the risk of an employee being coerced into performing unauthorized actions.

4. Labeling External Emails

Ensure all external emails are labeled as such or forwarded via a secure email gateway so they do not appear to be sent directly from within your organization’s network.

5. Carefully Examine the Email Address

Carefully examine the email address. If it’s from someone you know, open the email and read it. If it’s from someone you don’t know, ask why they would be contacting you. Also, check to ensure that the email subject line contains information about the email. The subject line should match what is in your inbox.

6. Educate Your Employees

The best defense against BEC attacks is employee education. Employees need to be taught about the threat of BEC, how it works, and how they can be targeted. They should also be aware of the company’s policies on business email usage and authorized email users.


Business Email Compromise scams sneak past even the most advanced security measures, and they usually ensnare an unsuspecting CEO or CFO with a single email. In the end, BEC is a genuinely insidious vector of attack that remains prevalent in the business world. And that means it’s one you should be very aware of.

Use the DMARC analyzer tool by PowerDMARC to ensure your domain’s emails are delivered and avoid sending phony ones. When you stop spoofing, you’re doing more than just protecting your brand. You’re ensuring the survival of your business.

Latest posts by Ahona Rudra (see all)