Business Email Compromise

Learn about BEC and protect your organization with resources from Cofense


Number one cybercrime for financial losses for 7 consecutive years


There are BEC victims in 177 of 195 countries around the world


BEC has resulted in over $400 billion stolen from victims globally

BEC Corner

Ronnie Tokazowski

If someone whispers the letters “B”, “E”, and “C” somewhere on the internet, chances are that Ronnie’s name comes up. Stemming from the days before APT was a buzzword, Ronnie has spent the last 6 years fighting and advocating for all things Business Email Compromise. He likes pointing to big numbers, says we need to start caring about each other to fix this problem, and can frequently be found posting memes on why the financial losses of BEC are worse than ransomware. (Aside from it being a cold fact, of course.)

Follow Ronnie on Twitter, LinkedIn and YouTube.

Real BEC Threats Secure Email Gateways Missed

Each week our analysts share a selection of real threats discovered in environments protected by Proofpoint and other SEGs. Here are some of the most recent BEC attacks we’ve found.

Business Email Compromise Overview

Business email compromise amounts to an estimated $500 billion-plus annually that’s lost to fraud. That’s billions lost to unemployment fraud. Billions lost to romance scams, real estate cons, advanced-fee fraud and dozens of other crimes affecting hundreds of thousands of victims. No single company can solve BEC, but awareness can help.


Something as simple as a “spoofed” email, where the display name in the email is modified to appear as an individual within an organization, when in reality, the return address is actually that of the attacker. The email format allows for a “display name” that doesn’t have to be related to the actual sender’s email address. This kind of format is less difficult to fraudulently use the name of a trusted individual. The message often appears to be sent from a senior staff member to someone at a lower level in the company, and the body of the email will imply a sense of urgency. Spoofing is the most common mechanism for payroll diversion attacks because it simply identifies an individual within an organization and sends an email to the payroll department asking for their bank account details to be updated.

What’s worse, suppliers and customers can be attacked using your organization’s email domain, which greatly impacts relationships, your organization’s reputation, and stakeholder trust.

Other BEC Methods

Then there’s the business email compromise where a legitimate user’s email account is compromised. Attacks can obtain user account details and then use those credentials to log into a user’s account. Sneaky attackers will sometimes set up forwarding rules to monitor a victim’s email conversations following the initial message. That gives the attacker the opportunity to step in at their leisure with urgent messages that appear authentic, making the attack even more convincing.

BEC is Big Money

These attacks pose a significant risk. According to the annual 2020 FBI Internet Crime Report, this phishing tactic has raked in nearly $2B this past year alone. But the damage caused by these attacks reaches well beyond financial losses. Fraudulent invoices, which are the most common of BEC attacks, the recipient gets what appears to be a legitimate invoice from an organization.

According to HelpNet Security, there was a 200% increase in business email compromise attacks focused on invoice or payment fraud from April to May 2020, posing an internal risk to organizations; and a reputation risk. As stated above, if a supplier or customer falls for a BEC attack that claims to come from a known organization, it can harm the established trust in the existing relationship as well.

How to Combat BEC

There are actions you can take to inform your employees to avert this threat. Educate your executive leadership team about this type of threat and discuss business email compromise with your organization at-large — especially those employees responsible for payments/payroll AND suppliers, customers, and clients. Training should include preventative strategies and reactive measures in case they are victimized. See our full checklist for details.

There is no single technology solution to BEC, rather it’s a combination of technology, process and user awareness.

What are the most common BEC scams?

In no particular order the four most common business email compromise scams include:

  • Fake invoicing, in which the hacker requests funds as a familiar supplier or service provider.

  • Wire fraud requests, in which the hacker pretender to be a senior executive handling urgent or confidential information.

  • Impersonating a lawyer, who like the wire fraud scam pretends to be handling confidential or time sensitive information.

  • Impersonating human resources, where the attacker is attempting to collect personally identifiable information (pii).

  • Knowing what to watch out for is the best defense any organization has. If something doesn’t feel right, it is always best to verify and authenticate the request before doing anything that might compromise you or your organization.

Protect Your Organization from BEC Attacks

Follow our checklist to ensure your organization stays protected.

Train employees to identify and report phishing attacks

Use secondary channels or two-factor authentication to verify requests for changes in account information.

Ensure the URL in emails is associated with the business it claims to be from.

Be alert to hyperlinks that may contain misspellings of the actual domain name.

Refrain from supplying login credentials in response to any emails.

Keep all systems updated.

Verify the email address used to send emails, especially when using a mobile device by ensuring the senders address email address appears to match who it is coming from.

Ensure the settings the employees’ computer are enabled to allow full email extensions to be viewed.

Frequently Asked Questions

What Is Business Email Compromise?

Business email compromise, often known simply as BEC or Email Account Compromise (EAC), is when threat actors use email fraud to attack commercial, government and non-profit organizations to achieve a specific outcome which negatively impacts the target organization. Basically, BEC’s goal is to deceive people into thinking they have received a legitimate business-related email and convince them into doing something they believe is necessary to help the company.

How Does Business Email Compromise (BEC) work?

Business email compromise, often referred to as BEC, employs social engineering to target a certain individual or specific employee roles in a chosen business. Attackers typically send a spoof email (or series of spoof emails) that fraudulently represent a senior colleague (CEO or similar), or a trusted customer, with instructions to approve payments or release client data.

What Makes an Email Suspicious?

Malicious email, particularly BEC, isn’t always obvious. Be on alert for formatting and punctuation that vary from you company’s norms. Often the greeting is red flag. For example, “Hi” coming from a CEO whose messages consistently open with “Hello” or another convention should raise suspicion. Be on particular alert for minor variations in the sender’s email address. BEC examples and case studies can also be instructional. Cofense offers case studies and blog reporting on the subject.

What Should a Business do to Guard Against Suspicious Email?

There are actions you can take to inform your employees to avert the threat of business email compromise. Educate your executive leadership team about this type of threat and discuss business email compromise with your organization at-large — particularly employees responsible for payments/payroll and suppliers, customers and clients. Training should include preventative strategies and reactive measures in case they’re victimized. Cofense PhishMe, simulations reflect the latest threats known to bypass standard technologies, empowering your users to become human threat detectors. Cofense Reporter simplifies reporting suspicious email with the click of a button.