Business Email Compromise

The FBI defines 5 major types of business email compromise (BEC) scam:

  • Account compromise: An employee’s email account is hacked and used to send vendors requests for payment. The payments are then directed to fraudulent bank accounts controlled by the attacker.
  • CEO fraud: The attackers pose as the company’s CEO and typically email someone in the finance department, requesting that funds be transferred to an external account.
  • Attorney impersonation: The attacker impersonates a lawyer or legal representative.

We Want To Give You A Free Cyber-Security Risk Assessment That Gives You The Answers You Want And The Certainty You Need

How do BEC attacks work?

In a BEC attack, the attacker poses as someone the recipient would normally trust, typically a boss, colleague or vendor. The sender asks the recipient to divert payroll, make a wire transfer, change the banking details used for future payments, and so on.

Business email compromise attacks are difficult to detect because they don’t use malicious URLs or malware that typical antivirus software can analyze. Instead, they rely on impersonation and social engineering to trick people into acting on the attacker’s behalf.

Because of their targeted nature and use of social engineering, manually investigating and remediating these attacks is difficult and time-consuming.

BEC scams use a variety of impersonation techniques, such as domain spoofing and lookalike domains. These attacks are effective because domain misuse is a complex problem. Stopping domain spoofing is hard enough; anticipating every potential lookalike domain is even harder. And that difficulty multiplies with every outside partner’s domain that could be imitated in a BEC attack to exploit users’ trust.
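The indicators described above (a trusted display name on an untrusted address, a lookalike sender domain, a redirected Reply-To, and payment or urgency language) can be checked mechanically even when no URL or attachment is present. The following is an added example, not code from the original page; the trusted domains, the executive directory and the sample message are constructed values for illustration, and the homoglyph table and edit-distance threshold are simple assumptions a real deployment would tune.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample data: domains this organisation trusts and the
# real addresses of executives whose names are likely to be impersonated.
TRUSTED_DOMAINS = {"example.com", "partner-supplier.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Phrases that commonly accompany a BEC payment request.
PAYMENT_WORDS = re.compile(
    r"\b(wire transfer|bank details|banking details|payroll|invoice|urgent|confidential)\b",
    re.IGNORECASE,
)


def normalize_domain(domain: str) -> str:
    """Collapse common look-alike substitutions (assumed table) so that a
    lookalike domain compares equal to the domain it imitates."""
    d = domain.lower().strip()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small distance between domains indicates a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None if it is
    itself trusted or unrelated to every trusted domain."""
    domain = domain.lower()
    if domain in trusted:
        return None
    norm = normalize_domain(domain)
    for t in trusted:
        if norm == normalize_domain(t) or edit_distance(domain, t) <= 2:
            return t
    return None


def bec_indicators(raw_message: str) -> list:
    """Parse one RFC 5322 message and return a list of human-readable BEC findings."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    findings = []

    # 1. Display name claims to be a known executive but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name '{from_name}' does not match known address {expected}")

    # 2. Sender domain imitates a trusted domain (spoof or lookalike).
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like {imitated}")

    # 3. Replies are silently redirected to a domain the sender does not control.
    if reply_addr:
        reply_domain = reply_addr.rpartition("@")[2].lower()
        if reply_domain != from_domain:
            findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Body asks for a payment, a banking change, or urgency/secrecy.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    hits = sorted({m.lower() for m in PAYMENT_WORDS.findall(text)})
    if hits:
        findings.append("payment/urgency language: " + ", ".join(hits))

    return findings


# Constructed sample message exhibiting all four indicators.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@outlook-mail.example
To: accounts@example.com
Subject: Urgent wire transfer

Please process an urgent wire transfer to our new vendor account today and
update the banking details on file. Keep this confidential until I return.
"""

if __name__ == "__main__":
    for finding in bec_indicators(SAMPLE):
        print("-", finding)
```

Each finding on its own is weak evidence (executives do travel, and partners do change mail providers), so in practice these checks feed a score or a review queue rather than an automatic block; what makes the sample message stand out is that all four fire at once.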

In EAC (email account compromise), the attacker gains control of a legitimate email account and uses it to launch similar BEC-style attacks. In these cases the attacker isn’t merely posing as someone; for all practical purposes, the attacker is that person.

Because BEC and EAC focus on human frailty rather than technical vulnerabilities, they require a people-centric defense that can prevent, detect, and respond to a wide range of BEC and EAC techniques.
