Email Security Blog

BEC Attacks: What They Are, How to Spot Them, and What to Do

Armen Najarian November 10, 2020 Business Email Compromise
woman looking at computer screen

Here we’ll cover what BEC attacks are, how they work, what they usually look like, and how to handle them.

  • What is a BEC Attack?
  • 7 Common BEC Attack Patterns
  • Top Identity Deception Techniques
  • How Can BEC Attacks be Stopped?
  • What’s the Best Way to Recover From a BEC Attack?


What is a BEC Attack?

First, let me explain what a BEC attack is. In short, Business Email Compromise phishing occurs when cybercriminals spoof or hack email accounts in order to impersonate senior executives or outside vendors in email scams designed to trick employees into wiring payments or making purchases under fraudulent pretext.

The statistics of business email compromise are troubling. The FBI estimates that these attacks have led to more than $700 million in business losses every month for the last four years. That’s more than $26 billion in losses worldwide. In 2020, BEC groups have found plenty to exploit in business disruptions caused by the coronavirus pandemic–exacerbating an already costly business challenge.

So far this year, more than 45,000 organizations in the US have been targeted in COVID 19-related email attacks. According to HelpNet Security, BEC-based invoice and payment fraud rose 155% in just 90 days from July through September.

7 Common BEC Attack Patterns

BEC groups are master manipulators who use clever social engineering ploys to throw email recipients off kilter just long enough to respond to an email request before ever thinking to confirm its legitimacy. The FBI warns businesses to be on the lookout for red flags that include:

  • Payment Fraud: Late-minute emails, often late in the day, appearing to be sent by a senior executive who’s “traveling,” or “stuck in a Zoom meeting,” and in need of help with a favor: An urgent purchase or payment to a new vendor.
  • Payroll Diversion: Attackers target HR or accounting personnel by posing as employees in emails requesting last-minute changes to direct deposit details in time for the next pay period.
  • Vendor Email Compromise: Fraudsters use stolen credentials to infiltrate corporate email accounts, spy on email conversations, and then impersonate the organization’s employees in emails requesting that payment for invoices be sent to bank accounts the imposters secretly control.
  • Gift Card Scams: Fraudsters impersonate senior managers asking admins and other employees to purchase gift cards for upcoming staff appreciation efforts. In these cons, perpetrators request the gift card number and the PIN on the back of the cards, which can then be sold in online cryptocurrency exchanges.
  • Aging Financial Accounts Scams: Here, cybercriminals assume the identity of a senior executive seeking aging accounts receivable reports from one company, and then use that information gleaned from those reports to target the company’s customers with requests that payment on legitimate, past-due invoices.
  • Transaction Diversion: Shysters infiltrate email accounts at VC firms, law offices, real estate offices, or other organizations involved in large transactions to surveil email conversations. At the most opportune moment, they send an email instructing the purchasing entity to wire funds to the thieves’ own accounts.
  • Advanced Payment Schemes: Con artists masquerading as new or existing partners or vendors suddenly request advanced payment on goods or services that not previously required.

Top Identity Deception Techniques

Recognizing incoming attacks can be very difficult, thanks to the sophisticated identity deception techniques used to fool recipients.

  • BEC phishing messages sent from Office 365 and Gmail can easily evade detection due to the reputation and ubiquity of these cloud-based platforms–leading to more than $2 billion in losses since 2014.
  • Lookalike domains can be nearly indistinguishable from legitimate domains.
  • And messages sent from pirated email accounts (sometimes called email account compromise) can be virtually impossible to detect—especially since most employee-to-employee email isn’t even scanned.

In the past, many business email compromise cases might have involved a malicious link to a phishing site or a malware-infected download, which traditional email security controls can spot a mile away.

Today, the most successful BEC attacks often leverage blended attack modalities combined with context-accurate information that most recipients would assume could only be known by the party being impersonated. This can include:

  • Sensitive intel gathered from ongoing and archived email conversations in compromised email accounts.
  • Accounts receivable reports acquired in one email attack that is then used to scam others.
  • Info from out-of-office reply emails, including key contact details and responsibilities in the person’s absence.

How Can BEC Attacks Be Stopped?

There is no one cure-all defense that organizations can deploy to eliminate the threat posed by BEC attacks. A multi-layered approach is required to outsmart these scams. Among some key steps organizations can take:

  • Tighter accounting controls: According to the FBI, stricter and more formalized accounting controls should be put in place to verify the legitimacy of payment requests and payment approvals.
  • Two Factor Authentication (2FA): Requiring 2FA to log into email accounts that can be used to reduce the likelihood fraudsters can compromise email accounts from which to lodge attacks against other employees or customers.
  • Identity-based Anti-Phishing Controls: Modern, identity-based phishing defenses capable of recognizing BEC in all its forms, including attacks launched from compromised accounts or spoofed within cloud-based email environments.
  • DMARC-based Protection: Deploying Domain-based Message Authentication, Reporting, and Conformance (DMARC) can help reduce the chances an organization’s own domains can be weaponized against them by impersonators targeting employees. Some forward-leaning companies are making this a requirement for business partnerships.
  • Phishing Awareness Training: Business email compromise training can help employees be vigilant against common BEC tactics and foster healthy skepticism about the legitimacy of requests that can signal fraud.

The goal in these and other steps is to reduce the odds BEC attacks will ever reach employee inboxes in the first place, and to address blind spots in accounting processes or internal email communications that can be usurped by those that do manage to evade early detection.

What’s the Best Way to Recover From a BEC Attack?

Cybercriminals send more than 3 million malicious emails every minute of the day. And the cold hard fact is that even with the best defenses and robust business email compromise training, it’s unrealistic to believe that at least one attack won’t hit home. That includes never-been-seen-before, “zero-day” attacks.

While many organizations enable employees to report suspect emails that do make it to their inbox, as much as 60% of employee-reported attacks are false positives, serving to bury Security Operations Center (SOC) teams with more email attacks than they can possibly handle.

As a result, Agari has developed continuous detection and response technologies to ferret out malicious emails that do manage to avoid early detection and automatically remove them from all employee inboxes at once.

Our own data shows that large organizations that deploy advanced phishing response workflows to identify the full scope of phishing threats detect and remediate an average of 90x more verified malicious emails than those reported by employees.

Organizations that ultimately fall victim to a BEC attack should immediately contact their financial institution to request a recall of funds, if it’s not too late—and report the incident to the FBI’s Internet Crime Complaint Center (IC3).

Want to learn how companies like Allergan, Comcast, Informatica and others defend themselves against BEC attacks and other advanced email threats? See for yourself with a simulated product demo for Agari Phishing Defense™.

Laptop with multiple paddle locks with key holes

May 27, 2022 John Wilson

SMTPS: Securing SMTP and the Differences Between SSL, TLS, and the Ports They Use

What is the difference between SMTPS and SMTP? SMTPS uses additional SSL or TLS cryptographic protocols…

Agari Blog Image

December 16, 2021 John Wilson

Common Phishing Email Attacks | Examples & Descriptions

What does a phishing email look like? We've compiled phishing email examples to help show…

Agari Blog Image

December 8, 2021 John Wilson

What Is Email Phishing? [How to Protect Your Enterprise]

Phishing emails can steal sensitive data and cost companies' reputation. However, protecting a company from…

Envelope with skull and cross-bones

December 1, 2021 John Wilson

Identifying and Mitigating Email Threats

Email  threats are ever evolving, and it’s important to stay up to date. Here are…

Woman-shopping on cell phone

November 30, 2021 Mike Jones

It’s the Most Wonderful Time of the Year… for Cybercriminals

The holiday season is upon us, which means it’s also the busiest time of the…

mobile image