Email Security

Business Email Compromise: How BEC Attacks Work and How to Stop Them

BEC attacks have cost businesses over $50 billion globally. Learn how CEO fraud and invoice fraud work, how attackers research targets, and the technical and organizational controls that stop them.

September 2, 2025 · 9 min read · ShipSafer Team

Business Email Compromise (BEC) is the most financially damaging form of cybercrime tracked by the FBI. The Internet Crime Complaint Center (IC3) reported over $50 billion in BEC-related losses globally from 2013 through 2023, with average losses per incident exceeding $120,000. Unlike ransomware, which makes headlines with technical sophistication, BEC attacks often succeed through social engineering alone — no malware required, no zero-days, just a well-crafted email and an employee who did not verify the request.

Understanding how BEC attacks work is the first step toward stopping them.

What Makes BEC Different from Regular Phishing

Standard phishing casts a wide net — millions of emails, generic lures, hoping that a small percentage of recipients click a malicious link. BEC is targeted. Attackers spend days or weeks researching a specific organization and specific individuals before sending a single email.

The goal is not credential theft (though that sometimes precedes a BEC attack). The goal is money — a wire transfer, an ACH payment, a change to banking details, or gift card purchases that can be quickly liquidated.

The FBI categorizes BEC into five main types:

  1. CEO Fraud — An executive's identity (or email account) is impersonated to pressure an employee into making an urgent financial transfer.
  2. Account Compromise — An employee's actual email account is hijacked and used to request payments from vendors or customers.
  3. False Invoice Scheme — An attacker impersonates a vendor and submits fraudulent invoices, or intercepts a real invoice and changes the bank account number.
  4. Attorney Impersonation — Attackers pose as a lawyer handling a confidential legal matter, using urgency and secrecy to bypass approval processes.
  5. Data Theft — Employee PII or W-2 forms are targeted, often as a precursor to further fraud.

How Attackers Research Their Targets

The research phase of a BEC attack is thorough. Before an attacker sends the first email, they typically know:

  • The names and roles of executives and finance staff (LinkedIn, company website, press releases)
  • The organizational structure — who reports to whom, who approves payments
  • Ongoing business relationships — which vendors or law firms the company works with
  • Travel schedules — executives who are traveling are common BEC targets because they are less reachable for verification
  • The company's email format (firstname.lastname@company.com, found through email verification tools or data breach dumps)
  • The language and tone used in internal communications (sometimes through an earlier account compromise)

LinkedIn is the primary source for executive and employee intelligence. Job postings reveal internal processes and technology stacks. Annual reports and press releases identify acquisitions, legal counsel, and banking relationships. Some attackers monitor a company's social media to learn about upcoming events that create urgency (acquisitions, audits, end of quarter).

CEO Fraud: The Mechanics

The most common BEC variant follows a predictable pattern:

  1. The attacker identifies a finance employee (AP specialist, CFO, controller) and the executive whose identity will be impersonated.
  2. An email arrives appearing to be from the CEO, marked urgent, often referencing a time-sensitive business need.
  3. The email requests a wire transfer to a new account "for an acquisition we're announcing Monday" or payment of an invoice that needs to close before end of quarter.
  4. The attacker establishes rapport over email before revealing the financial ask, pre-empting suspicion.
  5. When the employee processes the transfer, funds land in a domestic account controlled by a money mule, then move internationally within hours.

The email either comes from a lookalike domain (examp1e.com instead of example.com), a free email service (ceo-name@gmail.com), or in some cases from the actual executive's compromised email account.

The urgency and secrecy are intentional: "Do not mention this to anyone — we will announce Monday" prevents the employee from verifying with colleagues.

Invoice Fraud and Payment Redirection

Invoice fraud exploits the payment relationships between businesses and their vendors. In a typical attack:

  1. An attacker either compromises the vendor's email account or monitors the vendor's email traffic from a man-in-the-middle position.
  2. They intercept or identify an upcoming invoice from the vendor.
  3. They send an email impersonating the vendor's finance contact, stating that their banking details have changed and all future payments should go to a new account.
  4. The company updates its records and begins sending payments to the fraudulent account.

These attacks can go undetected for months if the vendor does not immediately reconcile unpaid invoices. By the time the legitimate vendor inquires about non-payment, funds have long since been moved.

Technical Controls That Prevent BEC

DMARC Enforcement

DMARC at p=reject prevents attackers from sending emails that appear to come from your exact domain. If an attacker sends a phishing email with From: ceo@example.com and your domain has p=reject, receiving mail servers will drop it.

This does not prevent lookalike domain attacks (where the attacker registers examp1e.com), but it closes the direct spoofing vector entirely.

_dmarc.example.com. TXT "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"
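As an added example (not code from the original article or from ShipSafer), the following Python checker parses a DMARC record and reports the conditions under which a record that says p=reject still does not fully enforce: a policy other than reject, a weaker sp= subdomain policy, pct below 100, and a missing rua= reporting address. The sample records are constructed; the example.com record is the one shown above.

```python
# Added example: DMARC record assessment (not part of the original article).
# Parses a DMARC TXT record and reports why "p=reject" may not be enforcing.

# Constructed sample records; none came from a real DNS lookup.
SAMPLE_RECORDS = {
    "example.com":   "v=DMARC1; p=reject; rua=mailto:dmarc@example.com",
    "weak1.example": "v=DMARC1; p=none; rua=mailto:dmarc@weak1.example",
    "weak2.example": "v=DMARC1; p=reject; pct=20; rua=mailto:dmarc@weak2.example",
    "weak3.example": "v=DMARC1; p=reject; sp=none",
}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into tag/value pairs (RFC 7489 tag=value; syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC1 record")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    return tags


def assess(record: str) -> list:
    """Return findings that weaken enforcement; an empty list means spoofed
    mail for the domain and its subdomains is rejected and reported."""
    tags = parse_dmarc(record)
    findings = []
    if tags["p"] != "reject":
        findings.append(f"p={tags['p']}: spoofed mail from the domain is not rejected")
    # sp= defaults to the value of p= when absent.
    sp = tags.get("sp", tags["p"])
    if sp != "reject":
        findings.append(f"sp={sp}: spoofed mail from subdomains is not rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports cannot reveal spoofing attempts")
    return findings


if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        print(domain, assess(record) or "enforcing")
```

Run it against the TXT record returned by your resolver; the pct= and sp= checks are the ones most often missed during a staged rollout, because a record can read p=reject and still apply that policy to a fraction of failing mail.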

Anti-Impersonation Controls in Email Gateways

Modern email security gateways (Proofpoint, Mimecast, Microsoft Defender for Office 365) have dedicated BEC detection features that look for:

  • Display name impersonation — an email with display name "John Smith CEO" but the actual address is john.smith.ceo@gmail.com
  • Lookalike domain detection — flags emails from domains that are visually similar to your own or your known vendors
  • Newly registered domain warnings — flags emails from domains registered within the last 30 days
  • Reply-to mismatch — emails where the Reply-To: address is different from the From: address

Configure these controls explicitly. Default settings are often too permissive.

Header-Based Sender Verification

You can create mail flow rules that flag or quarantine emails where:

  • The From: display name matches an executive but the email domain is external
  • The email arrives from outside your organization but has an internal-looking display name

In Microsoft 365:

If sender display name contains [Executive Name]
AND sender is outside the organization
THEN prepend subject with [EXTERNAL SENDER]
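The gateway checks listed under "Anti-Impersonation Controls" and the Microsoft 365 mail flow rule above can be expressed as a small header analysis. The following Python is an added example, not code from the original article or from any gateway vendor: it flags an executive display name whose sender address is not the directory address, a display name that itself embeds a different address, and a Reply-To domain that differs from the From domain, then prepends the [EXTERNAL SENDER] subject tag when anything fires. The internal domain, the executive roster and both sample messages are constructed assumptions.

```python
# Added example: header-based impersonation checks (not part of the original
# article). Mirrors the gateway checks and the Microsoft 365 mail flow rule:
# executive display name from a non-directory address, an address embedded in
# the display name that differs from the real sender, and Reply-To mismatch.
from email import message_from_string
from email.utils import parseaddr

# Assumptions: your own domains and an executive roster (constructed values).
INTERNAL_DOMAINS = {"example.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Constructed sample messages.
SAMPLE_BEC = """From: "Jane Doe CEO" <jane.doe.ceo@gmail.com>
Reply-To: <jane.doe.ceo@mail.example>
To: ap@example.com
Subject: Urgent wire - confidential

Are you at your desk? I need a payment processed today.
"""

SAMPLE_LEGIT = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Q3 forecast

Attached as discussed.
"""


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def analyze_headers(raw: str) -> list:
    """Return the impersonation findings for one RFC 5322 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr = from_addr.lower()
    from_domain = _domain(from_addr)
    name_key = " ".join(from_name.lower().split())
    findings = []

    # Rule 1: executive display name, but the address is not the executive's
    # directory address (covers free mail providers and lookalike domains).
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name in name_key and from_addr != exec_addr:
            origin = "external" if from_domain not in INTERNAL_DOMAINS else "internal"
            findings.append(f"display name matches executive '{exec_name}' "
                            f"but sender is {origin} address {from_addr}")

    # Rule 2: display name that itself looks like an address, e.g.
    # From: "jane.doe@example.com" <other@mail.example>
    if "@" in from_name and from_name.lower() != from_addr:
        findings.append("display name embeds an address that differs from the sender")

    # Rule 3: Reply-To routes replies to a different domain than From.
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To domain {_domain(reply_addr)} "
                        f"differs from From domain {from_domain}")
    return findings


def tag_subject(raw: str) -> str:
    """Emulate the mail flow rule's action: prepend a warning to the subject
    when any finding fires; otherwise return the subject unchanged."""
    subject = message_from_string(raw).get("Subject", "")
    if analyze_headers(raw):
        return f"[EXTERNAL SENDER] {subject}"
    return subject


if __name__ == "__main__":
    for label, raw in (("bec", SAMPLE_BEC), ("legit", SAMPLE_LEGIT)):
        print(label, tag_subject(raw), analyze_headers(raw))
```

Rule 1 compares against the directory address rather than only checking "external", so a lookalike domain that passes an internal-vs-external test still fires. Keep the executive roster in sync with the directory; stale entries are the usual reason this class of rule goes quiet.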

Lookalike Domain Monitoring

Proactively register common typosquats of your domain and monitor for newly registered lookalike domains. Services like DomainTools Iris, CertStream, or PhishLabs provide lookalike domain monitoring. When a lookalike domain is registered, you have an opportunity to take action (UDRP complaint, takedown request) before it is used in an attack.
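To decide which typosquats to register and to match a newly-registered-domain feed against them, you need a candidate generator. The Python below is an added example, not code from the original article or from any of the services named above: it enumerates single-edit typos, ASCII homoglyphs, common BEC affixes and TLD swaps for a domain, then matches a feed of new registrations. It goes one step beyond the text by also collapsing multi-substitution lookalikes (such as 3xamp1e) back onto the genuine label. The protected domain, the affix list and the feed are constructed assumptions; the feed is not output from CertStream or any other service.

```python
# Added example: lookalike/typosquat candidate generation and matching against
# a feed of newly registered domains (not part of the original article; the
# feed below is constructed, not output from CertStream or any other service).

OUR_DOMAIN = "example.com"                            # assumption: domain being protected
AFFIXES = ("invoice", "billing", "secure", "mail")    # assumed common BEC affixes

# Visually confusable substitutions (lowercase ASCII only; IDN homoglyphs are
# a separate problem not covered here).
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv"}
CANON = {"1": "l", "0": "o", "3": "e", "4": "a", "5": "s"}

# Constructed feed of "newly registered" domains.
SAMPLE_FEED = [
    "examp1e.com",          # homoglyph
    "exmaple.com",          # transposition
    "example-invoice.com",  # affix
    "3xamp1e.net",          # two substitutions plus TLD swap
    "mail.example.com",     # our own subdomain, must not be flagged
    "unrelated-shop.net",
]


def generate_variants(domain: str) -> set:
    """Enumerate single-edit typosquats, homoglyphs, affixes and TLD swaps."""
    label, tld = domain.lower().rsplit(".", 1)
    labels = set()
    for i in range(len(label)):
        labels.add(label[:i] + label[i + 1:])                           # omission
        labels.add(label[:i] + label[i] + label[i:])                    # repetition
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    for src, dst in HOMOGLYPHS.items():
        start = label.find(src)
        while start != -1:
            labels.add(label[:start] + dst + label[start + len(src):])
            start = label.find(src, start + 1)
    for word in AFFIXES:
        labels.add(f"{label}-{word}")
        labels.add(f"{word}-{label}")
    labels.discard(label)
    variants = {f"{v}.{tld}" for v in labels if v}
    for alt in ("com", "net", "org", "co"):
        if alt != tld:
            variants.add(f"{label}.{alt}")
    return variants


def canonical(label: str) -> str:
    """Map confusable characters back to their letter so multi-substitution
    lookalikes (e.g. 3xamp1e) collapse onto the genuine label."""
    label = label.replace("rn", "m").replace("vv", "w")
    return "".join(CANON.get(c, c) for c in label)


def match_feed(domain: str, feed) -> list:
    """Return feed entries that are lookalikes of `domain`, sorted.
    Assumes a single-label TLD; multi-level suffixes like .co.uk need a
    public-suffix list, which is left out here."""
    domain = domain.lower()
    variants = generate_variants(domain)
    our_label = domain.rsplit(".", 1)[0]
    hits = set()
    for entry in feed:
        entry = entry.lower().strip(".")
        if entry == domain or entry.endswith("." + domain):
            continue                                  # our own domain or subdomain
        label = entry.rsplit(".", 1)[0].split(".")[-1]  # registrable label
        if entry in variants or canonical(label) == our_label:
            hits.add(entry)
    return sorted(hits)


if __name__ == "__main__":
    print(len(generate_variants(OUR_DOMAIN)), "candidates")
    print(match_feed(OUR_DOMAIN, SAMPLE_FEED))
```

Feed the generated candidate set to whichever registration or certificate-transparency monitor you use, and treat any hit as a lead for a takedown or UDRP filing rather than as proof of an attack on its own.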

Multi-Factor Authentication on Email Accounts

Account compromise (where the attacker uses the actual executive's email) is only possible if they can log into the account. MFA on all email accounts, particularly executive accounts, prevents this even if credentials are stolen through phishing.

Critically, audit Microsoft 365 and Google Workspace for OAuth app permissions. Attackers increasingly compromise accounts through malicious OAuth apps rather than password theft, and MFA does not stop OAuth-based access.

Organizational Controls

Payment Verification Procedures

The single most effective non-technical control against BEC is a mandatory out-of-band verification process for payment requests above a threshold. Regardless of how urgent or confidential an email request appears:

  • Call the requestor using a phone number from the company directory (not a number provided in the email itself)
  • Require dual approval for wire transfers and ACH payments above a defined amount
  • Never change vendor banking details based solely on an email request — always call the vendor to confirm
  • Implement a mandatory waiting period (24-48 hours) for new vendor banking details before they are used

These procedures feel bureaucratic when business is moving fast, but they are the controls that actually stop fund transfers once an attacker has already crafted a convincing email.

Finance Team Training

Finance employees are the primary targets of BEC. They need specific, scenario-based training that goes beyond generic phishing awareness:

  • Walk through actual BEC email examples, including the research phase
  • Practice the verification call scenario — roleplay what it feels like to tell a (simulated) urgent CEO "I need to verify this by phone before processing"
  • Cover the warning signs: unusual urgency, requests for secrecy, wire transfers to new accounts, requests to bypass normal approval

Training should be repeated regularly because BEC techniques evolve. The "CEO is traveling and needs a wire transfer" narrative from 2018 has been supplemented with "we are acquiring a company and need confidential payment" narratives today.

Vendor Communication Security

For high-value vendor relationships, establish a shared protocol for banking changes:

  • Maintain a list of approved banking details for key vendors, verified through a phone call at the start of the relationship
  • Require a signed letter on company letterhead plus a verification call for any changes
  • Confirm large invoice payments via phone with a contact verified through your directory, not through contact info in the invoice itself

Responding to a BEC Incident

If a BEC payment has been made, time is critical. The FBI advises:

  1. Immediately contact your bank and request a recall of the wire transfer. If caught within hours, some transfers can be reversed.
  2. File an IC3 complaint at ic3.gov. The FBI's Financial Fraud Kill Chain program has recovered hundreds of millions of dollars in intercepted transfers.
  3. Report to your local FBI field office — for large amounts, an immediate phone call alongside the IC3 complaint can initiate a faster response.
  4. Notify your cyber insurance carrier if you have a policy covering business email compromise.
  5. Preserve all email evidence — do not delete the fraudulent emails.

Domestic wire transfers have a slightly better recovery rate than international transfers, but in either case the window is measured in hours, not days.

Building a BEC-Resistant Organization

No single control stops BEC. It requires a layered approach:

Layer        Control
Technical    DMARC p=reject
Technical    Anti-impersonation gateway rules
Technical    Lookalike domain monitoring
Technical    MFA on all email accounts
Procedural   Out-of-band verification for payments
Procedural   Dual approval for wire transfers
Procedural   Vendor banking change protocol
People       Scenario-based finance team training
People       Executive travel = extra vigilance policy

The procedural and people controls matter most. A well-crafted BEC email can get through any technical filter. The question is whether the employee who receives it has the training and procedures to stop the attack in its tracks.
