CISO's guide: How to prevent business email compromise

What is business email compromise?

BEC is a coordinated cyberattack that specifically targets organizations by exploiting email communications to employees through impersonation and social engineering. The objective of BEC is to trick employees into transferring money, sharing confidential information or permitting system access to cybercriminals. Unlike more generalized phishing schemes, BEC relies on psychology and workplace norms to deceive the email recipients.

At its core, BEC involves attackers impersonating company executives, authority figures, colleagues and business stakeholders within the organization, and communicating through company email access or by spoofing legitimate business email accounts. The sender requests wire transfers, payroll changes, payment arrangements, passwords or other confidential data. BEC is effective because the messages are unexpected, appeal to our professionalism, and carry the added weight of urgency and legitimacy.

BEC attack threat severity

Most organizations consider BEC a high-severity security threat due to its complexity, difficulty in detection and potential for financial loss. The FBI's "Internet Crime Report 2024" recorded more than 21,000 BEC incidents, resulting in almost $2.8 billion in losses.

Tasked with responding to BEC incidents and assessing business impact, security teams must align internal severity levels with the potential financial and operational implications of a successful attack. Despite BEC incidents being at high- to critical-severity levels, lower-level exploits can also pose a significant risk to the organization. The following chart highlights BEC attack scenarios and their effect on the organization.

How BEC attacks operate

Because they are highly targeted and specific to each victim, BEC attack methods vary. However, the criminals behind these cyberattacks display some common tactics. The attack stages seen in many BEC incidents include the following:

• Reconnaissance. Attackers research the organization to identify executives, finance staff, vendors, payment patterns, ongoing projects and more. Much of the information is publicly available or for sale on the dark web as a result of a prior breach. Cybercriminals use this information to craft bespoke messages to targeted users that look routine and expected.
• Initial account compromise or spoofing. Attackers either spoof a trusted email address with a nearly identical domain -- for example [email protected] instead of [email protected] -- or compromise a real email account using stolen credentials or other phishing methods. If a legitimate account is compromised, the threat actors often idle in the background to observe user behavior. This permits them to learn the tone, messaging, approval chains, invoice cycles and other account behavior, enabling them to mimic a legitimate employee.
• Social engineering. After the attackers gather enough information to impersonate a legitimate email user, the manipulation phase begins. BEC attackers send a convincing email that requests urgent action -- for example, an instruction to pay a vendor invoice, send gift cards, share banking details or anything else that fools the receiver into acting.
• Successful attack execution. After the successful BEC incident, attackers transfer the funds or data to their own accounts, then cover their tracks by deleting evidence, restoring email rules or moving stolen funds or data among multiple accounts.

How to prevent BEC attacks

While BEC is infamous for its ability to fool employees, organizations can take the following steps to identify BEC attacks before they cause losses:

• Strengthen email security. Deploy secure gateways and filters to detect spoofing, malware and suspicious links or attachments before they reach users.
• Implement email security protocols. Use Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent domain spoofing.
• Fortify user access protections. Use MFA and other role-based access controls to protect user email accounts against unauthorized access. Require users to create strong, unique passwords.
• Manage access controls and accounts. Apply least‑privilege and timely account deprovisioning.
• Disable automatic email forwarding. Disabling automatic forwards to external email addresses helps prevent data exfiltration in the event of a compromised account.
• Monitor email and financial activity. Look for anomalies, such as logins from unusual locations, off‑hours wire requests or sudden changes to vendor details.
• Conduct ongoing awareness training for end users and security teams. Educate employees on BEC and how to spot it. Keep security teams up to date with the latest phishing campaigns and BEC tactics to help them identify real-world attacks.

Let’s get back to Mike, our eager new employee. With rigorous cybersecurity measures in place, he will probably never even receive the email containing a hidden BEC attack. However, even if he does, awareness training has given him the tools to identify the threat, confirm the request (by some other means than email) and alert IT to the attempt. What better way to impress the new boss than by avoiding a costly BEC attack?

Amanda Scheldt is a security content writer and former security research practitioner.