Browse Definitions :
Definition

business email compromise (BEC, man-in-the-email attack)

Business email compromise (BEC) is a security exploit in which the attacker targets an employee who has access to company funds and convinces the victim to tranfer money into a bank account controlled by the attacker.

According to the FBI's Internet Crime Report, BEC exploits were responsible for over $1.77 billion in losses in 2019. Business email compromise is one of the top cyberinsurance claims in 2020, and security vendor Proofpoint has warned businesses that BEC exploits are increasingly being tied to COVID-19. The most common victims of BEC are companies that use wire transfers to send money to international clients.

 

BEC exploits often begin with the attacker using a social engineering scam to trick a C-level target into downloading malware, clicking on an infected link or visiting a compromised website. Once the C-level manager's account has been compromised, it can be used to trick another employee into sending money to the attacker.

 

A popular BEC strategy is to send an official-looking email to someone in the company's finance department. Typically, such an email will say there is a time-sensitive, confidential matter that requires payment be made to a customer's, partner's or supply chain partner's bank account as soon as possible. The attacker hopes that the unsuspecting person in finance will think they are helping their company by facilitating a quick transfer of funds -- when in reality, they are sending money to the attacker's bank account.

There are numerous ways that BEC can be used to defraud targets. Here are a few examples:

  • A compromised employee account requests a change in payee information and transfers payments to the perpetrator’s account.
  • The attacker sends a bogus invoice to partner vendors in hopes they will pay the bill without questioning it.
  • An attorney’s email identity might be used to pressure the target for immediate payment.

Cybercriminals may further use a compromised account (especially those of HR employees) to gain more personally-identifiable information (PII) for later use in defrauding the company or its clients. Measures to prevent this type of financial fraud include employee education, conducing social engineering pen tests and adding a requirement that at least two employees sign approvals for payment change requests.

This was last updated in March 2020

Continue Reading About business email compromise (BEC, man-in-the-email attack)

Networking
Security
  • timing attack

    A timing attack is a type of side-channel attack that exploits the amount of time a computer process runs to gain knowledge about...

  • privileged identity management (PIM)

    Privileged identity management (PIM) is the monitoring and protection of superuser accounts that hold expanded access to an ...

  • possession factor

    The possession factor, in a security context, is a category of user authentication credentials based on items that the user has ...

CIO
  • business process reengineering (BPR)

    Business process reengineering (BPR) is a management practice in which business processes used are radically redesigned to ...

  • innovation management

    Innovation management involves the process of managing an organization's innovation procedure, starting at the initial stage of ...

  • radical innovation

    Radical innovation is an invention that destroys or supplants an existing business model.

HRSoftware
  • employee resource group (ERG)

    An employee resource group is a workplace club or more formally realized affinity group organized around a shared interest or ...

  • employee training and development

    Employee training and development is a set of activities and programs designed to enhance the knowledge, skills and abilities of ...

  • employee sentiment analysis

    Employee sentiment analysis is the use of natural language processing and other AI techniques to automatically analyze employee ...

Customer Experience
  • customer profiling

    Customer profiling is the detailed and systematic process of constructing a clear portrait of a company's ideal customer by ...

  • customer insight (consumer insight)

    Customer insight, also known as consumer insight, is the understanding and interpretation of customer data, behaviors and ...

  • buyer persona

    A buyer persona is a composite representation of a specific type of customer in a market segment.

Close