What is Business Email Compromise (BEC)?
Quick Answer
Business Email Compromise (BEC) is a type of scam where attackers impersonate executives or trusted partners to trick employees into transferring money or revealing sensitive information. It's one of the most financially damaging cybercrimes.
Business Email Compromise (BEC) is a sophisticated scam targeting businesses that conduct wire transfers or have suppliers abroad. Attackers either hack into or spoof legitimate business email accounts to conduct unauthorized transfers, steal data, or redirect payments. Unlike malware-based attacks, BEC relies primarily on social engineering and doesn't require technical exploitation—making it particularly difficult to detect with traditional security tools.
How Business Email Compromise (BEC) Works
Account compromise or spoofing
Attackers either gain access to a real email account through phishing, or create a lookalike domain that closely mimics the legitimate one.
Reconnaissance
Attackers study email patterns, learn about pending transactions, understand relationships, and identify who has authority to make payments.
Strategic timing
The attack is launched when the impersonated person is unavailable (traveling, in meetings) or during busy periods when verification might be skipped.
Request execution
A convincing email requests a wire transfer, invoice payment, or sensitive information, often with a plausible business reason.
Fund theft
Payments are directed to attacker-controlled accounts, often moved quickly through multiple banks to prevent recovery.
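The lookalike domains and spoofed senders described in the first step leave traces in message headers that a mail gateway or SOC script can screen for before a human ever reads the email. The following is an added example, not Marulk's code and not part of the original page: it flags a From domain within a small edit distance of a trusted domain (after undoing common character swaps such as "rn" for "m"), an executive's display name arriving from an outside domain, and a Reply-To that redirects replies elsewhere. The organisation domain, trusted partner domains, executive names, distance threshold and sample headers are all constructed assumptions.

```python
"""Added example (not Marulk's code): header screening for BEC sender tricks."""
from email.utils import parseaddr

# Assumed organisation data (constructed for this example)
OWN_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
EXECUTIVE_NAMES = {"jane doe", "john roe"}   # display names worth protecting
MAX_DISTANCE = 2                             # illustrative lookalike threshold

# Character swaps commonly used to build lookalike domains
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize_domain(domain):
    """Lower-case the domain and undo the usual visual substitutions."""
    d = domain.lower()
    for look, real in SUBSTITUTIONS:
        d = d.replace(look, real)
    return d


def levenshtein(a, b):
    """Edit distance between two strings (classic two-row dynamic programme)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this domain imitates, or None if it is exact or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    norm = normalize_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(norm, normalize_domain(trusted)) <= MAX_DISTANCE:
            return trusted
    return None


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def screen_message(headers):
    """Return a list of findings for one message's headers; an empty list means nothing flagged."""
    findings = []
    from_name, from_addr = parseaddr(headers.get("From", ""))
    from_domain = _domain(from_addr)

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"From domain {from_domain!r} looks like trusted domain {imitated!r}")

    display = " ".join(from_name.split()).lower()
    if display in EXECUTIVE_NAMES and from_domain != OWN_DOMAIN:
        findings.append(f"executive display name {from_name!r} used from external domain {from_domain!r}")

    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and _domain(reply_addr) != from_domain:
        findings.append(f"Reply-To {reply_addr!r} redirects replies away from {from_domain!r}")
    return findings


# Constructed sample headers: one legitimate message and three BEC-style ones
SAMPLE_HEADERS = [
    {"From": "Jane Doe <jane.doe@example.com>"},
    {"From": "Jane Doe <ceo.jane.doe@gmail.com>"},
    {"From": "Accounts <billing@acrne-supplies.com>"},
    {"From": "Bob Smith <bob@partner.org>", "Reply-To": "bob@mail-partner.net"},
]

if __name__ == "__main__":
    for headers in SAMPLE_HEADERS:
        print(headers["From"], "->", screen_message(headers) or "clean")
```

A hit from this screen is a prompt for out-of-band verification, not proof of fraud; the display-name rule in particular will fire on executives legitimately mailing from personal accounts, which is exactly the case the verification procedure below is meant to catch.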
Real-World Examples
An email from the 'CEO' to the CFO requesting an urgent wire transfer for a confidential acquisition while they're traveling.
A supplier email with a legitimate-looking invoice but altered bank account details for payment.
A message from 'HR' requesting employee W-2 or tax information for 'urgent compliance purposes.'
An attorney impersonation requesting immediate payment for a pending deal that 'must remain confidential.'
How to Protect Yourself
Implement dual authorization for all wire transfers and payment changes above a certain threshold.
Establish verification procedures — always confirm payment requests via phone using a known number.
Be especially cautious of requests emphasizing secrecy or urgency.
Verify any changes to vendor payment information through established channels.
Train employees to recognize BEC tactics through regular phishing simulations.
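Two of the controls above, dual authorization above a threshold and verification of any change to vendor payment details, are enforceable in the payment system itself rather than left to memory. The following is an added example, not Marulk's code and not part of the original page: a release check that blocks a payment when the beneficiary account differs from the vendor record unless a recent out-of-band verification (such as the phone callback described above) is on file, and that requires two approvers other than the requester once the amount reaches the threshold. The threshold, verification window, vendor records, account identifiers and sample requests are constructed assumptions.

```python
"""Added example (not Marulk's code): payment-release check for dual authorization
and vendor bank-detail changes."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DUAL_AUTH_THRESHOLD = 10_000            # assumed policy threshold
VERIFICATION_MAX_AGE = timedelta(days=30)  # assumed window for a callback to stay valid


@dataclass
class VendorRecord:
    name: str
    account: str                       # beneficiary account on file
    # new account -> when it was confirmed with the vendor over a known phone number
    verified_accounts: dict = field(default_factory=dict)


@dataclass
class PaymentRequest:
    vendor: str
    amount: float
    account: str                       # beneficiary account on the invoice or email
    requested_by: str
    approvals: list = field(default_factory=list)   # user ids who approved


def release_decision(req, vendors, now):
    """Return (allowed, reasons); an empty reasons list means the payment may be released."""
    reasons = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return False, ["vendor not on file; onboard it through established channels before paying"]

    # Control: any change to payment details needs out-of-band verification
    if req.account != vendor.account:
        verified_at = vendor.verified_accounts.get(req.account)
        if verified_at is None:
            reasons.append("beneficiary account differs from the vendor record and has no out-of-band verification")
        elif now - verified_at > VERIFICATION_MAX_AGE:
            reasons.append("out-of-band verification of the new account is older than the allowed window")

    # Control: dual authorization above the threshold; the requester cannot approve their own request
    independent = {a for a in req.approvals if a != req.requested_by}
    needed = 2 if req.amount >= DUAL_AUTH_THRESHOLD else 1
    if len(independent) < needed:
        reasons.append(f"{needed} independent approval(s) required, {len(independent)} present")

    return (not reasons), reasons


# Constructed sample data
NOW = datetime(2024, 1, 15, 9, 0)
VENDORS = {
    "Acme Supplies": VendorRecord(
        name="Acme Supplies",
        account="ACCT-0001",
        verified_accounts={"ACCT-0002": NOW - timedelta(days=2)},   # callback done two days ago
    ),
}
REQUESTS = [
    PaymentRequest("Acme Supplies", 25_000, "ACCT-0001", "carol", ["alice", "bob"]),   # normal
    PaymentRequest("Acme Supplies", 25_000, "ACCT-9999", "carol", ["alice", "bob"]),   # unverified new account
    PaymentRequest("Acme Supplies", 4_000, "ACCT-0002", "carol", ["alice"]),           # verified change, small
    PaymentRequest("Acme Supplies", 25_000, "ACCT-0001", "carol", ["carol", "alice"]), # self-approval
]

if __name__ == "__main__":
    for req in REQUESTS:
        allowed, reasons = release_decision(req, VENDORS, NOW)
        print(req.amount, req.account, "RELEASE" if allowed else "HOLD", reasons)
```

Keeping the verification record keyed by the new account, with a timestamp, means a single callback cannot be reused indefinitely and a later change to yet another account is held again.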
How Marulk Helps
Marulk's phishing simulations train your team to recognize Business Email Compromise (BEC) and other threats through hands-on experience. When someone encounters a simulated attack, they get instant micro-training explaining what they missed.
Frequently Asked Questions
How much money do businesses lose to BEC?
BEC is one of the most costly cybercrimes. The FBI's IC3 reports billions of dollars in losses annually. Individual attacks can range from thousands to millions of dollars, and recovery is often impossible once funds are transferred.
Why is BEC so effective?
BEC exploits trust and business processes rather than technical vulnerabilities. The emails come from legitimate-seeming sources, reference real business contexts, and request actions that employees regularly perform. There's often no malware to detect.
Can email security tools stop BEC?
Email security helps but isn't sufficient. Because BEC often uses compromised legitimate accounts or carefully crafted spoofed domains, and contains no malicious attachments or links, it can bypass technical controls. Human training is essential.
What should I do if I suspect a BEC attempt?
Don't respond to the email. Contact the supposed sender through a verified phone number or in person. Report the attempt to your IT department. If a payment was already made, contact your bank immediately—quick action sometimes enables recovery.
Related Security Topics
Spear Phishing
Spear phishing is a targeted phishing attack that uses personal information about the victim to appear more convincing. Unlike mass phishing, attackers research their targets to craft believable messages.
Invoice Fraud
Invoice fraud involves sending fake or altered invoices to trick businesses into paying money to attackers. Scammers either impersonate legitimate vendors or intercept real invoices and change the payment details.
Whaling
Whaling is a type of phishing attack specifically targeting high-level executives like CEOs, CFOs, and other senior leaders. These attacks are highly personalized and designed to exploit the authority and access these individuals have.
Pretexting
Pretexting is a social engineering technique where attackers create a fabricated scenario (the 'pretext') to trick victims into providing information or taking actions they normally wouldn't. It's the foundation for many phishing and fraud attacks.
Industries Most Affected by Business Email Compromise (BEC)
While all organizations face these threats, some industries are particularly targeted.
Real Estate Agencies
Real estate transactions involve large wire transfers and emotional buyers—a perfect combination for fraudsters. One compromised email can redirect a down payment to criminals.
Accounting Firms
Accounting firms handle sensitive financial data daily—making them prime targets for cybercriminals. Train your team to spot phishing attempts before they compromise client trust.
Law Firms
Legal professionals handle confidential client communications, case strategies, and sensitive documents. Phishing attacks on law firms don't just risk data—they risk attorney-client privilege.
Train Your Team to Recognize Business Email Compromise (BEC)
Knowledge is the first step. Practice makes it stick. Marulk's phishing simulations give your team hands-on experience recognizing Business Email Compromise (BEC) and other social engineering attacks.