Business Email Compromise Attacks: The Big Phishing Scam That’s Easily Missed


By Stephanie Mitchell, marketing manager

Business email compromise (BEC) attacks are arguably the most sophisticated of all email phishing attacks, and among the most costly. From 2016-2018, BEC alone accounted for $5.3 billion in losses[1], yet it is not an attack that everyone is familiar with.

What is business email compromise?

BEC is a form of email phishing that targets companies rather than the public. Emails appear to come from someone the victim already knows, usually a more senior colleague, asking them to do something routine, like setting up and paying a new supplier, or paying an invoice or a staff member.

BEC attack emails have many of the same characteristics as other forms of phishing emails; they impersonate others, seek to gain data or money from unsuspecting victims, and messaging conveys a sense of urgency.

What makes them different is their sophistication, and their outcomes. Why? Because the scammer really does their homework on both the person they impersonate and the person they target.

How do BEC scams work?

For a BEC scam to be successful, the victim has to believe the email being sent is genuine. The telltale signs of other phishing emails—spelling errors, noticeably bogus email addresses, unknown senders—aren’t present in BEC scams. Here’s how BEC is achieved:

  1. Research. A scammer can spend months researching the company and the person within that company they want to target. Social media platforms like LinkedIn®, Facebook®, etc. are goldmines for personal information, which scammers use to find out more about their targets, like their roles and responsibilities, their line manager, and direct reports, even the way they write or communicate. Scammers need to know both the person they’re imitating and the person they’re targeting.

  2. Getting the right domain. The scammer will buy a domain that’s very close to the genuine brand they’re targeting, e.g., teramundi.net as opposed to terramundi.net. At a glance, most people would not notice the missing second “r.” They can then set up an email address that matches the imitated person’s, but for that one-letter difference: “john.doe@teramundi.net” (fake) as opposed to “john.doe@terramundi.net” (genuine). Because the scammer owns the lookalike domain, mail from it is not forged in any technical sense; it passes the sender checks that the lookalike domain itself publishes. In other cases the attacker skips the lookalike domain entirely and sends from a real mailbox they have already compromised, which no domain check will catch.

  3. Manipulation. BEC scams rely on social engineering to get victims to do what the attacker wants. Scammers use a range of methods to pressure the recipient into acting quickly, before they stop to question whether the email really came from their superior, including:

    • Mimicking the writing style of the sender
    • Sending emails late in the day or week with urgent messaging, like “I need this done before the end of the day”
    • Using excuses as to why the scammer can’t answer any follow-up questions, indicating the action should be fulfilled without question, for example, “I’ll be in meetings for the rest of the day”
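The lookalike-domain trick in step 2 is the part of the procedure a mail gateway or SOC can check mechanically. The following script is an added example for this article, not code from the original page: it folds a sender’s domain through a small homoglyph table, strips accents and decodes internationalised (punycode) labels, and then compares it with the trusted domain by edit distance and by brand label. terramundi.net is the article’s own example; every sender address in the list is constructed, and the homoglyph table is deliberately short and would be extended in practice.

```python
"""Flag sender domains that impersonate a trusted domain.

Added example for this article; not code from the original page. The
trusted domain terramundi.net and every sample sender address below are
constructed for illustration.
"""
import unicodedata

TRUSTED_DOMAINS = {"terramundi.net"}

# Substitutions that pass unnoticed at a glance: "rn" reads as "m", "vv" as
# "w", and several digits resemble letters. Folding both sides with the same
# table makes "terrarnundi.net" compare equal to "terramundi.net".
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def fold(domain: str) -> str:
    """Normalise a domain so visually similar spellings collide."""
    d = domain.lower().rstrip(".")
    try:
        d = d.encode("ascii").decode("idna")  # xn--... labels back to Unicode
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA; keep as is
    d = unicodedata.normalize("NFKD", d)
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one dropped letter (teramundi vs terramundi) scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, reason) with verdict 'trusted', 'lookalike' or 'external'."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    # Exact matches and genuine subdomains first, so a second trusted domain
    # is never mistaken for a lookalike of the first.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", f"{domain} is {t} or one of its subdomains"
    folded = fold(domain)
    for t in trusted:
        ft = fold(t)
        brand = ft.split(".")[0]  # the label people actually read, e.g. "terramundi"
        if folded == ft:
            return "lookalike", f"{domain} folds to {ft} (homoglyph or IDN spoof)"
        if levenshtein(folded, ft) <= max_distance:
            return "lookalike", f"{domain} is within {max_distance} edits of {t}"
        # Brand embedded in another registrable name, e.g. terramundi-invoices.com.
        # Short brand labels would match too much, hence the length guard.
        if len(brand) >= 6 and brand in folded:
            return "lookalike", f"{domain} embeds the brand label '{brand}'"
    return "external", f"{domain} does not resemble a trusted domain"


SAMPLE_SENDERS = [  # constructed examples, not real senders
    "john.doe@terramundi.net",
    "john.doe@teramundi.net",        # dropped letter, the article's example
    "john.doe@terrarnundi.net",      # "rn" standing in for "m"
    "john.doe@terramund\u00ed.net",  # accented i, registrable as an IDN
    "payments@terramundi-invoices.com",
    "alice@example.com",
]

if __name__ == "__main__":
    for sender in SAMPLE_SENDERS:
        verdict, reason = classify_sender(sender)
        print(f"{verdict:9} {sender:36} {reason}")
```

The edit-distance threshold of 2 is a tuning choice: it catches a dropped or swapped letter without flagging every short domain on the internet, and the brand-label rule covers the case where the attacker registers the brand under a different TLD or with a suffix. A match here is a signal for a warning banner or a quarantine rule, not proof of fraud on its own.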

Unlike other phishing attempts, BEC scams don’t need to cast a wide net in the hope that a few people will take the bait. They’re highly targeted and not easy to spot, and targeting a company rather than an individual means a single successful email can pay out far more.

How to combat BEC scams

There are two elements to mitigating BEC attacks: technical and human. Technical controls are the email authentication and monitoring measures that can stop a message from reaching the recipient in the first place. The human element is about training your staff on what to look for and giving them a process to follow. Phishing scams rely on human error, and BEC scams are no exception.

Technical protection
Ensure that you have an email authentication protocol in place, like domain-based message authentication, reporting, and conformance (DMARC). DMARC builds on SPF and DKIM: it lets you publish, in DNS, what receiving mail servers should do with mail that claims to come from your domain but fails those checks (monitor only, send to junk, or reject outright), and it asks receivers to send you reports of what they saw. Two caveats matter for BEC. First, a DMARC record with a policy of “none” only monitors; spoofed mail is still delivered, so move to “quarantine” and then “reject” once your legitimate senders are aligned. Second, DMARC protects your own domain from being forged; it says nothing about a lookalike domain such as teramundi.net, which the attacker owns and can authenticate perfectly well. Having a robust monitoring solution in place, fed by DMARC reports and lookalike-domain detection, will also give you a full view of the phishing landscape for your company, helping you spot anomalies and take quick action.
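The following script is an added example for this article, not code from the original page. It shows a monitor-only DMARC record beside a hardened one, parses a record into its tags, lists the weaknesses a practitioner would flag, and makes the scope caveat concrete: a policy published for terramundi.net covers only that domain and its subdomains, so mail from the attacker’s teramundi.net never meets it. Both records and the reporting addresses are constructed, not live DNS data.

```python
"""Assess a DMARC record and show what it does and does not cover.

Added example for this article; not code from the original page. The
records and domains below are constructed, not live DNS data.
"""

# Monitor-only record: mail failing SPF/DKIM alignment is still delivered.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@terramundi.net"

# Hardened record: reject failing mail, apply the same policy to subdomains,
# use strict alignment, and request both aggregate (rua) and failure (ruf) reports.
HARDENED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
    "rua=mailto:dmarc@terramundi.net; ruf=mailto:dmarc@terramundi.net; fo=1"
)


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; unknown tags are kept."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return human-readable findings; an empty list means no weaknesses found."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record: v=DMARC1 must be the first tag"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p= missing or invalid; receivers ignore the whole record")
    elif policy == "none":
        findings.append("p=none only monitors; mail spoofing this domain is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofs to junk; p=reject stops delivery")
    # sp= defaults to p=; an explicit sp=none reopens every subdomain.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none leaves subdomains spoofable while the apex is protected")
    pct = tags.get("pct", "100")
    if not pct.isdigit():
        findings.append(f"pct={pct} is not a number; receivers will ignore it")
    elif int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so spoofing attempts go unseen")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            findings.append(
                f"{tag} is relaxed: any subdomain of the organisational domain counts "
                "as aligned; use s unless you send from subdomains"
            )
    return findings


def covered_by_dmarc(sender_domain: str, policy_domain: str) -> bool:
    """DMARC on policy_domain governs only that domain and its subdomains.

    A lookalike such as teramundi.net is the attacker's own domain; they can
    publish a perfectly valid SPF, DKIM and DMARC for it, so mail from it
    authenticates and the victim's policy never comes into play.
    """
    sender_domain = sender_domain.lower().rstrip(".")
    policy_domain = policy_domain.lower().rstrip(".")
    return sender_domain == policy_domain or sender_domain.endswith("." + policy_domain)


if __name__ == "__main__":
    for name, record in (("weak", WEAK_RECORD), ("hardened", HARDENED_RECORD)):
        print(f"{name}: {assess_dmarc(record) or ['no findings']}")
    print("teramundi.net covered by the terramundi.net policy:",
          covered_by_dmarc("teramundi.net", "terramundi.net"))
```

Run it against a record fetched from DNS (for example the TXT record at _dmarc.yourdomain) and treat a non-empty findings list as a to-do list, moving p= from none to quarantine to reject only after the aggregate reports show your legitimate mail streams aligning. The covered_by_dmarc result is the reason DMARC alone does not close the BEC gap: lookalike-domain detection and a verification process for payment requests are still needed.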

Staff training
It’s easy to be fooled by a phishing email as sophisticated as a BEC scam. Recent research shows that 43% of global workers are unsure what a phishing attack is[2], so educating your staff is key. Regular cybersecurity awareness training as part of your employee training program will help your staff learn what to look out for. It’s just as important to have a process for what to do when an employee suspects a BEC attempt, or receives any request to pay a new supplier or change bank details: confirm the request with the apparent sender by telephone or face-to-face (where possible), using contact details you already hold rather than any phone number or reply address given in the email itself, since those belong to the scammer.



[1]casselsalpeter.com/wp-content/uploads/2018/06/CS-BusinessNewsDaily-19SmallBusinessTrendsandPredictionsfor2018-mediaclip-6.19.18.pdf

[2]securityboulevard.com/2020/10/43-of-global-employees-are-not-sure-what-a-phishing-attack-is-2/