Understanding Business Email Compromise

As we discussed in our previous article, there are a variety of phishing methods that may be utilized against an organization. But when those become successful and attackers can access your organization they may have further plans in store than just stealing data.

This is where Business Email Compromise (BEC) then becomes a concern. BEC is defined as a type of cyber crime in which attackers impersonate employees or executives to trick vendors, clients, or individuals into sending them money, usually by way of wire transfer. These attacks are pretty common and can cost your business a substantial amount of money. According to victim complaints sent to the FBI’s IC3, there has been an observed loss of $14 billion between October 2013 and December 2021 in the United States alone. [1]

However, this type of attack is preventable and can be broken down into four steps: Reconnaissance, Social Engineering, The Switch, and The Transfer and Getaway

1. Reconnaissance

Our reconnaissance phase covers the initial identification attackers will go through to select the targets they would like to attack. Ideal candidates for this would be financial-focused companies such as banks, insurance providers, mortgage brokers, etc. These types of companies would be expected to deal with a high volume of wire transfers and this is precisely what the attackers are looking for.

Utilizing online resources, attackers will build profiles on companies, their executives, and employees. Whether it’s a CEO or an administrative assistant, social media posts and tweets can provide valuable insight into the organization. In addition to social media, attackers will also utilize search engines to find as much information about the company and its employees.

Once the information is gathered and the targets are chosen; the strike begins.

2. Social Engineering

The attackers will try their best to utilize resources that will work in deceiving their targets. A popular method will be to register a domain name that looks official or looks similar to a partner the target company would work with. For example, if the partner company is @radsec.com an attacker would look for a variation such as rabsec.com. At a glance, it looks similar, and the attacker would hope that this bypasses the eyes of the target victim.

While there is a variety of methods that could be used, for the sake of brevity, we’ll assume that this method was successful and the attackers have succeeded in their deception. With their success, they’ve gained e-mail credentials to an employee in the finance department. It’s now time for the attackers to lay and wait for a financial transfer discussion to occur with the compromised employee.

3. The Switch

A transaction is now in the works between the company and one of its partners and is being brokered by our compromised employee. The attacker has been accessing the e-mail account and watching the conversation the entire time. All of the details have been worked out and the partner will be remitting payment to the company within a couple of days. The attacker now sees his opportunity for the switch.

The attacker will likely want to hijack the email chain by using more deceptive tactics. Using an illegitimate lookalike domain to send email from, as described above, the attacker replies to the partner. This ensures the Company won’t catch wind of the switch occurring. Then, the attacker will tell the partner that they had a change in payment details and to please use the wire details for the attacker’s account.

The partner agrees, seeing nothing amiss, and changes the payment details.

4. The Transfer and Getaway

A few days have passed and the payment gets sent to the false account. The company reaches out to the partner asking if they’ve remitted payment. Well of course the partner has but to the wrong individual. Both companies try to make sense of what occurred and discover the switch that occurred days earlier. The money is effectively lost and the criminals have gotten away. All that is left to do is to report the financial crime to the FBI and IC3


While just an example, these types of attacks are being performed frequently and successfully, it is up to you to be prepared by having protections and policies in place that will help prevent you from falling victim to these types of attacks.

Share This:

Share on facebook
Share on whatsapp
Share on twitter
Share on email