Attack #3: Business Email Compromise (BEC)
Threat snapshot – Business Email Compromise
| Category | Summary |
|---|---|
| What it is | Attacks that abuse legitimate email accounts and business processes to manipulate payments, data, or decisions without using malware. |
| Most common targets | Finance teams, executives, accounting, HR, suppliers, and partners. |
| What it relies on | Compromised or spoofed email accounts, trust in authority, weak verification processes, and time pressure. |
| How it’s detected | Unusual payment requests, changes in bank details, abnormal email patterns, behavioral anomalies. |
| Primary impact | Direct financial loss, data exposure, legal and compliance consequences. |
| What realistically helps | Strong payment controls, verification procedures, identity protection, and user awareness. |
How the attack works
Business Email Compromise does not look like an attack.
It looks like business.
BEC exploits real email conversations, real processes, and real authority. There is no malware, no malicious attachment, and often no obvious red flags.
Attackers gain access to a legitimate mailbox. or convincingly impersonate one. Then they observe. They learn how payments are approved, how suppliers communicate, how urgency is framed.
When the timing is right, they intervene.
A payment instruction is changed.
An invoice is “updated.”
Sensitive information is requested.
Everything looks normal. Until the money is gone.
Who they most often target
BEC follows money and decision-making power.
The more authority an email carries, the more valuable it becomes.
Roles
-
finance and accounting teams
-
executives and senior management
-
HR departments
-
procurement and supplier management
-
legal and operations teams
Sectors
-
professional services
-
manufacturing and logistics
-
construction and real estate
-
healthcare and education
-
public sector
Organization types
-
organizations with frequent wire transfers
-
companies with complex supplier chains
-
environments with weak approval segregation
-
fast-growing or reorganizing teams
BEC thrives where trust replaces verification.
What the attack relies on
BEC is successful because it aligns perfectly with how businesses operate.
Human factors
-
trust in authority
-
urgency and time pressure
-
fear of delaying payments
-
routine task execution
-
assumption of legitimacy
Technical gaps
-
compromised email accounts
-
lack of MFA on email
-
limited monitoring of mailbox activity
-
absence of anomaly detection
Process weaknesses
-
weak payment change controls
-
lack of out-of-band verification
-
unclear escalation paths
-
insufficient separation of duties
BEC works when process assumptions go unchallenged.
How it is detected
BEC is rarely detected by security tools alone.
It is often detected by people noticing something feels “off.”
What users may notice
-
unusual urgency around payments
-
last-minute changes to bank details
-
requests that bypass normal approval
-
tone or phrasing that feels slightly different
What IT teams observe
-
mailbox access from new locations
-
forwarding rules or inbox manipulation
-
unusual login behavior
-
identity anomalies
What SOC teams detect
-
anomalous email behavior
-
account compromise indicators
-
suspicious authentication patterns
-
correlation with known BEC campaigns
BEC detection depends heavily on context.
How impact is contained
In BEC incidents, speed directly affects financial loss.
The priority is to stop the transaction and secure identity.
-
immediately halt or recall payments
-
notify banks and payment processors
-
reset credentials and revoke sessions
-
preserve evidence and email logs
-
inform legal, finance, and management
What does not help:
-
assuming the request is legitimate
-
delaying verification
-
handling the incident quietly
BEC requires coordinated response across security and business teams.
What realistically helps
BEC cannot be stopped by technical controls alone.
It requires discipline in how business decisions are executed.
People
-
awareness training focused on authority abuse
-
encouragement to question unusual requests
-
clear escalation channels
Processes
-
mandatory out-of-band verification for payment changes
-
separation of duties
-
documented response playbooks
-
regular process audits
Technology
-
MFA on all email accounts
-
email security and anomaly detection
-
identity monitoring
-
SOC integration
Strong processes reduce BEC impact more than any single tool.
Common myths
BEC is often misunderstood.
“Email security blocks these attacks”
“If it came from a real account, it must be legitimate”
“Our approval process is clear”
“This only happens to large enterprises”
In reality, BEC affects organizations of all sizes and remains one of the costliest cyber attack types globally.
Attack #1: Phishing & Social Engineering
Attack #2: Credential Abuse & Account Takeover
Next: Attack #4 – Ransomware
