Business Email Compromise: The Quietest Fraud

What is Business Email Compromise (BEC)?

Business Email Compromise, or BEC, refers to targeted fraud in which attackers use a compromised or impersonated email account to deceive businesses into transferring money, changing bank details, or divulging confidential information. Unlike spam or generic phishing, a BEC message usually carries no malicious link or attachment; its credibility comes from detailed knowledge of the target's people, suppliers and payment workflows.

For instance, a BEC attack might involve a fraudster impersonating a senior executive and sending an urgent email to the finance team requesting an immediate wire transfer to an attacker-controlled bank account. Because each attack is tailored to one organisation and one payment, BEC attacks result in significant financial losses globally.

How Business Email Compromise Attacks Work

BEC attacks typically follow a structured flow:

  1. Reconnaissance: Attackers gather information on targets, such as the names, roles, and email patterns of executives or vendors.
  2. Email Compromise or Impersonation: Fraudsters either take over real accounts (account takeover, commonly via phished or reused passwords) or impersonate them by spoofing the display name or registering a lookalike domain (e.g., "examp1e.com" in place of "example.com").
  3. Social Engineering: Manipulative messages are crafted to target employees or partners, often invoking urgency or secrecy.
  4. Deception: Requests may involve fake payment instructions or bank change requests.
  5. Cover-up: Fraudsters delete sent messages or create inbox rules that forward, hide or delete replies so that the account owner never sees the conversation.

For example, a CFO might receive an email from what appears to be the CEO requesting an “urgent wire transfer” for a supplier to a new bank account.

Common Business Email Compromise Scenarios

Fraudsters utilise various schemes to exploit vulnerabilities and manipulate workflows:

  1. Invoice Diversion: Attackers intercept payments by substituting real invoices with falsified versions containing fraudulent bank details.
  2. CEO/Finance Impersonation: Fraudsters fabricate high-pressure, time-sensitive requests for wire transfers disguised as company executives.
  3. Payroll Diversion: Employee email accounts are hacked, and direct deposit details are altered to redirect salaries to attacker-controlled accounts.
  4. Supplier/Client Impersonation: Attackers spoof or register lookalikes of a vendor's or client's domain to send fraudulent payment requests or changes to remittance details.
  5. Third-Party Account Compromise: Fraudsters gain access to a supplier's real email account and reply inside an existing, legitimate payment conversation, so the request arrives from a trusted address with genuine history behind it.

BEC vs Phishing

Although phishing and BEC overlap, they differ in intent and impact:

  • Phishing: Typically broad, aiming to capture credentials or distribute malware to unknown victims.
  • BEC: A targeted attack exploiting relationships and specific business workflows for high-value payouts.

For instance, phishing may involve sending a mass email containing malicious links, while BEC targets an employee involved in finance with tailored fake invoices. Although a BEC message typically carries no malware or malicious link, the damage can be equally severe because the loss is a direct transfer of funds.

Warning Signs of Business Email Compromise

Identifying red flags in emails is the first step to detecting BEC schemes:

  • A display name that matches a known person while the underlying sender address or Reply-To address does not, so that replies quietly go to the attacker.
  • Subtle changes in the sender's domain, such as a digit in place of a letter or a transposed or added character.
  • Requests emphasising urgency or confidentiality (e.g., “This must be done immediately”).
  • Sudden, unverified bank account changes for vendor payments.
  • Inbox rules that automatically forward or redirect mail to external, unknown addresses, or that hide or delete certain messages; these usually indicate that the account itself has been compromised.

Staying vigilant to these signs helps prevent falling prey to BEC scams.
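The header-level red flags above can be triaged automatically before a message ever reaches a finance inbox. The following is an added example written for this page, not LSEG code or a product feature: it uses only the Python standard library, the trusted-domain list and the three sample messages are constructed for illustration, and the "lookalike" test is a deliberately simple skeleton-plus-edit-distance comparison.

```python
"""Triage the BEC header red flags: a display name carrying a different
address, a Reply-To pointing away from the sender, and sender or Reply-To
domains that imitate a trusted one.  Added example; the trusted-domain list
and the sample messages below are constructed, not real traffic."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organisation legitimately corresponds with.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.co.uk"}

# Digits fraudsters substitute for the letters they resemble.
_DIGIT_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison form.  NFKC folds fullwidth and other
    compatibility characters; digit look-alikes, 'rn' for 'm', 'vv' for 'w',
    hyphens and dots are normalised away.  Cross-script homoglyphs (e.g.
    Cyrillic letters) need a dedicated confusables table; here any non-ASCII
    sender domain is simply reported as suspicious."""
    d = unicodedata.normalize("NFKC", domain).lower().translate(_DIGIT_MAP)
    return d.replace("rn", "m").replace("vv", "w").replace("-", "").replace(".", "")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches one or two dropped, added or swapped characters."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if skeleton(domain) == skeleton(trusted) or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def bec_red_flags(raw_message: str) -> list:
    """Return human-readable findings for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply_addr) if reply_addr else ""

    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from sender domain {from_dom}")
    # A display name such as "ceo@example.com" placed in front of a foreign address.
    shown = re.search(r"[\w.+-]+@[\w.-]+", display)
    if shown and domain_of(shown.group(0)) != from_dom:
        findings.append(f"display name shows {shown.group(0)} but mail is from {from_addr}")
    if any(ord(ch) > 127 for ch in from_dom):
        findings.append(f"non-ASCII characters in sender domain {from_dom}")
    for label, dom in (("sender", from_dom), ("Reply-To", reply_dom)):
        target = lookalike_of(dom)
        if target:
            findings.append(f"{label} domain {dom} imitates trusted domain {target}")
    return findings


# Constructed sample messages (not real traffic).
SAMPLE_LOOKALIKE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: cfo@example.com
Subject: Urgent wire transfer

Please process today and keep this between us.
"""

SAMPLE_DISPLAY_NAME = """\
From: "jane.doe@example.com" <random123@outlook.com>
To: cfo@example.com
Subject: Change of bank details

Our remittance account has changed, see attached.
"""

SAMPLE_CLEAN = """\
From: "Jane Doe" <jane.doe@example.com>
To: cfo@example.com
Subject: Board pack

Attached as discussed.
"""

if __name__ == "__main__":
    for name, sample in (("lookalike", SAMPLE_LOOKALIKE),
                         ("display-name", SAMPLE_DISPLAY_NAME),
                         ("clean", SAMPLE_CLEAN)):
        print(name, bec_red_flags(sample) or "no findings")
```

Treat the output as a triage signal rather than a verdict: an edit distance of two will also match legitimately similar domains (for example a vendor's `.co` alongside its `.com`), so the threshold and the trusted list need tuning against real correspondence, and a message with no findings can still be sent from a genuinely compromised account.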

How to Prevent Business Email Compromise

Effective BEC prevention involves combining technology, processes, and education:

  1. Process Verification:
    a. Implement call-back verification for payment or account changes, using a phone number already held on file for the vendor rather than one supplied in the email.
    b. Require dual approvals for significant transfers or amendments to supplier details.
  2. Authentication Controls:
    a. Enforce Multi-Factor Authentication (MFA) for email accounts, preferring phishing-resistant methods where available.
    b. Restrict admin privileges to critical staff only.
  3. Email Security Features:
    a. Publish SPF, DKIM and DMARC (with an enforcing DMARC policy) for your own domains so that mail spoofing the exact domain is rejected; note that this does not stop lookalike domains or mail sent from a genuinely compromised account.
    b. Employ solutions that flag Reply-To addresses differing from the sender, newly registered or lookalike domains, and other impersonation attempts.
  4. Employee Training:
    a. Provide scenario-based training tailored for finance departments to recognise manipulative emails or pressure tactics.
  5. Limiting Privileges:
    a. Lock sensitive payment systems to authorised personnel.
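A quick way to confirm that the email authentication controls in item 3 are actually enforcing, rather than merely published, is to inspect the TXT records. The following is an added example, not LSEG's code or any product's: it checks SPF and DMARC record strings (as returned by `dig TXT example.com` and `dig TXT _dmarc.example.com`) for the settings that leave exact-domain spoofing possible. The records used below are constructed, and the checks cover only the common weak settings, not full RFC 7208/7489 validation.

```python
"""Flag weak SPF and DMARC settings.  Added example; the sample records are
constructed.  Feed assess_spf()/assess_dmarc() the TXT strings you pull from
DNS for the organisation's own domains."""

_POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc_tags(record: str) -> dict:
    """Split 'k=v; k=v' into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    findings = []
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["no valid DMARC record: receivers apply no policy to spoofed mail"]
    p = tags.get("p", "").lower()
    if p == "none":
        findings.append("p=none is monitor-only: spoofed mail from this exact domain is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine: spoofed mail is only sent to spam, not rejected")
    elif p != "reject":
        findings.append(f"p={p or 'missing'}: policy tag missing or invalid, record is ignored")
    sp = tags.get("sp", "").lower()
    if sp and _POLICY_RANK.get(sp, -1) < _POLICY_RANK.get(p, -1):
        findings.append(f"sp={sp} leaves subdomains weaker than the organisational domain")
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct}: policy is not applied to all failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports showing who is spoofing the domain")
    return findings


def assess_spf(record: str) -> list:
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record: any host can claim to send for this domain"]
    # Mechanisms that cost a DNS lookup; RFC 7208 allows at most ten in total.
    lookups = 0
    all_term = None
    for term in terms[1:]:
        bare = term.lstrip("+-~?").lower()
        if bare == "all":
            all_term = term
        elif (bare.startswith(("include:", "exists:", "redirect=", "a:", "mx:", "ptr:", "a/", "mx/"))
              or bare in ("a", "mx", "ptr")):
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10: receivers "
                        "return permerror, so even legitimate mail gets no SPF pass")
    if all_term is None:
        findings.append("no 'all' mechanism: unmatched senders get a neutral result, not a fail")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every host on the internet passes SPF for this domain")
        elif qualifier == "?":
            findings.append("?all: neutral result, unknown senders are neither passed nor failed")
        # ~all (softfail) is acceptable once DMARC is enforced, because DMARC
        # counts anything other than an SPF pass as a failure.
    return findings


# Constructed records, not real DNS data.
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, record, check in (("weak SPF", WEAK_SPF, assess_spf),
                                 ("strong SPF", STRONG_SPF, assess_spf),
                                 ("weak DMARC", WEAK_DMARC, assess_dmarc),
                                 ("strong DMARC", STRONG_DMARC, assess_dmarc)):
        print(label, check(record) or "no findings")
```

Even a clean result here only protects the exact domain: a lookalike domain registered by the attacker will typically have its own valid SPF and DMARC, and mail from a compromised account passes all three checks legitimately, which is why the process controls in items 1 and 5 remain necessary.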

Advanced detection measures, such as solutions supported by artificial intelligence, can identify anomalous patterns in email usage, adding another layer of defence against these attacks.

Detection and Response: What to Do When BEC Happens

If a BEC attack is detected, take these critical steps to mitigate its impact:

  1. Immediate Actions:
    a. Halt pending payments and contact the relevant banks immediately to request a freeze or recall of any funds already sent; the chance of recovery falls quickly with time.
    b. Preserve digital evidence: retain the original messages with full headers, mailbox audit logs, sign-in records and any altered payment records, rather than forwarding copies.
  2. Internal Coordination:
    a. Notify Security, Finance, and Legal teams.
    b. Inform any affected parties, including impacted vendors or customers.
  3. Reinforce Measures:
    a. Reset compromised credentials, revoke active sessions and tokens, and remove any inbox rules, forwarding settings or delegated access set by the attacker.
    b. Conduct a thorough audit of all active supplier and customer payment details to find any other bank accounts the attacker may have altered.

To improve response readiness, regular scenario exercises can prepare teams to handle incidents effectively.
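Step 3a above, removing attacker-created mailbox rules, is easier if the rule export for every mailbox is checked for the patterns described in the warning-signs section. The following is an added example, not LSEG's code or a product feature: it audits a simplified, constructed list of inbox-rule records for external forwarding, hidden or deleted finance mail, and blank or punctuation-only rule names. The record shape, the internal-domain list and the keyword list are assumptions; in practice the records come from the mail platform's rule export or audit log (for Exchange Online, the `Get-InboxRule` cmdlet).

```python
"""Audit mailbox inbox rules for common BEC cover-up patterns.  Added
example; the rule records below are constructed and simplified."""

# Assumptions: the organisation's own domains and the wording that matters to
# payment fraud.
INTERNAL_DOMAINS = {"example.com"}
FINANCE_KEYWORDS = ("invoice", "payment", "bank", "wire", "remittance", "account")
# Folders attackers use to park replies where the owner will not look.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email",
                  "deleted items", "conversation history"}


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def audit_rule(rule: dict) -> list:
    """Return findings for one rule record (empty list if it looks benign)."""
    findings = []
    for target in rule.get("forward_to", []) + rule.get("redirect_to", []):
        if _domain(target) not in INTERNAL_DOMAINS:
            findings.append(f"forwards or redirects mail to external address {target}")

    conditions = [s.lower() for s in rule.get("subject_contains", []) + rule.get("body_contains", [])]
    finance_hit = any(keyword in text for keyword in FINANCE_KEYWORDS for text in conditions)
    hides = rule.get("delete", False) or rule.get("move_to", "").lower() in HIDING_FOLDERS
    if finance_hit and hides:
        findings.append("deletes or hides messages matching finance keywords: " + ", ".join(conditions))
    if rule.get("mark_as_read") and hides:
        findings.append("marks mail as read and hides it, so the owner sees no unread indicator")
    if not rule.get("name", "").strip(" .,-_"):
        findings.append("rule name is blank or punctuation only, typical of attacker-created rules")
    return findings


def audit_rules(rules: list) -> dict:
    """Map (mailbox, rule name) -> findings, for rules that have any."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report[(rule["mailbox"], rule["name"])] = findings
    return report


# Constructed sample export (not real data).
SAMPLE_RULES = [
    {"mailbox": "ap.clerk@example.com", "name": "Newsletters",
     "subject_contains": ["newsletter"], "move_to": "Reading"},
    {"mailbox": "ap.clerk@example.com", "name": ".",
     "body_contains": ["invoice", "bank details"], "delete": True, "mark_as_read": True},
    {"mailbox": "cfo@example.com", "name": "Sync",
     "forward_to": ["backup.mailbox.2024@gmail.com"]},
    {"mailbox": "cfo@example.com", "name": "Out of office",
     "redirect_to": ["deputy.cfo@example.com"]},
]

if __name__ == "__main__":
    for (mailbox, name), findings in audit_rules(SAMPLE_RULES).items():
        print(f"{mailbox} rule {name!r}:")
        for finding in findings:
            print("   -", finding)
```

Run this against every mailbox, not only the one known to be compromised: attackers who hold one set of credentials often plant rules in several accounts, and a rule such as the one named "." above is designed to survive a casual glance at the rule list.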

Why BEC Is a Financial Crime Risk

BEC attacks sit at the intersection of various fraud types:

  • Payment Fraud: Redirecting funds or misdirected business payments is the most common outcome.
  • Invoice Fraud: Attackers often swap bank details in invoices to funnel payments into fraudulent accounts.
  • Account Takeovers: Compromising accounts aids BEC schemes by adding legitimacy to fake payment requests.

Effective KYC verification and counter-fraud solutions complement internal payment approval controls, mitigating these risks while supporting compliance obligations.

LSEG’s Approach to Managing BEC Risk

While no organisation can eliminate all risk, leveraging solutions to mitigate it significantly reduces exposure. The LSEG World-Check One screening platform and advanced identity verification capabilities help organisations identify key vulnerabilities and respond to risks confidently. These solutions work by detecting anomalies and flagging attempts linked to common BEC tactics. Furthermore, AI-driven capabilities within these systems assess compromised accounts and alert against unusual activity.

FAQs

  • Business Email Compromise (BEC) is a type of cybercrime where attackers impersonate or compromise email accounts to deceive businesses into transferring money, changing bank details, or sharing confidential information. It is highly targeted and often exploits trust within business workflows.

  • Business email compromise refers to fraud strategies that use emails to manipulate organisations into conducting unauthorised payments or disclosing sensitive data. These attacks typically target financial teams or executives and exploit human trust and process gaps.

  • In a business email compromise attack, fraudsters gain access to or convincingly mimic email accounts, often requesting urgent financial actions. This may involve fake invoices, redirected payments, payroll diversions, or confidential information requests.

  • Business email compromise is also referred to as CEO fraud, email account compromise (EAC), or wire transfer fraud, depending on the specific scam tactic used.

  • BEC begins with attackers gathering information about their target. Using either compromised accounts or email impersonation, fraudsters craft convincing messages to manipulate recipients into making financial transfers, altering payment details, or providing sensitive information.

  • Common scams include invoice fraud (changing vendor bank details), CEO impersonation ("urgent wire transfers"), payroll diversions, and spoofing supplier or client emails to redirect receivables to fraudulent accounts.

  • An example would be an email appearing to come from a CEO asking the finance team to urgently transfer funds for a business deal. Another could involve a vendor’s email being compromised to redirect invoice payments to a fraudulent bank account.

  • Common signs include mismatched reply-to addresses, subtly altered email domains, urgent or confidential payment requests, sudden changes to vendor bank details, and mailbox rules automatically forwarding emails externally.

  • While phishing involves broad attempts to steal credentials via fake emails or links, BEC is highly targeted and uses legitimate workflows, impersonation, or compromised email accounts to directly manipulate victims into transferring money.

  • Prevention involves strong authentication (e.g., Multi-Factor Authentication), email security measures (DMARC/SPF/DKIM), robust payment approval processes (e.g., callbacks for bank changes), and regular employee training to recognise red flags.

  • Finance teams can reduce risks by implementing dual approvals for significant payments, verifying bank detail changes through independent contact methods, and enforcing regular vendor audits to validate account information.

  • Controls include requiring independent verification for supplier bank changes, maintaining accurate vendor master data, and using callbacks or dual approvals to confirm new payment details before processing.

  • Multi-Factor Authentication (MFA) adds an extra security layer by requiring additional proof of identity to access email accounts. This helps prevent attackers from easily compromising accounts, a critical enabler for most BEC attacks.

  • Businesses should freeze payments, notify their bank to attempt fund recovery, preserve affected emails and communication as evidence, reset compromised credentials, audit mailbox rules, and inform any impacted parties, such as vendors or customers.

  • Scenario-based training tailored for finance and accounts teams can help employees identify common BEC tactics like fake urgency, domain spoofing, or concealed reply-to addresses. Regular refresher courses combined with real-world examples enhance vigilance.