Understanding Business Email Compromise (BEC) Risks

Business Email Compromise (BEC) and phishing emails are the most common attack types. Here are five examples.

Business Email Compromise (BEC) is one of the most complex of all social engineering-based scams, making vast sums of money for its perpetrators. While ransomware makes the news, BEC seems to be less of a headline maker. However, research from the FBI has found that BEC volumes are four times that of malware.

The Verizon Data Breach Investigations Report (DBIR) points out that the vast majority (86%) of cybercrime is financially motivated. Scammers, fraudsters, and cybercriminals are all part of a nefarious community who use social engineering tactics and phishing emails to help carry out their cybercrimes. Understanding how a scam works can help to prevent your organisation from becoming a victim of this cyber attack.

Here is how Business Email Compromise works and how you can stop BEC fraudsters from stealing your company’s money.

Analysis of a Typical BEC Attack

Business Email Compromise fraudsters target businesses of all sizes and across all sectors. A BEC scam uses social engineering to its utmost, manipulating the targeted employees in its wake, as the chain of destruction moves through an organisation.

Business Email Compromise scams are lucrative, but they require a high level of commitment to gain access to the large sums of money that the fraudsters are looking for. BEC fraud can be thought of as an advanced email threat as it usually contains an element of email compromise and phishing at an early stage in the attack cycle.

Here are the typical processes behind a Business Email Compromise scam:

A BEC scam depends on tricking specific individuals within an organisation into making a wire transfer to move money to a fraudster’s account. There are several variants of the scam, but they all have a common element: finding a way to fool someone into believing that they are carrying out an important money transfer at the request of a C-level person and/or important client. The typical stages of a BEC scam are:

Stage One: Intelligence Gathering and Strategics

BEC crimes are serious money-making exercises that require the gathering of intelligence to perfect the crime. Surveillance usually involves collating general publicly available information on a company, who the C-level executives are, corporate structure, etc.

During this stage, the cybercriminals will gain an understanding of the operations of the business and will attempt to work out how payments are made and to whom. A BEC scammer then uses this information to begin stage two of the attack.

Stage Two: Email Compromise or Email Spoof

Using the information gathered in stage one, the BEC fraudster will then turn to one of two tactics to continue the attack:

Email account compromise is one possibility. Account takeover (ATO) requires the cybercriminal to steal the login credentials and password for a targeted email account. This can be done using spear-phishing; this is more complicated (but not impossible) if a second factor is used to protect an account.

If the cybercriminal can hijack an account, they will focus on either a C-level executive or someone who controls payments. A hijacked account of a CXO is highly valuable and can be used to demand ‘urgent’ payments are made to the hacker’s bank account – impersonating a ‘valuable client’.

In the case of ‘accounts payable’ employee ATO, the fraudster will be able to watch the email traffic, looking for information on who is being paid, when they are paid, etc. Having this level of control over an organisation’s email also allows them to intercept invoices, changing the details to ensure that payments are made to the fraudster’s bank account.

The second option is to spoof the email address of the target C-level executive. Spoofing an email is a common form of phishing and a recognised way to trick recipients into thinking it is from a particular person. An example of a spoof email address would be [email protected] or [email protected] — easy to impersonate, hard to spot, especially for busy accounts staff.

Stage Three: Extracting the Money

Stage three is where the money is moved into the fraudster’s bank account. This can take several forms and will be part of the original strategy for execution defined in stages one and two. Typical ways include:

CEO fraud: using a spoofed or hacked C-level account, the fraudster sends an ‘urgent’ email demanding a payment to avoid losing a key client.

Invoice fraud: If an email account is hacked, the fraudster intercepts legitimate invoices and alters payment details.

How Can You Reduce the Risk of BEC?

BEC fraud starts with intelligence gathering and progresses through advanced email attacks, typically involving spear-phishing. There are several ways to protect your organisation against a BEC attack, each forming part of a layered defence strategy:

Train Employees About How BEC Attacks Work

Business Email Compromise relies on deception and vigilance is key. Use Security Awareness Training and phishing simulation exercises so employees learn to recognise the tricks used by attackers.

Develop BEC-specific training for executives and finance teams. Include third parties or suppliers who handle payments.

Use Two-Factor Authentication

To prevent email account takeover, ensure all corporate email accounts require a second factor, such as a mobile one-time code in addition to a password.

Secure Your Corporate Domain

BEC fraudsters often register look-alike domains such as www.micr0soft.com or www.amason.com to impersonate legitimate senders. Registering similar domains proactively can help prevent spoofing.

Set Up Mechanisms to Double-Check Payments

Implement a verification process requiring employees to double-check with another staff member before making transfers or sharing sensitive financial data.

Be Aware of Changes or Updates

Create a security-conscious culture where staff stay alert to unusual behaviour from internal teams or vendors. A strong security culture helps detect scams early.

Business Email Compromise is a profitable and persistent crime. To reduce risk, organisations must remain vigilant and educate all employees — including executives — on how BEC works.

Protect Your Organisation Against BEC and Cyber Threats

MetaCompliance offers a comprehensive suite of solutions to safeguard your organisation from Business Email Compromise (BEC), reduce human risk, and enhance overall cyber resilience. Our Human Risk Management Platform includes:

Automated Security Awareness – train employees to recognise BEC and phishing threats.
Advanced Phishing Simulations – test staff readiness against realistic email attacks.
Risk Intelligence & Analytics – identify and address human risk vulnerabilities.
Compliance Management – ensure policies and procedures reduce exposure to BEC and other cyber threats.

Discover how these solutions can strengthen your organisation’s security posture and defend against BEC. Contact us today to book your demo.

FAQs: Business Email Compromise (BEC)

What is Business Email Compromise (BEC)?

BEC is a form of cybercrime where attackers impersonate executives, suppliers, or trusted partners to trick employees into sending money or sensitive information.

Who do BEC attackers usually target?

They typically target staff who handle payments, invoices, or sensitive financial information—especially accounts payable and executives.

How do cybercriminals gain access to email accounts?

They often use phishing emails, credential theft, or social engineering to hijack accounts or spoof a legitimate email address.

What are common signs of a BEC scam?

Urgent payment requests, changes to bank details, unusual tone or grammar, and pressure to bypass normal procedures.