Business Email Compromise (BEC)

Social engineering attacks impersonating executives or vendors to trick employees into wire transfers or sensitive data disclosure; billions in losses annually.

MITRE ATT&CK: T1566.001

Timeline: The Cat and Mouse

2013 (attack emerges) → 2016 (industry responds) → 2021 (attackers adapt) → Present

The Evolution

Phase       Period     What Happened
----------  ---------  ------------------------------------------------------
ATTACK      2013       “CEO Fraud” emerges; wire transfer scams begin
EXPLOSION   2015-2016  FBI issues first BEC warnings; losses reach billions
RESPONSE    2016       Wire transfer verification policies become standard
            2018       VIP impersonation protection in email gateways
ADAPTATION  2019       Gift card scams (lower value, harder to trace)
            2020       Payroll diversion attacks target HR
            2021       Real estate BEC targets home buyers
CURRENT     Present    #1 financial loss category; $2.9B+ annually

Key Events with Sources

Date      Event                   Significance                                         Source
--------  ----------------------  ---------------------------------------------------  ------------
2013      CEO Fraud emerges       First documented executive impersonation wire fraud  FBI
Aug 2015  FBI PSA I-082715        First public FBI warning about BEC                   FBI IC3
2016      Ubiquiti loses $46.7M   High-profile BEC case raises awareness               SEC Filing
2019      $26B cumulative losses  FBI reports BEC losses exceed all other cybercrime   FBI IC3 2019
2023      $2.9B annual losses     BEC remains #1 for financial damage                  FBI IC3 2023

Overview

Business Email Compromise (BEC) is the most financially damaging form of cybercrime. Attackers impersonate executives, vendors, or trusted contacts to manipulate employees into transferring funds or disclosing sensitive information. Unlike malware-based attacks, BEC relies purely on social engineering—there’s often no malicious link or attachment to detect.

The Attack

BEC Categories (FBI Classification)

CEO Fraud:

From: "CEO Name" <ceo.private@gmail.com>
To: CFO
Subject: Urgent Wire Transfer

I need you to process a wire transfer today.
I'm in meetings and can't call. This is confidential.
Let me know when it's done.

Vendor Email Compromise:

From: accounts@vendor.com (compromised)
To: accounts.payable@company.com
Subject: Updated Banking Information

Please update our banking details for future payments.
New account: [attacker's account]

Account Compromise:

  • Attacker gains access to employee’s actual mailbox
  • Sends fraudulent requests from legitimate account
  • Reviews email history for context and targets

Attorney Impersonation:

From: "Law Firm Partner" <partner@lawfirm-secure.com>
To: CEO
Subject: Confidential Acquisition Matter

We need to wire escrow funds today for the confidential acquisition.
Please process $500,000 to the following account.

Data Theft:

From: "CEO Name" <ceo.name.company@gmail.com>
To: HR Director
Subject: Employee Information Request

I need W-2 forms for all employees sent to this email.
Working on a tax matter. Keep this confidential.

Why BEC Works

Authority and Urgency:

  • Impersonates executives (hard to question)
  • Creates time pressure (prevents verification)
  • Requests confidentiality (isolates victim)

No Malware to Detect:

  • Pure text emails
  • No links, no attachments
  • Nothing for security tools to flag

Reconnaissance:

  • Attackers research company hierarchy
  • Know who can authorize payments
  • Understand business relationships
  • Time attacks with executive travel

Financial Impact

FBI IC3 reports (2023):

  • $2.9 billion in reported losses
  • Average loss per incident: $125,000+
  • Likely underreported by 80%+

Raw Email Headers (BEC Attack)

Pure social engineering—authentication passes because it’s from a legitimate freemail account:

Return-Path: <ceo.smith.private@gmail.com>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com [209.85.220.41])
        by mx.company.com (Postfix) with ESMTPS id BEC12345
        for <controller@company.com>; Fri, 24 Jan 2025 16:45:22 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20230601;
        h=from:to:subject:date:message-id;
        bh=validhash123...;
        b=validsig456...
Authentication-Results: mx.company.com;
        dkim=pass header.d=gmail.com header.s=20230601;
        spf=pass (google.com: domain of ceo.smith.private@gmail.com
            designates 209.85.220.41 as permitted sender);
        dmarc=pass (p=NONE) header.from=gmail.com
From: "Robert Smith - CEO" <ceo.smith.private@gmail.com>
To: controller@company.com
Subject: Urgent - Wire Transfer Needed Today
Date: Fri, 24 Jan 2025 16:45:20 -0500
Message-ID: <CABec123456@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8

Hi Jennifer,

I need you to process an urgent wire transfer today. I'm traveling
and in back-to-back meetings so I can't call.

Amount: $47,500
Bank: First National Bank
Routing: 021000021
Account: 123456789
Beneficiary: Global Consulting Partners LLC

Please process this immediately and confirm when done.
Keep this confidential for now.

Robert Smith
CEO

Key observations:

  • dkim=pass, spf=pass, dmarc=pass — All authentication checks pass for gmail.com, which only proves the message really came through Gmail, not who controls the mailbox
  • No attachments, no links — Nothing for security tools to flag
  • Display name impersonates CEO: "Robert Smith - CEO"
  • Actual sender is random Gmail: ceo.smith.private@gmail.com
  • Creates urgency (“today”, “immediately”) and isolation (“confidential”)
  • This is pure social engineering with perfect authentication

Attack Timeline

Week 1: Reconnaissance
- LinkedIn for org chart
- Company website for executives
- News for M&A activity, travel

Week 2: Infrastructure
- Register lookalike domains
- Set up email accounts
- Compromise vendor/partner if possible

Week 3: Initial Contact
- Test with low-risk request
- Build rapport
- Establish communication pattern

Week 4: Execution
- Make the fraudulent request
- Create urgency
- Collect funds
- Disappear

Defenses

Process Controls

Wire Transfer Verification:

  • Two-person approval for transfers > $X
  • Callback to known number for all changes
  • 24-48 hour delay on new vendor payments

Vendor Management:

  • Verify banking changes by phone
  • Use numbers on file, not from email
  • Multi-party approval for payment changes

Technical Controls

VIP Impersonation Protection:

  • Protect executive names and email patterns
  • Flag external emails using executive names
  • Quarantine display name impersonation

External Email Tagging:

[EXTERNAL] This email originated from outside the organization.
Be cautious with links, attachments, and requests for sensitive information.

DMARC Enforcement:

  • Prevents direct domain spoofing
  • Forces attackers to lookalike domains
  • Easier to detect non-exact matches

User Training

Focus on:

  • Verifying unusual requests by phone
  • Being suspicious of urgency + secrecy
  • Checking actual email addresses
  • Reporting suspected BEC attempts

Simulated BEC:

  • Test with fake executive requests
  • Measure response rates
  • Train those who fall for simulations

Attacker Adaptation

Gift Card Scams

Lower value, harder to trace:

"Can you buy $500 in Google Play gift cards?
I need them for a client. Send me the codes."

Payroll Diversion

Target HR/Payroll:

"Please update my direct deposit to this account."
(Employee impersonation with changed banking)

Real Estate BEC

Target home buyers at closing:

"Wire your down payment to these updated escrow details."
(Compromised title company or realtor email)

Multi-Stage Attacks

  1. Compromise vendor mailbox
  2. Monitor for payment discussions
  3. Inject at critical moment
  4. Request payment to attacker account

Current State

Status: Active (and Growing)

BEC remains the most damaging email threat:

Why It Persists             Defensive Challenges
--------------------------  ------------------------------
Pure social engineering     No malware to detect
High ROI for attackers      Human judgment required
Exploits trust/authority    Hard to automate defense
Targets business processes  Technology alone insufficient

Detection Guidance

Email Indicators

Flag emails with:

  • Executive display names from external addresses
  • Keywords: “wire transfer”, “urgent”, “confidential”, “don’t tell”
  • Requests to change payment details
  • Gift card requests from executives

Behavioral Indicators

  • Unusual payment requests
  • Pressure to bypass approval processes
  • Requests for secrecy from colleagues
  • Changes to vendor banking information

SIEM Correlation

(email.subject CONTAINS "wire" OR email.subject CONTAINS "urgent" OR email.subject CONTAINS "confidential")
AND email.sender.domain NOT IN (internal_domains)
AND email.display_name IN (executive_names)
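The same logic as this SIEM rule and the header observations above, implemented as an added example that is not part of the original page: it parses a constructed message modelled on the header excerpt, flags an executive display name on an external sender, BEC keywords, and lookalike domains (going slightly beyond the rule), and records that passing DKIM/SPF/DMARC does not clear the message. INTERNAL_DOMAINS and EXECUTIVES are assumed placeholder values.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the page's header excerpt; not a real message.
SAMPLE = """\
Authentication-Results: mx.company.com;
        dkim=pass header.d=gmail.com header.s=20230601;
        spf=pass (google.com: domain of ceo.smith.private@gmail.com designates
            209.85.220.41 as permitted sender);
        dmarc=pass (p=NONE) header.from=gmail.com
From: "Robert Smith - CEO" <ceo.smith.private@gmail.com>
To: controller@company.com
Subject: Urgent - Wire Transfer Needed Today

I need you to process an urgent wire transfer today. Keep this confidential for now.
"""

INTERNAL_DOMAINS = {"company.com"}              # assumption: the tenant's own domains
EXECUTIVES = {"robert smith", "jennifer lee"}   # assumption: protected VIP names
TITLES = {"ceo", "cfo", "coo", "president", "mr", "ms", "dr"}
KEYWORDS = ("wire transfer", "wire", "urgent", "confidential", "don't tell", "gift card")

def normalize_name(display):
    """Lower-case and drop titles/punctuation: 'Robert Smith - CEO' -> 'robert smith'."""
    words = re.sub(r"[\"'(),.\-]", " ", display.lower()).split()
    return " ".join(w for w in words if w not in TITLES)

def is_lookalike(domain):
    """True when an external domain is a near-match of one of ours (e.g. cornpany.com)."""
    return any(SequenceMatcher(None, domain, d).ratio() >= 0.8 for d in INTERNAL_DOMAINS)

def bec_indicators(raw):
    """Return indicator tags for one raw RFC 5322 message; empty list means nothing matched."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    found = []
    if domain in INTERNAL_DOMAINS:          # internal sender: the external-sender rules do not apply
        return found
    if normalize_name(display) in EXECUTIVES:
        found.append("vip_display_name_from_external")
    if is_lookalike(domain):
        found.append("lookalike_domain")
    if any(k in text for k in KEYWORDS):
        found.append("external_with_bec_keywords")
    auth = msg.get("Authentication-Results", "")
    # DKIM/SPF/DMARC passing only proves the mail really came from gmail.com; it says
    # nothing about who controls that mailbox, so a pass must not suppress the alert.
    if found and all(f"{m}=pass" in auth for m in ("dkim", "spf", "dmarc")):
        found.append("authenticated_but_impersonating")
    return found
```

Feed it the text of a quarantined message to see which of the page's indicators fire; an internal sender returns an empty list because the external-sender rules are not evaluated.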

Incident Response

If BEC succeeds:

  1. Contact bank immediately (recall may be possible within 24-72 hours)
  2. File FBI IC3 complaint
  3. Preserve all email evidence
  4. Investigate how attack succeeded
  5. Review for additional compromised accounts
  6. Implement process improvements

What Killed It (or Weakened It)

Defense                              Introduced  Impact
-----------------------------------  ----------  -------------------------------------------------------------
Wire Transfer Verification Policies  2016        Out-of-band verification for large transfers becomes standard
VIP Impersonation Protection         2018        SEGs flag emails impersonating known executives
Payment Change Verification          2020        Dual approval and callback verification for vendor changes