Features 05.03.2024

Business Email Compromise: How Not to Lose $121m Like Google and Facebook

How BEC is becoming a bigger threat and what you can do about it

Stats don’t lie: Business email compromise (BEC) is a growing risk to all firms. Kate O’Flaherty investigates

As victims, including Facebook and Google, have discovered, business email compromise (BEC) attacks can cause untold damage to a company.

BEC attacks are targeted email scams that see adversaries impersonating a business CEO or supplier to steal cash.

The figures say it all. Ransomware and BEC accounted for 46% of cyber insurance claims from 2018 to 2022 and nearly 53% in 2022, according to the NetDiligence Cyber Claims Study. Between 2018 and 2022, 1,480 claims were made as a result of BEC, and 71% of these occurred in the latter two years, according to the report.

Meanwhile, the median amount stolen per BEC attack has reached £40,000 ($50,000), according to Verizon’s Data Breach Investigations Report.

And BEC attacks are becoming more sophisticated. Cyber criminals are already using artificial intelligence (AI) to boost social engineering and create convincing written, voice and video fakes. To add salt to an already salty wound, the National Cyber Security Centre (NCSC) has warned that this will worsen over the next two years.

It doesn’t make for joyful reading. Let’s look at exactly what BEC attacks look like now, how they will evolve and most importantly, what you can do to protect your business.

The changing face of BEC: What do attacks really look like?

BEC attacks involve email, but there are many ways of performing them. Here are four ways attackers could target you.

  • Mailbox access strategy: This sees attackers gain entry to a target’s email system by compromising a legitimate internal email account. Once they’ve gained access, attackers sift through email threads to gather information for fraud, says James Todd, chief technology officer at Adarma.
  • C-suite impersonation strategy: This one looks exactly as it sounds. Adversaries spoof or hack into a CEO or executive’s email account to research targets and deceive employees into purchasing or transferring money to the attacker’s account.
  • Attorney impersonation strategy: Another convincing attack method sees criminals use law firms’ hacked accounts to trick their victims. In these attacks, they often target victims using the company’s breached database.
  • False invoice strategy: Attackers can impersonate legitimate vendors and send fake bills to companies. “They’ll often provide altered account numbers or request funds be transferred to different banks with plausible excuses, such as ongoing audits,” Todd says.


BEC doesn’t look like it used to. In the past, attackers would simply hack or spoof business accounts and request wire payments, but this is evolving, according to the FBI’s 2022 Internet Crime Report.

“More recently, fraudsters are more frequently utilising custodial accounts held at financial institutions for cryptocurrency exchanges, or having victims send funds directly to cryptocurrency platforms where [they] are quickly dispersed,” the FBI warns.

Many firms tackle BEC attacks by having additional processes, such as a requirement to phone and confirm bank details before sending the transfer (if you don’t do this already, you should). However, the FBI found attackers are even spoofing legitimate business phone numbers to confirm fraudulent banking details with victims.

BEC attacks can take several forms: An adversary might impersonate a business CEO, asking a financial director to wire cash. Invoice scams are another risk, with attackers pretending to be emailing from a supplier to try and persuade their victims to transfer money (see box).

BEC is attractive to adversaries because attacks are relatively straightforward compared to ransomware, says Richard Breavington, partner and head of cyber and tech insurance at RPC. “Once a payment diversion fraud is successful and funds are siphoned into criminal accounts, the financial gain is made. There is no need for ransom negotiation or managing decryption keys.”

The ease with which BEC can be performed makes it no surprise that the volume of attacks is surging, increasing the chances people will get caught out. Chris Morgan, senior cyber threat intelligence analyst at ReliaQuest, describes how his company has observed a “significant increase” in BEC attacks, “primarily involving phishing emails aimed at deceiving employees into making fraudulent payments”.

This can be attributed to the wide availability of phishing kits and services and increasing use of automation – both of which make it easier to execute BEC attacks, says Morgan. He cites the example of phishing-as-a-service offerings, such as BulletProofLink, which “streamline and facilitate operations”.

To make a bad situation worse, experts predict the threat will grow over the next few years thanks to new technologies such as generative AI. This will help scammers send more convincing phishing emails without typos or grammatical errors, “eliminating a key indicator of spam”, says Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University.

Curran says that generative AI can also help attackers create audio to mimic the voices of specific executives or generate fake videos to boost legitimacy. “All of this simply improves a scammer’s chance of tricking victims into thinking they’re communicating with real and genuine people.”

Morgan agrees, pointing to the fact AI can mimic communication styles in multiple languages. “This will make fake interactions and attacks much harder to detect.”

Morgan says that AI can also automate spear-phishing tactics used in BEC attacks. “Machine learning algorithms can analyse vast amounts of personal information available online to create personalised profiles for victims. By understanding a target’s preferences, relationships and activities, these AI systems can craft highly deceptive emails that increase the chances of success.”

How to thwart attacks

There’s no denying that the BEC threat is growing, but there are warning signs you can look out for. The style of the email can sometimes be a giveaway. One thing to be wary of is the use of fear tactics, so “be sceptical of urgent-sounding messages”, says Tony King, SVP international at NETSCOUT.

Email security also needs to be considered. Experts recommend using multi-factor authentication (MFA) to prevent adversaries from gaining access to accounts. Meanwhile, Tim Freestone, chief strategy and marketing officer at Kiteworks, recommends a zero-trust policy ensuring no email is trusted unless it passes several authentication protocols – for sending, receiving and storing emails.
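One way to combine the warning signs above with the "no email is trusted unless it passes several authentication protocols" rule in a mail-gateway check, as an added example (not from the article or the people quoted in it). It assumes the protocols are SPF, DKIM and DMARC, which the article does not name, and that your own gateway stamps an `Authentication-Results` header under the hypothetical ID `mx.example.com`; the keyword patterns and sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed keyword patterns: urgency cues and the "altered account numbers" lure.
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|confidential)\b", re.I)
PAYMENT_CHANGE = re.compile(r"\b(new|updated|changed)\s+(bank|account|payment)\s+(details|number)", re.I)

def auth_results(msg, trusted_authserv):
    """Collect spf/dkim/dmarc verdicts, but only from headers our own gateway added."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        authserv, _, rest = header.partition(";")
        if authserv.strip().lower() != trusted_authserv:
            continue  # a sender can insert this header too, so ignore foreign IDs
        for method, verdict in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest, re.I):
            results[method.lower()] = verdict.lower()
    return results

def domain(msg, field):
    """Lower-cased domain part of an address header, or '' if the header is absent."""
    return parseaddr(msg.get(field, ""))[1].rpartition("@")[2].lower()

def triage(raw, trusted_authserv="mx.example.com"):
    """Return the reasons a message should be held for manual payment verification."""
    msg = message_from_string(raw)
    auth = auth_results(msg, trusted_authserv)
    # Zero trust: anything other than an explicit "pass" counts against the message.
    flags = [f"{m}-not-pass" for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass"]
    reply = domain(msg, "Reply-To")
    if reply and reply != domain(msg, "From"):
        flags.append("reply-to-domain-mismatch")
    body = "" if msg.is_multipart() else msg.get_payload()  # single-part text only
    text = f"{msg.get('Subject', '')}\n{body}"
    if URGENCY.search(text):
        flags.append("urgency-language")
    if PAYMENT_CHANGE.search(text):
        flags.append("payment-detail-change")
    return flags

# Constructed samples: a false-invoice lure, and a message carrying a forged "pass" header.
SPOOFED = ("Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail\n"
           "From: Supplier Accounts <accounts@supplier.example>\n"
           "Reply-To: accounts@supp1ier-billing.example\n"
           "Subject: Urgent: invoice 1042\n\n"
           "Due to an ongoing audit please use our new bank details for payment today.\n")
FORGED_HEADER = ("Authentication-Results: mail.other.example; spf=pass; dkim=pass; dmarc=pass\n"
                 "From: ceo@example.com\nSubject: Wire transfer\n\n"
                 "Please handle this confidential payment immediately.\n")

if __name__ == "__main__":
    print(triage(SPOOFED), triage(FORGED_HEADER), sep="\n")
```

Keyword matching is only a triage signal; messages written without these cues pass it, so the authentication and Reply-To checks carry the weight.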

Education is integral. To reduce the volume and impact of successful BEC attacks, organisations should educate their employees about the dangers of clicking on suspicious links and train them to recognise fake audio and video, says Curran. “Staff should also be taught to look out for and report unusual requests or changes in communication patterns. This is especially true when it comes to financial transactions.”

It’s also important to double-check everything and enforce strong policies to govern payments. While attackers can spoof phone numbers, a multi-step process could include a video call to authorise the transfer of large sums of money. In many cases, this could prevent you from being caught out by a BEC attack.

Four steps to tackle BEC

  1. Use MFA to secure accounts: “Though it may not prevent all BEC strategies, it can alert the team to suspicious access attempts,” says Todd.
  2. Training is integral: Morgan says regular employee training is essential to improve awareness and reporting of BEC tactics and how they are changing in line with new technology.
  3. Double-check everything: Morgan says establishing and enforcing verification protocols for financial transactions and sensitive data exchanges can help thwart attacks.
  4. Enforce stringent policies: Assess the strength of finance, payroll and HR processes dependent on emails or third-party email systems, says Todd. “Enforce technical controls with mandatory policy configurations for supplier management.”
