What Is Business Email Compromise (BEC)? How It Works and How to Prevent It

Introduction
Business Email Compromise, often shortened to BEC, is one of the most financially damaging cyber threats facing organizations today. It does not rely on flashy malware, zero day exploits, or obvious red flags. Instead, it exploits something far more reliable: normal business workflows and human trust.
At its core, BEC is a form of targeted fraud where attackers use email to impersonate a trusted person or gain access to a real email account. From there, they manipulate employees into sending money, changing payment instructions, or sharing sensitive information.
Because these attacks often involve legitimate email accounts and realistic requests, they regularly bypass both technical security controls and human intuition.
Definition Of BEC
Business Email Compromise is fraud carried out through business email systems. The attacker’s objective is almost always one of the following:
- Initiate a fraudulent payment such as a wire transfer, ACH, or invoice payment
- Redirect an existing payment by changing vendor banking details
- Obtain sensitive internal data such as payroll files, tax forms, or customer records
What separates BEC from traditional scams is that the attacker is not pretending to be a random third party. They are pretending to be someone already trusted inside a real business relationship.
In more advanced cases, the attacker is not pretending at all. They are operating from inside a legitimate, compromised mailbox.
How A Business Email Compromise Attack Actually Works
BEC attacks are deliberate and methodical. They are not mass spam campaigns. Each step is designed to reduce suspicion and increase success.
Reconnaissance And Target Selection
Attackers begin with reconnaissance. They map out the organization using publicly available information and prior breaches.
Typical sources include LinkedIn profiles, company websites, job postings, press releases, and social media. Attackers identify who works in finance, payroll, legal, and executive roles. They also identify vendors, partners, and typical payment flows.
In many cases, attackers already have partial data from older breaches and use it to enrich their targeting.
Initial Access And Email Compromise
There are two primary technical paths attackers use to gain leverage.
The first is impersonation. Attackers register domains that closely resemble the legitimate company domain or manipulate email headers and display names. Without proper email authentication, these messages can pass basic checks.
The second path is account takeover. This is more dangerous and more effective.
Account takeover typically occurs through credential phishing, password reuse from previous breaches, malware that steals browser sessions, or abuse of weak authentication methods such as SMS based resets.
Once attackers access a mailbox, they often spend days or weeks observing before acting.
Internal Mapping And Mailbox Manipulation
Inside a compromised mailbox, attackers do not rush. They study conversations, payment cycles, approval chains, and writing style.
Technically, attackers often set up hidden inbox rules that forward copies of emails to external addresses or move replies into obscure folders. This allows them to monitor conversations while remaining invisible to the victim.
They may also create rules to delete security alerts or login warnings.
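The rule patterns described above (external forwarding, replies parked in an obscure folder, security alerts deleted) can be checked mechanically once mailbox rules are exported. The following Python is an added example, not code from the original article: the `InboxRule` shape, the internal domain `example.com`, the folder and keyword lists, and the sample rules are all constructed assumptions standing in for whatever an admin export (Exchange, Graph, IMAP server rules) actually produces.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Assumed: the organisation's own mail domains (constructed for this example).
INTERNAL_DOMAINS = {"example.com"}

# Folders where diverted mail tends to be parked so the mailbox owner never notices it.
OBSCURE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "archive", "junk email", "deleted items"}

# Subject fragments typical of login and security notifications.
ALERT_KEYWORDS = ("password", "security alert", "sign-in", "sign in", "unusual",
                  "new device", "verification code", "mfa")


@dataclass
class InboxRule:
    """Simplified view of an inbox rule as an admin export might present it (constructed shape)."""
    name: str
    forward_to: list[str] = field(default_factory=list)
    move_to_folder: str | None = None
    delete: bool = False
    subject_contains: list[str] = field(default_factory=list)


def is_external(address: str) -> bool:
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def assess_rule(rule: InboxRule) -> list[str]:
    """Return short finding codes for one rule; an empty list means nothing suspicious."""
    findings = []
    if any(is_external(a) for a in rule.forward_to):
        findings.append("external-forward")
    if rule.move_to_folder and rule.move_to_folder.strip().lower() in OBSCURE_FOLDERS:
        findings.append("obscure-folder")
    subject = " ".join(rule.subject_contains).lower()
    if (rule.delete or rule.move_to_folder) and any(k in subject for k in ALERT_KEYWORDS):
        findings.append("alert-suppression")
    # Rule names left blank or set to a single punctuation mark are a common tell.
    if not rule.name.strip() or re.fullmatch(r"[\W_]+", rule.name.strip()):
        findings.append("nondescript-name")
    return findings


def audit_rules(rules: list[InboxRule]) -> list[tuple[str, list[str]]]:
    """Return (rule name, findings) for every rule that has at least one finding."""
    return [(r.name, f) for r in rules if (f := assess_rule(r))]


# Constructed sample export: one benign rule and two of the kinds the article describes.
SAMPLE_RULES = [
    InboxRule("Newsletters", move_to_folder="Newsletters", subject_contains=["weekly digest"]),
    InboxRule(".", forward_to=["finance.backup@external-mail.test"],
              move_to_folder="RSS Subscriptions", subject_contains=["invoice", "wire", "payment"]),
    InboxRule("Cleanup", delete=True, subject_contains=["Unusual sign-in activity", "password reset"]),
]

if __name__ == "__main__":
    for name, findings in audit_rules(SAMPLE_RULES):
        print(f"rule {name!r}: {', '.join(findings)}")
```

Run this over a real export on a schedule and alert on any rule that gains a finding; a forwarding rule pointing outside the organisation is worth an immediate look regardless of what else the rule does.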
The Fraud Execution Phase
When the timing is right, attackers intervene.
They reply within existing email threads, modify invoices, or introduce urgent requests. Because the messages come from real accounts and reference real conversations, they often pass both spam filters and human scrutiny.
From a technical standpoint, there may be no malicious links, no attachments, and no obvious indicators of compromise.
The Most Common Types Of Business Email Compromise
BEC appears in several recurring technical and operational patterns.
Executive Impersonation And CEO Fraud
Attackers impersonate senior leadership and target employees who can move money or bypass controls. These messages often include language that discourages verification.
Vendor And Supply Chain Payment Fraud
Attackers compromise or impersonate vendor email accounts and request banking changes. Technically, this is often supported by hijacked email threads and modified PDF invoices.
This type of BEC is particularly dangerous because it exploits trusted third party relationships.
Accounts Payable And Wire Transfer Fraud
Attackers target finance teams with payment authority. The technical success depends on familiarity with approval workflows and internal terminology.
Payroll And Direct Deposit Redirection
Attackers request payroll changes by impersonating employees or HR staff. This is often paired with access to HR systems or leaked employee data.
Data Exfiltration And Tax Fraud
Some BEC attacks focus entirely on data theft. Payroll files, W-2 forms, and employee records are requested and then used for identity theft or tax fraud.
Real Estate And Transaction Closing Fraud
Attackers monitor real estate email threads and inject fraudulent wiring instructions just before closing. Timing and psychological pressure play a major role.
BEC Vs Traditional Phishing
Phishing is broad and opportunistic. BEC is narrow and intentional.
Phishing often relies on malicious links or attachments to steal credentials. BEC relies on conversation, context, and authority.
Technically, many BEC attacks involve no malware at all. This is why traditional endpoint and antivirus tools often fail to stop them.
Phishing is often the entry point. BEC is the payoff.
Why Business Email Compromise Is So Hard To Detect
From a technical perspective, BEC is difficult to stop because it abuses legitimate systems.
Emails originate from real accounts. Domains may pass SPF, DKIM, and DMARC checks. There may be no malicious URLs to scan.
From a behavioral perspective, the requests align with normal business activity. Paying invoices, updating bank details, and sharing documents are routine tasks.
Attackers also time their actions carefully. End of quarter, holidays, travel periods, and executive absences are prime windows.
Technical Indicators And Red Flags
While subtle, there are technical signals organizations can monitor.
Unexpected inbox rules, especially those forwarding email externally, are a strong indicator of compromise.
New mailbox delegates, OAuth app authorizations, or changes to login locations should be reviewed.
Payment requests that bypass normal workflows or request process exceptions are operational red flags.
Email headers showing domain mismatches, unusual Reply-To addresses, or inconsistent routing paths can also signal impersonation.
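The header checks listed above can be scripted against raw messages. This Python is an added example, not the article's own code: it parses a message with the standard library and flags a Reply-To or Return-Path whose domain differs from the From domain, a From domain within a small edit distance of a known domain, a display name that embeds an address from another domain, and a failed DMARC verdict in Authentication-Results. The known-domain set and both sample messages are constructed for the example.

```python
from __future__ import annotations
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Assumed: domains the organisation and its trusted vendors actually send from (constructed).
KNOWN_DOMAINS = {"example.com", "acme-supplies.com"}


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_headers(raw: bytes) -> list[str]:
    """Return finding codes for one raw RFC 5322 message; empty list means no header red flags."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)

    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")

    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    if return_path and domain_of(return_path) != from_dom:
        findings.append("return-path-mismatch")

    # A display name that carries an address from some other domain is a classic spoof layout.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", from_name)
    if embedded and domain_of(embedded.group()) != from_dom:
        findings.append("display-name-address-mismatch")

    # Near-miss of a domain we know: one or two character edits away but not equal.
    for known in sorted(KNOWN_DOMAINS):
        if from_dom != known and edit_distance(from_dom, known) <= 2:
            findings.append("lookalike-domain")
            break

    auth = str(msg.get("Authentication-Results", "")).lower()
    if "dmarc=fail" in auth:
        findings.append("dmarc-fail")
    return findings


# Constructed sample: an impersonation attempt of the kind the article describes.
SUSPECT = b"""From: "Dana Lee (CEO)" <dana.lee@examp1e.com>
Reply-To: Dana Lee <ceo.office@mail-relay.test>
Return-Path: <bounce@mail-relay.test>
To: payments@example.com
Subject: Re: Wire for closing today
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=mail-relay.test; dmarc=none header.from=examp1e.com

Please process the updated wiring instructions before 3pm.
"""

# Constructed sample: an ordinary vendor invoice with consistent headers.
CLEAN = b"""From: Accounts <ar@acme-supplies.com>
Reply-To: Accounts <ar@acme-supplies.com>
Return-Path: <bounces@acme-supplies.com>
To: payments@example.com
Subject: Invoice 4471
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=acme-supplies.com

Invoice attached, terms unchanged.
"""

if __name__ == "__main__":
    print("suspect:", analyze_headers(SUSPECT))
    print("clean:  ", analyze_headers(CLEAN))
```

None of these findings is proof on its own (legitimate bulk senders routinely use a different Return-Path), so treat them as triage signals to combine with the mailbox and workflow indicators above rather than as a block rule.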
Technical Controls That Actually Reduce BEC Risk
Effective BEC defense combines identity security, email security, and process controls.
Strong Authentication For Email Accounts
Email should be treated as a high value system.
Require multi factor authentication for all email access. Phishing resistant methods such as hardware keys or passkeys provide stronger protection than SMS.
Disable legacy authentication protocols that allow attackers to bypass MFA.
Use conditional access policies to flag or block logins from unfamiliar locations or devices.
Monitoring And Mailbox Hygiene
Actively monitor for suspicious mailbox rules, external forwarding, and delegated access changes.
Audit OAuth application permissions and remove unused or risky integrations.
Review sign in logs for anomalous behavior.
Email Domain Authentication
Properly configured SPF, DKIM, and DMARC reduce the success of domain spoofing and impersonation attacks.
DMARC enforcement in particular helps receiving systems reject unauthorized messages claiming to be from your domain.
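Whether a domain's SPF and DMARC records actually enforce anything is easy to check from the published TXT records. The following Python is an added example, not part of the original article: it evaluates a DMARC record for a monitoring-only policy, a weaker subdomain policy, partial `pct`, and missing aggregate reporting, and an SPF record for a permissive or missing `all` term and too many DNS-querying terms. The records shown, weak beside corrected, are constructed; in practice you would fetch the TXT record at `_dmarc.<domain>` and the domain's own TXT record with a DNS resolver.

```python
from __future__ import annotations
import re


def parse_tags(record: str) -> dict[str, str]:
    """Split a 'k=v; k=v' DMARC record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def evaluate_dmarc(record: str) -> list[str]:
    """Return issue codes for a DMARC record; empty list means it enforces and reports."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["dmarc-missing"]
    issues = []
    p = tags.get("p", "none").lower()
    if p == "none":
        issues.append("policy-none")          # monitoring only; spoofed mail is still delivered
    elif p == "quarantine":
        issues.append("policy-quarantine")    # spoofs land in spam instead of being rejected
    if p != "none" and tags.get("sp", p).lower() == "none":
        issues.append("subdomain-policy-none")
    if int(tags.get("pct", "100")) < 100:
        issues.append("partial-pct")          # policy applied to only a fraction of mail
    if "rua" not in tags:
        issues.append("no-aggregate-reports")
    return issues


# Terms that cost a DNS lookup; RFC 7208 limits a record to 10 of them.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include:|redirect=|exists:|ptr|(a|mx)(?=[:/]|$))")


def evaluate_spf(record: str) -> list[str]:
    """Return issue codes for an SPF record; empty list means a hard fail on unlisted sources."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf-missing"]
    issues = []
    mechanisms = terms[1:]
    all_terms = [m for m in mechanisms if m.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        issues.append("no-all")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("all-pass")         # any host on the internet may send as the domain
        elif qualifier == "?":
            issues.append("all-neutral")
        elif qualifier == "~":
            issues.append("all-softfail")
    if sum(1 for m in mechanisms if LOOKUP_TERM.match(m.lower())) > 10:
        issues.append("too-many-lookups")     # receivers treat this as a permanent error
    return issues


# Constructed records: the weak setting beside the corrected one.
WEAK_DMARC = "v=DMARC1; p=none"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                "rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s")
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example.net -all"

if __name__ == "__main__":
    for label, rec, fn in [("weak DMARC", WEAK_DMARC, evaluate_dmarc),
                           ("strong DMARC", STRONG_DMARC, evaluate_dmarc),
                           ("weak SPF", WEAK_SPF, evaluate_spf),
                           ("strong SPF", STRONG_SPF, evaluate_spf)]:
        print(f"{label}: {fn(rec) or 'ok'}")
```

Move from `p=none` to `p=reject` only after the aggregate reports show every legitimate sending source passing, since a premature reject policy blocks your own mail as readily as an attacker's.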
Payment And Approval Segmentation
Separate payment initiation from approval.
Restrict who can modify vendor banking details.
Log and review all changes to financial systems.
Reducing SMS Dependency
Many BEC attacks succeed because attackers exploit account recovery flows tied to phone numbers.
Reducing reliance on SMS and strengthening mobile account security closes an important gap attackers target.
What To Do If You Suspect A BEC Incident
Speed and containment matter.
Do not reply to the suspected email thread. Verify requests using known trusted channels.
If money has been sent, contact financial institutions immediately. Some transfers can be frozen if caught quickly.
Preserve all email evidence, including headers and logs.
If an email account is compromised, reset credentials, revoke sessions, remove malicious inbox rules, and notify affected contacts.
- Require out of band verification for payment changes
- Enforce strong authentication on email accounts
- Monitor inbox rules and forwarding behavior
- Implement SPF, DKIM, and DMARC
- Separate payment initiation and approval
- Reduce reliance on SMS for account recovery
Final Thoughts
Business Email Compromise is not a technical failure alone. It is an attack on trust, workflow, and identity.
The most effective defenses are layered. Strong identity protection, email visibility, and simple verification processes dramatically reduce risk.
When email is treated as critical infrastructure and verification becomes routine, BEC attacks lose their power.