
BEC

BEC (Business Email Compromise) is a targeted social engineering attack where criminals impersonate a trusted person (CEO, vendor, lawyer) to fraudulently obtain wire transfers, change of bank details, or confidential information. Average loss per incident in 2024 — $125,000.

What is BEC (Business Email Compromise)?

BEC (Business Email Compromise) is a targeted social engineering attack where criminals impersonate a trusted person — CEO, CFO, vendor, attorney — to force wire transfers, bank detail changes, or extraction of confidential information (e.g., W-2, HR data).

FBI IC3 reports BEC as the most costly cyberattack type — over $2.9 billion in annual losses (2023 report). Average loss per incident: $125,000 (2024).

BEC is unique in that it requires no malware or exploit — it relies entirely on persuasion, time pressure, and exploitation of trust.

5 main types of BEC attacks (per FBI IC3)

  1. CEO Fraud — the criminal impersonates the CEO and orders the CFO or accounting to execute an urgent “confidential, strategic” transfer.
  2. Vendor Email Compromise (VEC) — the criminal takes over a vendor mailbox (phishing, password spray) and sends a fake invoice with a new account number. The victim is the vendor’s customer, not the vendor.
  3. Account Compromise — hijacking an employee mailbox (via phishing) to phish others inside the organization (an “internal” email is more credible).
  4. Attorney Impersonation — posing as an external attorney in a “confidential and urgent” matter, applying time pressure.
  5. Data Theft — phishing accounting/HR to extract W-2 forms and employee data (goal: identity theft).

Defense — 9-step BEC protection

  1. MFA on all mailboxes — foundation, especially Office 365/Google Workspace
  2. DMARC / DKIM / SPF enforced (DMARC p=reject policy) — blocks domain spoofing
  3. 2-step verification procedure for transfers >$X — mandatory call-back to originator on known number (not from email!)
  4. Separate procedures for vendor bank detail changes — written verification + call-back + double-sign-off required
  5. Security awareness training + quarterly BEC simulations (KnowBe4, Proofpoint Security Awareness)
  6. “External” banner on emails from outside (default in Microsoft 365 and Google Workspace)
  7. Monitoring sensitive mailboxes (finance, executives) for forwarding rules, filters, OAuth apps
  8. Cyber insurance with BEC coverage (social engineering endorsement)
  9. Response plan — banking relationship for fast transfer suspension (24-72h SWIFT wire recall window)
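Step 7 above and the forensic mailbox audit in the response plan below both come down to the same check: reviewing inbox rules for the persistence patterns BEC actors leave behind (external forwarding, auto-delete, hiding finance mail in unread folders). The following is an added example, not code from this page or from any mail vendor; the `InboxRule` shape and the `SAMPLE_RULES` export are constructed for illustration, and `nflo.com` is the page's example domain.

```python
"""Audit mailbox inbox rules for the persistence patterns BEC actors leave behind."""
from dataclasses import dataclass, field

OWN_DOMAINS = {"nflo.com"}  # constructed: the organisation's own mail domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items", "archive", "junk email"}
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "transfer", "iban", "remittance"}

@dataclass
class InboxRule:
    """Simplified, constructed shape of an exported inbox rule (not a vendor schema)."""
    mailbox: str
    name: str
    forward_to: list[str] = field(default_factory=list)
    move_to_folder: str = ""
    delete_message: bool = False
    mark_as_read: bool = False
    subject_contains: list[str] = field(default_factory=list)

def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in OWN_DOMAINS

def audit_rule(rule: InboxRule) -> list[str]:
    """Return human-readable findings; an empty list means the rule looks benign."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append(f"forwards to external address(es): {', '.join(external)}")
    if rule.delete_message:
        findings.append("auto-deletes matching messages")
    if rule.move_to_folder.lower() in HIDING_FOLDERS:
        findings.append(f"moves messages to rarely-read folder '{rule.move_to_folder}'")
    words = [w for w in rule.subject_contains if w.lower() in FINANCE_WORDS]
    # Finance keywords alone are normal; combined with hiding/forwarding they are the BEC pattern
    if words and (findings or rule.mark_as_read):
        findings.append(f"filters on finance keywords: {', '.join(words)}")
    return findings

def audit_mailbox(rules: list[InboxRule]) -> dict[str, list[str]]:
    """Map rule name -> findings for every rule that needs an analyst's review."""
    return {r.name: found for r in rules if (found := audit_rule(r))}

# Constructed sample export for an accounts-payable mailbox
SAMPLE_RULES = [
    InboxRule("ap@nflo.com", "Newsletters", move_to_folder="Newsletters", subject_contains=["newsletter"]),
    InboxRule("ap@nflo.com", "Sync", forward_to=["ap.backup@gmail.example"], mark_as_read=True,
              subject_contains=["invoice", "wire"]),
    InboxRule("ap@nflo.com", "Clean", move_to_folder="RSS Feeds", subject_contains=["payment"]),
]

if __name__ == "__main__":
    for name, found in audit_mailbox(SAMPLE_RULES).items():
        print(name, "->", "; ".join(found))
```

In practice the rule list is fed from the mail platform's export (for the sender's and the recipient's mailbox alike, as step 4 of the response plan requires) and the same review is extended to OAuth application grants and recent sign-in locations.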

Incident response plan after BEC detection

The first 24 hours are critical, since most transfers can only be reversed in this window:

  1. Immediately: block transfer via bank (SWIFT wire recall, 24-72h window)
  2. Within 2h: notify CERT and police; for US transfers, report to IC3.gov
  3. Within 4h: change passwords + log out sessions for all involved
  4. Within 8h: forensic mailbox audit (forwarding rules, filters, OAuth apps, recent logins)
  5. Within 24h: communication with affected business partners
  6. Within 72h: GDPR notification if personal data was leaked
  7. Week +: retrospective — which procedures failed, remediation plan


Frequently asked questions

What is BEC (Business Email Compromise)?

BEC is a targeted social engineering attack where criminals impersonate a trusted person — typically CEO, CFO, vendor, or attorney — to force wire transfers or bank detail changes. The attack requires no malware or exploit — it relies entirely on persuasion and pressure. FBI IC3 reports BEC as the most costly cyberattack type: $2.9 billion in annual losses (2023 report).

What are the types of BEC attacks?

The FBI identifies 5 main types: (1) CEO Fraud — impersonating the CEO and pressuring the CFO/accounting for an urgent transfer, (2) Vendor Email Compromise — hijacking a vendor mailbox and sending a fake invoice with a new account number, (3) Account Compromise — taking over an employee mailbox for internal phishing, (4) Attorney Impersonation — posing as a lawyer in a 'confidential and urgent' matter, (5) Data Theft — extracting W-2 / HR data (phishing of accounting).

How to recognize a BEC attack?

Typical warning signs: (1) urgency and secrecy — 'do it now, tell no one', (2) deviation from standard procedure — a transfer outside the normal process, (3) subtle email address differences (e.g., @ceo.nflo-corp.com vs @nflo.com), (4) a request to change bank details right before a scheduled payment, (5) a message sent from a phone or with a signature not normally seen, (6) grammar or style different from usual, (7) no voice verification possible.
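Warning sign (3) can be checked mechanically at the mail gateway or in a SOC triage script. The following is an added example, not code from this page: it compares the From: domain against a constructed allow-list of trusted domains (`nflo.com`, the page's example) and flags homoglyph substitutions, typosquats within two edits, and trusted names embedded in an unrelated registrable domain such as `ceo.nflo-corp.com`, plus a Reply-To: that points somewhere else. The two-label `registrable()` rule is an assumption that ignores public suffixes like `co.uk`.

```python
"""Flag From:/Reply-To: addresses that imitate a trusted domain (BEC warning sign 3)."""
from email.utils import parseaddr

TRUSTED = {"nflo.com"}  # constructed allow-list; nflo.com is the page's example domain
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header: str) -> str:
    addr = parseaddr(header)[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def registrable(domain: str) -> str:
    # Assumption: last two labels; no public-suffix list (co.uk etc.) is consulted
    return ".".join(domain.split(".")[-2:])

def domain_findings(domain: str) -> list[str]:
    """Describe how a sender domain resembles a trusted one; empty if trusted or unrelated."""
    reg = registrable(domain)
    if not domain or reg in TRUSTED:
        return []
    out, base = [], reg.split(".")[0]
    for t in TRUSTED:
        tbase = t.split(".")[0]
        folded = base.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")
        if folded == tbase and base != tbase:
            out.append(f"homoglyph lookalike of {t}")
        elif levenshtein(reg, t) <= 2:
            out.append(f"typosquat of {t} (edit distance {levenshtein(reg, t)})")
        elif any(tbase in label for label in domain.split(".")[:-1]):
            out.append(f"'{tbase}' embedded in unrelated domain {reg}")
    return out

def check_headers(from_header: str, reply_to: str = "") -> list[str]:
    """Warning signs for one message: a lookalike From: or a mismatched Reply-To:."""
    findings = [f"From: {f}" for f in domain_findings(domain_of(from_header))]
    if reply_to and domain_of(reply_to) != domain_of(from_header):
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain")
    return findings
```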

How to defend against BEC?

9-step defense: (1) MFA on all mailboxes — foundation, (2) DMARC/DKIM/SPF enforced — blocks spoofing, (3) 2-step verification procedure for transfers >$X (mandatory call-back to originator on known number), (4) separate procedures for vendor bank detail changes (written verification + call-back required), (5) security awareness training + quarterly BEC simulations, (6) 'External' banner on all emails from outside organization, (7) monitoring sensitive mailboxes (finance, executives) for forwarding rules, (8) cyber insurance with BEC coverage, (9) response plan with bank (quick transfer suspension — 24-72h window).

What to do after detecting a BEC attack?

Response plan (first 24h are critical): (1) immediately block the transfer via the bank (SWIFT wire recall has a 24-72h window), (2) notify CERT + report to police, (3) for US transfers — IC3.gov may reverse the transfer, (4) change passwords + log out sessions for all involved persons, (5) forensic audit of the sender and recipient mailbox (rules, filters, OAuth apps), (6) GDPR reporting if personal data was leaked (72h), (7) communication with affected business partners, (8) retrospective — which procedures failed.

Tags:

bec social-engineering phishing email-security ceo-fraud vendor-fraud
