What is a BEC attack and why it targets the financial sector
Business Email Compromise (BEC) is an advanced social engineering attack where cybercriminals impersonate executives, vendors, or regulators to authorize fraudulent financial transactions. The financial sector is the primary target because it operates directly with money — one forged transfer order can mean losses in the millions.
In 2025, the FBI recorded a 38% increase in BEC attacks on financial institutions. The average loss per incident in the banking sector is $4.7M — significantly more than in other industries. BEC attacks bypass traditional technical defenses because they exploit trust and internal procedures, not software vulnerabilities.
Main BEC attack vectors in finance
CEO Fraud — executive impersonation
Attackers impersonate the CEO or CFO, sending urgent transfer orders to the treasury department. They leverage organizational structure knowledge and communication style gathered from LinkedIn and public reports.
Fake vendor invoices
Criminals compromise or forge email accounts of IT service providers, audit firms, or law firms working with the bank. They alter account numbers in regular invoices.
Employee email account takeover
Through phishing or credential stuffing, attackers gain access to a bank employee’s email, then use it to authorize internal transactions.
Fake regulators and auditors
Attackers impersonate regulatory bodies or audit firms and send urgent requests for data transfers or for the execution of "test" transactions.
Consequences of BEC attacks for financial institutions
Direct financial losses: Average $4.7M per incident. For international transfers, fund recovery is nearly impossible after 24-48 hours.
Regulatory consequences: DORA requires reporting major ICT incidents within 4 hours. Regulators can impose sanctions for inadequate internal controls. NIS2 requires risk management covering social engineering threats.
Trust erosion: A bank that falls victim to BEC fraud loses credibility with corporate clients and business partners.
Legal liability: Clients may seek damages if the bank failed to implement adequate order verification procedures.
Why traditional defenses are insufficient
BEC attacks bypass standard spam filters because they contain no malware or malicious links. The email looks like a normal business message. DMARC, SPF, and DKIM help detect domain spoofing but don’t protect against compromised accounts or lookalike domains (e.g., bank-global.com vs bank-g1obal.com).
Without behavioral analysis and multi-layered transaction verification, bank employees lack the tools to distinguish genuine orders from fraudulent ones.
7 protection methods against BEC in finance
1. Multi-layered transaction authorization
Implement dual authorization for transfers above set thresholds. At least two people from different departments must approve the transaction, with identity confirmation via a separate channel (phone, internal messenger).
2. Email behavioral analysis
Deploy systems that detect communication anomalies: unusual sending hours, new sender addresses, changes in writing style, urgency language, and requests to change account numbers. Integrate them with the SIEM so that alerts can be correlated.
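As an added illustration of the kind of rule a behavioural engine applies to mail (example code, not code from the article or from any product it mentions), the script below scores three constructed messages against the anomalies listed above and emits one JSON event per message in a form a SIEM could ingest. The internal domain, the executive list, the sender history, the keyword patterns, the rule weights and the alert threshold are all assumptions chosen for the example.

```python
import json
import re
from datetime import datetime

INTERNAL_DOMAIN = "bank-global.com"                    # assumed: the bank's own mail domain
EXECUTIVES = {"Anna Kowalska", "Mark Lee"}             # constructed: names an attacker would imitate
KNOWN_SENDERS = {"anna.kowalska@bank-global.com",      # constructed: addresses seen in past mail
                 "invoices@auditfirm.example"}
BUSINESS_HOURS = range(7, 19)                          # assumed local working hours
ALERT_THRESHOLD = 3                                    # assumed: any payment-change request alerts

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|confidential|do not (?:call|discuss))\b", re.I)
PAYMENT_CHANGE = re.compile(
    r"\b(new (?:bank )?account|updated? (?:our )?(?:bank|iban|account) details|"
    r"change (?:of )?(?:bank|account)|wire|transfer)\b", re.I)

# Constructed sample messages: one routine, one CEO-fraud attempt, one vendor account change.
SAMPLE_MESSAGES = [
    {"id": "m1", "from": "anna.kowalska@bank-global.com", "display_name": "Anna Kowalska",
     "received": "2025-03-11T10:15:00", "subject": "Q1 board deck",
     "body": "Please send the updated deck by Friday."},
    {"id": "m2", "from": "anna.kowalska@bank-g1obal.com", "display_name": "Anna Kowalska",
     "reply_to": "a.kowalska@mail.example", "received": "2025-03-15T22:40:00",
     "subject": "Urgent", "body": "I need a wire transfer to a new account today. "
                                   "Confidential, do not call me, I am in a meeting."},
    {"id": "m3", "from": "invoices@auditfirm.example", "display_name": "Acme Audit",
     "received": "2025-03-12T09:05:00", "subject": "Invoice 1043 - updated bank details",
     "body": "Please note our updated bank details for all future payments."},
]


def score_message(msg: dict, known_senders=KNOWN_SENDERS) -> dict:
    """Apply each anomaly rule and return the weighted score plus the rules that fired."""
    hits = []
    sender = msg["from"].lower()
    domain = sender.rsplit("@", 1)[-1]
    received = datetime.fromisoformat(msg["received"])
    if received.hour not in BUSINESS_HOURS or received.weekday() >= 5:
        hits.append(("off_hours", 1))                 # sent outside working hours or at the weekend
    if sender not in known_senders:
        hits.append(("new_sender", 2))                # address never seen before
    reply_to = msg.get("reply_to", "").lower()
    if reply_to and reply_to != sender:
        hits.append(("reply_to_mismatch", 2))         # replies are steered to a different mailbox
    if msg.get("display_name") in EXECUTIVES and domain != INTERNAL_DOMAIN:
        hits.append(("exec_name_external_domain", 3))  # executive's name on a non-bank domain
    text = f"{msg['subject']} {msg['body']}"
    if URGENCY.search(text):
        hits.append(("urgency_language", 1))
    if PAYMENT_CHANGE.search(text):
        hits.append(("payment_change_request", 3))
    score = sum(weight for _, weight in hits)
    return {"message_id": msg["id"], "from": sender, "score": score,
            "rules": [name for name, _ in hits], "alert": score >= ALERT_THRESHOLD}


def score_all(messages=SAMPLE_MESSAGES) -> list:
    """Score every message; each dict is one event for the SIEM."""
    return [score_message(m) for m in messages]


if __name__ == "__main__":
    for result in score_all():
        print(json.dumps(result))
```

The weights make a single payment-data change request reach the alert threshold on its own, which matches the callback rule later in this list: such a request is never actioned on the strength of the email alone, so it should always surface for verification even when every other signal looks normal.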
3. DMARC, SPF, DKIM in enforce mode
Implement email authentication standards with a reject policy (DMARC p=reject). Monitor for lookalike domains and automatically block messages from forged domains.
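The two checks behind this method and the lookalike example given earlier on this page, as an added illustration that is not part of the original article: a DMARC TXT record is parsed for its policy, and a sender domain is compared against a constructed list of trusted partner domains after folding the characters that lookalike registrations typically swap (so bank-g1obal.com collapses onto bank-global.com). The trusted domains, the homoglyph table and the similarity threshold are assumptions for the example.

```python
from difflib import SequenceMatcher

# Constructed list of domains the bank legitimately exchanges mail with (assumption).
TRUSTED_DOMAINS = {"bank-global.com", "auditfirm.example", "lawfirm.example"}

# Character substitutions commonly used to build lookalike domains; a short,
# constructed table for the example, not a complete confusables list.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"),
              ("5", "s"), ("7", "t"), ("8", "b")]

# Similarity above which a non-trusted domain is reported as a lookalike (assumed).
LOOKALIKE_THRESHOLD = 0.85


def skeleton(domain: str) -> str:
    """Reduce a domain to a comparison form: lower-case, hyphens dropped, homoglyphs folded."""
    d = domain.strip().lower().replace("-", "")
    for src, dst in HOMOGLYPHS:
        d = d.replace(src, dst)
    return d


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, threshold=LOOKALIKE_THRESHOLD):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain.strip().lower() in trusted:
        return None
    sk = skeleton(domain)
    best, best_ratio = None, 0.0
    for t in trusted:
        t_sk = skeleton(t)
        if sk == t_sk:
            return t                       # identical after folding: a clear lookalike
        ratio = SequenceMatcher(None, sk, t_sk).ratio()
        if ratio >= threshold and ratio > best_ratio:
            best, best_ratio = t, ratio
    return best


def dmarc_tags(txt_record: str) -> dict:
    """Parse a DMARC TXT record ('v=DMARC1; p=reject; ...') into its tag/value pairs."""
    tags = {}
    for part in txt_record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy(txt_record: str) -> str:
    """Return the published policy (p tag), or 'missing' when the record is not DMARC at all."""
    tags = dmarc_tags(txt_record)
    if tags.get("v") != "DMARC1":
        return "missing"
    return tags.get("p", "none")


def dmarc_enforced(txt_record: str) -> bool:
    """True only for p=reject applied to all mail (pct absent or 100)."""
    tags = dmarc_tags(txt_record)
    return dmarc_policy(txt_record) == "reject" and tags.get("pct", "100") == "100"


if __name__ == "__main__":
    # Constructed inputs: the lookalike pair from the article plus two sample records.
    for d in ["bank-global.com", "bank-g1obal.com", "bankglobal.com", "example.org"]:
        print(f"{d:20} lookalike of: {lookalike_of(d)}")
    for rec in ["v=DMARC1; p=reject; rua=mailto:dmarc@bank-global.com",
                "v=DMARC1; p=none; rua=mailto:dmarc@bank-global.com"]:
        print(f"{rec!r}: policy={dmarc_policy(rec)} enforced={dmarc_enforced(rec)}")
```

In a real gateway the record would be fetched from DNS at _dmarc.<domain> and the partner list would come from the vendor master file; the point of the example is that a lookalike check has to run on the folded form, because a byte-for-byte comparison with the trusted domain passes exactly the domains this attack relies on.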
4. Training and phishing simulations
Regular BEC recognition training for treasury, accounting, and back-office staff. Quarterly BEC attack simulations measuring response time and detection rate.
5. Payment data change verification
Callback procedure — every vendor account number change requires phone confirmation on a previously verified number. No acceptance of payment data changes based solely on email.
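Methods 1 and 5 describe controls that are usually enforced inside the payment workflow itself. The following added example (not code from the article) expresses them as checks a payment system could apply: a vendor's bank details change only after a callback on the number already on file, an order is released only when its beneficiary matches the account on file, and above a threshold it needs two approvers from different departments whose identity was confirmed over a channel other than email. The vendor master data, the phone number, the IBAN, the threshold and the accepted channels are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed reference data standing in for the bank's vendor master file (assumed).
VERIFIED_PHONES = {"acme-audit": "+48 22 123 4567"}             # numbers verified at onboarding
ACCOUNTS_ON_FILE = {"acme-audit": "PL61109010140000071219812874"}  # example IBAN, constructed
DUAL_AUTH_THRESHOLD = 50_000                                    # assumed amount in base currency
SEPARATE_CHANNELS = {"phone", "internal_messenger"}             # accepted identity-confirmation channels


class ControlViolation(Exception):
    """Raised when a payment control is not satisfied."""


@dataclass
class Approval:
    user: str
    department: str
    confirmed_via: str          # channel over which the approver's identity was confirmed


@dataclass
class PaymentOrder:
    order_id: str
    vendor: str
    amount: int
    beneficiary_account: str
    approvals: list = field(default_factory=list)


def change_vendor_account(vendor, new_account, number_called, vendor_confirmed):
    """Method 5: bank details change only after a callback to the number already on file.
    A number supplied in the change request itself is never accepted."""
    if number_called != VERIFIED_PHONES.get(vendor):
        raise ControlViolation("callback must go to the previously verified number")
    if not vendor_confirmed:
        raise ControlViolation("vendor did not confirm the change on the verified number")
    ACCOUNTS_ON_FILE[vendor] = new_account
    return new_account


def approve(order, approval):
    """Record one approval: identity confirmed via a separate channel, no double approvals."""
    if approval.confirmed_via not in SEPARATE_CHANNELS:
        raise ControlViolation(f"identity not confirmed via a separate channel: {approval.confirmed_via}")
    if any(a.user == approval.user for a in order.approvals):
        raise ControlViolation(f"{approval.user} already approved {order.order_id}")
    order.approvals.append(approval)
    return len(order.approvals)


def release(order):
    """Method 1: release only if the beneficiary matches the account on file and, above the
    threshold, two approvers from different departments have signed off."""
    if order.beneficiary_account != ACCOUNTS_ON_FILE.get(order.vendor):
        raise ControlViolation("beneficiary account does not match the verified account on file")
    if not order.approvals:
        raise ControlViolation("no approval recorded")
    if order.amount >= DUAL_AUTH_THRESHOLD:
        departments = {a.department for a in order.approvals}
        if len(order.approvals) < 2 or len(departments) < 2:
            raise ControlViolation("dual authorization from two different departments required")
    return "released"


def violates(fn, *args, **kwargs) -> bool:
    """True if calling fn raises ControlViolation; used to exercise the controls."""
    try:
        fn(*args, **kwargs)
        return False
    except ControlViolation:
        return True


if __name__ == "__main__":
    # Constructed scenario: an emailed "new account" with a new callback number, then a large order.
    print("change via emailed number blocked:",
          violates(change_vendor_account, "acme-audit", "DE00FAKE", "+49 30 000 0000", True))
    order = PaymentOrder("PO-1", "acme-audit", 120_000, ACCOUNTS_ON_FILE["acme-audit"])
    approve(order, Approval("j.nowak", "treasury", "phone"))
    print("one approval enough:", not violates(release, order))
    approve(order, Approval("m.lee", "accounting", "internal_messenger"))
    print(order.order_id, release(order))
```

The failure modes worth exercising are the ones attackers rely on: a change request that helpfully includes a "new" phone number, two approvers who sit in the same department, and an order whose beneficiary differs from the account on file even though every approval is in order.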
6. Dark web monitoring
Monitor employee data leaks (credentials, personal data) on the dark web. Early detection of compromised accounts enables response before the attack.
7. SOC with BEC correlation rules
Use a SOC (or SOC as a Service) with financial sector-specific correlation rules: payment order anomalies, unusual logins, and escalation of BEC alerts.
The role of DORA and NIS2 in BEC protection
DORA requires financial institutions to implement ICT risk management covering social engineering threats. Mandatory elements include: resilience testing (including BEC simulations), third-party risk management, and incident reporting.
NIS2 classifies the financial sector as essential entities, requiring security measures proportionate to risk — including social engineering protection.
A security audit identifies gaps in anti-BEC procedures and enables implementing controls compliant with regulatory requirements.