- Business email compromise (BEC) is a targeted fraud scheme in which attackers impersonate a trusted executive, vendor, or partner to trick employees into wiring money or handing over sensitive data.
- BEC attacks rely mostly on social engineering and do not require malware, making them often invisible to traditional threat detection tools.
- The FBI's Internet Crime Complaint Center (IC3) recorded more than 21,000 BEC complaints in 2023 alone, with reported losses exceeding $2.9 billion for that year.
- CEO fraud, invoice manipulation, and vendor impersonation are the three most common BEC variants seen in enterprise environments.
- Stopping BEC requires layered controls: email authentication protocols, out-of-band verification procedures, and data loss prevention (DLP) to catch the exfiltration that follows a successful attack.
What Is Business Email Compromise?
Business email compromise (BEC) is a targeted cyber fraud scheme in which an attacker impersonates a trusted person or organization via email to trick employees into transferring funds, revealing credentials, or disclosing sensitive data. Unlike mass phishing campaigns, BEC attacks are researched and personalized. The attacker studies the target organization, identifies a plausible sender (e.g. a CEO, a vendor, legal counsel), crafts a believable pretext, and initiates contact when the victim is least likely to verify.
BEC emerged as a distinct cyber threat category in the early 2010s as organized criminal groups recognized that social engineering was more reliable than malware for extracting money directly. The FBI began issuing formal alerts in 2014, and the scheme has since grown into one of the most costly categories of cybercrime worldwide. What makes BEC dangerous is its simplicity: no exploit code, no payload, no perimeter alarm. The entire attack surface is a person under pressure.
The threat has accelerated in recent years as generative AI tools have made it faster and cheaper to write convincing impersonation emails in any language, eliminating the grammar or factual errors that once served as warning signs.
How Business Email Compromise Attacks Work
BEC attacks follow a predictable sequence even when the specific pretext varies.
Stage 1: Reconnaissance and Identity Deception
Attackers gather intelligence before making contact. LinkedIn profiles, company websites, press releases, and court filings reveal organizational structure, vendor relationships, pending deals, and travel schedules. The attacker then establishes a fake sending identity using one of three methods: domain spoofing (e.g. a near-identical domain like acme-corp.com versus acmecorp.com), display-name spoofing (e.g. the address belongs to an unrelated domain, but the display name shows a trusted person), or full account compromise. The third method, called email account compromise (EAC), is the most dangerous: the attacker monitors a real mailbox silently for days or weeks before acting, learning payment workflows before inserting fraudulent instructions into real conversations.
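The first two deception methods above leave traces in the From: header that a mail pipeline or SOC script can check before a message reaches a finance inbox. The following is an added example (not from the original page or from Cyberhaven) that flags lookalike domains by edit distance against the organization's own domain and catches a known executive's name riding on an external address; the organization domain, executive names and sample headers are constructed.

```python
import re
from email.utils import parseaddr

# Constructed values for this example (hypothetical organization and executives).
ORG_DOMAIN = "acmecorp.com"
EXECUTIVES = {"jane doe", "john smith"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to spot near-identical domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_from_header(from_header: str) -> list[str]:
    """Return impersonation indicators found in a raw From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings: list[str] = []
    if domain == ORG_DOMAIN:
        # Genuine internal sender: SPF/DKIM/DMARC and account-compromise
        # controls apply here, not header heuristics.
        return findings
    # Domain spoofing: a domain within two edits of ours, but not ours
    # (acme-corp.com versus acmecorp.com is one edit apart).
    if 0 < levenshtein(domain, ORG_DOMAIN) <= 2:
        findings.append(f"lookalike domain {domain!r} resembles {ORG_DOMAIN!r}")
    # Display-name spoofing: an executive's name shown on an external address.
    norm_name = re.sub(r"[^a-z ]", "", name.lower()).strip()
    if any(exec_name in norm_name for exec_name in EXECUTIVES):
        findings.append(
            f"display name {name!r} matches an executive but address is external ({domain})"
        )
    # Display name that embeds our domain to look like an internal address.
    if ORG_DOMAIN in name.lower():
        findings.append("display name embeds the corporate domain while the real address is external")
    return findings


if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@acme-corp.com>", "John Smith <ceo.office@gmail.com>"):
        print(hdr, "->", analyze_from_header(hdr))
```

A real deployment would feed the same checks the Reply-To header as well, since many BEC messages put the trusted name in From: and the attacker's mailbox in Reply-To.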
Stage 2: Pretext and Pressure
The message often contains a pretext that invokes authority (a senior executive), urgency (a same-day deadline), and secrecy ("do not discuss this with anyone else until it's completed"). These three levers suppress the victim's instinct to verify independently. Common pretexts include an emergency wire transfer, a change to payroll direct deposit details, or a request for W-2 records before a tax deadline.
Stage 3: Execution and Concealment
Once the victim acts, the attacker redirects funds through a chain of intermediary accounts to frustrate recovery. In data-theft variants, the attacker will harvest credentials or corporate documents and cover tracks by deleting sent items or setting up automatic forwarding rules.
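The concealment step leaves a durable artifact: mailbox rules that auto-forward externally or delete payment-related conversations. The following is an added example (not from the original page or from Cyberhaven) that audits an exported set of mailbox rules for those two patterns; the rule field names and the sample rules are constructed, so map them onto whatever your mail platform's rule export actually provides.

```python
# Constructed sample of exported mailbox rules; field names are hypothetical.
ORG_DOMAIN = "acmecorp.com"
PAYMENT_KEYWORDS = ("invoice", "wire", "payment", "bank", "remittance")
HIDING_FOLDERS = {"deleted items", "junk", "archive", "rss feeds"}

SAMPLE_RULES = [
    {"name": "Newsletters", "subject_contains": ["newsletter"],
     "forward_to": [], "delete": False, "move_to": "Newsletters"},
    {"name": "Sync", "subject_contains": [],
     "forward_to": ["backup.mail@freemail.example"], "delete": False, "move_to": None},
    {"name": "Cleanup", "subject_contains": ["invoice", "wire transfer"],
     "forward_to": [], "delete": True, "move_to": None},
    {"name": "Team copy", "subject_contains": [],
     "forward_to": ["ap-team@acmecorp.com"], "delete": False, "move_to": None},
]


def audit_rule(rule: dict) -> list[str]:
    """Return concealment indicators for a single mailbox rule."""
    findings: list[str] = []
    # Auto-forwarding to any address outside the organization.
    external = [a for a in rule["forward_to"]
                if not a.lower().endswith("@" + ORG_DOMAIN)]
    if external:
        findings.append(f"auto-forwards to external address(es): {', '.join(external)}")
    # Payment-related conversations silently deleted or moved out of sight,
    # which hides a victim's replies and the legitimate vendor's messages.
    keyword_hits = [k for k in rule["subject_contains"]
                    if any(p in k.lower() for p in PAYMENT_KEYWORDS)]
    hides = rule["delete"] or (rule["move_to"] or "").lower() in HIDING_FOLDERS
    if keyword_hits and hides:
        findings.append(f"hides payment-related mail matching {keyword_hits}")
    # Forward-then-delete leaves no copy in the mailbox for the owner to notice.
    if external and rule["delete"]:
        findings.append("forwards then deletes, leaving no trace for the mailbox owner")
    return findings


def audit_mailbox(rules: list) -> dict:
    """Map each suspicious rule name to its findings; clean rules are omitted."""
    return {r["name"]: f for r in rules if (f := audit_rule(r))}


if __name__ == "__main__":
    for name, findings in audit_mailbox(SAMPLE_RULES).items():
        print(f"{name}: {findings}")
```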
Types of Business Email Compromise Attacks
BEC attacks cluster into five main variants. All rely on the same social engineering principles; what differs is the impersonation target and the desired outcome.
Vendor impersonation and conversation hijacking deserve particular attention in enterprise environments. Both exploit established trust relationships that finance teams rely on every day, and both are difficult to detect because the email content is contextually plausible. In conversation hijacking, the attacker uses a near-identical domain to insert themselves into an ongoing thread, making the fraudulent message appear as a natural continuation of a legitimate exchange.
Why Business Email Compromise Matters for Data Security
BEC is primarily framed as a financial crime, but the data security consequences are equally serious. The IC3 reported more than 21,000 BEC complaints in 2023, with losses totaling $2.9 billion for that year alone, and the FBI has documented more than $50 billion in aggregate BEC losses worldwide since 2013. Recovery is rare: international wire transfers are difficult to reverse, and many jurisdictions have limited capacity to pursue the organized criminal networks behind large-scale BEC operations.
Not every BEC attack ends with a wire transfer. A significant share targets corporate data directly. Attackers request W-2 forms, customer lists, merger documents, or employee records. In credential-harvesting variants, the initial BEC message is simply the first step toward account access, after which the attacker moves laterally to reach more valuable systems and data stores.
This is where BEC intersects with DLP and insider risk management. Once an attacker has access to a real email account, their behavior looks identical to a legitimate user: files opened, attachments forwarded, data downloaded. Traditional perimeter controls do not flag this activity, leaving organizations with no visibility into what happens after a successful compromise.
Common Challenges and Misconceptions
BEC's effectiveness stems partly from persistent misunderstandings about how it works and who it targets.
- "Spam filters catch these emails." BEC emails typically contain no malicious links, no attachments, and no known-bad indicators. They pass spam filters because they are well-written, contextually accurate, and sent from real or near-real domains. Detection requires behavioral analysis, not signature matching.
- "Urgency is always the tell." Sophisticated BEC campaigns build trust over multiple low-stakes exchanges before making the fraudulent request. Attackers may spend weeks in a compromised inbox before acting, ensuring their eventual request fits the established communication pattern.
- "DMARC solves the problem." Domain-based message authentication, reporting, and conformance (DMARC) is essential but not sufficient. Display-name spoofing bypasses DMARC, and account compromise variants are authenticated by definition. DMARC must be combined with verification procedures and behavioral detection.
How to Prevent Business Email Compromise
Effective BEC prevention combines technical controls, process design, and human awareness. No single layer is sufficient.
Technical Controls
- Deploy DMARC, DKIM, and SPF. Configure all sending domains with these standards and set DMARC to a reject policy. This eliminates the majority of domain-spoofing attempts. Monitor DMARC reports to catch misconfigured senders before tightening enforcement.
- Enable multi-factor authentication (MFA) on all email accounts. Account compromise requires valid credentials. MFA prevents an attacker from using stolen credentials to access a real inbox, blocking the most dangerous BEC variant at the door.
- Use a secure email gateway with impersonation protection. Modern gateways combine domain similarity analysis, display-name anomaly detection, and behavioral sender profiling to flag messages that DMARC alone would pass.
- Apply DLP controls to email channels. BEC attacks that succeed in extracting data (credential files, W-2 records, merger documents) generate data movement events that a modern DLP system can detect and block regardless of whether the sender was authenticated.
Process Controls
- Require out-of-band verification for financial transactions. Any request to change banking details or initiate a wire transfer must be confirmed by phone to a known number, not a number provided in the email itself. Make this a standing policy, not a judgment call.
- Implement dual-approval for wire transfers above a defined threshold. No single employee should be able to authorize a payment in response to an email request alone. A second approver who has not seen the request is a practical safeguard.
- Establish a no-urgency rule for financial requests. Any request that cannot wait for standard verification is automatically suspicious. Codify this in policy so that employees who push back on urgent transfer requests are following procedure, not obstructing a legitimate executive.
Human Controls
- Run targeted awareness training with BEC-specific scenarios. Generic phishing simulations do not replicate BEC dynamics. Training should include CEO fraud, vendor impersonation, and conversation hijacking scenarios drawn from recent, real cases.
- Create a clear escalation path. Employees need to know they can pause, escalate, and verify without facing criticism for slowing down a "legitimate" executive request. Leadership tone sets the cultural permission to question.
How Cyberhaven Addresses Business Email Compromise
BEC attacks succeed when people act on false instructions. But the downstream consequences (data exfiltration, credential reuse, lateral movement) are where Cyberhaven's Data Lineage and DLP capabilities provide visibility that email security tools cannot.
Detecting the Data Exfiltration Consequence
When a BEC attacker gains access to a corporate email account and begins exfiltrating documents, the activity pattern changes: files are opened and forwarded that have no relationship to the user's normal work. Cyberhaven Data Lineage traces every file from its origin through every copy, move, and share event. This continuous behavioral baseline means that an anomalous data movement (e.g. a finance employee's credentials used to forward merger documents to a personal email) generates an alert with full context instead of passing unnoticed.
Enforcing Policy on Sensitive Data Channels
BEC attacks that seek corporate data rather than wire transfers often use email itself as the exfiltration channel. Cyberhaven DLP monitors and controls data movement across email, cloud applications, and endpoints. Policies can block or alert when sensitive categories of data (financial records, M&A documents, employee PII, source code) leave the organization via channels inconsistent with normal workflow, regardless of whether the sender appears legitimate.
Insider Risk Context After Account Compromise
Once a BEC attacker is operating inside a compromised account, the threat is functionally indistinguishable from an insider threat. Cyberhaven IRM provides behavioral context by establishing what normal access and data movement looks like for each user, flagging deviations that indicate account takeover rather than legitimate activity.
Frequently Asked Questions
What is business email compromise (BEC)?
Business email compromise is a targeted fraud scheme in which attackers impersonate a trusted person or organization by email to trick employees into wiring money or handing over sensitive data. Unlike broad phishing campaigns, BEC attacks are researched and personalized, exploiting established trust relationships rather than relying on malicious links or malware. The FBI classifies BEC as one of the most financially damaging categories of cybercrime.
What is the difference between BEC and phishing?
Phishing is a broad category of social engineering attacks that use deceptive emails to harvest credentials or deliver malware; it typically targets many people at once with generic lures. BEC is a specific, high-value subset: it targets a small number of people within a single organization, involves deep reconnaissance, impersonates a known and trusted contact, and aims to trigger a specific financial or data transfer action. BEC messages rarely contain links or attachments, making them harder to detect with standard filters.
What are common examples of business email compromise?
Common BEC examples include: a CFO receiving an email appearing to come from the CEO requesting an urgent wire transfer to close a confidential acquisition; an accounts payable employee receiving updated banking details from what appears to be a long-standing supplier; a payroll administrator receiving a request from an employee to change their direct deposit account; and an HR manager receiving a request for all employee W-2 records before a stated IRS deadline. All exploit authority, urgency, and familiarity.
What are the red flags for a business email compromise attempt?
Key red flags include: requests to keep the communication confidential from colleagues; unusual urgency with explicit pressure not to follow standard approval procedures; payment or banking change requests arriving by email without a phone follow-up; subtle domain variations (e.g., an extra letter or a different top-level domain compared to the usual sender address); and requests that arrive outside normal business hours or just before a known deadline, such as quarter close or a pending acquisition announcement.
What is email account compromise (EAC) and how does it relate to BEC?
Email account compromise is a variant in which the attacker gains actual access to a legitimate email account, typically through credential phishing or credential stuffing, and uses it to send BEC messages from a genuinely authentic address. EAC bypasses email authentication controls because the messages are real and pass DMARC, DKIM, and SPF checks. The attacker typically monitors the inbox for days or weeks before acting, learning communication patterns and active transactions before inserting fraudulent instructions.
How does BEC lead to data loss beyond financial fraud?
Many BEC attacks target data directly rather than wire transfers. Attackers request employee tax records, customer lists, intellectual property, or merger documents through convincing pretexts. In account compromise scenarios, the attacker can silently forward emails, download files, and move laterally to other systems without triggering perimeter alerts. This makes DLP controls on data movement, independent of email authentication, an essential layer in any BEC defense program.