What is Business Email Compromise (BEC)?
Business email compromise is a fraud scheme where attackers impersonate executives or vendors to redirect payments. Learn how BEC works and why it costs organizations billions annually.
How BEC Attacks Work
CEO Fraud
CEO fraud involves the attacker impersonating the CEO or another senior executive to pressure an employee — typically in finance — into making an urgent wire transfer. The message creates urgency, requests secrecy, and provides wire instructions for an attacker-controlled account. The impersonation may be achieved through a lookalike email domain, display name spoofing, or actual compromise of the executive's email account. The finance employee receives what appears to be a direct instruction from the CEO, often referencing a real business deal or acquisition to make the request plausible.
Vendor Invoice Fraud
Vendor invoice fraud involves the attacker impersonating a legitimate vendor to redirect payment for legitimate invoices to an attacker-controlled account. The attacker may compromise the vendor's email account to send fraudulent payment change notifications, or may spoof the vendor's email domain to intercept or redirect invoice payment discussions. The target organization believes they are paying a legitimate invoice from a known vendor; the funds go to the attacker.
Payroll Diversion
Payroll diversion attacks target HR or payroll staff to redirect employee direct deposit payments. An attacker impersonating an employee requests a change to their banking information, providing attacker-controlled account details. The next payroll cycle deposits the employee's pay to the attacker's account rather than the legitimate employee's account.
Technical Enablers of BEC
Email Account Compromise
The most sophisticated BEC attacks involve actual compromise of a legitimate email account — either the executive being impersonated or a vendor whose communications are being intercepted. An attacker with access to a CFO's email account can monitor communications, identify pending transactions, understand the context that makes fraudulent requests plausible, and send fraudulent communications that originate from the legitimate email address. Email account compromise is typically achieved through adversary-in-the-middle phishing, credential stuffing, or exploitation of email platform vulnerabilities.
Domain Spoofing and Lookalike Domains
Attackers register domains that closely resemble legitimate business domains — cloudskope.com might be spoofed by c1oudskope.com, cloudsk0pe.com, or cloudskope-billing.com. Emails sent from these lookalike domains appear legitimate at a glance, particularly when the display name is set to match the legitimate organization. DMARC, DKIM, and SPF email authentication standards, when DMARC is enforced, prevent spoofing of the exact legitimate domain but do not prevent lookalike domain attacks.
BEC Defense and Detection
Process Controls
The most effective BEC defenses are process controls that require out-of-band verification for financial transactions. A policy that requires verbal confirmation — a phone call to a known number, not a number provided in the email — before processing any wire transfer request over a defined threshold eliminates the majority of BEC fraud attempts. The attacker can send a fraudulent email; they cannot easily intercept a phone call to the CFO's known mobile number. Similarly, a policy requiring dual authorization for wire transfers ensures that a single compromised or deceived employee cannot complete a fraudulent transaction unilaterally.
Technical Controls
Email security platforms with BEC detection analyze email metadata, writing patterns, and domain reputation to identify impersonation attempts. Microsoft Defender for Office 365 and Proofpoint include impersonation protection that identifies emails that appear to originate from executives but arrive from external domains. DMARC enforcement blocks exact-domain spoofing of your own domain, preventing attackers from sending emails that appear to come from your CFO's legitimate email address. Anti-phishing training helps employees recognize the characteristics of BEC attempts — urgency, secrecy, wire transfers, payment change requests.
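The following is an added illustration, not code from the page or from any product named above, of the three header-level checks such platforms perform against the lookalike-domain and display-name impersonation patterns described in the two sections above. It assumes a trusted-domain set containing the page's example domain cloudskope.com, a constructed executive name, and constructed sample headers.

```python
from email.utils import parseaddr

TRUSTED_DOMAINS = {"cloudskope.com"}      # the page's example domain
EXECUTIVES = {"jane doe"}                 # constructed placeholder executive name
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def normalize(domain):
    # fold digit-for-letter and rn-for-m substitutions so c1oudsk0pe reads as cloudskope
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m")

def edit_distance(a, b):
    # plain Levenshtein distance, used to catch one-character typo-squats
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    # return the trusted domain that `domain` imitates, or None for a clean domain
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(normalize(domain), normalize(trusted)) <= 1:
            return trusted                      # c1oudskope.com, cloudsk0pe.com
        if trusted.split(".")[0] in domain.split(".")[0]:
            return trusted                      # cloudskope-billing.com
    return None

def assess(headers):
    # return the BEC indicators found in one message's From / Reply-To headers
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    if name.strip().lower() in EXECUTIVES and from_domain not in TRUSTED_DOMAINS:
        findings.append("display-name impersonation")
    if lookalike_of(from_domain):
        findings.append("lookalike domain")
    reply_domain = parseaddr(headers.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to mismatch")
    return findings

SAMPLES = [  # constructed sample headers; only the first one is clean
    {"From": "Jane Doe <jane.doe@cloudskope.com>"},
    {"From": "Jane Doe <jane.doe.ceo@example.net>"},
    {"From": "Accounts Payable <billing@c1oudskope.com>"},
    {"From": "Vendor AP <ap@vendor.example>", "Reply-To": "ap@vendor-invoices.example"},
]
```

Header checks like these flag candidates for review; they do not replace the out-of-band verification and dual-authorization controls described under Process Controls.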
Real-World Example: Toyota Boshoku — $37M in 4 Days
In 2019, Toyota Boshoku Corporation's European subsidiary transferred $37 million to an attacker-controlled account following a BEC attack. An employee in the finance and accounting department received communications from an attacker impersonating a business partner, requesting an urgent change to banking information for a pending payment. The attacker's communications were convincing enough that the employee completed the transfer without additional verification. The funds were moved through multiple accounts before the fraud was discovered four days later. Recovery was minimal. The attack required no technical sophistication — no malware, no hacking, no credential theft. It required only a convincing email and an employee who followed instructions without verification.
Lost to business email compromise in the US in 2023 alone — making it the highest-loss cybercrime category for the fifth consecutive year, exceeding ransomware losses by a factor of four.