top of page

Business Email Compromise

Business Email Compromise (BEC) is a form of phishing attack. BEC attacks are crafted to appeal to specific individuals and can be even harder to detect than typical phishing emails. The attackers attempt to defraud the company, its customers, partners, and/or employees into sending money or sensitive data to the attacker’s account.



INVOICE REDIRECTION: An attacker pretends to be a supplier and requests a transfer of funds to an account they control. Companies with foreign suppliers are often targeted with this tactic - often very successfully.


CEO FRAUD: Attackers pose as an executive and send an email to employees in finance, requesting that they transfer money into a bogus account. These email usually requests payment as a matter of urgency and when the CEO may be otherwise engaged.

ACCOUNT COMPROMISE: An executive’s or employee’s email account is hacked and used to request invoice payments to vendors listed in the address book.

DATA THEFT: Of course, the motivation behind an attack is not always immediately obvious.  The attacker may slower accrue sensitive data over time and exploit it at a much later date


  • The emails sent do not often contain hyperlinks or malware attachments, which is usually identified and removed by traditional IT security systems.


  • An attacker will frequently spoof an organisation’s name and email address. For example, instead of using, they will use – it can be extremely hard to spot the difference - even for the most wary.​


  • An attacker will conduct research when targeting company executives or employees. They will pillage social media, LinkedIn, company website and other sources of publicly accessible information. This kind of research makes the email incredibly convincing to the recipient.


  • If an adversary has infiltrated a legitimate email account and has monitored corporate communications for a while, then the attacker is rarely identified.



  • STRONG PASSWORDS: An email account should always be protected with a lengthy password - perhaps 3 random words separated by a number or special character. This is because email accounts are often so instrumental in the creation and maintenance of other online accounts.

  • 2-FACTOR AUTHENTICATION (2FA): Usernames and passwords require us to 'know something' but we can prove who we are by 'having something' too, such as a pin sent to our phone. When we protect accounts with something we know and something we have, we are using 2 factor authentication.  This is incredibly secure and should be used wherever possible. See here for step by step guidance.

  • MIND YOUR DIGITAL FOOTPRINT: How often have you ever researched your own name in a popular search engine? Always consider carefully what is publicly available and how that information may be used by others. Most online accounts have privacy settings and it pays to be familiar with them.


  • TRAINING: Train staff to identify fake emails. This starts with the basics, such as

    • Spelling and grammar

    • Formatting

    • Tone​, vocabulary and other tell tale idiosyncrasies

    • Factual inconsistencies

    • Changes to the 'From field'


Always be sceptical of urgent and hurried requests to transfer money. Verify those requests either by phone or in person.


  • INDEPENDENTLY VERIFY: Do not use the details from within the message to verify if the communication is authentic and reliable. Instead, seek out an authorative representative from the organisation


  • ADD WARNING BANNERS: Most email systems can be configured to place warning banners on emails from new or unusual contacts, helping to mitigate the risk of lookalike domain spoofing.


  • USE A SECURE EMAIL GATEWAY: This is your email ‘firewall’. It will stop spam, malware and viruses, but it can also be configured to hunt for key words such as ‘payment’, ‘urgent’, ‘sensitive’ and ‘secret’ to help identify suspicious content.


  • DMARC: This enables an organisation to verify that an email they receive aligns with what they know about the sender. The technology is extremely effective in eliminating spoofed emails. See here for more information about how to set up DMARC.

  • USE TLS: Although it is possible to encrypt individual emails using protocols like PGP or S/MIME, this requires the sender and recipient to have the necessary trust infrastructure in place. This is not likely to be possible for all the parties you communicate with. So, your email servers should be configured to support encryption of the communications channel that the email is sent over. This task is best handled by TLS. The good news is that if you use a cloud provider such as Microsoft or Google's G-Suite, this is relatively easy to set up. See here for further help

bottom of page