What is BEC? Protecting against Business Email Compromise attacks

Business Email Compromise (BEC) is a targeted form of cybercrime where attackers impersonate trusted people or organizations to trick you into sending money or sharing sensitive data. Unlike broad phishing campaigns, a BEC attack is usually quiet and precise. It looks like a normal company email because it relies on social engineering, not obvious malware.

In a typical BEC incident, attackers spoof addresses, take over real email accounts, or register lookalike domains. Their objective is generally the same: Get someone inside your business to approve a payment, change bank details, or share information that should never leave the organization.

Common scenarios include CEO fraud, vendor impersonation, payroll redirection, and Email Account Compromise (EAC) that quietly reroutes payments or targets downstream partners. Traditional email filters often miss these attacks because messages come from real or convincing accounts, contain no overt malicious content, and match the company’s normal business communication.

Reducing BEC risk means combining clear, people-focused processes (such as training and verification) with technical measures such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

Common types of BEC attacks and real-world examples

Recognizing BEC attack types early helps you stop fraud before money or data leaves your environment.

CEO or executive impersonation

In CEO fraud, attackers impersonate senior leaders such as the CEO, CFO, or managing director and send urgent requests to staff. The email might ask for an emergency payment, an “off-the-record” vendor settlement, or confidential reports that are supposedly needed for a deal or audit. The tone leans heavily on authority and urgency, with phrases such as “This must be done today” or “We can’t loop anyone else in”.

Sometimes the attacker spoofs only the display name, so that the message looks right at first glance. In other cases, they register a domain that is visually similar to yours, swapping characters or adding short words so that the difference is easy to miss.

VEC and fake invoices

Vendor Email Compromise (VEC) focuses on the relationship between your organization and its suppliers.

Attackers send messages that look like routine communication, such as an invoice or a statement, but the content quietly changes where the money goes, for example, adding “updated bank details”.

Accounts payable teams are particularly vulnerable if they don’t treat bank detail changes as high-risk events that require out-of-band verification.

Payroll, HR, and gift card scams

Smaller but recurring BEC scams often target HR, payroll, and office administration. In a payroll redirection scam, attackers impersonate employees and ask to change the bank account used for salary payments. The request is usually framed as urgent.

Gift card scams follow a similar pattern. An attacker poses as a senior leader and asks an assistant or team member to urgently buy gift cards for “client gifts” or “team rewards”, then has them send the codes back by email. Each loss may be lower than a large wire transfer, but these attacks are easy to repeat, and they frequently go unreported.

EAC vs. “pure” BEC

Not every BEC incident starts with a spoofed address. In many cases, attackers first obtain valid credentials through phishing or credential theft tools and log into real mailboxes. This is called EAC.

Once inside an account, they often delete or hide messages that could alert the victim and reply within real threads to request payment changes or sensitive information.

Because these messages come from legitimate, authenticated accounts, they’re more convincing and harder to flag.

How to identify a BEC attack

BEC attacks are designed to blend into everyday workflows. Even so, most attempts leave clues in both the content of the email and the technical data, such as headers.

Red flags inside the email

The first set of clues is in the message itself. Small domain changes are common: Extra letters, subtle misspellings, added hyphens, or a different top-level domain. Display names often match the person being impersonated, but the underlying email address belongs to an unfamiliar domain.

The tone and request type also matter. A sudden request to change bank details, an urgent demand to bypass normal approvals, or an out-of-pattern payment to a new beneficiary should trigger questions. You might also notice that the language is slightly off: Overly formal or awkward for the person in question.

Timing is another signal. Messages sent outside normal office hours, especially from leaders who rarely contact you directly about payments, are worth verifying. If an email involves money, bank accounts, or sensitive data, and something feels “off”, it’s safer to slow down and verify than to push the request through.

Technical indicators in headers

Technical indicators can confirm your suspicions. Message headers can reveal sending IP addresses and authentication results. A BEC attack that relies on spoofing may fail SPF, DKIM, or DMARC checks.
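The following Python script is an added example, not code from the article or from Sendmarc. It combines the content red flags from the previous section with the header checks described above: it parses a constructed sample message, compares the sender domain with the organization's own domain to catch lookalikes, flags a protected display name arriving from an outside domain, reads the SPF, DKIM and DMARC verdicts from the Authentication-Results header, and looks for pressure language in the subject and body. The organization domain, the protected names, the keyword patterns and both sample messages are assumptions made for the example. Keep in mind that a message sent from a compromised real account, or from a lookalike domain the attacker has set up with its own SPF and DKIM, will pass the authentication checks, so a clean result is not a reason to skip out-of-band verification of a payment change.

```python
"""Triage a raw email for BEC red flags: lookalike sender domain,
protected display name on an external address, failed SPF/DKIM/DMARC
results, and pressure language in the text."""
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample: a fake "CEO" request sent from a lookalike domain.
SAMPLE_EMAIL = b"""\
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
To: payments@example-corp.com
Subject: Urgent wire today
Authentication-Results: mx.example-corp.com;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=examp1e-corp.com;
 dkim=none; dmarc=fail header.from=examp1e-corp.com
Date: Sat, 04 Jan 2025 23:12:00 +0000

Need a payment processed before end of day. Don't loop anyone else in.
"""

# Constructed sample: ordinary internal mail that should raise no flags.
BENIGN_EMAIL = b"""\
From: "Jane Doe" <jane.doe@example-corp.com>
To: payments@example-corp.com
Subject: Q1 forecast
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com;
 dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
Date: Mon, 06 Jan 2025 09:30:00 +0000

Attached is the forecast deck for Monday.
"""

ORG_DOMAIN = "example-corp.com"      # assumption: the organization's real domain
PROTECTED_NAMES = {"jane doe"}       # assumption: people who are often impersonated
PRESSURE_PATTERNS = [r"\burgent\b", r"\btoday\b", r"\bdon.?t loop\b",
                     r"\bbank details\b", r"\bconfidential\b"]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a small non-zero value suggests a lookalike domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(value), re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts


def bec_flags(raw: bytes) -> list:
    """Return a list of human-readable red flags found in the message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []

    # Lookalike domain: close to ours, but not ours.
    if domain != ORG_DOMAIN and edit_distance(domain, ORG_DOMAIN) <= 2:
        flags.append(f"lookalike domain: {domain}")

    # Display name of a protected person on an address outside our domain.
    name = re.sub(r"\(.*?\)", "", display).strip().lower()
    if name in PROTECTED_NAMES and domain != ORG_DOMAIN:
        flags.append(f"display name '{display}' on external domain {domain}")

    # Authentication verdicts recorded by our receiving mail server.
    for method, result in auth_results(msg).items():
        if result in ("fail", "softfail", "permerror", "none"):
            flags.append(f"{method}={result}")

    # Urgency and secrecy language in subject and body.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    for pattern in PRESSURE_PATTERNS:
        if re.search(pattern, text):
            flags.append(f"pressure language: {pattern}")
    return flags


if __name__ == "__main__":
    for flag in bec_flags(SAMPLE_EMAIL):
        print("-", flag)
    print("benign message flags:", bec_flags(BENIGN_EMAIL))
```

Running the script on the constructed sample reports the lookalike domain, the executive's name on an external address, the three failed or missing authentication results, and three pressure phrases; the benign internal message produces no flags.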

How BEC differs from classic phishing

Traditional phishing tends to be high-volume and generic, with obvious lures and links. BEC is almost the opposite. It is low-volume, carefully targeted, and often clean: No attachments, no links, just a plausible story.

Because of that, the most effective first line of defense is often procedural rather than technical. Treat any email that changes where money goes or requests access to sensitive information as a high-risk request, and insist on verification by phone, video call, or another trusted channel before acting.

Step-by-step response to a BEC incident

1. Contain the incident and secure accounts

Start by breaking the attacker’s access. Do not reply to suspicious emails. Reset passwords for any potentially affected accounts, enforce multi-factor authentication where it isn’t already in place, and revoke active sessions.

2. Scan devices and look for malware

Once accounts are secured, turn to the devices users rely on. Run scans to check for keyloggers, remote access tools, or browser-based malware that might have captured credentials.

3. Trace the attack and assess the impact

Preserve relevant evidence before making wide-reaching changes. Collect message headers, IP addresses, and domain names, and use them to build your list of indicators of compromise.

Distinguish between a single BEC email sent from outside your environment and a broader compromise involving multiple accounts. That distinction will shape both your remediation activities and your notification obligations.

4. Protect funds and notify stakeholders

If you believe money has been sent to an attacker-controlled account, contact your bank immediately to request a freeze or recall. Provide as much detail as possible, including timestamps, amounts, and account information.

At the same time, inform internal stakeholders. If a supplier or customer’s identity was misused, notify them so they can take precautions and check their own systems. Clear, factual communication helps reduce confusion and limits the chance of further losses.

5. Report to law enforcement and regulators

Depending on your regulatory environment, you may need to report the BEC incident to law enforcement or sector-specific bodies. If regulated data is involved, work with your privacy and compliance teams to confirm whether a breach notification is required.

Many data protection regimes require a notification to authorities and, in some cases, affected individuals within a fixed timeframe once you’re aware of a qualifying incident.

6. Document lessons learned and strengthen controls

When the immediate response is under control, run a structured post-incident review. Document the systems and funds affected, the root causes and contributing factors, and the controls that worked or failed.

Use this to update your incident response plan, refine your training material, adjust approval processes, and prioritize technical improvements.

If you don’t have a formal BEC playbook yet, use this as a baseline and consider scheduling a session with Sendmarc to review your email authentication posture and domain configuration so you can close gaps.

Preventing BEC attacks: Best practices and technical controls

You can’t reduce BEC risk to zero, but you can make it far harder for attackers to succeed.

People and process

Effective BEC prevention starts with how your company handles money and sensitive information. Treat changes to bank details and unusual payment routes as inherently high risk. Require independent verification using a known, trusted channel before approving anything, and ensure no single individual can both request and authorize a large transfer.

Security awareness training should explicitly cover BEC, not only generic phishing. Use examples and scenarios drawn from your own environment, so staff recognize the kinds of requests they might see.

Most importantly, create a culture where people can slow down, ask questions, and escalate concerns without worrying they’ll get into trouble when something doesn’t feel right.

Identity and access

Account takeover is a central element of many BEC incidents, so strong identity and access management are essential. Multi-factor authentication should be mandatory for all users, with particular emphasis on admins, executives, and finance teams. Access should be tightly controlled through the principle of least privilege.

SPF, DKIM, and DMARC

Email authentication protocols don’t remove the need for training or process, but they make it much harder for attackers to spoof your domain and give you far better visibility into how your domain is being used.

That means you should:

  • Publish SPF records that list all legitimate sending services.
  • Enable DKIM signing for all emails sent from authorized platforms.
  • Implement DMARC so that receiving servers know what to do with messages that fail authentication.

A staged approach works best. Start with DMARC in monitoring mode (p=none) so you can collect reports and identify every legitimate sender. Once all of those senders are covered by your SPF and DKIM setup, move to more restrictive policies: first quarantine, then reject. Once enforced, DMARC makes it far harder for attackers to send emails that appear to come from your exact domain.
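To make the staged rollout concrete, here is an added Python example (not from the article or from Sendmarc) that parses constructed SPF and DMARC TXT records, extracts the DMARC policy, reporting address and percentage, counts the DNS-lookup terms in the SPF record, and names the next step in the none, quarantine, reject progression. The records and domains are made up for the example; a real check would first fetch the TXT records for the domain and for _dmarc.<domain>.

```python
"""Parse published SPF and DMARC TXT records and report where a domain sits
in the staged DMARC rollout (p=none -> quarantine -> reject)."""
import re

# Constructed sample records, standing in for what a DNS TXT lookup of
# example.com and _dmarc.example.com would return. No live DNS is queried.
SPF_RECORD = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all"
DMARC_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com; pct=100"

# Mechanisms and modifiers that each consume one of the 10 DNS lookups SPF allows.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
ALL_RE = re.compile(r"^([+\-~?])?all$")


def parse_spf(record: str) -> dict:
    """Split an SPF record into sender mechanisms, the final 'all' qualifier,
    and a count of DNS-lookup terms."""
    if not record.lower().startswith("v=spf1"):
        raise ValueError("not an SPF record")
    mechanisms, qualifier = [], None
    for term in record.split()[1:]:
        m = ALL_RE.match(term)
        if m:
            qualifier = m.group(1) or "+"   # a bare 'all' means '+all'
        else:
            mechanisms.append(term)
    lookups = sum(1 for t in mechanisms
                  if re.split(r"[:=/]", t.lstrip("+-~?"), 1)[0].lower() in LOOKUP_TERMS)
    return {"mechanisms": mechanisms, "all_qualifier": qualifier, "lookups": lookups}


def parse_dmarc(record: str) -> dict:
    """Turn 'tag=value; tag=value' into a dict keyed by lowercase tag name."""
    if not record.lower().startswith("v=dmarc1"):
        raise ValueError("not a DMARC record")
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record: str, dmarc_record: str) -> dict:
    """Summarize the authentication posture and the next rollout step."""
    findings = []
    spf = parse_spf(spf_record)
    if spf["all_qualifier"] in ("+", "?", None):
        findings.append("SPF does not fail unknown senders (missing -all or ~all)")
    if spf["lookups"] > 10:
        findings.append(f"SPF needs {spf['lookups']} DNS lookups (limit is 10)")

    dmarc = parse_dmarc(dmarc_record)
    policy = dmarc.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC p= tag missing or invalid")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address, so no aggregate reports will arrive")
    pct = int(dmarc.get("pct", "100"))
    if policy in ("quarantine", "reject") and pct < 100:
        findings.append(f"policy applies to only {pct}% of failing mail")

    next_policy = {"none": "quarantine", "quarantine": "reject", "reject": None}.get(policy)
    return {"spf_all": spf["all_qualifier"], "spf_lookups": spf["lookups"],
            "dmarc_policy": policy, "pct": pct,
            "subdomain_policy": dmarc.get("sp", policy),   # sp= defaults to p=
            "next_policy": next_policy, "findings": findings}


if __name__ == "__main__":
    for key, value in assess(SPF_RECORD, DMARC_RECORD).items():
        print(f"{key}: {value}")
```

For the sample records the assessment reports a clean SPF record ending in -all, a DMARC policy of none with aggregate reporting configured, and quarantine as the next policy to move to.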

Securing Microsoft 365 and Google Workspace against BEC

Microsoft 365

Start by making sure Microsoft 365 is doing as much of the heavy lifting for you as possible.

Security Dashboard and Secure Score

Use the Microsoft 365 Security Dashboard and Secure Score as your starting point. They give you a high-level view of your security posture and highlight misconfigurations.

Activity Logs and Alert Center

In the Microsoft 365 Activity Logs and Alert Center, focus on anomalous activity or events in your environment. Use advanced filters to narrow results. Create alerts for potential threats, so you know about suspicious behavior quickly.
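One concrete alert worth building from those activity logs follows from the EAC behaviour described earlier in the article: once inside a mailbox, attackers create inbox rules that delete, hide or forward the messages that would reveal them. The Python script below is an added example, not code from the article or from Sendmarc. It runs a simple detection over a handful of constructed audit events whose field names follow the general shape of Microsoft 365 unified audit log records (Operation, UserId, ClientIP, Parameters), and it also pivots on the client IP to spot one source touching several mailboxes. Every user, address and IP in the sample is made up, and the indicator lists are assumptions you would tune to your own environment.

```python
"""Flag mailbox rules that hide or divert messages, a common post-compromise
step in Email Account Compromise, from a sample of audit log events."""

# Constructed sample events. Field names mirror the general shape of
# Microsoft 365 unified audit log records, but every value is invented.
SAMPLE_EVENTS = [
    {"CreationTime": "2025-01-04T22:41:10", "Operation": "New-InboxRule",
     "UserId": "finance.user@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;bank"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-01-05T09:02:33", "Operation": "Set-InboxRule",
     "UserId": "ceo@example.com", "ClientIP": "198.51.100.23",
     "Parameters": [{"Name": "Identity", "Value": "Old rule"},
                    {"Name": "ForwardTo", "Value": "archive@lookalike-mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-01-05T10:15:00", "Operation": "New-InboxRule",
     "UserId": "hr.user@example.com", "ClientIP": "203.0.113.40",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "From", "Value": "news@vendor.example"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
]

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Enable-InboxRule"}
DIVERT_ACTIONS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders attackers commonly move mail into so the owner does not notice it.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "junk email", "deleted items", "archive"}
FINANCE_WORDS = {"invoice", "payment", "bank", "wire", "remittance"}


def rule_params(event: dict) -> dict:
    """Flatten the Parameters list into a name -> value dict."""
    return {p["Name"]: p["Value"] for p in event.get("Parameters", [])}


def rule_indicators(event: dict, org_domain: str = "example.com") -> list:
    """Return the suspicious traits of one inbox-rule event (empty if none)."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    p = rule_params(event)
    hits = []
    for action in sorted(DIVERT_ACTIONS & p.keys()):
        if not p[action].lower().endswith("@" + org_domain):
            hits.append(f"{action} to external address {p[action]}")
    if p.get("DeleteMessage", "").lower() == "true":
        hits.append("DeleteMessage=True")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        hits.append(f"MoveToFolder={p['MoveToFolder']}")
    name = p.get("Name", "")
    if name and not name.strip(" .-_"):      # rule named with punctuation only
        hits.append(f"rule name is punctuation only ({name!r})")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & FINANCE_WORDS:
        hits.append(f"filters finance keywords {sorted(words & FINANCE_WORDS)}")
    return hits


def triage(events: list, org_domain: str = "example.com") -> dict:
    """Map each mailbox with suspicious rule changes to its list of indicators."""
    findings = {}
    for ev in events:
        hits = rule_indicators(ev, org_domain)
        if hits:
            findings.setdefault(ev["UserId"], []).extend(hits)
    return findings


def shared_source_ips(events: list) -> dict:
    """Client IPs from which rules were changed on more than one mailbox."""
    by_ip = {}
    for ev in events:
        if ev.get("Operation") in RULE_OPERATIONS:
            by_ip.setdefault(ev.get("ClientIP"), set()).add(ev["UserId"])
    return {ip: sorted(users) for ip, users in by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    for user, hits in triage(SAMPLE_EVENTS).items():
        print(user, "->", "; ".join(hits))
    print("shared source IPs:", shared_source_ips(SAMPLE_EVENTS))
```

On the sample, the finance mailbox is flagged for a punctuation-only rule that files finance-related mail into RSS Subscriptions, the executive mailbox for a rule that forwards externally and deletes, and the same client IP is seen changing rules on both; the HR newsletter rule is left alone.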

Mail Flow and Message Trace

Use Mail Flow and Message Trace to understand how email is moving through your environment. Check sender and recipient details, delivery status, and any spam or malware results.

Security, compliance, and DLP

Review your Microsoft 365 Security and Compliance Center and Data Loss Prevention (DLP) policies. Apply labels and encryption to sensitive data.

Identity and access (Azure AD)

Use Azure Active Directory for identity and access management. Enable MFA by default, enforce conditional access policies, and apply role-based access control.

Google Workspace

The same principles apply in Google Workspace: Use the built-in security tools to give you clear visibility, rather than relying on manual checks.

Security Dashboard and Security Health

Start with the Google Workspace Security Dashboard and Security Health report. They provide a snapshot of your current posture and flag configuration issues that you should address first.

Audit Logs and Alert Center

Use the Audit Logs and Alert Center to investigate suspicious activity. Google provides advanced search and filter features to help you collect relevant data. Set up custom alerts so security and IT teams are notified of potential threats.

Email Log Search and Email Delivery

Email Log Search and Email Delivery tools help you track and analyze the flow and status of messages. Use them to confirm who sent and received emails and the delivery details.

Data Protection and DLP

Google Workspace’s Data Protection and DLP tools help you protect sensitive information with encryption.

Identity and access

Use Google Workspace Identity and Cloud Identity tools to control user access. Enforce multi-factor authentication and use role-based access control.

Reduce BEC risk with proactive email security

BEC is likely to keep evolving, particularly as attackers adopt AI to write more convincing emails, research targets at scale, and personalize their lures. But it isn’t inevitable.

If you train people to recognize BEC red flags, enforce robust verification and approval processes, secure Microsoft 365 or Google Workspace, and deploy SPF, DKIM, and DMARC correctly, you can significantly reduce the likelihood of a BEC incident.

Book a demo with Sendmarc to see how we can implement SPF, DKIM, and DMARC correctly for your domains and make BEC attacks much harder to pull off.