ABCs of BEC (Business Email Compromise)


Business email compromise (BEC) is a cybercrime involving fake messages designed to trick receivers into divulging confidential company information. Crooks pose as trusted colleagues or associates and then ask recipients to pay false bills or provide credentials for access to proprietary data.


But BEC scammers do not limit their attacks to email. Studies show these cyber thieves use text messages about 30% of the time, social media connections for another 30% of attacks and phone calls for about 20% of intrusions.

Whichever method is used to target potential victims, faux links are often the tactic used to capture sensitive information. In fact, research shows 67% of all data breaches start with one person clicking a seemingly safe link.

Typical BEC scams include:
  • Data theft – First, BEC criminals steal company information from financial reports, an HR database or similar sources. Next, they include facts from these records to make fake messages feel authentic.
  • C-suite spoofing – Cybercrooks hack C-level email, and then direct staffers to pay invoices, make purchases or authorize other spending. They often use falsified attachments that may feature bogus accounts numbers—perhaps off by one digit—or appropriated logos from well-known banks to appear legitimate.
  • Advisor spoofing – This social engineering technique applies the same mechanism as C-suite spoofing. But instead of impersonating authorities inside the company, perpetrators mimic advisors outside the organization—e.g., accountants, lawyers, even IT help desks.
The FBI recommends user education as a best practice for thwarting BEC. As part of our managed services, we offer cybersecurity awareness programs. Let us know if this is an area where you need assistance.