BEC — Business Email Compromise
Business Email Compromise (BEC) is a targeted social engineering attack in which an adversary impersonates a trusted executive, vendor, or business partner via email to trick employees into transferring funds, sharing sensitive data, or modifying payment instructions. BEC is consistently among the most financially damaging categories of cybercrime, causing billions in global losses annually.
How BEC Attacks Work
BEC attacks rely on social engineering rather than on exploiting software vulnerabilities. The attacker researches the target organization, identifies key personnel, payment workflows and business relationships, and crafts convincing impersonation emails timed to look plausible: a quarter-end payment, a project already under way, an executive who is known to be travelling. Common BEC scenarios include impersonating the CEO to request an urgent wire transfer; posing as a vendor to change payment routing details; compromising an executive's or vendor's actual email account, typically through credential phishing or reused passwords, so that requests come from a legitimate address and sit in a real thread; and impersonating attorneys or consultants during time-sensitive transactions. In the account-compromise variant the attacker usually reads the mailbox first, learns the real invoice and approval threads, and adds inbox rules that hide replies before sending the fraudulent request.
BEC vs Phishing
While BEC is a form of social engineering, it differs from mass phishing campaigns in important ways. Phishing typically casts a wide net with generic messages to steal credentials or deliver malware. BEC is highly targeted, usually preceded by reconnaissance, rarely carries a malicious attachment, and aims at direct financial theft or data disclosure. Because BEC emails frequently contain no malicious links or attachments at all, filters that key on known-bad URLs, file hashes and malware signatures have nothing to match. What remains are identity and context signals: an executive's display name on an external address, a lookalike sender domain, a Reply-To that differs from the From address, a thread that abruptly switches to payment instructions, and the urgency and secrecy language of the request.
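The heuristics above can be checked mechanically. The following is an added example, not code from the original page or from the IR-OS product, showing header and body checks that fire on BEC lures that carry no link, attachment or malware. The organisation domain example-corp.com, the executive list and the three sample messages are constructed for the demonstration.

```python
"""
Added example, not from the original page: header and content heuristics
for BEC lures that carry no technical payload. The domain, the executive
list and the sample messages are all constructed.
"""
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"           # constructed: the domain we own
EXECUTIVES = {"jane doe", "john roe"}      # constructed: display names most often impersonated
LURE_WORDS = ("urgent", "wire", "immediately", "confidential",
              "gift card", "change of bank", "new account details")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains such as example-c0rp.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def body_text(msg) -> str:
    """Concatenate the text/plain parts, decoding any transfer encoding."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks).lower()


def bec_indicators(raw: str) -> list:
    """Return the BEC heuristics that fire on one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))

    # 1. Display name of an executive, but the address is not on our domain.
    if from_name.strip().lower() in EXECUTIVES and from_dom != OUR_DOMAIN:
        findings.append("display-name impersonation of an executive from external domain")
    # 2. Sender domain is a near miss of ours (typosquat or lookalike).
    if from_dom and from_dom != OUR_DOMAIN and levenshtein(from_dom, OUR_DOMAIN) <= 2:
        findings.append(f"lookalike sender domain {from_dom}")
    # 3. Reply-To steers replies to a different domain than From.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append(f"reply-to domain mismatch ({domain_of(reply_addr)})")
    # 4. Payment-diversion and urgency language, the only "payload" most BEC has.
    hits = [w for w in LURE_WORDS if w in body_text(msg)]
    if hits:
        findings.append("lure language: " + ", ".join(hits))
    return findings


# Constructed sample messages.
CEO_FRAUD = """\
From: Jane Doe <jane.doe@gmail-mail.example>
To: ap@example-corp.com
Subject: Quick favour

Are you at your desk? I need an urgent wire sent today, keep it confidential.
"""
VENDOR_SWAP = """\
From: Accounts <billing@example-c0rp.com>
Reply-To: billing@mailbox-relay.example
To: ap@example-corp.com
Subject: Updated remittance details

Please note our change of bank for all future invoices.
"""
CLEAN = """\
From: Jane Doe <jane.doe@example-corp.com>
To: ap@example-corp.com
Subject: Lunch

Team lunch Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("ceo fraud", CEO_FRAUD), ("vendor swap", VENDOR_SWAP), ("clean", CLEAN)):
        print(label, "->", bec_indicators(raw) or "no indicators")
```

None of these checks looks at a URL or an attachment; they are the kind of sender-identity and context rules a mail gateway or SIEM needs in addition to signature scanning. In production the executive list comes from the directory, the lookalike check should also cover registered variants of partner domains, and a hit should route the message for human review rather than block it outright, since legitimate mail from a personal address with an executive's name does occur.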
BEC Incident Response
Speed is critical in BEC response. If a fraudulent transfer has been initiated, the organization must immediately contact its own bank, which can request a recall from the receiving institution; the odds of recovery fall sharply once the funds are moved onward. In the United States, filing a complaint with the FBI's Internet Crime Complaint Center (IC3) lets its Recovery Asset Team work with the financial institutions involved to freeze funds. In parallel, the incident team must determine how the attacker obtained the information needed for the impersonation: was an email account compromised, was the information harvested from public sources, or was there an insider element? Until that is known, treat every involved mailbox as possibly compromised: reset credentials, revoke active sessions and tokens, and review inbox rules, forwarding settings and delegate permissions, since attackers commonly add rules that delete or redirect replies to keep the conversation out of sight of the real account owner. The forensic findings drive both remediation and the breach notification analysis.
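The first forensic question, whether the impersonated executive's account was itself taken over, is usually answered from the mailbox audit trail. Below is an added example, not from the original page or the IR-OS product, that triages a constructed audit export for the two indicators that matter most: successful sign-ins from an IP the account has never used, and mailbox changes that hide or divert mail. The record shape loosely follows a Microsoft 365 unified audit log export (Operation, UserId, ClientIP, Parameters), but the field set is simplified and every entry, address and IP is constructed; adapt the field names to your own export.

```python
"""
Added example, not from the original page: first-pass triage of a mailbox
audit export after a BEC incident. Record shape loosely follows Microsoft 365
unified audit log exports; fields are simplified and all data is constructed.
"""
import json
from collections import defaultdict

# Mailbox configuration operations worth reviewing after a BEC incident.
MAILBOX_CONFIG_OPS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "Add-MailboxPermission"}
# Parameters that hide or divert mail; benign user rules rarely need these.
HIGH_RISK_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                    "DeleteMessage", "ForwardingSmtpAddress", "ForwardingAddress"}
FINANCE_WORDS = ("invoice", "wire", "payment", "bank", "remit")

# Constructed export. 203.0.113.10 is the fictitious corporate egress IP.
AUDIT_EXPORT = json.loads("""[
 {"CreationTime":"2024-03-04T08:02:11","Operation":"UserLoggedIn","ResultStatus":"Success",
  "UserId":"jane.doe@example-corp.com","ClientIP":"203.0.113.10","Parameters":[]},
 {"CreationTime":"2024-03-04T21:47:03","Operation":"UserLoggedIn","ResultStatus":"Success",
  "UserId":"jane.doe@example-corp.com","ClientIP":"198.51.100.77","Parameters":[]},
 {"CreationTime":"2024-03-04T21:49:30","Operation":"New-InboxRule",
  "UserId":"jane.doe@example-corp.com","ClientIP":"198.51.100.77","Parameters":[
   {"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire;payment"},
   {"Name":"DeleteMessage","Value":"True"},{"Name":"MarkAsRead","Value":"True"}]},
 {"CreationTime":"2024-03-04T21:51:02","Operation":"Set-Mailbox",
  "UserId":"jane.doe@example-corp.com","ClientIP":"198.51.100.77","Parameters":[
   {"Name":"Identity","Value":"jane.doe"},
   {"Name":"ForwardingSmtpAddress","Value":"smtp:jd.archive@mailbox-relay.example"},
   {"Name":"DeliverToMailboxAndForward","Value":"True"}]},
 {"CreationTime":"2024-03-05T09:10:00","Operation":"UserLoggedIn","ResultStatus":"Success",
  "UserId":"john.roe@example-corp.com","ClientIP":"203.0.113.10","Parameters":[]},
 {"CreationTime":"2024-03-05T09:12:41","Operation":"New-InboxRule",
  "UserId":"john.roe@example-corp.com","ClientIP":"203.0.113.10","Parameters":[
   {"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@"},
   {"Name":"MoveToFolder","Value":"Newsletters"}]}
]""")
KNOWN_IPS = {"203.0.113.10"}   # constructed: IPs this tenant normally signs in from


def params(rec) -> dict:
    """Flatten the Name/Value parameter list of one record into a dict."""
    return {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}


def triage(records, known_ips) -> dict:
    """Per account, list (kind, detail) indicators: anomalous sign-ins and
    mailbox changes that hide or divert mail or target finance threads."""
    findings = defaultdict(list)
    for r in records:
        user, op, when, ip = r["UserId"], r["Operation"], r["CreationTime"], r["ClientIP"]
        if op == "UserLoggedIn":
            if r.get("ResultStatus") == "Success" and ip not in known_ips:
                findings[user].append(("signin", f"{when} sign-in from unknown IP {ip}"))
            continue
        if op not in MAILBOX_CONFIG_OPS:
            continue
        p = params(r)
        risky = {k: v for k, v in p.items() if k in HIGH_RISK_PARAMS and v not in ("False", "")}
        finance = [w for w in FINANCE_WORDS if w in p.get("SubjectContainsWords", "").lower()]
        if risky or finance:
            detail = "; ".join(f"{k}={v}" for k, v in risky.items())
            if finance:
                detail += ("; " if detail else "") + "rule targets " + ",".join(finance)
            findings[user].append(("mailbox", f"{when} {op} from {ip}: {detail}"))
    return dict(findings)


def assess(records, known_ips) -> dict:
    """Working hypothesis per account. Both indicator kinds together point to
    account takeover; either alone is a lead to verify, not a conclusion."""
    out = {}
    for user, items in triage(records, known_ips).items():
        kinds = {k for k, _ in items}
        if {"signin", "mailbox"} <= kinds:
            out[user] = "likely compromised: unknown-IP sign-in plus hide/divert mailbox changes"
        elif "mailbox" in kinds:
            out[user] = "suspicious mailbox change: confirm with the user"
        else:
            out[user] = "anomalous sign-in only: check MFA, session and device context"
    return out


if __name__ == "__main__":
    for user, items in triage(AUDIT_EXPORT, KNOWN_IPS).items():
        print(user)
        for _, detail in items:
            print("  -", detail)
    print(assess(AUDIT_EXPORT, KNOWN_IPS))
```

On the constructed data the executive's account shows a night-time sign-in from an unknown address followed within minutes by a rule that silently deletes any message mentioning invoices or wires and a forwarding address outside the organisation, while the colleague's newsletter rule is left alone. That pattern is the usual signature of the account-compromise variant described above and is what turns a "fraud" case into a breach investigation with its own notification analysis.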
BEC and Regulatory Obligations
BEC incidents can trigger multiple regulatory obligations. If an email account was compromised and contained personal data, breach notification requirements may apply. If financial fraud was successful, securities regulations, banking regulations, and insurance reporting requirements may be triggered. The incident response team must assess all applicable notification obligations during the response rather than treating BEC solely as a fraud matter.
Respond to BEC with a structured playbook
IR-OS includes pre-built BEC response playbooks with financial recall procedures, notification checklists, and forensic investigation steps.