Business Email Compromise (BEC)
Business Email Compromise (BEC) is one of the most costly cyber threats: Attackers compromise or spoof business emails to trick victims into making wire transfers, sharing data, or providing login credentials—often without using malware, relying solely on social engineering.
Business Email Compromise (BEC) is, according to the FBI, the most financially damaging form of cybercrime worldwide: The total losses regularly exceed those of all other malware categories combined—in 2023, over $2.9 billion was lost globally due to BEC (FBI Internet Crime Report).
BEC Subtypes
BEC Categories (FBI Classification):
1. CEO Fraud / Executive Impersonation:
Scenario: Attacker poses as CEO, instructs CFO to make an urgent transfer
Example: "I am abroad and need EUR 80,000 immediately for a discreet deal"
No account compromise required—only a fake sender address
2. Vendor/Invoice Fraud:
Scenario: Attacker compromises a genuine supplier’s email account
Then: the next genuine invoice arrives with changed bank details (a new IBAN)
Detection: difficult—genuine email domain, genuine contact person
3. Credential Phishing via BEC:
Scenario: Compromised internal account sends phishing emails to employees
Advantage for attacker: Internal sender address bypasses email filters
4. Legal/Attorney Impersonation:
Scenario: Attacker poses as a lawyer/notary in a confidential transaction
Context: M&A processes; real estate transactions
5. W2/HR Data Theft:
Scenario: HR department is asked to send employee data/salary information
(The data is then used for tax fraud and identity theft)
Technical Countermeasures
Technical BEC Prevention:
Email Authentication (fundamental protection):
SPF: Declares which servers may send mail for your own domain, so forged envelope senders can be rejected
DKIM: Cryptographically signs outgoing emails so receivers can verify they were not altered and really come from your domain
DMARC (p=reject): Instructs receiving servers to reject mail that claims your domain but fails SPF/DKIM alignment
Important: Protects ONLY against spoofing—not against compromised accounts!
Detecting display name spoofing:
Problem: "Thomas Müller <attacker@gmail.com>"—the name is fake, not the domain
Solution: Email gateway rule: mark external emails with internal display names
Microsoft 365: Anti-Phishing Policy → Impersonation Protection
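The gateway rule described above, as an added illustration that is not part of the original page or any vendor product: it parses the From: header, normalises the display name, and flags mail whose sender name matches an internal employee while the mailbox sits outside the organisation's domains. The domains, the employee directory and the sample headers are all constructed for the example.

```python
import unicodedata
from email.utils import parseaddr

# Constructed for this example: the organisation's own domains and a small
# employee directory. A real gateway rule would pull both from the directory service.
INTERNAL_DOMAINS = {"example.com", "example.de"}
EMPLOYEE_DIRECTORY = ["Thomas Müller", "Anna Schmidt", "Peter Lang"]

def name_key(name: str) -> frozenset:
    """Normalise a display name so trivial variations still match the directory:
    strip accents (Müller -> Muller), fold case, and ignore word order/punctuation
    ("Müller, Thomas" == "Thomas Müller")."""
    decomposed = unicodedata.normalize("NFKD", name)
    plain = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    return frozenset(plain.casefold().replace(",", " ").split())

INTERNAL_NAME_KEYS = {name_key(n) for n in EMPLOYEE_DIRECTORY}

def sender_domain(address: str) -> str:
    return address.rpartition("@")[2].casefold()

def is_display_name_spoof(from_header: str) -> bool:
    """True when the From: header shows an employee's name but the mailbox is
    outside our domains (the 'Thomas Müller <attacker@gmail.com>' pattern).
    Mail that really carries our domains is left to SPF/DKIM/DMARC."""
    display_name, address = parseaddr(from_header)
    if not display_name or "@" not in address:
        return False
    if sender_domain(address) in INTERNAL_DOMAINS:
        return False
    return name_key(display_name) in INTERNAL_NAME_KEYS

def tag_subject(from_header: str, subject: str) -> str:
    """Gateway action: prepend a visible warning so the recipient sees the
    mismatch before acting on an 'urgent' request."""
    if is_display_name_spoof(from_header):
        return "[EXTERNAL - sender name matches an employee] " + subject
    return subject

# Constructed sample headers, not real mail.
SAMPLE_MAIL = [
    ('"Thomas Müller" <attacker@gmail.com>', "Urgent transfer - discreet deal"),
    ("Thomas Müller <thomas.mueller@example.com>", "Q3 budget"),
    ('"Müller, Thomas" <ceo.office@webmail.example>', "Call me before you transfer"),
    ("Vendor Billing <invoices@supplier.example>", "Invoice 4711"),
    ("noreply@example.com", "Password expiry notice"),
]

if __name__ == "__main__":
    for hdr, subj in SAMPLE_MAIL:
        print(f"{hdr:48} -> {tag_subject(hdr, subj)}")
```

Only the first and third sample headers are tagged; the genuine internal sender, the external vendor with a non-employee name, and the address without a display name pass through unchanged.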
Multi-factor authentication:
MFA prevents account compromise (the basis for vendor fraud)
Particularly critical: Finance department, Accounting, CFO
Verify IBAN changes:
Process: Any IBAN change from a supplier → Call back to a known number
DO NOT: Call back to the number provided in the email (could be an attacker)
Procedural protective measures
Technology alone is not enough – BEC is primarily a process issue:
Dual-control principle for transfers:
→ All transfers > [threshold] require 2 approvals
→ New bank details: additional verification by phone (known number!)
→ "Urgent" requests: always be suspicious – urgency is a BEC tactic
Employee awareness:
→ Specific BEC training (not generic phishing training)
→ Scenario: CFO simulation: "CEO calls and confirms the email"
(Spear-phishing + vishing combination attack – real tactic!)
→ Red flag recognition: high-pressure situations, confidentiality requirements, new IBANs
Incident Response:
→ Immediate action in case of suspected BEC transfer:
1. Contact your own bank: SWIFT recall possible within 24 hours
2. Contact the recipient’s bank (via INTERPOL/BKA for international cases)
3. File a criminal complaint: Police + BKA Cybercrime (often a prerequisite for insurance coverage)
4. Notify the BSI (mandatory for KRITIS companies)
BEC is not a technical problem—it is a trust and process problem. The best defense is a corporate culture in which no one shies away from security checks just because “the boss wanted it that way.” CEO fraud thrives on employees’ reluctance to question supposed superiors.