The digital world offers unprecedented connectivity but also opens the door to increasingly sophisticated cyber threats. Among the most dangerous of these is Business Email Compromise (BEC). This is a highly targeted form of fraud that preys on trust and the established business processes that keep companies running. It’s a problem that affects organisations of all sizes, from global corporations to local businesses, and its financial and reputational consequences can be devastating.
What is Business Email Compromise (BEC)?
So, what is Business Email Compromise? BEC is a type of scam where a criminal impersonates a trusted individual or organisation via email to trick a business or employee into making a fraudulent payment or revealing sensitive data. Unlike mass phishing campaigns that cast a wide net, BEC attackers are meticulous. They study an organisation’s public-facing information and internal communications to craft a believable and highly personalised message. The goal is to bypass a company’s financial controls by leveraging authority and urgency.
There are two primary tactics criminals use to execute a BEC attack:
- Email spoofing
This involves creating an email address that looks almost identical to a genuine one, with subtle differences that are easy to miss. For example, a scammer might use ‘J@rnbusiness.com’ instead of ‘J@mbusiness.com,’ hoping a busy employee won’t notice the difference.
- Email account compromise
Fraudsters gain access to a genuine email account through malware or by stealing the password. Once inside, they can monitor email conversations for weeks, waiting for the perfect moment to insert themselves into an existing communication thread, making their fraudulent requests appear legitimate.
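The lookalike-address trick in the spoofing example above (‘rn’ passing for ‘m’) can be caught mechanically before a busy employee has to spot it. As an added example that is not from the original article or Net-Defence, the following Python check normalises commonly confused character sequences and compares sender domains against a trusted list; the trusted domain and addresses are constructed.

```python
"""Lookalike-domain check for inbound sender addresses (added example).

Flags senders whose domain resembles a trusted domain: confusable character
sequences such as 'rn' vs 'm', a single-character typo, or a trusted name used
as the prefix of a longer domain. All domains below are constructed.
"""
import re

# Sequences that render alike in many fonts; each is mapped to a canonical form
# so that 'rnbusiness.com' and 'mbusiness.com' normalise to the same string.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e")]


def normalise(domain: str) -> str:
    d = domain.lower()
    for seq, canon in CONFUSABLES:
        d = d.replace(seq, canon)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(address: str, trusted: set[str]) -> str:
    """Classify one sender as 'trusted', 'lookalike', 'external' or 'invalid'."""
    m = re.match(r"^[^@\s]+@([^@\s]+)$", address)
    if not m:
        return "invalid"
    domain = m.group(1).lower()
    if domain in trusted:
        return "trusted"
    for t in trusted:
        if normalise(domain) == normalise(t):      # rnbusiness.com vs mbusiness.com
            return "lookalike"
        if edit_distance(domain, t) <= 1:          # mbusines.com (one letter dropped)
            return "lookalike"
        if domain.startswith(t + "."):             # mbusiness.com.evil.example
            return "lookalike"
    return "external"


# Constructed trusted list, mirroring the article's example domain.
TRUSTED = {"mbusiness.com"}
```

In practice this sits in the mail gateway or a transport rule so that a ‘lookalike’ verdict adds a warning banner or quarantines the message for review.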
These two tactics lead to the most common types of BEC fraud:
- Payment/invoice diversion, where attackers impersonate a supplier and send a fake invoice or a request to change a vendor’s bank details
- CEO fraud, in which a fraudster impersonates a high-level executive and emails an employee (often in the finance department) with an urgent and confidential request for a wire transfer
The mechanics of a BEC scam
A key aspect of a Business Email Compromise (BEC) attack is its deceptive simplicity. Unlike traditional cyberattacks that rely on malicious software or code, BEC often doesn’t involve attachments or links. Instead, it leverages social engineering to manipulate people into making a mistake.
The mechanics typically involve a few key steps:
- The attacker first researches the target organisation, often using publicly available information from social media, corporate websites and press releases. They identify key personnel, such as CEOs and finance or human resources staff, to understand the chain of command and typical business processes. This allows them to craft a believable scenario.
- The scammer then creates a convincing fake identity. This can be done by spoofing an email address to make it look almost identical to a legitimate one, or by compromising a genuine email account to send requests from a trusted source.
- The fraudulent email is sent. It’s often simple and contains a sense of urgency and authority. It might claim to be a confidential request that needs to be handled immediately, discouraging the recipient from seeking a second opinion. The email might contain subtle red flags like slightly off grammar or an unusual tone, but these are often overlooked due to the perceived pressure.
- If the employee falls for the scam, they will follow the instructions, which typically involve a wire transfer to a fraudulent account or the disclosure of sensitive data like employee social security numbers or tax information. The stolen funds are then quickly moved through multiple accounts to make them difficult to trace.
Common targets of Business Email Compromise
While any organisation can be a victim of BEC, some are more likely to be targeted due to their size, industry, or the specific roles of their employees.
- SMEs: While large corporations have sophisticated security teams, small and medium-sized enterprises (SMEs) are often prime targets because they may lack the resources or expertise for robust security protocols
- Government agencies and non-profits: Organisations that manage large budgets or grants are also a common target for BEC scams, as they regularly process large financial transactions
- Specific roles: Scammers typically target individuals with the authority to initiate financial transactions or access sensitive data. The most common targets include accounts payable staff, controllers and anyone responsible for vendor payments; HR professionals who have access to sensitive employee data; and new or junior employees who may be less familiar with standard protocols.
How does it happen?
Business Email Compromise attacks are so successful because they exploit human nature and the inherent vulnerabilities in our digital systems. The scammer’s methods are a blend of social engineering and technical savvy. They play on trust and mimic writing styles to make their requests seem genuine. The urgency they often create is a key psychological tool, designed to pressure employees into acting without a moment’s thought.
This is where technology, or a lack of proper configuration, comes into play. While most businesses use email platforms with built-in security features, such as Microsoft 365, the default settings are rarely enough to provide comprehensive protection against a sophisticated BEC attack.
The default settings of Microsoft Defender for Office 365
Microsoft Defender for Office 365 offers robust security tools, but many organisations don’t fully leverage them. The platform comes with standard email spam filtering, but this is often not configured to a company’s specific needs. Out-of-the-box settings are generic and may be too permissive, leaving gaps for fraudsters to exploit.
While some basic anti-phishing, anti-spam and anti-malware policies are enabled by default, they don’t provide the custom protection needed to stop BEC. For instance, advanced impersonation protection (which flags emails that are attempting to spoof a user or domain) is not available in all standard packages.
Furthermore, many helpful features are disabled by default. These include:
- Custom safety tags that can be configured to add a visual tag to emails, indicating if the sender is outside the organisation or if it’s the first time they’ve contacted you.
- Secure sandbox environments, which allow potentially risky emails to be opened in a secure, isolated ‘sandbox’ before they are released to the inbox. This prevents malicious content from ever reaching your network
- High-risk email reviews that automatically quarantine certain suspicious emails for IT review. This prevents users from making a potentially risky decision on their own
Without custom configuration, these powerful tools remain dormant, leaving your organisation vulnerable to social engineering tactics.
Beyond the inbox
While employee training is a crucial defence against Business Email Compromise, many organisations fail to implement basic but powerful technical controls that can stop a BEC attack even if a scam email slips past a user’s notice. The most impactful of these is Multi-Factor Authentication (MFA).
MFA requires a user to provide two or more verification factors to gain access to an account. For example, even if a scammer steals an employee’s email password through a phishing attempt, they still won’t be able to log in without a second factor, such as a code from a mobile authenticator app or a biometric scan. This single control can stop an account compromise attack in its tracks, preventing the scammer from gaining access to email trails or impersonating the user.
Beyond MFA, other technical measures are vital. Secure Email Gateways (SEGs) can be configured to add a layer of filtering before messages even reach an inbox. These tools use advanced threat intelligence and machine learning to detect subtle signs of fraud, such as suspicious sender domains or unusual email headers. They can also be set to automatically quarantine emails with certain characteristics, ensuring that a risky message never gets seen by a user.
Finally, implementing DMARC (Domain-based Message Authentication, Reporting, and Conformance) helps prevent email spoofing: the company publishes a policy for its domain that tells receiving mail servers to quarantine or reject messages that fail both SPF and DKIM alignment checks, effectively blocking a common BEC tactic at the source. Note that DMARC protects only the company’s own domain; it does not stop lookalike domains or mail sent from a compromised genuine account, which is why MFA and out-of-band verification remain necessary. Together, these technologies create a multi-layered defence that makes your digital infrastructure much more resilient.
How Net-Defence can help
The pervasive challenges of outdated or misconfigured security and the human element of BEC scams are significant hurdles for any organisation. This is why a proactive, layered security approach is essential.
We provide a comprehensive suite of services designed to help you build a robust defence against Business Email Compromise.
Auditing and configuration
Many businesses are unaware of the security features they already have. Our team can conduct a thorough review of your existing security policies and rules in Microsoft Defender for Office 365. We will assess what policies you have in place and, more importantly, what you don’t. We’ll then provide expert recommendations and help you implement custom configurations that are tailored to your company’s specific needs, ensuring your email system is as secure as possible without impacting day-to-day operations.
We can help you configure:
- Custom impersonation policies that specifically protect key individuals (like your CEO) and domains, adding an essential layer of defence
- Email tags and safety tips to help users identify potentially suspicious emails at a glance
- Sandbox environments that allow for the safe preview of attachments and links, preventing malware from ever reaching a user’s machine
Cyber security training
Your employees are your first line of defence. We offer cyber security training to empower your team to spot the signs of a BEC scam. We’ll provide guidance on:
- Email verification that teaches staff to scrutinise email addresses for subtle differences and to never trust a phone number provided in a suspicious email
- Implementing a ‘non-email check’ such as a phone call to a known contact for all new payment details
- Training employees to question urgent requests, especially if they are from a senior leader, and to never be afraid to seek a second opinion
By combining technological safeguards with comprehensive human training, we help you create a risk-aware culture where employees are not only protected by technology but are also empowered to recognise and report threats themselves.
Don’t leave your business vulnerable to the devastating impact of Business Email Compromise. Get in touch to secure your email systems and protect your most valuable assets.