Business Email Compromise

    Overview

    What is Business Email Compromise?

    Business email compromise attacks are impersonation scams: Hackers create emails impersonating a senior executive of the company or one of its business partners in an effort to steal money. Sometimes, it involves the compromise of a legitimate business email account but often it’s accomplished through social engineering: By convincingly masquerading as a CEO, for example, in an email that tells an accounting employee to wire money to a supplier — but to a bank account controlled by the hacker. In another type of BEC attack, hackers intercept emails from suppliers and substitute their own account numbers for the supplier’s.

    6 Most Common Types of Business Email Compromise

    The first and most familiar form of BEC is known as CEO fraud: a business leader’s email is hacked or spoofed, and fraudulent emails are sent in his or her name instructing subordinates to immediately wire payments to fraudulent locations. Subordinates, accustomed to following instructions from senior business leaders without question, often do so without independently confirming the legitimacy of the transaction. While called CEO Fraud, these BEC attacks have often been made in the name of a senior financial executive such as a CFO.

    Since then, BEC has morphed into multiple variants, including these five:

    Personal email compromise (PEC)

    These attacks are similar to CEO fraud but spoof an executive’s personal email account. They can be even more convincing, since recipients may have received private emails from the executive before and may assume the account is legitimate.

    Vendor email compromise (VEC)

    In this case, the criminal impersonates a vendor by spoofing the vendor’s legitimate email account. Acting as the vendor, the criminal instructs the recipient to make payments or change payment destinations to an account controlled by the criminal. By doing careful research about vendors over time, criminals may be able to identify multiple target victims throughout a company’s entire supply chain.

    Spoofed lawyer or real estate email accounts

    In these attacks, a criminal impersonates one party to a sizable financial transaction, spoofing that party’s email address. The transactions often involve real estate, but sometimes relate to other commercial transactions. The messages often include transaction details gleaned through social engineering or a computer intrusion. The criminal may instruct the recipient to change previously anticipated payment information — for example, updating a wire transfer destination or account number.

    Requests for W-2 information

    Instead of asking for cash, the cybercriminal (posing as a senior employee) asks an HR professional for an employee’s W-2 data. Given this data, the criminal may attempt to file fraudulent income tax returns in the victim’s name, appropriating the victim’s refunds; or use the victim’s social security number and other data to pursue other fraudulent activities that might not be uncovered until the victim’s credit is ruined.

    Gift card fraud

    In this variant of CEO fraud, a criminal may impersonate an executive and ask an assistant to purchase multiple gift cards that will be used as employee rewards. In the interests of rewarding employees as quickly as possible, the phony “executive” will request the serial numbers for the gift cards, and then use those serial numbers to make fraudulent purchases.

    What are some business email compromise examples?

    BEC attacks take many forms, limited only by the creativity and resourcefulness of criminals. A few of the most common BEC attacks include:

    • Spoofed emails to HR professionals asking that an employee’s direct deposit information be changed to an account controlled by a criminal.
    • Requests for forms of personally identifiable information such as an employee’s social security number, employee ID, place or date of birth, credit card account number or passport number — information that can subsequently be used to impersonate the individuals, access their resources or establish credit accounts in their names.
    • Supply chain attacks that infiltrate one supplier’s finance department, surveil its messaging to uncover real transactions, and then intervene with highly realistic fraudulent messages requesting payment on these actual transactions, but to fake accounts.

    How to Protect Against Business Email Compromise

    Align people, processes and technology to prevent costly BEC fraud

    According to the FBI, Business Email Compromise (BEC) is the costliest of internet crimes, accounting for 44% of the $4.1 billion in US losses reported in 2020. It gets worse: half of security executives surveyed by Mimecast say BEC attacks using impersonation fraud rose in 2020. With BEC, attackers generate high ROI from low-tech attacks containing no payload other than social-engineered text. Cybercriminals now use sophisticated intelligence to divert legitimate payroll or vendor payments — and by the time these attacks are discovered, the money is long gone.

    To outsmart BEC attackers, combine better human awareness with more sophisticated machine learning, threat detection and integration. Mimecast’s comprehensive business email compromise solutions can help.

    Implement a complete, holistic strategy for reducing business email compromise (BEC) risk

    Leverage Mimecast’s AI-based Brand Exploit Protect and DMARC Analyzer to monitor and respond to malicious brand impersonation attacks out in the web and through email.

    • Give employees the knowledge and training they need to resist BEC fraud.
    • Support your team with technology that analyzes every email for BEC risk, in real time.
    • Stop emails that rely on domain spoofing before they reach employees or partners.

    Promote employee vigilance more effectively

    Systematically analyze every inbound email for business email compromise (BEC) risk before it’s delivered

    Most BEC attacks impersonate real people or organizations: executives, colleagues, partners, customers, lawyers. Inbound BEC fraud may originate from compromised accounts or spoofed domains, and rely on lengthy intelligence gathering to make emails appear realistic. Even vigilant employees need technology help to prevent such attacks. Mimecast’s cloud-based Secure Email Gateway with Targeted Threat Protection safeguards them, no matter what cloud or on-premises email platform is used.

    With Mimecast’s Impersonation Protect service, every inbound message is analyzed in real time for signs of risk, from sender spoofing to suspicious international characters or body content. Email administrators have granular control over how risky messages are handled and centralized tools for managing, reporting and uncovering attacks. Plus, using Mimecast’s unmatched library of off-the-shelf integrations and open APIs, threat intelligence can be shared instantly across your security stack, empowering all security systems to respond more quickly and effectively.

    Prevent business email compromise

    The DMARC authentication standard has rapidly matured into a key element of a layered-defense strategy against BEC. DMARC can help protect employees against BEC phishing attacks that seem to originate within your organization but were actually crafted by distant criminals. It can also help protect business partners against fraudulent emails that look like they came from your organization, so criminals can’t divert payments.

    With Mimecast’s 100% SaaS-based DMARC Analyzer, applying DMARC is finally practical. A valuable complement to Mimecast Secure Email Gateway with Targeted Threat Protection, it empowers organizations to authenticate email more reliably, identify senders and block delivery of unauthenticated messages from their domains. Many BEC attacks that rely on domain spoofing can now be halted before they arrive on employees’ devices or those of third-party partners.
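    As an added example (not Mimecast's code and not part of the original page), the Python below parses a DMARC TXT record for a hypothetical domain and shows why only an enforcing policy actually stops a spoofed message; the record values, domain and report address are constructed.

```python
"""Added example, not Mimecast's code: parse a DMARC TXT record and show what a
receiving mail server does with a message that fails SPF/DKIM alignment."""
from typing import Dict, List
# Constructed sample records for a hypothetical domain (not taken from the page).
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
ENFORCING = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
             "rua=mailto:dmarc-reports@example.com")


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC record into lower-cased tag -> value pairs."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("record must start with v=DMARC1 and carry a p= tag")
    return tags


def disposition(record: str, spf_aligned: bool, dkim_aligned: bool) -> str:
    """Receiver action for one message: 'deliver', 'quarantine' or 'reject'.
    DMARC passes when SPF *or* DKIM passes with a domain aligned to the visible
    From: address; otherwise p= decides (pct= sampling is left to policy_gaps)."""
    policy = parse_dmarc(record)["p"].lower()
    if spf_aligned or dkim_aligned:
        return "deliver"
    if policy == "none":
        return "deliver"  # monitoring only: the spoofed mail still reaches the inbox
    return "quarantine" if policy == "quarantine" else "reject"


def policy_gaps(record: str) -> List[str]:
    """Settings that still leave domain-spoofed BEC mail deliverable."""
    tags = parse_dmarc(record)
    policy = tags["p"].lower()
    gaps: List[str] = []
    if policy == "none":
        gaps.append("p=none: failures are only reported, never blocked")
    if int(tags.get("pct", "100")) < 100:
        gaps.append("pct<100: a share of failing mail bypasses the policy")
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        gaps.append("sp=none: subdomains remain spoofable")
    if "rua" not in tags:
        gaps.append("no rua=: no aggregate reports to reveal abuse")
    return gaps
```

    Running `policy_gaps` over your own published record is the quickest way to see whether a monitoring-only rollout (p=none) has ever been moved to enforcement.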

    Stop business email compromise with Mimecast

    Mimecast simplifies and reduces the cost of email security, email archiving and email continuity. Mimecast's comprehensive security services provide data leakage prevention tools, 100% anti-malware protection, cloud-based email filtering for spam, secure email options, and Targeted Threat Protection to combat business email compromise and other advanced targeted threats. Mimecast email security services protect users on all the devices they use, including desktop, mobile and personal devices. This is a critical benefit for organizations where employees' personal devices are not protected at the same level as corporate devices, or where organizations lack comprehensive web security and endpoint protection. And as a fully integrated subscription service, Mimecast security solutions can be implemented quickly without additional infrastructure or IT overhead costs.

    Business Email Compromise FAQs

    Why is business email compromise (BEC) protection important?

    Business email compromise protection is crucial because of the profound risks BEC attacks create. BEC attacks can cause serious financial loss to companies, and can be equally costly to the employees, customers or partners who are victimized. When employees, customers, or partners are victimized because an organization failed to adequately protect against BEC, this can profoundly damage the organization’s reputation — costing it the confidence and trust that it needs to operate successfully.

    How can organizations respond to business email compromise?

    Organizations need a comprehensive, layered strategy for resisting BEC attacks. Central to deterrence is effective, continuous security awareness training that goes beyond boring PowerPoints to compel attention, engage employees, and clarify the right actions to take when confronted with a possible attack. Training should be linked to strong policies — for example, independently verifying every request to change a payment account. As organizations reduce human error through training, they can also prevent delivery of many BEC emails through a cutting-edge cloud-based secure email gateway, as well as an impersonation protection service that uses machine learning to analyze individual message risks in real time. Beyond this, DMARC solutions may help protect an organization’s partners by halting spoofed fraudulent emails designed to closely resemble those sent by the organization itself.
