What is Business Email Compromise (BEC)
Business email compromise (BEC) is an email-borne attack technique in which a threat actor manipulates an individual into taking a secondary action, online or in the physical world, for malicious purposes. These actions can include transferring funds, sharing sensitive data, or granting access to something else of value.
While early BEC attacks closely resembled what is now referred to as account takeover (ATO), in which a threat actor gains unauthorized access to an email account within an organization, BEC has since evolved to include other tactics and techniques, many of which never require access to a legitimate mailbox.
Business email compromise is a highly common and costly attack that affects organizations of all sizes and industries. According to The State of Cybersecurity: 2025 Trends Report, 35% of surveyed organizations reported experiencing a BEC attack in 2024. BEC attacks also comprised 27% of Arctic Wolf® Incident Response cases in 2024.
How Does Business Email Compromise Work?
BEC attacks can take many forms and pursue a number of final objectives. The specifics of each attack vary, because these attacks are often highly researched, personalized, and aimed at a specific goal, most often a financial one. Data from the 2025 Arctic Wolf Threat Report shows that the main root points of compromise for BEC attacks are phishing, previously compromised credentials, and email spoofing, highlighting that threat actors can launch these attacks through several different methods.
However, all BEC attacks contain four major steps:
- Target Selection. The threat actor chooses the organization, or even the individual, they want to target with the attack. Because BEC attacks are most often financially motivated, this target could be the CFO or someone who works in accounting at an organization.
- Identity Crafting. The threat actor decides who to impersonate, and how, in order to achieve the desired action. This can be (but is not always) done through gaining access to an email account and utilizing it maliciously. It can also be achieved through spoofing.
- Social Engineering. BEC attacks cannot succeed without social engineering. The threat actor composes a believable email message using social engineering techniques (e.g. a sense of urgency, insider knowledge of the subject, spoofed details) to get the victim to complete the required action.
- Execution and Exfiltration. The threat actor sends the message and, if the victim complies, obtains the funds, data, or access and completes the attack.
Business Email Compromise vs. Spoofing vs. Phishing
BEC Attacks and Spoofing
Email spoofing, like phishing (below), can be the root point of compromise for a BEC attack, but it is only a method used within the larger attack. Spoofing involves forging components of the email message so it appears to have originated from a trusted source: the display name, the From address, or the Reply-To address, or by registering a lookalike domain that differs from the trusted one by a character or two.
BEC Attacks and Phishing
While BEC attacks often originate with phishing, phishing is just one technique used in the larger attack. Standalone phishing attacks, compared to BEC attacks, are usually broader in scope and are used to install malware, steal data, or gain access to an organization.
Examples of Business Email Compromise Attacks
Massachusetts Workers’ Union
In 2024, a spoofed email, supposedly from an investment manager, tricked this state union into changing the beneficiary bank account for a large payment. As a result, over USD $6 million was transferred into the fraudulent account.
Northern Territory Government, Australia
In 2025, a single individual used BEC to have the territory government transfer them over AUD $3 million. The forged email posed as a third-party contractor from a construction company and carried forged supporting details, including a forged vendor identification form.
The Five Main Types of Business Email Compromise
1. CEO Fraud
In a CEO fraud attack, a threat actor poses as the CEO or another executive of a company, then (typically) emails an individual within the finance department requesting that funds be transferred to an account the attacker controls. CEO fraud is one of the more common BEC tactics, as individuals are more likely to trust, and less likely to question, an email that appears to come from a CEO or other C-suite employee.
2. Account Takeover or Compromise
In this attack, a user’s email account is compromised and used to send fraudulent messages and requests for funds (e.g. to a third party or a subordinate). This method can be highly successful because the email address itself is legitimate, so sender-authentication checks pass and the message arrives from a known correspondent.
3. False-Invoice Scheme
In this attack, the threat actor poses as a third-party supplier and requests that payments be redirected to fraudulent accounts, often by announcing a change of bank details on an otherwise legitimate-looking invoice. Because organizations typically deal with a multitude of vendors, a threat actor can exploit multiple organizations at once through this method.
4. Attorney Impersonation
In this form of BEC, a threat actor impersonates a lawyer or legal representative in order to obtain funds or financial information. Lower-level employees are commonly targeted through these types of BEC attacks.
5. Data Theft
This kind of BEC attack specifically targets internal data and often targets HR employees to obtain personal information about staff, which is then leveraged in future social engineering attacks.
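As an added example that is not part of the original article or Arctic Wolf's own tooling, the following Python script turns the spoofing indicators described above (forged display name, lookalike domain, mismatched Reply-To) and the CEO fraud pattern from the list into header and body checks an analyst or mail gateway could run over an inbound message. The trusted domain, the executive directory, the urgency word list, and both sample messages are constructed assumptions for illustration only.

```python
"""Heuristic BEC indicator triage over raw email headers and body.

Added example, not from the original page. All domains, names and
messages are constructed; none come from a real incident.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumed organizational context (constructed for this example).
TRUSTED_DOMAINS = {"example-corp.com"}
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}
URGENCY_WORDS = ("urgent", "immediately", "wire", "today", "confidential", "new bank")
AUTH_FAILURES = {"fail", "softfail", "permerror", "temperror"}


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch typosquatted sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: set) -> bool:
    """True if domain is near, or embeds, a trusted domain without being it."""
    return any(d != domain and (_edit_distance(domain, d) <= 2 or d in domain)
               for d in trusted)


def _normalize_name(display_name: str) -> str:
    name = re.sub(r"\(.*?\)", "", display_name.lower())  # drop "(CEO)"-style suffixes
    return " ".join(re.sub(r"[^a-z ]", " ", name).split())


def analyze(raw: bytes) -> dict:
    """Return the indicators found in one message and a coarse verdict."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = _domain(from_addr)
    findings = []

    # 1. Reply-To / Return-Path pointing somewhere other than the visible sender.
    reply_addr = parseaddr(str(msg.get("Reply-To", "")))[1]
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append("reply-to-mismatch")
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    if return_path and _domain(return_path) != from_dom:
        findings.append("return-path-mismatch")

    # 2. Sender domain that imitates a trusted domain (e.g. examp1e-corp.com).
    if from_dom not in TRUSTED_DOMAINS and is_lookalike(from_dom, TRUSTED_DOMAINS):
        findings.append("lookalike-domain")

    # 3. Display name of a known executive on an address that is not theirs.
    expected = KNOWN_EXECUTIVES.get(_normalize_name(from_name))
    if expected and from_addr.lower() != expected:
        findings.append("executive-impersonation")

    # 4. SPF/DKIM/DMARC results as recorded by our own receiving MTA.
    auth = str(msg.get("Authentication-Results", "")).lower()
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=([a-z]+)", auth):
        if result in AUTH_FAILURES:
            findings.append(f"{mech}={result}")

    # 5. Pressure language typical of BEC pretexts.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()
    if sum(word in text for word in URGENCY_WORDS) >= 2:
        findings.append("urgency-language")

    return {"from": from_addr, "findings": findings,
            "verdict": "suspicious" if len(findings) >= 2 else "clean"}


# Constructed sample: CEO fraud pretext sent from a typosquatted domain.
SAMPLE_CEO_FRAUD = b"""\
Return-Path: <bounce@mail-relay.example.net>
Authentication-Results: mx.example-corp.com; spf=fail smtp.mailfrom=mail-relay.example.net;
 dkim=none; dmarc=fail header.from=examp1e-corp.com
From: "Jane Doe (CEO)" <jane.doe@examp1e-corp.com>
Reply-To: <jane.doe.ceo@freemail.example.org>
To: ap-clerk@example-corp.com
Subject: URGENT wire needed today - confidential
Content-Type: text/plain; charset="utf-8"

I'm in a board meeting and can't talk. Please process this wire immediately
and keep it confidential until I'm out of the meeting.
"""

# Constructed sample: a genuine internal message that should come back clean.
SAMPLE_LEGIT = b"""\
Return-Path: <jane.doe@example-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=example-corp.com;
 dkim=pass header.d=example-corp.com; dmarc=pass header.from=example-corp.com
From: "Jane Doe" <jane.doe@example-corp.com>
To: ap-clerk@example-corp.com
Subject: Q3 budget review notes
Content-Type: text/plain; charset="utf-8"

Notes from this morning's budget review are on the shared drive.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_CEO_FRAUD, SAMPLE_LEGIT):
        print(analyze(sample))
```

Two caveats a practitioner would apply before relying on this: a Return-Path mismatch on its own is weak evidence, since legitimate bulk and relayed mail routinely uses a separate bounce domain, which is why the verdict requires at least two indicators; and the Authentication-Results header is only trustworthy when it was written by your own receiving MTA, so a gateway must strip any inbound copy of that header that claims your authserv-id before a script like this reads it, otherwise the attacker simply ships a forged "dmarc=pass". None of these checks help against the account takeover variant, where the message genuinely comes from the legitimate mailbox; that case needs sign-in and mailbox-behaviour monitoring rather than header analysis.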
How to Prevent Business Email Compromise
1. Utilize robust access controls, including multi-factor authentication (MFA), which makes account compromise with stolen credentials far harder; prefer phishing-resistant MFA methods where available.
2. Follow identity and access management (IAM) best practices to prevent credential theft and unauthorized access.
3. Implement security awareness training with BEC simulations to educate users and reduce human risk, and pair it with an out-of-band verification process (e.g. a phone call to a known number) for any payment or bank-detail change requested by email.
4. Employ a monitoring platform that integrates with email security to monitor for suspicious email-related behavior, such as unusual sign-ins, newly created mail-forwarding rules, or inbound messages that fail sender authentication.