In early 2024, a Nigerian hacker was arrested for defrauding two U.S. non-profits and stealing over $7 million (USD). He amassed this amount of ill-gotten funds by gaining unauthorised email access to a first charity, posing as an employee, and then requesting a withdrawal of funds from a second charity via email.
This kind of cyber attack, known as business email compromise (BEC), has become a lucrative, go-to attack type for bad actors, ultimately costing global organisations $55.5 billion (USD) between 2013 and 2023.
With that kind of potential impact, it’s vital that organisations understand the basics of BEC, why BEC attacks so often succeed, and how to harden defences against them.
What is Business Email Compromise?
Business email compromise is an email-borne cyber attack technique in which a threat actor attempts to manipulate an individual into initiating a secondary digital or kinetic action for malicious purposes. These actions can include transferring funds, sharing sensitive data, or enabling access to something else of value.
In the early days of BEC attacks, the term was nearly synonymous with account takeover (ATO) attacks, where a threat actor would gain unauthorised access to an email account within an organisation and use that access to send spear phishing emails to other employees or connected businesses and contacts.
However, as threat actors have evolved their tactics over time, BEC attacks have subsequently expanded in scope. Now, in addition to ATO attacks, business email compromise includes several types of email-based scams, which we’ll discuss in detail below.
BEC attacks are both common and costly for victim organisations. According to the 2025 Arctic Wolf Threat Report, 27% of Arctic Wolf® Incident Response cases during the reporting period pertained to BEC, making it the second most prevalent kind of attack. While any industry can be targeted by business email compromise, finance and insurance are the leading industries targeted, and this is not random. Both industries rely heavily on email communications as well as digital funds transfers, making them ripe targets for BEC threat actors.
How Does a BEC Attack Work?
A traditional BEC attack has four broad phases, similar to other kinds of cyber attacks: preparation, execution, deception, and action.
Preparation
A threat actor uses credential theft, credential harvesting, social engineering, or another tactic such as a vulnerability exploit or bypassing multi-factor authentication (MFA) to steal valid credentials for a business email account.
Execution
A threat actor gains access to an organisation’s email server or a specific user’s email account using these harvested credentials.
Deception
The scam is launched, with the threat actor utilising the accessed email account as the primary vector.
Action
The threat actor, posing as the user, requests a transfer of funds, creates a fraudulent invoice, or asks for access to valuable data or another asset.
To put this into a real-world scenario, let’s go back to the Nigerian threat actor who was arrested in 2024.
In that incident, the threat actor did the following:
1. Gained credentials to the email account tied to a U.S. non-profit.
2. Learned of a second non-profit that owed the first organisation funds.
3. Sent an email to the second non-profit, posing as the first, and requested funds.
BEC vs. Phishing
In phishing attacks, the email account used belongs to the threat actor or is fraudulent. That can also be the case in BEC attacks, but sometimes the sender address is a third-party email account disguised to appear trustworthy. Phishing attacks are often broader in scope, targeting dozens or hundreds of accounts at once, whereas a BEC attack is highly targeted with a specific end goal in mind.
However, both kinds of attacks do fall under the umbrella of social engineering, and it’s not uncommon for BEC attacks to use common phishing or spear phishing tactics (such as sounding urgent or using known information about the victim) to steal credentials and gain access to the legitimate business email account. These kinds of attacks are connected in another way as well — phishing is the top root cause of BEC attacks, accounting for 73.5% of Arctic Wolf Incident Response BEC investigations in 2024.
BEC vs. Account Takeover Attacks
ATO attacks and business email compromise (BEC) attacks are commonly linked. As noted above, ATO attacks involve acquiring unauthorised access to an email account within an organisation, and then leveraging that account for secondary attacks, such as spear-phishing.
ATO attacks are often a precursor to BEC attacks; threat actors frequently seek internal account access via an ATO attack in order to gain a foothold in an environment for the purpose of conducting a more lucrative BEC attack. BEC attacks are sometimes referred to as email account takeovers (EATs), which are a form of ATO attack.
Types of BEC Attacks
As mentioned above, the scope of BEC attacks has expanded beyond account takeover attacks and now falls into six categories.
Types of business email compromise include:
1. CEO/Executive fraud
Attackers will attempt to impersonate the CEO or another executive of a company. In this kind of attack, threat actors will typically email an individual within the finance department and request funds be transferred to an account controlled by the attacker.
2. Account compromise
This occurs when an employee’s email account is hacked and is used to request payments to vendors. This type of BEC attack remains popular because of the financial gains it can provide threat actors with relative ease. In one case from 2024, the Homeland Security Investigations (HSI) Baltimore, U.S. Department of State’s Diplomatic Security Service in Washington, D.C., and Baltimore Police Department were able to arrest and convict a cybercriminal who had stolen over $1.5 million (USD) through a series of BEC scams.
3. False-Invoice schemes
In this instance, attackers pose as a company supplier and request fund transfers to fraudulent accounts. Some cybercriminals invert this attack: the adversary instead poses as a company submitting or requesting a bid. For example, in March 2024, Bleeping Computer reported that threat actors were using BEC attacks to pose as government entities such as the U.S. Department of Transportation, the U.S. Department of Agriculture (USDA), and the U.S. Small Business Administration (SBA), inviting targets to click a link to begin the bidding process. The PDF attachments in these emails include QR codes that lead to spoofed, official-looking phishing websites.
4. Attorney impersonation
In this attack, a cybercriminal will impersonate a lawyer or legal representative. Lower-level employees are commonly targeted through these types of BEC attacks. In one recent example, a Paris real estate developer was targeted by threat actors impersonating lawyers of an established French accounting firm, requesting the urgent, immediate transfer of a large sum of money. Over a matter of days, they were able to steal nearly €38 million.
5. Data theft
In these attacks, threat actors pose as someone with access to personal or sensitive information and request copies of it, or access to it, from another employee. HR employees are common targets, as are CEOs and executives. The stolen data can then be leveraged for future attacks such as phishing, fraud, or ransomware.
6. Product Theft
An attacker, imitating a customer, will trick an organisation into selling (and shipping) a large quantity of product on credit.
How To Defend Against Business Email Compromise
It can be difficult for organisations to defend against BEC attacks, which is one of the reasons this kind of incident is so common. The rise of digital transactions, email correspondence, and supply chains involving third parties means that not only are attack surfaces sprawling outwards, but there are also more accounts for threat actors to gain access to and use for nefarious means.
The needed defences are multi-faceted; no single tool or single focus is enough. While every organisation has different security and business goals and exists at a different maturity level, implementing the following steps is the best defence against this common and costly attack.
1. Utilise access controls such as MFA
BEC attacks start with access. While a threat actor may already have stolen credentials, or may gain access through credential harvesting, having secondary access controls such as phishing-resistant MFA can stop the attack before it begins.
2. Follow identity and access management (IAM) best practices
In addition to MFA, ensuring that your organisation’s identity and access structure is secure at every point can prevent credential theft (a root cause of BEC), as well as unauthorised access to important assets or communications that may help a BEC attack succeed. Additionally, it’s important to ensure your identity sources are monitored for unusual or unauthorised behaviour that could indicate an incident is in progress.
3. Implement security awareness training with BEC simulations
Because human risk accounts for 99.2% of root causes of BEC attacks, reducing that risk is paramount to preventing this kind of attack. Strong security awareness training that utilises micro-learning, up-to-date information, and simulations of business email compromise can help harden your human attack surface.
4. Employ a monitoring platform that integrates with your email security
A major issue in modern cybersecurity is that organisations rely on too many siloed tools. Because BEC attacks often evade traditional security tools, organisations need monitoring software that ingests and correlates data from different parts of the environment, works with email providers, and can alert the organisation quickly to unusual activity. Better still is a monitoring platform that integrates easily with your existing email security software for advanced threat correlation, threat detection, alert prioritisation, and more.
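As an added illustration of the cross-source correlation this step and step 2 describe (example code written for this page, not part of the original article or of any Arctic Wolf product), the Python below joins constructed identity sign-in events with constructed outbound-mail events for the same accounts: a sign-in from a country never seen for that account, followed within a few hours by mail to an external domain using payment language, raises an alert. The field names, the per-account baseline and the keyword list are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): identity sign-in events and
# outbound mail events, as a platform ingesting both sources might hold them.
SIGNINS = [
    {"user": "a.finance@example.org", "ts": "2024-03-04T08:02:00", "country": "US"},
    {"user": "a.finance@example.org", "ts": "2024-03-04T13:41:00", "country": "XX"},  # XX: constructed, unseen
    {"user": "b.ops@example.org", "ts": "2024-03-04T09:15:00", "country": "US"},
]
OUTBOUND_MAIL = [
    {"user": "a.finance@example.org", "ts": "2024-03-04T14:05:00",
     "to": "ap@partner-charity.test", "subject": "Urgent: updated bank details for grant payment"},
    {"user": "b.ops@example.org", "ts": "2024-03-04T10:00:00",
     "to": "team@example.org", "subject": "Lunch menu"},
]
# Assumed baseline: countries each account has historically signed in from.
BASELINE_COUNTRIES = {"a.finance@example.org": {"US"}, "b.ops@example.org": {"US"}}
INTERNAL_DOMAIN = "example.org"
# Assumed payment-change vocabulary typical of funds-transfer requests.
PAYMENT_TERMS = ("bank details", "wire", "invoice", "payment", "urgent")
WINDOW = timedelta(hours=4)


def _ts(s):
    return datetime.fromisoformat(s)


def correlate_bec(signins, mail, baseline, window=WINDOW):
    """Flag accounts where a sign-in from a country absent from the account's
    baseline is followed, within `window`, by outbound mail to an external
    domain whose subject uses payment language. Returns a list of alerts."""
    alerts = []
    for s in signins:
        if s["country"] in baseline.get(s["user"], set()):
            continue  # location matches the account's history: no identity anomaly
        t0 = _ts(s["ts"])
        for m in mail:
            if m["user"] != s["user"]:
                continue
            t1 = _ts(m["ts"])
            if not (t0 <= t1 <= t0 + window):
                continue  # mail not sent after the anomalous sign-in within the window
            if m["to"].rsplit("@", 1)[-1].lower() == INTERNAL_DOMAIN:
                continue  # internal recipient: not the external funds-request pattern
            hits = [k for k in PAYMENT_TERMS if k in m["subject"].lower()]
            if hits:
                alerts.append({"user": s["user"], "signin_country": s["country"],
                               "recipient": m["to"], "terms": hits})
    return alerts


if __name__ == "__main__":
    for a in correlate_bec(SIGNINS, OUTBOUND_MAIL, BASELINE_COUNTRIES):
        print("ALERT possible BEC:", a)
```

Either signal on its own (an unfamiliar sign-in location, or a payment-related email to a partner) is routine noise in most organisations; it is the ordered combination within a short window that the alert keys on, which is why the two data sources need to land in one place.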