Business Email Compromise Time to detect: 19 minutes
Join us for our latest real-world incident timeline launch as we walk you through an email account takeover involving a customer in the manufacturing industry, and how the Arctic Wolf team detected the attacker in only 19 minutes, with the dedicated team of security experts investigating and alerting the customer in less than 10 minutes.
12:57
Source: Adversary
5:23 am
Attack begins on [CUSTOMER] with attacker leveraging previously stolen [USER 01] credentials acquired via phishing email. Attacker pushes a Duo multi-factor authentication (MFA) request to [USER 01]. Not aware of the consequences, [USER 01] accepts the Duo MFA push from attacker.
The attacker uses the successful login to establish ActiveSync with [USER 01]'s mailbox.
The impact of email account takeover
Organisations rely on email to conduct business, communicate, share information and set meetings on a daily basis. Business email compromise (BEC) is an unsettlingly common attack method and can have a huge impact on your business.
12:58
Source: Duo
5:23 am
The Arctic Wolf Aurora™ Platform logs MFA successful for [USER 01] with Duo as the source.
83% of organisations experienced at least one instance of account takeover in the past year.
13:16
Attacker Active
Attacker opens existing calendar event for “Best Practices Training” and updates with their own information.
Attacker begins adding forward and delete rules to [USER 01] inbox.
13:16
Active: Office 365 Logs
13:18 | Following Investigation
Investigation Begins
The Arctic Wolf Triage Team begins investigation into [USER 01] activity.
13:22
Ongoing Investigation
Attacker's Access
An attacker uploads phishing PDFs to OneDrive with the intent to disseminate emails to recipients of calendar invitations.
13:25
Begin Escalation
The Arctic Wolf Triage Team investigates and alerts [CUSTOMER] that [USER 01] has been compromised.
Arctic Wolf recommends that [CUSTOMER] disable the account and force a reset of credentials.
Begin Post-Incident Zone
13:25
Remediation
[CUSTOMER] confirms that [USER 01] has been compromised and proceeds to disable the account.
The Arctic Wolf Concierge Security® Team works with the customer to examine log data for any customer users accessing phishing PDF. CST confirms remediation occurred before any users accessed the PDF. CST assists customer in remediating actions taken by the adversary.
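As an added illustration (not part of this page or of Arctic Wolf's tooling), the following detection logic flags the kind of forward and delete inbox rules the attacker added at 13:16, run over constructed Office 365 audit records. The record shape follows the unified audit log's inbox-rule events; the tenant domain `example.com`, the sample users, timestamps and recipient addresses are assumptions.

```python
from datetime import datetime

# Constructed sample records, modelled on the shape of Office 365 unified
# audit log entries for Exchange inbox-rule cmdlets. Not real customer data.
SAMPLE_LOG = [
    {"CreationTime": "2024-05-02T13:16:02", "Operation": "New-InboxRule",
     "UserId": "user01@example.com", "Parameters": [
         {"Name": "Name", "Value": "Invoices"},
         {"Name": "ForwardTo", "Value": "collector@attacker.example"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2024-05-02T13:16:40", "Operation": "Set-InboxRule",
     "UserId": "user01@example.com", "Parameters": [
         {"Name": "Identity", "Value": "Invoices"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"}]},
    {"CreationTime": "2024-05-02T09:02:11", "Operation": "New-InboxRule",
     "UserId": "user02@example.com", "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "MoveToFolder", "Value": "Reading"}]},
]

INTERNAL_DOMAINS = {"example.com"}   # assumption: the tenant's own mail domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# folders a victim rarely reads, so redirected mail goes unnoticed
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "archive", "junk email", "deleted items"}

def _is_external(address):
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def rule_findings(record):
    """Reasons an inbox-rule audit event looks like BEC persistence (empty if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = {x["Name"]: x["Value"] for x in record.get("Parameters", [])}
    reasons = []
    for name in p.keys() & FORWARD_PARAMS:
        # a forwarding parameter may list several ';'-separated recipients
        if any(_is_external(t.strip()) for t in p[name].split(";") if t.strip()):
            reasons.append(f"{name} to external recipient")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage hides incoming mail")
    if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"MoveToFolder '{p['MoveToFolder']}' hides incoming mail")
    return reasons

def triage(records):
    """Suspicious rule events as (user, time, operation, reasons), oldest first."""
    hits = [(r["UserId"], datetime.fromisoformat(r["CreationTime"]),
             r["Operation"], rule_findings(r)) for r in records]
    return sorted((h for h in hits if h[3]), key=lambda h: h[1])
```

Both of [USER 01]'s rule changes are surfaced while the benign newsletter rule is not; in practice the same check would be paired with the MFA and ActiveSync events from the timeline to shorten time to escalation.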
Security journey with our concierge security team
The Arctic Wolf Concierge Security® Team supports your team with coverage, operational security expertise, and strategically tailored recommendations to continually enhance your overall security posture.
Real-World Examples
BEC Fraud Comes In Many Forms
In the example above, credentials were stolen via phishing email. Do you think you or your company’s employees could identify the various types of email compromise methods that have been used in different attacks?
Account Compromise
In this classic form (which also gives rise to the BEC synonym email account compromise, or EAC), rather than simply masquerading as a trusted email account, an attacker gains access to an entire legitimate email account and uses it to carry out the scam by sending and replying to emails from the hijacked account, sometimes using filtering rules and other techniques to prevent the real account holder from noticing the activity.
Data Theft
An attacker targets HR and finance employees to obtain personal or sensitive information about individuals within the company, such as CEOs and executives. This data can then be leveraged to enable future cyber attacks.
In rarer instances, an attacker masquerading as a customer or vendor may ask a recipient (e.g., in a legal or technical role) to send intellectual property or other sensitive or proprietary information.
CEO/Executive Fraud
An attacker masquerading as the CEO or another senior executive within an organisation emails an individual with the authority to transfer funds, requesting a transfer to an account controlled by the attacker.
Attorney Impersonation
An attacker impersonates a lawyer or legal representative for the company and emails an employee requesting funds or sensitive data. Junior employees are commonly targeted through these types of BEC attacks.
Product Theft
A relatively new twist, in which an attacker imitating a customer tricks an organisation into selling (and shipping) a large quantity of product on credit.
False-Invoice Scheme
An attacker posing as a known vendor or supplier emails an individual with the authority to transfer funds, requesting a transfer to an account controlled by the attacker.
As of March 2025, there's been a 30% increase in BEC attacks.
In the new normal of hybrid working environments, account takeover risk is more serious than ever.
