What is business email compromise (BEC)?

Aaron Goldstein
February 29, 2024

BEC is a sophisticated type of attack that targets organizations through email. Attackers impersonate trusted individuals within your company, like executives, vendors, or colleagues, to manipulate employees into actions that benefit the attacker. BEC is one of the most prominent attack vectors around today, and it continues to increase year-over-year.    

The facts on BEC:

  • Human errors account for approximately 74% of all security breaches
  • Social engineering attacks capitalize on these human errors, and they now comprise 50% of all security incidents
  • More than 50% of social engineering attacks, such as pretexting, phishing and credential thefts, are related to BEC  
  • The median amount stolen from these attacks has also increased over the last couple of years, from $40,000 to $50,000


BEC attack frequency doubled in 2023, and it is expected to increase again this year, largely due to the massive ROI it promises cybercriminals.  According to FBI data, the average cost of a successful business email compromise attack is more than $125,000.  

Organizations need to be prepared with a high level of security awareness and strong security programs to defend against this pervasive threat. In this blog, we’ll explore more about how BEC attacks work and how you can implement best practices to ensure your organization is safe.  

How does a BEC attack work?

BEC attacks utilize a complex web of social engineering and impersonation to achieve their goals. Here's a breakdown of how they typically work:

Phase one: research and planning

  1. Target selection: Attackers research the organization, identifying key personnel (CEO, CFO, HR) and their communication patterns.  
  1. Information gathering: They collect details like email addresses, titles, ongoing projects, and internal protocols through social media, data leaks, or even malware infections.
  1. Spoofing preparation: Attackers create email accounts with similar names or domains to legitimate ones, mimicking the targeted individual's email address.

Phase two: impersonation and manipulation

  1. Initiating contact: The attacker sends emails using the spoofed email address, impersonating the chosen target and mimicking their writing style.
  1. Building trust: They leverage research to personalize the email, mentioning specific projects, colleagues, or deadlines to establish credibility.
  1. Creating urgency: The attacker fabricates a scenario requiring immediate action, like a confidential payment, urgent change in bank details, or sensitive information request.
  1. Exploiting emotions: They use pressure tactics like fear of losing a deal, job security concerns, or appeals to authority to manipulate the victim into complying.

Phase three: execution and exploitation

  1. Compromising the victim: If the victim falls prey to the manipulation, they might authorize a fraudulent payment, share sensitive data, or unknowingly change financial details to attacker-controlled accounts.
  1. Extracting funds or information: The attacker quickly diverts the funds or utilizes the stolen information for further attacks.

BEC attacks are constantly evolving, so staying informed and implementing security measures like multi-factor authentication, employee training, and email verification protocols are crucial for protecting your organization.

Recent BEC attacks:

  • CEO fraud: Impersonating the CEO to request urgent payments or changes to financial processes.
  • Account compromise: Hacking into a legitimate email account within the organization and using it for fraudulent activities.
  • Fake vendor scam: Impersonating a vendor to request payment to a fraudulent account.
  • W-2 phishing: Targeting employees for personally identifiable information (PII) like Social Security numbers.

Key differences between BEC and phishing  

Both BEC and phishing attacks involve email deception aiming to steal money or information, but they have key differences:


  • BEC: Targets specific individuals within organizations, aiming for high-value transactions or sensitive data.
  • Phishing: Targets a wider audience with generic emails, aiming for broad credential harvesting or malware infection.


  • BEC: Uses social engineering, impersonation, and careful research to create highly personalized and believable emails.
  • Phishing: Often relies on generic emails with urgency, fear, or curiosity triggers, sometimes using malware or malicious links.


  • BEC: Requires significant research and planning, making each attack unique and difficult to detect.
  • Phishing: Can be automated and sent in bulk, sometimes making them easier to identify and block.


  • BEC: Can result in significant financial losses and data breaches, impacting the entire organization.
  • Phishing: Can steal individual credentials or infect devices, but the impact on the organization is often less severe.

How to defend against BEC attacks  

BEC attacks can have devasting impacts to an organization, but proactive measures will strengthen your defenses and make your company much harder to target. A few ways to protect against BEC include:  

1. Cultivate a security-first culture

Employees are your first line of defense against BEC attacks, which is why it’s critical that they’re trained to identify common red flags in emails like spoofed email addresses, urgency tactics, and requests for sensitive information. Regularly test employees with simulated phishing attacks to reinforce training and identify areas needing improvement.

2. Be proactive

Regularly review and update security measures, including employee training, technology solutions, and incident response plans, to stay ahead of evolving attack tactics.

3. Prioritize strong security

Consider implementing Security Information and Event Management (SIEM) and Managed Detection and Response (MDR) solutions to gain broader visibility into network activity and potential threats, allowing for faster detection and response to BEC attempts.  

Multi-factor authentication (MFA) on all accounts is also critical, adding an extra layer of security beyond passwords. This process makes it harder for attackers to gain access, even if they obtain login credentials.  

How Todyl protects against BEC  

BEC attacks are more prevalent than ever, which is why it’s crucial that companies implement strong security programs to combat threat actor’s evolving techniques.  

Todyl’s SIEM identifies suspicious activity on systems, apps, and infrastructure such as unusual login attempts and impossible travel. This also alerts our Managed eXtended Detection and Response (MXDR) team, allowing them to further investigate potential BEC attempts.  

The MXDR team distinguishes genuine threats from false positives and recommends appropriate action such as disabling compromised accounts. This combined approach improves the chances of identifying and stopping BEC attacks before significant damage occurs.

Read how Todyl’s MXDR team jumped in to help a partner after they fell victim to a BEC attack.

Stay up to date

Subscribe to receive the latest insights, news, and updates from Todyl.

Additional reading

Why I Joined Todyl: Spotlight on David Dewey
How Todyl addresses the "Pandemic 11"
Understanding AMSI bypass techniques

Todyl updates

Sign-up to get the latest from Todyl sent straight to your inbox.