eastbaycyber

Business Email Compromise (BEC): Definition, How It Works, and What to Do

Glossary 7 min read
EC
East Bay Cyber Editorial Team Reviewed 2026-05-16
Definition

Business Email Compromise (BEC) is a form of targeted social-engineering fraud where attackers impersonate a trusted sender (often an executive, vendor, or employee) to trick recipients into sending funds, changing payment details, or disclosing sensitive information. Unlike generic phishing, BEC typically uses realistic context and timing tied to actual business processes.

Business email compromise (BEC) is targeted email fraud that exploits trust and routine workflows (payments, payroll, vendor management) to steal money or sensitive data. Because BEC often looks like “normal business,” it can bypass both human skepticism and basic email filtering.

How BEC works (attack chain)

BEC succeeds by combining three things: (1) a believable identity, (2) a plausible request aligned to a business workflow, and (3) pressure to act quickly or quietly. Most BEC campaigns fall into two primary technical paths—spoofing/impersonation or account takeover (ATO)—with variations that target finance, HR, and operations.

1) Reconnaissance: learning your org’s “how”

Attackers often research: - Org charts, executives, and finance staff on LinkedIn and company sites - Vendor relationships via press releases, procurement portals, or breached data - Email formats (e.g., first.last@company.com) and signature blocks - Common terminology (“ACH,” “wire,” “net-30,” “change of banking details”)

This recon is why BEC emails can look “too normal” to trigger suspicion.

2) Initial access or identity abuse

Common approaches include:

A. Display-name impersonation (low effort, high success) - Email appears as “CEO Name random@gmail.com” - Relies on users focusing on the display name rather than the actual address

B. Domain spoofing / lookalike domains - Spoofing: forging the “From” domain when recipient systems don’t enforce SPF/DKIM/DMARC - Lookalike domain: registering c0mpany.com or company-payments.com to mimic legitimate senders

C. Account takeover (compromised mailbox) - Attacker steals credentials (often via phishing, password reuse, MFA fatigue, or OAuth consent abuse) - Sends from the real mailbox or sets up forwarding rules - Uses existing email threads to reply with payment-change instructions (“thread hijacking”)

Account takeover is especially dangerous because the email is authentically sent from the real domain and may pass authentication checks.

3) The ask: money or data, aligned to routine workflows

Typical BEC asks include: - Invoice fraud / vendor payment redirection: “We changed banks—send next payment to this new account.” - Executive wire request: “I need a wire sent now. I’m in a meeting—don’t call.” - Payroll diversion: “Update my direct deposit details.” - W-2 / employee PII theft: “Send me the employee tax forms / SSNs.” - Gift card scams: still common in smaller orgs, often targeting admins

The language usually emphasizes urgency, confidentiality, and authority—classic social-engineering levers.

4) Monetization and persistence

  • Funds are routed through mule accounts, sometimes quickly converted to other instruments
  • If a mailbox is compromised, attackers may create:
  • Inbox rules to hide replies from finance (“move all from AP to RSS”)
  • Forwarding to external addresses
  • Alternate sign-in methods (app passwords, malicious OAuth apps)

Where BEC appears most often (real-world scenarios)

BEC shows up where email-driven trust intersects with money movement or sensitive records. In practice, you’ll most often encounter it in these moments:

Payment lifecycle events (Accounts Payable / Procurement)

High-risk moments include: - New vendor onboarding (“here are our banking details”) - Bank account changes - Large or unusual invoices - End-of-quarter processing spikes

Operational tell: A “change request” arrives by email only, with no ticket, no prior notice, and a new bank account that doesn’t match historical records.

Executive requests that bypass normal processes

Common in SMBs where executives and finance staff work closely and move fast. Attackers exploit: - Travel schedules (publicly posted events) - Time zone mismatch (late-night urgency) - Informal approval norms (“Just do it and we’ll reconcile later”)

HR and payroll changes

BEC frequently targets: - Direct deposit updates - Employee data exports (PII) - Benefit enrollment information

Why it works: HR teams are used to handling sensitive personal data quickly and may treat requests as routine.

Organizations involved in escrow, legal settlements, or M&A are repeatedly targeted because: - Transactions are large - Parties are distributed across email threads - Timing pressure is intense

After a phishing wave or credential leak

If your organization experiences: - A surge in credential-phishing emails - Alerts about suspicious logins - Reports of “emails I didn’t send”

Assume BEC may follow—often within days—because attackers move quickly from access to monetization.

What to do if you suspect BEC (priority actions)

Immediate actions (first 15–60 minutes)

  1. Pause the transaction - If a payment is pending, stop it and escalate to finance leadership immediately.
  2. Verify out-of-band - Validate any payment/bank-detail change using a trusted channel (known phone number from vendor master data/internal directory—not the email signature).
  3. Contain possible account takeover - Reset password(s), revoke sessions/tokens, and disable suspicious OAuth app grants.
  4. Preserve evidence - Keep the email (headers intact), note timestamps, and document who received/sent what.

If money was sent

  • Contact your bank immediately and request a recall / fraud escalation (speed matters).
  • File appropriate reports based on your jurisdiction and internal policy (law enforcement, regulators, cyber insurance).
  • Start an internal incident process: scope impacted mailboxes, vendors, and payment workflows.

Technical notes: quick indicators to check (email + identity)

If you suspect BEC, verify both the message authenticity and mailbox integrity.

1) Look for mailbox forwarding/inbox rules (Microsoft 365)

Use Exchange Online PowerShell to check for suspicious rules and forwarding:

# List inbox rules that may hide or forward mail
Get-InboxRule -Mailbox user@domain.com | Format-List Name,Description,Enabled,RedirectTo,ForwardTo,DeleteMessage

# Check for SMTP forwarding
Get-Mailbox user@domain.com | Format-List ForwardingSmtpAddress,DeliverToMailboxAndForward

Red flags include rules that: - Move emails from finance/vendor domains to RSS/Archive - Auto-delete messages containing “wire,” “invoice,” “payment” - Forward all mail externally

2) Check sign-in activity (Microsoft Entra ID / Azure AD)

Look for: - Impossible travel (geo-velocity) - New devices or unfamiliar user agents - Legacy authentication attempts

Example query patterns to hunt for: - Multiple failed logins followed by a successful login from a new ASN/country - OAuth consent grants to unfamiliar apps shortly before suspicious emails

3) Validate SPF/DKIM/DMARC posture (domain-level)

BEC spoofing is easier when DMARC isn’t enforced.

At minimum: - SPF: restrict who can send on your behalf - DKIM: sign outbound mail - DMARC: enforce policy and get reports

A practical goal for many orgs is DMARC policy = quarantine or reject, once legitimate senders are aligned.

Prevention: controls that reduce BEC losses

Email and identity hardening

  • Enforce MFA (prefer phishing-resistant where possible) and block legacy auth.
  • Disable auto-forwarding to external domains (or tightly restrict it).
  • Turn on alerts for new inbox rules, forwarding changes, and anomalous sign-ins.

If you need 24/7 help investigating suspicious mailbox activity and coordinating response, consider a managed detection and response provider; see our glossary entry on MDR: what is mdr

Payment process controls (most effective)

  • Require two-person approval for new vendors and bank changes.
  • Use positive pay / payee validation where available.
  • Maintain a “trusted callback” directory for vendors and internal approvers.
  • Treat any “urgent” or “confidential” payment email as a verification trigger, not an approval.

Endpoint and business security basics (supporting controls)

BEC is email-driven, but compromised endpoints and reused passwords often enable account takeover.

  • Standardize endpoint protection and ensure telemetry is available to IR teams (guide: best antivirus for windows business endpoints 2026/).
  • Reduce password reuse and tighten shared access—finance and HR should use a business password manager. If you’re evaluating options, 1Password is a common fit for small teams: Try 1Password →.

Related terms

Phishing

Deceptive messages that trick users into clicking links, opening attachments, or sharing credentials. BEC is often more targeted and process-driven than mass phishing.

Spear phishing

Targeted phishing aimed at specific individuals or roles. BEC commonly uses spear-phishing techniques.

Email spoofing

Forging the “From” address/domain to appear as a trusted sender. Strong DMARC enforcement reduces this risk.

Lookalike domain (typosquatting)

Registering a domain similar to yours (e.g., swapped letters) to impersonate legitimate senders.

Account takeover (ATO)

When an attacker gains access to a real mailbox and uses it to send messages, read threads, and set rules/forwarding.

Invoice fraud / vendor fraud

BEC variant focused on redirecting payments by changing bank details or inserting fraudulent invoices.

Wire transfer fraud

BEC variant that pushes urgent wire/ACH transfers, often impersonating executives or vendors.

Social engineering

Manipulating people into taking actions that bypass controls. BEC is fundamentally social engineering with email as the delivery mechanism.

DMARC / SPF / DKIM

Email authentication standards that help prevent domain spoofing and improve detection/visibility.

Out-of-band verification

Confirming payment or bank-detail changes via a separate trusted channel (phone number from an internal directory, vendor master record, or contract—never the email signature).

Last verified: 2026-05-16

Disclaimer: This article may contain affiliate links. We earn a commission on qualifying purchases at no extra cost to you.