Understanding Business Email Compromise Attacks

Stephanie Gray
August 7, 2018



Business Email Compromise (BEC) attacks are cyber security attacks that couple sophisticated social engineering with phishing emails, with the intent of defrauding an organisation. The basic premise, the simple act of deception, has been around for a long time. BEC attacks, however, are relatively new, and they are certainly a business threat that can’t be ignored. The combination of trust, authority and familiarity is resulting in billion-dollar losses. The FBI has calculated, based on the BEC attacks it is aware of, that between October 2013 and May 2018 there were $12.5 billion in global losses.

BEC attacks happen when an organisation’s email is infiltrated using methods that rely on identity deception. BEC attacks often go undetected because they carry no detectable payload such as a malicious URL or attachment. The attack takes place when a colleague or a trusted person is impersonated via email and the recipient is asked to make a payment or share sensitive data. Because the attack arrives as a forged invoice, from a compromised account of an actual employee, or from a fake email address, it can look incredibly realistic.


BEC attacks happen when hackers manage to infiltrate the ranks of a business to a level that enables them to impersonate a trusted source. There are three main phases to a BEC attack:

  1. Business infiltration – cyber attackers launch BEC attacks by first carefully researching their victims. Attackers use phishing techniques, potentially abusing frequently used websites, to harvest employee account credentials. This research phase allows attackers to gain an understanding of the organisation and its employees and to gain access to its mail servers.
  2. Social engineering – this phase is about surveillance of the target, often top executives. Cyber attackers research payment processes and vendors and sift through previous emails. Scammers take weeks to analyse an organisation, building up a profile of its employees and their interactions that can be mimicked.
  3. Impersonation – the attackers craft legitimate-looking email addresses to impersonate a trusted source, be it a vendor, an employee or the company’s CEO. Emails are often sent to junior staff and demand wire transfers or sensitive data. The emails are typically urgent and, to make them look more legitimate, often include paperwork found during the research phase.

There are three principal techniques that attackers use to impersonate trusted sources: spoofing, look-alike domains and display name deception. Spoofing is the falsification of an email header, including the sender’s name and email address, as well as the formatting of the message itself, so that it appears to come from a legitimate source. The attacker inserts these forged emails directly into the mail stream with forged delivery paths. Look-alike domains are deceptive-looking domains that are under the control of the attacker; these domains are designed to resemble the domain of the impersonated organisation. In display name deception, the attacker uses a free webmail account and changes the display name to match the impersonated individual or organisation. Recent research from our partner, Agari, showed that 82% of BEC attackers use display name deception to impersonate a trusted party, and do so without being detected by secure email gateways.
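The three impersonation techniques above leave different traces in message headers, and each can be checked on inbound mail. The following is an added example (not code from the original post or from Infotrust or Agari) that flags each technique from parsed headers; the organisation domain, the protected display name directory and the sample messages are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed values for this example: the protected organisation's domain and
# the display names (with their real addresses) that attackers would imitate.
ORG_DOMAIN = "example.com"
PROTECTED_NAMES = {"jane doe": "jane.doe@example.com"}

def _domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def looks_like(domain, target=ORG_DOMAIN, threshold=0.8):
    """Look-alike check: domain resembles target (e.g. one swapped character) but is not target."""
    if not domain or domain == target:
        return False
    # Compare the leftmost label only, so 'examp1e.com' is scored against 'example'.
    return SequenceMatcher(None, domain.split(".")[0], target.split(".")[0]).ratio() >= threshold

def classify(raw):
    """Return the set of BEC impersonation indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(addr)
    findings = set()
    # Display name deception: a protected name shown on an address that is not its real one.
    expected = PROTECTED_NAMES.get(re.sub(r"[^a-z ]", "", name.lower()).strip())
    if expected and addr.lower() != expected:
        findings.add("display-name-deception")
    # Look-alike domain: controlled by someone else but visually close to ours.
    if looks_like(from_domain):
        findings.add("look-alike-domain")
    # Header spoofing: From claims our domain, but the envelope sender (Return-Path) does not.
    return_path_domain = _domain_of(parseaddr(msg.get("Return-Path", ""))[1])
    if from_domain == ORG_DOMAIN and return_path_domain and return_path_domain != ORG_DOMAIN:
        findings.add("header-spoofing")
    return findings

# Constructed sample messages: one per technique plus a legitimate internal mail.
SAMPLES = {
    "display_name": "From: Jane Doe <jane.doe@gmail.com>\nTo: ap@example.com\nSubject: Urgent wire\n\nPlease pay the attached invoice today.\n",
    "look_alike": "From: Accounts <ap@examp1e.com>\nTo: ap@example.com\nSubject: Updated bank details\n\nOur account number has changed.\n",
    "spoofed": "Return-Path: <bounce@mailer.example.net>\nFrom: Jane Doe <jane.doe@example.com>\nTo: ap@example.com\nSubject: Quick favour\n\nAre you at your desk?\n",
    "legitimate": "From: Jane Doe <jane.doe@example.com>\nTo: ap@example.com\nSubject: Lunch\n\nNoon?\n",
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:13} -> {sorted(classify(raw)) or ['clean']}")
```

In production the Return-Path comparison would be replaced by proper SPF/DKIM/DMARC evaluation, and the look-alike check would be run against every domain the organisation legitimately corresponds with, not only its own.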


Over the past few years, BEC attacks have become commonplace and are growing in frequency. In fact, although less extravagant than the super-hacks we see in the media, BEC attacks account for the highest number of victims and the largest direct losses to businesses. Agari’s research found that 96% of the organisations analysed received at least one BEC attack in the second half of 2017. Due to their relative simplicity and success rate, BEC attacks are a risk that will continue to escalate, and so will the losses to businesses. BEC attacks do not discriminate based on industry, size or existing security and, as such, are a critical issue for all businesses, everywhere. Attacks can range from simple display name attacks to multi-level campaigns against global organisations that use a combination of techniques. Anyone can fall victim merely by following poor online security etiquette while performing fairly basic online transactions. In fact, small businesses are an easy target, as one person is often responsible for multiple transactions and there are likely to be fewer security protocols. Combatting BEC requires more than infrastructure and robust security: organisations need to be educated and the workforce security-aware.

Contact Infotrust today on +61 2 9221 5555 to find out how we can help your organisation mature your security posture against these types of threats.