BEC (Business Email Compromise)

Definition

Business Email Compromise (BEC) is a sophisticated fraud technique where attackers compromise or impersonate a business email account to trick employees into executing financial transactions or sharing sensitive information. The FBI IC3 Report 2023 documents over $2.9 billion in BEC-related losses in the US alone.

How does BEC work?

BEC attacks require no malware: they exploit human trust and business processes. The attacker gains email access via phishing or credential stuffing, or registers a look-alike domain (typosquatting). From the compromised or impersonated account, the attacker sends convincing emails to employees who can execute financial transactions.

Types of BEC fraud

CEO fraud: attackers impersonate executives requesting urgent transfers.
Invoice fraud: attackers modify bank details on legitimate invoices.
Vendor impersonation: attackers pose as suppliers reporting changed bank details.
Attorney impersonation: attackers pose as lawyers in confidential matters.
Payroll redirect: attackers report changed salary details to HR.

Impact on organisations

BEC is one of the most financially damaging forms of cybercrime. Average damage per successful incident amounts to hundreds of thousands of euros. Because BEC involves no malware, technical security solutions do not always detect these attacks. NIS2 requires adequate protection against social engineering.

Protection

Implement verification procedures for all financial transactions via a second channel (phone).
Train employees to recognise BEC indicators.
Configure strict DMARC to prevent domain impersonation.
Monitor email rules for suspicious forwarding.
Implement approval workflows for large payments.
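The "strict DMARC" recommendation above can be checked mechanically. The following is an added example, not DEFION's code: it parses a domain's DMARC TXT record and flags settings that still let spoofed mail through (a policy other than reject, a weaker subdomain policy, partial enforcement via pct, or no aggregate reporting). The domain names and records are constructed for illustration.

```python
from typing import Dict, List

# Constructed sample DMARC TXT records (hypothetical domains, not real lookups).
SAMPLE_RECORDS = {
    "example-weak.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-weak.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "example-strict.test": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                            "rua=mailto:dmarc@example-strict.test; adkim=s; aspf=s"),
}


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tag=value pairs with lower-cased tags."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> List[str]:
    """Return the weaknesses that leave a domain open to impersonation.

    An empty list means the record enforces the strict policy the text asks for.
    """
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record (missing v=DMARC1)"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy != "reject":
        findings.append(f"policy p={policy or 'missing'} does not reject spoofed mail")
    # sp defaults to p; an explicit weaker subdomain policy is a separate gap.
    subdomain_policy = tags.get("sp", policy)
    if subdomain_policy != "reject":
        findings.append(f"subdomain policy sp={subdomain_policy} is weaker than reject")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua aggregate reporting address: abuse goes unseen")
    return findings


def assess_all(records: Dict[str, str] = SAMPLE_RECORDS) -> Dict[str, List[str]]:
    """Assess every record and map each domain to its list of findings."""
    return {domain: dmarc_findings(rec) for domain, rec in records.items()}
```

In practice the record comes from a DNS TXT lookup of `_dmarc.<domain>`; the functions above take the record string so the check runs offline.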

How DEFION helps

DEFION tests BEC resilience as part of phishing simulations and Social Engineering Assessments. The Email Risk Assessment evaluates how vulnerable the organisation is to email-based fraud.

Related terms

Phishing
Spear Phishing
MFA (Multi-Factor Authentication)