BEC | BECause you need to know about Business Email Compromise

Max Harper
13.09.23 12:42 PM Comment(s)

Business Email Compromise is super tricky for your users and security solutions to spot... Here's what you need to know.

What is BEC?

Business Email Compromise, or 'BEC', is a form of phishing /spear phishing attack where a criminal attempts to trick someone into sending money or divulging sensitive information. Unlike standard phishing emails that are sent out indiscriminately to millions of people, BEC attacks are crafted to appeal to specific individuals.

"There's a phish out there for everyone."

BEC in numbers...

77% of organisations faced business email compromise (BEC) attacks in 2021 - up 18% on the previous year - with UK based organisations being heavily targeted. . Source: Proofpoint.

Over 6,000 businesses are targeted with BEC attacks each month. UK Finance recorded over 122,000 instances of this scam in 2019, which cost UK businesses gross losses of £455.8 million Source: Egress.

The FBI reported nearly $2.4 billion in victim loss to BEC scams in 2021, which is 49x as much as the losses from ransomware (as reported to the FBI - $49.2 million), but more than a third of the total cost of cybercrime ($6.9 billion). Source: FBI Internet Crime Report 2021.

How does a BEC attack happen?

BEC attacks capitalise on human pyschology, using social engineering techniques rather than a malicious payload such as a dangerous link or attachment.

Often, impostors will pose as a manager or member of the c-suite to email potential victims with an 'urgent' request. This usually involves sending money via wire transfer, which is difficult to trace and recover.

What to expect when you're expecting... BEC.

Here are some of the most common signs that you're being scammed:

1. Bizarre requests from senior leaders: Many people reply quickly to an email that's come from a manager or member of the c-suite.  The boss is messaging - quick, I need to go back! However, it's important to take the time to consider their request... Does it seem odd? If they're asking you to transfer money or provide confidential information, treat the email with caution.

2. Attempts to sidestep normal channels: Your business likely has a system for processing all payments, regardless of their urgency. Imposters will try to bypass this step. For example, if they're asking for money, they may claim that it needs to be wired over immediately. We heard a real-world example recently from a customer where a BEC attempt sent an email asking them to message over WhatsApp. The target was then asked to get the company credit card and buy a load of gift vouchers and send over the codes - stat!

3. Confidentiality requests: Emails of this nature are often designed to try incite panic. As such, recipients may not take the time to verify the request. However, if the sender is specifically asking you to keep these messages to yourself and only communicate via a certain method, you're probably being scammed.

4. Huh? This doesn't sound like them: Take a close look at the main body of the email. Does it sound like it's come from the alleged sender? For example, it may be in broken English, despite the sender being a native speaker (we'll cover this more in one of the sections below!). Or, they usually greet me with 'Hey' not 'Greetings'.

5. 'Reply To' addresses that don't match the sender address: The impostor's 'Reply to' email address may not be the same as the one it's come from. Sometimes this is hard to spot because they regularly use lookalike domains to fool recipients. e.g an extra character instead of or instead of

Why do security solutions struggle to detect BEC?

If someone in your supply chain has experienced business email compromise and the imposter is using their email account to message you with an urgent request... Your Secure Email Gateway and Anti-Virus will 1. recognise the history between what normally is a trusted sender and 2. scan for links and/or attachments. If there isn't any because they're requesting for i.e a payment to be made. It goes undetected and responsibility falls to your 8th security layer - the user.

How are language model tools and AI changing the game for cyber criminals?

Instead of answering this one ourselves, we thought we'd ask ChatGPT for it's response.

Real-world Examples

Source: Sophos article: Artificial intelligence now a match for natural ignorance

Here is a lure from a BEC scammer trying to redirect someone's paycheque to the attacker's account. On the top is the original handwritten lure from the attacker, on the bottom is one Sophos asked ChatGPT to write:

Another example... Top message again is from a real scammer, the bottom from ChatGPT:

Are these perfect? No. Are these enough? Probably.

It's time to reset our expectations with traditional end-user awareness training

Let's take a look at the main areas we preach during end-user awareness training and how that would be able to help a user (providing they remember) be able to spot and mitigate the risk of falling victim to a BEC attack...

"Have you checked if there is a dodgy link?" 
User: No, there isn't one.
SEG: Yes, there isn't it one.

"Have you checked if there is a dodgy attachment?"
User: No, there isn't one.
SEG: Yes, there isn't it one.

"Has the email been sent in broken English?"
User: No, looks pretty good to me.
SEG: Nothing triggering for me.

"Have you checked if the sender is really them?"
User: Yes, it's their email address.
SEG: Yes, there's a historic relationship with this recipient.

"How much money did you send?"
User: A lot.
SEG: Nothing to do with me.

So, what can we do? Cyber criminals are forever changing their approaches... it's time we do too!

Introducing the Integrated Cloud Email Security (ICES) layer. The term was first coined in the Gartner 2021 Market Guide for Email Security. ICES solutions were introduced as a new category, and positioned as the best defence against the dark arts advanced phishing threats that evade traditional email controls.

You may be thinking... Shouldn't my Secure Email Gateway do that? While a SEG might be able to detect known threats, an ICES solution takes this to the next level. SEGS can scan links and attachments for malware, but an ICES email security solution uses a variety of advanced detection techniques, including *Natural Language Processing (NLP), **Machine learning, Social Graph Analysis (patterns of email communication), and image recognition.

Findings in IBM's Cost of a Breach Report showed that organisations with AI-based security solutions — such as ICES — experienced a significant reduction in data breach costs, cutting breach costs from $6.71m to $2.90m.

*Machine learning
Contextual machine learning allows a tool to understand user's behaviour in real-time. That includes the message's content, the sender's typical behaviour, their location, and when they're communicating with recipients. That allows the ICES product to spot suspicious activity outside the expected behaviour of a user and their recipients. 

**Natural Language Processing
NLP turns language into actionable data. Attackers often use it to find out sensitive information about a target to launch a spear-phishing attack. That's why it's also an important tool in preventing these types of attacks. An ICES solution that uses NLP can understand the context of an email or attachment as a human would and take action accordingly.

It's saved our bacon!

If you'd like to learn how an ICES layer was able to help save our users from falling victim a BEC attack - you can where we've broken down a full timeline of the attack. 

Alternatively, speak with the team about our free email security assessment and learn if your organisation would benefit from the extra visibility and enhanced email SecOps that an ICES layer provides and the benefit it can have for your users.

Interested to learn how Spear Shield and their customers are able to spot sophisticated phishing attacks that are able to slip through the net? 

Spear Shield are currently running a FREE Email security assessment that can help you identify:

  • Total number of Dangerous and Suspicious emails detected landing into employees inboxes throughout the engagement
  • Insight into the top types of phishing emails your organisation is receiving
  • Insight into the top types of payloads being used in the phishing emails your organisation is receiving
  • Insight into your Supply Chain Health (DMARC status of inbound emails)
  • Insight if there are live phishing attacks sat in employees inboxes that can be remediated together
  • Phishing Simulation results (with and without an ICES solution implemented)
  • Previous caught user analysis breakdown
  • Insight into how many users were stopped in their tracks at the link advisory page
  • Insight into the reporting heroes in your organisation
  • Insight into what device type your employees are engaging business emails on. (mobile, PC, both)
  • Consultative recommendations for security best practice

If you'd like to learn more, you can visit or contact the team today:

01473 948980

About Spear Shield

Here at Spear Shield, we are continuing to invest in our goal to create one of the most cyber-secure client communities in Suffolk, East Anglia and across the UK.

Our approach is to work closely with IT teams and business leaders to help identify cyber risk, understand core business drivers and challenge the conventional approaches to legacy cybersecurity strategies to enable our customers to exceed their cybersecurity goals.

Spear Shield has a portfolio of award-winning cybersecurity solutions and services that we align to enable our customers to be able to solve even the most complex and advanced cybersecurity challenges.

The team at Spear Shield specialises in:
- Mitigating the risk of social engineering attacks and human-activated cyber risk
- Real-time asset discovery, device security and compliance
- 24/7 Managed Threat Hunting and proactive Incident Response

If you would like to learn why organisations are choosing to secure with Spear Shield, please do contact a member of the team to arrange a confidential conversation today.

The team has several year's experience working within both the private and public sector, have a very consultative approach and would welcome the opportunity to learn more about your organisation.

Max Harper