{
	"id": "4b19f400-0c90-44c6-9be1-fadeecba4593",
	"created_at": "2026-04-06T00:15:45.959631Z",
	"updated_at": "2026-04-10T03:20:37.327107Z",
	"deleted_at": null,
	"sha1_hash": "a576ac10ea5ff0483dbd0dd77d3113f608c326d0",
	"title": "Business Email Compromise (BEC)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 63829,
	"plain_text": "Business Email Compromise (BEC)\r\nArchived: 2026-04-05 13:25:46 UTC\r\nWhat is BEC?\r\nBusiness email compromise (BEC) is a cyberattack technique whereby adversaries assume the digital identity of\r\na trusted persona in an attempt to trick employees or customers into taking a desired action, such as making a\r\npayment or purchase, sharing data or divulging sensitive information.\r\nAccording to the FBI’s 2022 Congressional Report on BEC and Real Estate Wire Fraud, BEC is “one of the\r\nfastest growing, most financially damaging internet-enabled crimes.” In 2021, claimed losses exceeded $2.4\r\nbillion, a 566% increase since 2016, according to the Internet Crime Complaint Center (IC3). Cases of BEC are\r\nexpected to rise given the increase in remote work and, by extension, the ubiquity of digital communication\r\nchannels like email.\r\nEmail account compromise (EAC) vs BEC\r\nEmail Account Compromise (EAC) is a cyberattack technique in which hackers leverage a variety of methods,\r\nincluding social engineering, malware or password cracking tools, to compromise a legitimate email account.\r\nIn many cases the objectives of a BEC attacker and an EAC attacker are the same: They want to steal money, data or\r\nother sensitive information. However, the key difference is that in a BEC attack, the hacker is merely posing as a\r\ntrusted figure, such as a business executive, lawyer, or important vendor, usually via a spoofed email account.\r\nThat person then attempts to direct an employee or other person to take a given action, such as wiring funds to the\r\nattacker’s account.\r\nIn EAC attacks, however, the attacker breaches a legitimate email account and acts as the owner of that account.\r\nWith access to real credentials, the actor is able to conduct fraudulent activity and bypass multi-factor\r\nauthentication tools.\r\n5 types of BEC scams\r\nAccording to the FBI, there are five main types of BEC scams:\r\n1. 
Account compromise\r\nIn an account compromise, an employee’s email account is hacked and used as a vehicle for financial or data-related crimes. In most cases, the attacker will use the account to request payments on behalf of vendors; these\r\nfunds are then transferred to accounts owned or controlled by the attackers.\r\n2. Attorney impersonation\r\nhttps://www.crowdstrike.com/cybersecurity-101/business-email-compromise-bec/\r\nPage 1 of 5\n\nAn attorney impersonation attack typically targets newly hired or junior employees. In this attack, the hacker will\r\npose as a lawyer or legal team member and pressure or manipulate the employee into taking action, such as\r\nsending data or requesting a wire transfer. Because the request is typically framed as urgent, confidential or both,\r\nmany new or relatively inexperienced employees do not know how to validate the request and simply comply in\r\norder to avoid negative consequences.\r\n3. CEO fraud\r\nCEO fraud is similar to an attorney impersonation attack except in this case the attacker poses as the CEO. In most\r\ninstances, the attacker will target a member of the finance team, again claiming to need urgent support on a time-sensitive or confidential matter. In these events, the employee is goaded into transferring money into an account\r\ncontrolled by the attacker.\r\n4. Data theft\r\nBEC attackers can also target a company for data. In a data theft attack, the attacker will most commonly zero in\r\non HR or finance team members and attempt to steal personal information about the company’s employees or\r\ncustomers. This information can be sold on the dark web or used to inform and advance future attacks.\r\n5. Fake invoice scams\r\nIn a fake invoice scam, the attacker poses as a vendor and requests payment from an employee for a service. 
In\r\nmost cases, the attacker will present themselves as an actual vendor and edit an official vendor invoice template.\r\nHowever, the attacker will alter the account details so that funds will be transferred into an account owned by the\r\nhacker.\r\nHow does a BEC scam work?\r\nMost BEC scams follow the same process, though the identity assumed by the attacker and their targets will vary.\r\nPhase Description\r\n1. Identity Research\r\nA skilled BEC attacker conducts thorough research of their desired target and determines what\r\nidentity to assume relative to the action they want to inspire. For example, if the scammer is\r\nlooking for a quick score, they may simply create an email account that is very similar to the\r\ncompany’s CEO or other executive and request that an employee purchase and send them several\r\ndigital gift cards as a “bonus” for an internal team or sign of appreciation for a vendor. BEC\r\nscams can also be far more elaborate. For example, a hacker may pose as a new vendor, such\r\nas a payroll provider, and offer a free trial for payroll services — only to steal employees’\r\npersonal information or even divert paychecks during a fictitious trial.\r\n2. Employee Research\r\nOnce the hacker identifies their attack technique and assumed identity, they must conduct\r\nresearch on their targets. This may involve mining the company website for contact\r\ninformation or to determine the typical email address format; they may also leverage social\r\nnetworking sites like LinkedIn to research names and titles of various team members, as well\r\nas their roles and responsibilities. With substantial research, it is possible that the attacker\r\ncould zero in on a person who has handled similar, legitimate requests in the past, or\r\nemployees who may not be familiar with company processes and procedures.\r\n3. 
Attack Prep\r\nWith the identity and target set, the attacker will then prepare other components of the attack.\r\nThis could include creating a spoofed email account, posting a fake company website, setting\r\nup bank accounts, creating invoices or any other asset the attacker will need to substantiate\r\ntheir identity or the request.\r\n4. Attack Launch\r\nIn the final stage, the attacker will put their plan into action. BEC scammers will use their\r\ndigital identity to manipulate or pressure the target to take a desired action, often inspiring a\r\nfalse sense of urgency to ensure the person acts on the request without discussing it with\r\nanother employee or fully thinking through the scenario. If the attacker is successful, the attack\r\nwill end with the transfer of money, data or other information to the hacker.\r\n3 BEC techniques\r\nBEC attackers leverage a variety of techniques to carry out their attacks. Three of the most common methods are:\r\nDomain spoofing: Domain spoofing is a form of phishing where an attacker impersonates a known\r\nbusiness or person via a fake website or email domain to fool people into trusting them. Typically, the\r\ndomain appears to be legitimate at first glance, but a closer look will reveal that a W is actually two Vs, or\r\na lowercase L is actually a capital I. Users responding to the message or interacting with the site are tricked\r\ninto revealing sensitive information, sending money or clicking on malicious links.\r\nSocial engineering: Social engineering is the act of manipulating people to take a desired action, like\r\ngiving up confidential information. Social engineering attacks work because humans can be compelled to\r\nact by powerful motivations, such as money, love and fear. Adversaries play on these characteristics by\r\noffering false opportunities to fulfill those desires.\r\nCompromised accounts: A compromised account is an email or system account that has been breached by\r\nan attacker. 
The hacker can leverage a variety of methods, including social engineering, malware, or\r\npassword cracking tools, to compromise the account. Once they have control, the attacker can then\r\nmasquerade as the user and carry out any activity the legitimate owner is able to do.\r\nHow to protect against BEC scams\r\nBEC attacks rely on a human-to-human connection, as opposed to digital tools like malware or viruses. As a\r\nresult, BEC attacks are difficult to detect or prevent with traditional security tools, such as antivirus solutions or endpoint\r\ndetection and response (EDR).\r\nSince BEC attacks are generally human-centric, the methods of protection and prevention must also be human-centric. Below are some best practices to consider when defending against BEC attacks:\r\n1. Implement a robust cybersecurity training program for all employees.\r\nThe organization’s first line of defense in BEC attacks is its workforce. Therefore, it is essential that the\r\norganization creates a robust cybersecurity training program that includes specific modules about social\r\nengineering techniques. 
As part of the training program, the organization may wish to test the effectiveness of the\r\ncourse through a variety of simulations or drills.\r\nSpecific points to cover in the training may include:\r\nWhat constitutes an unusual, atypical or inappropriate executive request, such as requests for personal\r\ninformation about a specific employee\r\nProper processes and procedures for financial transactions, including who is approved to conduct such\r\nactivity and how to inform that person of a request made to another team member\r\nProper processes and procedures for managing vendor invoices, even for urgent requests\r\nExamples of how the attacker may use fear, intimidation, confidentiality or urgency to manipulate an\r\nemployee\r\nHow to identify spoofed email addresses or domains, as well as mismatched “reply to” addresses\r\n2. Implement a Zero Trust strategy.\r\nZero Trust is a security concept that requires all users to be authenticated and authorized before being granted\r\naccess to applications and data. Execution of this framework combines advanced technologies such as risk-based\r\nmulti-factor authentication, identity protection, next-generation endpoint security, and robust cloud workload\r\ntechnology to verify a user’s or system’s identity, consideration of access at that moment in time and the\r\nmaintenance of system security. This is especially important in preventing EAC attacks, where the adversary\r\nassumes the identity of a legitimate system user and masquerades as that person.\r\n3. Monitor the deep and dark web for signs of compromise.\r\nThe dark web is the part of the internet where users can access unindexed web content anonymously through\r\nspecial web browsers like TOR. Dark web monitoring tools are similar to a search engine (like Google) for the\r\ndark web. 
These tools help to find leaked or stolen information such as compromised passwords, breached\r\ncredentials, intellectual property and other sensitive data that is being shared and sold among malicious actors\r\noperating on the dark web.\r\n4. Make an inventory of actors who leverage BEC as an attack technique.\r\nFor large organizations that face a high level of risk, it may also be wise to track and analyze the actors who apply\r\nBEC. This typically involves partnership with a trusted cybersecurity solution provider that can help the\r\norganization identify the adversary universe and zero in on those actors and techniques that are most likely to\r\naffect the organization.\r\n5. Implement an incident response (IR) plan.\r\nIncident response (IR) refers to the steps used to prepare for, detect, contain and recover from a data breach. The two\r\nmost well-respected IR frameworks were developed by NIST and SANS to give IT teams a foundation to build\r\ntheir incident response plans on.\r\nBEC and EAC solutions\r\nAs with so many cyberattacks, the organization’s best and most important line of defense against BEC and EAC\r\nwill be an engaged, knowledgeable and vigilant workforce.\r\nHowever, even though BEC attacks target humans, there are still steps organizations can take to reduce risk and\r\nstrengthen their defenses against such attacks.\r\nCrowdStrike Falcon® Intelligence Recons is a security solution that enables security teams to track adversaries\r\nand their activities outside the network perimeter. 
With this tool, organizations can:\r\nMonitor the criminal underground\r\nIdentify exposed confidential data\r\nDiscover domain impersonations\r\nAssign, track and manage alerts\r\nBuild adversary profiles\r\nDiscover external attack vectors\r\nCrowdStrike Falcon® Identity Threat Detection is a security solution that enables hyper-accurate detection of\r\nidentity-based threats in real time, leveraging AI and behavioral analytics to provide deep actionable insights to\r\nstop modern attacks. With this tool, organizations can:\r\nUnlock insights and analytics for all credentials\r\nDetect lateral movement for authenticated accounts\r\nEnable AD security without using logs\r\nSource: https://www.crowdstrike.com/cybersecurity-101/business-email-compromise-bec/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.crowdstrike.com/cybersecurity-101/business-email-compromise-bec/"
	],
	"report_names": [
		"business-email-compromise-bec"
	],
	"threat_actors": [],
	"ts_created_at": 1775434545,
	"ts_updated_at": 1775791237,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a576ac10ea5ff0483dbd0dd77d3113f608c326d0.pdf",
		"text": "https://archive.orkl.eu/a576ac10ea5ff0483dbd0dd77d3113f608c326d0.txt",
		"img": "https://archive.orkl.eu/a576ac10ea5ff0483dbd0dd77d3113f608c326d0.jpg"
	}
}