Browse Definitions :
Definition

business email compromise (BEC, man-in-the-email attack)

Contributor(s): Matthew Haughn

Business email compromise (BEC) is a security exploit in which the attacker targets an employee who has access to company funds and convinces the victim to tranfer money into a bank account controlled by the attacker.

According to the FBI's Internet Crime Report, BEC exploits were responsible for over $1.77 billion in losses in 2019. Business email compromise is one of the top cyberinsurance claims in 2020, and security vendor Proofpoint has warned businesses that BEC exploits are increasingly being tied to COVID-19. The most common victims of BEC are companies that use wire transfers to send money to international clients.

 

BEC exploits often begin with the attacker using a social engineering scam to trick a C-level target into downloading malware, clicking on an infected link or visiting a compromised website. Once the C-level manager's account has been compromised, it can be used to trick another employee into sending money to the attacker.

 

A popular BEC strategy is to send an official-looking email to someone in the company's finance department. Typically, such an email will say there is a time-sensitive, confidential matter that requires payment be made to a customer's, partner's or supply chain partner's bank account as soon as possible. The attacker hopes that the unsuspecting person in finance will think they are helping their company by facilitating a quick transfer of funds -- when in reality, they are sending money to the attacker's bank account.

There are numerous ways that BEC can be used to defraud targets. Here are a few examples:

  • A compromised employee account requests a change in payee information and transfers payments to the perpetrator’s account.
  • The attacker sends a bogus invoice to partner vendors in hopes they will pay the bill without questioning it.
  • An attorney’s email identity might be used to pressure the target for immediate payment.

Cybercriminals may further use a compromised account (especially those of HR employees) to gain more personally-identifiable information (PII) for later use in defrauding the company or its clients. Measures to prevent this type of financial fraud include employee education, conducing social engineering pen tests and adding a requirement that at least two employees sign approvals for payment change requests.

This was last updated in March 2020

Continue Reading About business email compromise (BEC, man-in-the-email attack)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

File Extensions and File Formats

SearchCompliance

  • risk assessment

    Risk assessment is the identification of hazards that could negatively impact an organization's ability to conduct business.

  • PCI DSS (Payment Card Industry Data Security Standard)

    The Payment Card Industry Data Security Standard (PCI DSS) is a widely accepted set of policies and procedures intended to ...

  • risk management

    Risk management is the process of identifying, assessing and controlling threats to an organization's capital and earnings.

SearchSecurity

SearchHealthIT

SearchDisasterRecovery

  • call tree

    A call tree is a layered hierarchical communication model that is used to notify specific individuals of an event and coordinate ...

  • Disaster Recovery as a Service (DRaaS)

    Disaster recovery as a service (DRaaS) is the replication and hosting of physical or virtual servers by a third party to provide ...

  • cloud disaster recovery (cloud DR)

    Cloud disaster recovery (cloud DR) is a combination of strategies and services intended to back up data, applications and other ...

SearchStorage

Close