Business Email Compromise: how to protect your firm against BEC attacks

BEC attacks are on the rise and are now the most common form of cyber fraud. Also commonly referred to as CEO spoofing or Whaling, BEC is now the biggest cyber threat to business, accounting for almost 50% of all cyber attacks.

Business Email Compromise (BEC), also commonly referred to as CEO spoofing or Whaling, doesn’t get as much media coverage as some other areas of cyber crime and fraud, perhaps because of its relative simplicity when compared with malicious software and complex ransomware attacks. But BEC is now the biggest cyber threat to business, accounting for almost 50% of all cyber attacks in 2019 and US$1.8bn of financial losses, according to the FBI. 

Unfortunately, BEC is pretty successful as an attack vector. It’s an easy win for cyber criminals and can be devastating for victims, both financially and emotionally, ruining businesses and lives. Firms of all sizes should prioritise the management of this area of cyber risk – and remember that nothing provides better protection against BEC than training and education. 

What is BEC? 

BEC typically involves a criminal actor either gaining access to the email account of a high-level executive of a firm, or creating an email account that appears to belong to that individual. They then begin exchanging emails with the victim – often a member of the finance team – in order to gain their trust. This process is known as social engineering and might involve using language the executive commonly uses, or placing the victim in a perceived position of responsibility (for example, “I need to get this payment processed today and I hope I can rely on you to ensure it’s completed asap.”) The email conversation usually culminates in the perpetrator asking the victim to transfer funds to an offshore account immediately, creating a sense of urgency, perhaps causing the victim to bypass some of the usual checks they may go through in this situation. 

Accessing sensitive data

BEC fraud doesn’t always involve a transfer of funds though; it could be used as a method to gain access to data (which may be utilised for financial gain later) or the firm’s internal systems. A common example of BEC that doesn’t involve financial transfers might be an email appearing to come from a senior member of the IT team such as the CISO (chief information security officer) or the CTO (chief technology officer), updating employees on a “new password policy” and instructing them to follow a link within the email to change their password. Here is a real-life example of this type of phishing email: 

Hi all,

We have recently implemented a new password policy to improve the overall security posture of the business. In order for this new policy to be effective, we require all staff to update their password to meet the following criteria:

  • Minimum of 14 characters.
  • A number must be used.
  • A special character must be used (%&*@$£).
  • Must be different to your 3 most recent passwords.
  • Must not contain consecutive numbers (123, 456).

Sign in using the link below and you will be prompted to change your password.

Reset Password

If you have any questions please contact me.

Kind regards,

The only real giveaway in the above example was that the email address had one letter missing when compared with the authentic address. 

Invoice/supplier fraud

Other types of BEC fraud involve impersonating a supplier and requesting payment of an “overdue” invoice. This type of attack takes advantage of existing trusted relationships between employees and vendors and demonstrates the importance of not sharing too much information about the companies you work with. Many corporate websites list the names of high-profile clients for marketing purposes, but it’s worth considering whether you want that information to be made public. 


Maintaining an up-to-date list of supplier contacts is crucial to ensuring staff know communications are legitimate and with genuine authorised persons. It’s also imperative that contact details are kept secure and not simply written in an address book somewhere which can be accessed by anybody. This type of information might seem insignificant, but it can be used to build a pretty convincing phishing email (see the Facebook and Google example below).

Typical victims of BEC fraud

Any type of organisation can potentially fall victim to a BEC attack, but criminals tend to focus their efforts on companies which regularly carry out large funds transfers to overseas accounts, thus making their request less conspicuous and far more plausible to the victim. 

Below are a few examples of high-profile BEC attacks that have occurred in recent years. Note that many of these are large corporations in the tech sector which probably employ some of the most stringent cyber security processes available. BEC relies on social engineering to achieve success – something which no software can fully protect against. 

Xoom Corporation: US$30m 

In January 2015, international money transfer firm Xoom revealed in a regulatory filing that an individual impersonating an employee at the firm had convinced someone to transfer US$30.8m to overseas accounts. On the same day, the company also reported that its chief financial officer, who had only been in the role for a month, had resigned. The announcement resulted in a 14% decline in Xoom share prices. 

Ubiquiti: US$46.7m stolen 

Ubiquiti, a California-based technology supplies company, was hit by a colossal BEC attack in 2015. The fraud resulted in the transfer of funds totalling US$46.7m from the company’s Hong Kong subsidiary to fraudsters’ bank accounts overseas. “As soon as the Company became aware of this fraudulent activity it initiated contact with its Hong Kong subsidiary’s bank and promptly initiated legal proceedings in various foreign jurisdictions,” said Ubiquiti in a statement. The company eventually managed to recover US$8.1m of the stolen funds.

Facebook and Google: US$120m stolen

Facebook and Google were hit by a combined invoice and BEC scam between 2013 and 2015 orchestrated by Lithuanian-based fraudster, Evaldas Rimasauskas. He pretended to be an employee of a supplier – computer manufacturer Quanta Computer – and by sending false invoices via email for two years he was able to convince the tech giants to send him a combined total of US$120m. According to the US Justice Department, he was able to back up his requests with fraudulent confirmation documents. Rimasauskas “forged invoices, contracts and letters that falsely appeared to have been executed and signed by executives and agents of the Victim Companies, and which bore false corporate stamps embossed with the Victim Companies’ names, to be submitted to banks in support of the large volume of funds that were fraudulently transmitted via wire transfer.”

BEC is evolving

BEC fraudsters are continuously working to find new ways to make easy money. A study by email security experts Agari, which analysed thousands of BEC attempts, has revealed details of a new type of BEC scam known as a “capital call” scam. Specifically targeting Wall Street firms, the scam involves fraudsters mimicking investment or insurance firms and asking for funds previously pledged by an investor to be immediately transferred. The average amount requested in this type of scam is US$809,000 – seven times higher than the average US$72,000 sought in most BEC attacks, according to Agari. 

BEC perpetrators tend to focus on these types of high-pressure transactions because the victim is often working against a tight deadline and will be keen to get the deal finalised. Another common target is estate agents or house buyers about to close on a house sale. 

Cosmic Lynx

If you work in the field of cyber security, you will probably be familiar with a new group of cyber fraudsters focussing largely on the BEC attack vector, known as Cosmic Lynx. Believed to be Russian-based, the group is targeting senior-level executives, with around three quarters of individuals targeted holding the titles of Vice President, General Manager, or Managing Director.

A worrying feature of Cosmic Lynx-originated attacks is their ability to get around DMARC controls. DMARC (Domain-based Message Authentication, Reporting and Conformance) helps protect against phishing and BEC attacks by identifying illegitimate email sources before they arrive in your inbox. Cosmic Lynx attacks sidestep this protection by forging the visible sender details of high-level executives rather than sending from the protected domain itself. “For organisations that have implemented an established DMARC policy set to reject (p=reject) or quarantine (p=quarantine), Cosmic Lynx modifies the display name impersonating a CEO to include their email address, which still gives it the look that the email is coming from the CEO’s account,” explains Agari.


Tackling this area of cyber risk requires a focus on the perpetrators’ strongest tool – trust. Cyber criminal groups like Cosmic Lynx use data gleaned from thousands of phishing emails to tailor their attacks for success. If you receive an email which looks like it’s from your boss, sounds like it’s from your boss and to which you get an immediate response when you reply, why would you question it? The key to avoiding being taken in by a BEC scam is to always question emails that involve a request for funds or data. 

Multi-factor authentication methods

Use of multi-factor login processes for company emails is one way of preventing hackers from gaining access to a genuine email account and wreaking havoc. This type of authentication would look something like this:

  1. Username and password
  2. One-time authentication code sent to another device such as mobile phone
  3. Biometrics such as voice, face or fingerprint recognition 

BEC attacks usually start with stolen credentials. If someone can get into the email account of any employee of a firm, they can work their way up from there – even if their point of entry isn’t through a senior individual. This means that any email asking for information that could help someone gain access to a company’s internal systems or data should be put through a manual check process first. For example, an email seemingly from a member of the IT team announcing that all email passwords must be changed immediately “via this link” for security purposes, should go through a series of checks like this: 

Check 1: Confirm that the email address looks valid – not just the email contact header displaying the person’s name, but the actual address itself. 

Check 2: Does the request sound reasonable and within company protocol? Unusual requests which demand a quick or immediate response should raise a red flag. 

Check 3: Get a second opinion. BEC attempts often try to prevent this by saying “this is confidential” or “please keep this to yourself.” If it sounds suspicious, get a second opinion from a trusted senior member of staff. Or for those responsible for writing email policy, ensure that staff know how to react to a suspect email request, including how and where to get verification. 

Check 4: Call the individual the email is purported to be from and check authenticity. Be sure to use the contact details you already have recorded for that person – don’t trust the number listed on the email. Or better still, if you are in the same building, go and see the person face to face. 
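Check 1, the one-letter-off address in the password-policy email earlier, and the display-name trick attributed to Cosmic Lynx can all be caught mechanically before a person has to spot them. The Python below is an added example written for this page (not code from the original article or any product it names) that inspects a From: header and an optional Reply-To: header and returns a list of findings. The trusted domains, the executive directory and the sample headers are constructed placeholders, not real addresses; a real deployment would load them from the firm's directory and run the check in a mail-gateway or mailbox rule.

```python
import re
from email.utils import parseaddr

# Constructed allowlist: the firm's own domain plus known suppliers (hypothetical values).
TRUSTED_DOMAINS = {"examplefirm.com", "quanta-supplier.example"}

# Constructed directory of executives whose names are worth impersonating (hypothetical).
EXECUTIVE_DIRECTORY = {"jane doe": "jane.doe@examplefirm.com"}

EMAIL_IN_TEXT = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 is one missing, added or changed letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str, reply_to: str = "") -> list:
    """Return human-readable findings for one From: header (and optional Reply-To:)."""
    findings = []
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()

    # Finding 1: a lookalike of a trusted domain, e.g. one letter missing or two swapped.
    if domain and domain not in TRUSTED_DOMAINS:
        for trusted in sorted(TRUSTED_DOMAINS):
            if 0 < edit_distance(domain, trusted) <= 2:
                findings.append(f"lookalike domain {domain!r} resembles {trusted!r}")

    # Finding 2: the display name itself contains an email address, so the mail client
    # shows the executive's address even though the real sender is someone else.
    if EMAIL_IN_TEXT.search(display):
        findings.append(f"display name {display!r} embeds an email address")

    # Finding 3: the display name is a known executive but the address is not theirs.
    known = EXECUTIVE_DIRECTORY.get(display.strip().lower())
    if known and addr.lower() != known:
        findings.append(f"display name impersonates {known}, actual address is {addr}")

    # Finding 4: replies would go somewhere other than the apparent sender.
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if reply_addr.lower() != addr.lower():
            findings.append(f"Reply-To {reply_addr} differs from From {addr}")
    return findings


if __name__ == "__main__":
    # Constructed sample headers for the three cases discussed in the text.
    for header in ["Jane Doe <jane.doe@examplefirm.com>",
                   "Jane Doe <jane.doe@examplefim.com>",
                   '"Jane Doe <jane.doe@examplefirm.com>" <attacker@mail.example>']:
        print(header, "->", check_sender(header) or ["no findings"])
```

Finding 1 implements Check 1 for the case in the earlier example, where the address differed from the genuine one by a single letter; Finding 2 is the pattern Agari describes for Cosmic Lynx, where the executive's address is placed inside the display name of a message that actually comes from elsewhere.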

Be consistent with email policy compliance

Probably the best way to ensure staff aren’t duped by this type of email is to avoid sending genuine emails like this yourself and to ask all senior executives to do the same. If you make it company policy not to ask for funds transfers via email without prior notification by other means, staff will (hopefully) be immediately cautious when they receive an email of this kind. Staying in touch with staff about attempted BEC attacks is also crucial. This will help increase awareness and ensure staff remain alert and realise just how common this type of fraud is. Sharing examples of spoof emails is a great tool for demonstrating how convincing phishing emails can be. This is something which should be a continual feature in staff security training at every level of the company – from the CEO to the receptionist – and shouldn’t simply be reserved for new recruits. 

Implement the right software

Although education and training are probably the most important forms of defence against BEC attacks, the right security software can also help prevent some of these emails from appearing in your inbox in the first place. 


Cyber security expert Graeme McGowan at Optimal Risk Group advises considering the following two points: 

  1. DMARC Implementation: The DMARC framework needs to be effectively implemented with the policy progressed from ‘None’ to ‘Reject’ by analysing aggregate reports. This would entail identifying and authorising all of the legitimate email sending sources.
  2. Inbound DMARC Check: Enabling the DMARC check for your incoming emails is a simple step, done through the admin access of your email gateway. Simply check the box for the option to enable DMARC on incoming email traffic.
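To make point 1 measurable, the Python below is an added example written for this page (not code from Optimal Risk Group, RiskBusiness or the article): it parses a DMARC TXT record and flags settings that stop short of p=reject, then summarises a DMARC aggregate (rua) report per sending IP so that genuine senders can be authorised with SPF or DKIM and the rest left to fail. The domain examplefirm.com and the embedded XML report are constructed for illustration; the report layout follows the aggregate-report schema in RFC 7489.

```python
import xml.etree.ElementTree as ET


def parse_dmarc_record(txt: str) -> dict:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a tag/value dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def policy_findings(record: str) -> list:
    """Flag record settings that still let spoofed mail reach the inbox."""
    tags = parse_dmarc_record(record)
    if tags.get("v") != "DMARC1":
        return ["not a valid DMARC record"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: failing mail is still delivered; progress to quarantine, then reject")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail goes to spam; move to p=reject once reports are clean")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not being collected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    return findings


# Constructed aggregate report: one authorised server, one bulk mailer the firm forgot
# to authorise, and one unknown host that fails everything.
SAMPLE_REPORT = """<feedback>
 <report_metadata><org_id>receiver.example</org_id><report_id>1</report_id></report_metadata>
 <policy_published><domain>examplefirm.com</domain><p>none</p><pct>100</pct></policy_published>
 <record><row><source_ip>192.0.2.10</source_ip><count>120</count>
  <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated></row>
  <identifiers><header_from>examplefirm.com</header_from></identifiers>
  <auth_results><dkim><domain>examplefirm.com</domain><result>pass</result></dkim>
  <spf><domain>examplefirm.com</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>198.51.100.7</source_ip><count>35</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>examplefirm.com</header_from></identifiers>
  <auth_results><spf><domain>bulkmailer.example</domain><result>pass</result></spf></auth_results></record>
 <record><row><source_ip>203.0.113.99</source_ip><count>4</count>
  <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated></row>
  <identifiers><header_from>examplefirm.com</header_from></identifiers>
  <auth_results><spf><domain>203.0.113.99</domain><result>none</result></spf></auth_results></record>
</feedback>"""


def summarise_report(xml_text: str) -> dict:
    """Per source IP: messages seen, messages passing DMARC, and the domains they authenticated as.
    A busy source failing alignment is usually a legitimate sender to authorise;
    a small unknown source failing everything is what p=reject is there to stop."""
    summary = {}
    for rec in ET.fromstring(xml_text).iter("record"):
        ip = rec.findtext("row/source_ip")
        count = int(rec.findtext("row/count"))
        dkim_ok = rec.findtext("row/policy_evaluated/dkim") == "pass"
        spf_ok = rec.findtext("row/policy_evaluated/spf") == "pass"
        entry = summary.setdefault(ip, {"messages": 0, "passing": 0, "auth_domains": set()})
        entry["messages"] += count
        if dkim_ok or spf_ok:          # DMARC passes when either aligned mechanism passes
            entry["passing"] += count
        for dom in rec.findall("auth_results/*/domain"):
            entry["auth_domains"].add(dom.text)
    return summary


if __name__ == "__main__":
    for finding in policy_findings("v=DMARC1; p=none; rua=mailto:dmarc@examplefirm.com"):
        print("record:", finding)
    for ip, stats in summarise_report(SAMPLE_REPORT).items():
        print(ip, stats)
```

In the constructed report, 198.51.100.7 sends a steady volume with SPF passing for bulkmailer.example but not aligned with examplefirm.com, so it is the kind of legitimate source that has to be added to SPF (or signed with DKIM) before the policy can safely move to p=reject; 203.0.113.99 sends a handful of unauthenticated messages and is exactly what the reject policy would then stop.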

Conduct regular phishing reviews 

Phishing reviews, or phishing simulations as they are also known, are a useful tool for stress testing your resilience to a potential BEC attack, allowing you to identify weak points in your defence and provide staff with relatable examples. 

Endpoint security

Phishing is the most common attack vector for endpoints (endpoints are anything that connects to the network, such as the server, a PC, tablet, smartphone or any other internet-enabled device). Mass remote working has left many endpoints vulnerable to cyber attack as it is more difficult to ensure security software is up to date – or indeed installed at all – when someone is accessing the network from their personal device or from home. Conducting thorough endpoint monitoring is key to ensuring all access points remain secure. Use of personal devices should also be covered by policies and procedures so all staff are aware of permissions in relation to how and where they access the network.

Why the right Governance, Risk, Audit and Compliance solution is important for managing BEC risk

RiskBusiness’ tailored GRAC solution allows for full visibility and monitoring of emerging risks through our Newsflash service, alongside a comprehensive KRI library and KRI monitoring function, providing the necessary metrics to detect and monitor an event such as a BEC attack. Preparing a response to this type of event is also key. Our Scenarios Library and Scenario Assessment functions allow for analysis of the potential impact of a BEC attack on your firm as well as potential mitigation factors.

Further reading and useful resources

Deepfakes: What the financial services sector needs to know, a report by RiskBusiness

Global Cyber Academy, training and resources for understanding technology and business

Cultural values and cyber security: shaping behaviour to improve compliance, by Chris Rivinus for Risk Universe

Key business concerns for 2021 and beyond, a report by RiskBusiness

Crime script analysis: an ally against cyber crime, by Gianluca Riglietti for Risk Universe