Business Email Compromise (BEC): What Is It & Why Is It Dangerous?

December 02, 2021


What is Business Email Compromise?

Business email compromise (BEC), sometimes called email account compromise (EAC), is a scam in which a criminal uses a legitimate-looking (or freshly stolen) email account belonging to a trusted business to fraudulently obtain money, personal information, financial details, payments, credit card numbers and other data from another business. These scams especially target businesses that pay by wire transfer, work with foreign suppliers or handle other invoice transactions.

Business email compromise is a cyberattack

Business email compromise is a cyberattack: criminals abuse email accounts and email infrastructure to profit. In BEC, they profit by stealing money from an organization, sullying a company's good name and committing fraud using your company's business or client relationships.

Business email compromise is fraud

BEC is a type of fraud. A BEC attack is designed to trick people into transferring money or taking a similar action using elements of impersonation, deception and theft.




How Does Business Email Compromise Relate to Phishing?


A phishing message is the most common vector for a business email compromise attack on an organization, so anti-phishing technology also helps prevent BEC attacks.


How Could Business Email Compromise Impact My Business?


BEC leads to losses that are both financial and reputational. If your business suffers a BEC attack, its impact can be devastating to your present and future revenue while also damaging your brand and your business relationships.

Business email compromise leads to business losses

Figures from the Federal Bureau of Investigation Internet Crime Complaint Center (FBI IC3) show BEC costing businesses roughly 64 times more in losses than ransomware. Business email compromise schemes were the costliest cybercrime reported to IC3 in 2020, with 19,369 complaints and an adjusted loss of approximately $1.8 billion.


What Are Some Business Email Compromise Examples?


Business email compromise is not a one-size-fits-all proposition. It is especially tricky to spot because it is a scheme that can take many forms.

Urgent payment required scams

Fake invoice scams are the most common BEC variation. In this scenario, someone with the authority to pay vendors in an organization is sent a legitimate-looking invoice, purporting to come from a company that their organization does business with, demanding immediate payment to avoid loss of goods or services.

Gift cards and wire transfers

Money is the goal behind BEC. Cybercriminals typically demand that the fraudulent payment be sent to them by wire transfer, cash app or gift card. An estimated 62% of BEC scams involve the cybercriminal asking for gift cards, cash app transfers or money cards.

Credential compromise scams

In this BEC variant, fraudsters ask the victim to provide credentials for a business account, or access to a company's systems or data, often on the pretense that they have misplaced their credentials or were not given the right ones to complete a task.




What Are Some Red Flags of Business Email Compromise?


BEC is very hard to spot but these red flags may indicate an attack.

Bad spelling, grammar and punctuation

Messages that use bad grammar, punctuation, spelling and usage are highly likely to be phishing messages that could be BEC attempts.

Unusual formatting, appearance or domain

BEC perpetrators often use spoofed or imitated email messages from a trusted sender as a lure. Be cautious about interacting with messages that look different than messages from that sender typically do. Also, make sure that an unexpected message comes from the sender’s real domain.

Improper greeting or signature

If the greeting, signature or contact information provided by the purported sender are unusual, that’s a strong indicator that the message is phishing and a potential BEC attack.

The sender will only communicate via email

Alarm bells should ring if attempts to communicate with the sender or verify their identity by phone or video conference are rebuffed.

The sender requests funds sent to an unusual address or in an unusual way

If an unanticipated message requests immediate payment, asks that funds go to a different account than usual, comes from or asks for replies to a different address (such as a private email account), or asks for payment in a different way (a cash app instead of a check), that's a hallmark of BEC.

The requested transactions are rushed or otherwise painted as urgent

Social engineering is a big part of BEC and cybercriminals will often try to create a sense of urgency about responding to their fraudulent message to manipulate victims into acting unwisely.

The sender is not using an official email address

If the message does not come from a company's official email address or domain, there's a good possibility that it's actually a business email compromise attack. For example, "joe@microsoft.security.com" looks like a Microsoft address, but the domain is security.com (microsoft is just a subdomain label), not "joe@microsoft.com".
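As an added example that is not part of the original article, the Python script below checks an inbound message against the red flags listed above: a sender domain that imitates a trusted one (a brand name used as a subdomain label, as in joe@microsoft.security.com, or a typo-squat such as micros0ft.com), a Reply-To that points somewhere other than the From domain, use of a free-mail provider, no dmarc=pass recorded by your own mail server, urgency and payment-change wording, and excuses for not taking a phone call. The trusted-domain list, the free-mail list, the keyword lists and both sample messages are constructed assumptions for the demo, not data from the page.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumption (not from the page): domains this organization normally receives
# vendor and executive mail from; in practice an accounts-payable allow-list.
TRUSTED_DOMAINS = {"microsoft.com", "acme-supplies.example"}
# Free-mail providers a vendor would not use for invoicing (assumed list).
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "protonmail.com"}

URGENCY_RE = re.compile(r"\b(urgent|immediately|today|asap|right away|final notice)\b", re.I)
PAYMENT_RE = re.compile(
    r"\b(wire transfer|gift card|new bank|updated bank|account details|cash app|routing number)\b", re.I)
SECRECY_RE = re.compile(
    r"\b(do not call|don't call|cannot take calls|only (?:via|by) email|keep this confidential)\b", re.I)


def registrable_domain(addr: str) -> str:
    """Last two labels of the address's domain: joe@microsoft.security.com -> security.com.
    Deliberately naive; a production check should consult the Public Suffix List."""
    labels = [lbl for lbl in addr.rpartition("@")[2].strip().lower().split(".") if lbl]
    return ".".join(labels[-2:])


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typo-squatted domains such as micros0ft.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(sender_domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that sender_domain imitates, or None if the sender
    either genuinely is a trusted domain or is unrelated to all of them."""
    labels = sender_domain.lower().split(".")
    reg = registrable_domain("x@" + sender_domain)
    if reg in trusted:
        return None
    for t in trusted:
        brand = t.split(".")[0]
        # brand used as a label under someone else's domain (microsoft.security.com),
        # or a near-miss spelling of the real registrable domain
        if brand in labels or levenshtein(reg, t) <= 2:
            return t
    return None


def dmarc_passed(msg) -> bool:
    """True only if the receiving MTA recorded dmarc=pass in Authentication-Results."""
    return any(re.search(r"\bdmarc=pass\b", r, re.I)
               for r in (msg.get_all("Authentication-Results") or []))


def score_message(raw: str) -> dict:
    """Parse a raw RFC 5322 message and list the BEC red flags it trips."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2].lower()

    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"sender domain {from_domain} imitates {imitated}")
    if reply_addr and registrable_domain(reply_addr) != registrable_domain(from_addr):
        flags.append(f"Reply-To {reply_addr} differs from From domain")
    if {registrable_domain(from_addr), registrable_domain(reply_addr)} & FREEMAIL_DOMAINS:
        flags.append("free-mail address used for business correspondence")
    if not dmarc_passed(msg):
        flags.append("no dmarc=pass in Authentication-Results")

    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if URGENCY_RE.search(text):
        flags.append("urgency language")
    if PAYMENT_RE.search(text):
        flags.append("payment or bank-detail change request")
    if SECRECY_RE.search(text):
        flags.append("sender avoids phone or video verification")
    return {"from": from_addr, "flags": flags, "score": len(flags)}


# Constructed sample messages for the demo; not real traffic.
LEGIT_MSG = """\
From: Accounts <billing@acme-supplies.example>
Subject: Invoice 4471 for October
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=acme-supplies.example;
 dkim=pass header.d=acme-supplies.example; dmarc=pass header.from=acme-supplies.example
Content-Type: text/plain; charset="utf-8"

Hi, invoice 4471 is attached. Terms are net 30 as usual.
"""

BEC_MSG = """\
From: Joe Smith <joe@microsoft.security.com>
Reply-To: joe.smith.ceo@gmail.com
Subject: URGENT: wire transfer needed today
Authentication-Results: mx.victim.example; spf=pass smtp.mailfrom=security.com;
 dkim=none; dmarc=none header.from=microsoft.security.com
Content-Type: text/plain; charset="utf-8"

I'm in a meeting and cannot take calls. Send the wire transfer to the
updated bank account details below before end of day.
"""

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGIT_MSG), ("BEC attempt", BEC_MSG)):
        result = score_message(raw)
        print(f"{name}: score={result['score']} flags={result['flags']}")
```

The lookalike check only covers imitation of a trusted domain; an exact spoof of the real domain is what the DMARC check is for, so the Authentication-Results header must come from your own receiving server (strip any copy the sender supplied) or that flag is meaningless. Treat the score as a triage signal for a human verification step over the phone, not as an automatic block.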




How Can I Protect My Business from Business Email Compromise?


Protecting your business from BEC is vital. The easiest and most effective way to protect your business from business email compromise is to protect it from phishing.

Protection from phishing

Automated email security is a smart way to protect your business from phishing messages that could carry threats like BEC or ransomware. It’s 40% more effective than conventional security or a Secure Email Gateway (SEG).




Stop phishing with Graphus – the most simple, automated & affordable phishing defense available.


Guarding against BEC scams has to be a top priority for every organization. But it doesn't have to be something that requires a great deal of time and effort from employees, especially chronically overworked IT teams. By choosing automated, AI-powered email security using Graphus, businesses gain strong protection from phishing-based threats like BEC.

Sophisticated, socially engineered BEC threats don't stand a chance against the smart, triple-layered protection provided by Graphus. A powerful defense against phishing starts with TrustGraph, our patented AI-powered automated guardian that spots and stops dangerous messages before they ever reach an employee inbox. EmployeeShield adds a bright, noticeable box to messages that could be dangerous. Phish911 enables employees to instantly report any suspicious message that they receive.

Stay safe from even the most sophisticated cyberattacks and social engineering scams

Put the powerful TrustGraph® AI of Graphus to work for your business, and in minutes you’ll get a powerful, easy-to-use, and customizable EmployeeShield® against phishing attacks.
Get a Demo of Graphus