Business Email Compromise: All You Need to Know

A guide to understanding and preventing one of the most common and costly cyberattacks.

What is Business Email Compromise (BEC)?

Business Email Compromise (BEC) is a type of cyberattack that targets organizations and individuals who conduct business via email. BEC attackers use various techniques to impersonate legitimate business partners, vendors, clients, or employees, and trick the recipients into transferring money, sending sensitive information, or performing other actions that benefit the attackers.

Why Are Business Email Accounts Compromised?

BEC attackers compromise business email accounts for various reasons, depending on their motives and objectives. Some of the common reasons are:

  • To gain access to confidential or proprietary information, such as financial statements, contracts, invoices, or customer data.
  • To divert payments or funds to their own accounts, or to accounts controlled by their accomplices.
  • To solicit fraudulent payments or donations from unsuspecting victims, such as customers, suppliers, or charities.
  • To conduct further attacks, such as ransomware, malware, or phishing, using the compromised email account as a trusted source.

How Does Business Email Compromise Work?

BEC attacks can take various forms, depending on the level of sophistication and preparation of the attackers. Some of the common methods are:

  • Spoofing: The attackers create an email address that looks similar to the legitimate one but with slight variations, such as changing a letter, adding a hyphen, or using a different domain name. For example, could be spoofed as or
  • Hacking: The attackers gain access to the actual email account of the target, either by guessing the password, using malware, or exploiting a security vulnerability. This allows them to send and receive emails as the legitimate owner, and to access their contacts, attachments, and history.
  • Phishing: The attackers send an email that appears to come from a trusted source, such as a bank, a government agency, or a well-known company, and ask the recipient to click on a link, open an attachment, or provide some information. The link or attachment may contain malware that infects the recipient’s device, or the information may be used to access their email account or other online accounts.
  • Social Engineering: The attackers research the target and their business partners, using online sources, such as websites, social media, or public records, to gather information about their names, roles, activities, schedules, or preferences. They use this information to craft convincing and personalized emails that appeal to the recipient’s emotions, urgency, or authority.

Real-World Examples of BEC

BEC attacks have affected organizations and individuals across various sectors and regions, causing billions of dollars in losses and damages. The FBI says BEC has cost businesses $26 billion, and it’s only getting worse. BEC attacks involve using legitimate or fake business email accounts to trick employees into sending money or information. In 2022, BEC fraudsters made more than $2.7 billion – more than any other kind of cybercrime. Some of the notable examples are:

  • Ubiquiti: $46.7M

    In August 2015, IT company Ubiquiti filed a report to the U.S. Securities and Exchange Commission revealing it was the victim of a $46.7 million “business fraud.” The company stated in its filing that it discovered the fraud on June 5, and claimed that it was a target of “criminal fraud” that involved “impersonating employees and sending fake requests from an external entity to the Company’s finance department.” The fraudsters somehow managed to convince employees to transfer $46.7 million from one of its Hong Kong subsidiaries to foreign bank accounts owned by the criminals. Brian Krebs, a famous cybersecurity blogger, said the fraudsters used a common technique called “the CEO scam” or “Business Email Compromise”.

  • Quanta Computer: $120M

    Between 2013 and 2015, a sophisticated BEC attack duped Facebook and Google into paying millions of dollars to a fraudulent company. The mastermind behind this scheme, Evaldas Rimasauskas, received a five-year prison sentence in 2019. Rimasauskas and his accomplices created a fake company called “Quanta Computer”, the same name as a legitimate hardware supplier. They then sent Facebook and Google convincing invoices, which they paid to bank accounts owned by Rimasauskas. To make their scam more credible, they also forged lawyers’ letters and contracts to persuade their banks to accept the transfers.

    The Rimasauskas scam serves as a warning to all organizations. If two of the world’s largest tech companies fell victim to BEC for two years — it could happen to any business.

  • Government of Puerto Rico: $2.6M

    The Puerto Rican government found out in early 2020 that it had been scammed by a BEC fraud. The scam affected Rubén Rivera, finance director of Puerto Rico’s Industrial Development Company, who accidentally sent more than $2.6 million to a fake bank account. Rivera had received an email saying that the bank account for remittance payments had changed. The email came from a compromised email account of a worker at the Puerto Rico Employment Retirement System.

  • Toyota Boshoku Corporation: $37M

    Toyota Boshoku Corporation, a European branch of Toyota and a big provider of Toyota car parts, lost $37 million in a 2019 BEC attack that targeted its finance and accounting department. The attackers pretended to be one of the branch’s trading partners and asked for a transfer to a different bank account, saying the transaction had to be done quickly or parts production would suffer.

  • Homeless Charity, Treasure Island: $625,000

    We found out in June 2021 that Treasure Island, a homeless charity in San Francisco, suffered a damaging, month-long $625,000 attack when hackers broke into the email system of the organization’s bookkeeper. The hackers located and altered a valid invoice from one of Treasure Island’s partner organizations. Treasure Island staff sent a loan meant for the partner organization directly to the cybercriminals’ bank account. The nonprofit unfortunately did not have cybercrime insurance.

How to Prevent BEC?

BEC attacks can be prevented by implementing a combination of technical, organizational, and behavioral measures, such as:

  • Using strong and unique passwords for email accounts, and changing them regularly.
  • Enabling multi-factor authentication for email accounts and other online services that support it.
  • Installing and updating antivirus software, firewalls, and spam filters on devices that access email accounts.
  • Verifying the sender’s identity, email address, and request, before responding to any email that asks for money, information, or action.
  • Confirming the request by contacting the sender through a different channel, such as phone, text, or in person.
  • Being wary of emails that have poor grammar, spelling, or formatting, or that create a sense of urgency, pressure, or threat.
  • Being cautious of clicking on links, opening attachments, or providing information in unsolicited or unexpected emails.
  • Educating and training staff, partners, and customers about the risks and signs of BEC attacks, and the best practices to avoid them.
  • Reporting and deleting any suspicious or fraudulent emails, and alerting the relevant authorities or parties.
  • Refraining from supplying login credentials or PII in response to any email, and never clicking on links or opening attachments from unknown or untrusted sources, as they may contain malicious software or direct you to fake websites.
  • Disabling legacy email protocols and authentication methods, such as POP, IMAP, and SMTP with basic (password-only) authentication, that can be used to circumvent multi-factor authentication. These protocols are outdated and insecure, they do not support MFA, and attackers may use them to access your email account without needing your verification code.
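As a defender-side illustration of the look-alike domain tricks described under spoofing above and of the sender-verification steps in this list, here is an added example (not code from the original post or from Apps4Rent) that triages one raw message: it folds common look-alike characters, compares the sender domain to a set of trusted domains by edit distance, flags a Reply-To that points elsewhere, and notes urgency wording. The sample message and every name and domain in it are constructed for this example.

```python
from email import message_from_bytes, policy
# Constructed sample (names and domains invented): look-alike sender domain, mismatched Reply-To, urgent wording.
SAMPLE_EMAIL = b"""From: "Dana Reyes, CFO" <dana.reyes@exampIe-corp.com>
Reply-To: accounts@example-corp-invoices.net
To: payables@example-corp.com
Subject: Urgent: updated bank details for today's wire

Please process the attached invoice to the new account before 3pm.
"""

TRUSTED_DOMAINS = {"example-corp.com"}  # own domain plus vetted partner domains
URGENCY_PHRASES = ("urgent", "immediately", "before", "today", "asap")
# Fold characters commonly swapped for look-alikes so "exampie" compares equal to "example".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "i": "l", "|": "l"})

def levenshtein(a, b):
    # Edit distance: the number of single-character changes that turn a into b.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    # Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated.
    if domain.lower() in trusted:
        return None
    d = domain.lower().translate(HOMOGLYPHS)
    for t in trusted:
        tn, label = t.translate(HOMOGLYPHS), t.split(".")[0]
        if levenshtein(d, tn) <= 2 or label in d:  # swapped letter, changed TLD, or brand embedded
            return t
    return None

def triage(raw_bytes):
    # Return the BEC indicators found in one raw RFC 5322 message.
    msg = message_from_bytes(raw_bytes, policy=policy.default)
    from_domain = msg["From"].addresses[0].domain
    reply_domain = msg["Reply-To"].addresses[0].domain if msg["Reply-To"] else from_domain
    findings = []
    if imitated := lookalike_of(from_domain):
        findings.append(f"From domain {from_domain} imitates trusted domain {imitated}")
    if reply_domain.lower() != from_domain.lower():
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    text = (str(msg["Subject"]) + " " + msg.get_body(("plain",)).get_content()).lower()
    if hits := [p for p in URGENCY_PHRASES if p in text]:
        findings.append("urgency language: " + ", ".join(hits))
    return findings
```

Running `triage(SAMPLE_EMAIL)` on the constructed message returns three findings; a message from a trusted domain with a matching Reply-To and neutral wording returns an empty list.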

If you want to learn more about how to protect your business from email compromise and other cyber threats, we recommend you check out these resources from Microsoft:

We hope you found this blog helpful and informative. If you want to learn more about how Apps4Rent can help you secure your email and business communication, please visit our website or chat with our experts. We offer a range of services and solutions, such as Office 365, Exchange Online, Microsoft Teams, Azure, and more, that can enhance your productivity and security. Don’t let BEC compromise your business. Contact Apps4Rent Support today and get started with enhancing your security.
