Business Email Compromise (BEC)
A social engineering attack where adversaries hijack or spoof corporate email accounts to defraud organizations, redirect payments, or exfiltrate sensitive data.
Definition
Business Email Compromise (BEC) is a financially motivated attack in which threat actors gain unauthorized access to — or convincingly impersonate — a legitimate corporate email account to manipulate employees, vendors, or partners. Unlike phishing campaigns that rely on malware, BEC is largely social engineering: attackers exploit trust and urgency to authorize fraudulent wire transfers, gift card purchases, or credential disclosures. The FBI consistently ranks BEC as the costliest cybercrime category, with billions in annual reported losses.
Why It Matters
BEC attacks frequently go undetected for weeks because they leverage valid credentials and blend into normal mail flow, leaving no malware signature for traditional defenses to catch. A single successful intrusion can result in six- or seven-figure financial losses, regulatory exposure under data protection laws, and lasting reputational damage with clients and partners. Early detection through behavioral and mail-flow forensics is critical to containing the blast radius.
How It Works
Attackers typically begin by credential-phishing or password-spraying a target mailbox, then establish persistence by creating inbox rules that silently forward or delete emails to cover their tracks. They conduct reconnaissance inside the mailbox — studying payment processes, vendor relationships, and executive communication styles — before impersonating a trusted party to request a fraudulent action. In more sophisticated campaigns, threat actors register lookalike domains and grant OAuth app consents to maintain access even after a password reset. The full attack chain can span days to months before any money moves, making timeline reconstruction essential for incident response.
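To make the investigative side of this chain concrete, here is an added example (not DFIR Lab's code or API) that runs a small BEC triage pass over constructed Microsoft 365-style audit records. It flags the three artefacts described above from a defender's view: inbox rules that forward externally, delete mail or hide it in rarely read folders; consecutive sign-ins that would require impossible travel speeds; and sender domains that are lookalikes of the organisation's own. The hits are then merged into a single timeline. All records, the victim domain `example.com`, the `SUSPICIOUS_FOLDERS` list and the 900 km/h travel threshold are assumptions for the demonstration.

```python
"""Added BEC triage example over constructed audit data (not the platform's code)."""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

INTERNAL_DOMAIN = "example.com"  # assumed victim domain

# Constructed sample: sign-in audit records with geolocated source IPs
SIGNINS = [
    {"user": "cfo@example.com", "ts": "2024-03-04T08:05:00Z", "ip": "203.0.113.7",
     "lat": 51.51, "lon": -0.13},    # London
    {"user": "cfo@example.com", "ts": "2024-03-04T09:20:00Z", "ip": "198.51.100.9",
     "lat": 40.71, "lon": -74.01},   # New York, 75 minutes later
]
# Constructed sample: mailbox rule creation events (the second is a benign rule)
RULES = [
    {"user": "cfo@example.com", "ts": "2024-03-04T09:31:00Z", "name": ".",
     "forward_to": "archive@mail-example.com", "delete": False, "move_to": "RSS Subscriptions"},
    {"user": "cfo@example.com", "ts": "2024-02-20T12:00:00Z", "name": "Vendor invoices",
     "forward_to": None, "delete": False, "move_to": "Invoices"},
]
# Constructed sample: sender domains observed in inbound mail
SENDER_DOMAINS = ["example.com", "examp1e.com", "partner.org"]

# Folders attackers commonly pick because users rarely open them (assumed list)
SUSPICIOUS_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                      "deleted items", "junk email", "archive"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    h = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def impossible_travel(signins, max_kmh=900):
    """Flag consecutive sign-ins per user that imply travel faster than max_kmh."""
    by_user = {}
    for s in sorted(signins, key=lambda s: s["ts"]):
        by_user.setdefault(s["user"], []).append(s)
    hits = []
    for user, events in by_user.items():
        for a, b in zip(events, events[1:]):
            hours = (parse_ts(b["ts"]) - parse_ts(a["ts"])).total_seconds() / 3600
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            if hours > 0 and km / hours > max_kmh:
                hits.append({"ts": b["ts"], "user": user, "kind": "impossible_travel",
                             "detail": f"{km:.0f} km in {hours:.2f} h ({a['ip']} -> {b['ip']})"})
    return hits


def audit_inbox_rules(rules, internal_domain=INTERNAL_DOMAIN):
    """Flag rules that forward externally, delete mail, hide it, or carry a throwaway name."""
    hits = []
    for r in rules:
        reasons = []
        fwd = r.get("forward_to")
        if fwd and not fwd.lower().endswith("@" + internal_domain):
            reasons.append(f"forwards to external address {fwd}")
        if r.get("delete"):
            reasons.append("deletes matching mail")
        if (r.get("move_to") or "").lower() in SUSPICIOUS_FOLDERS:
            reasons.append(f"moves mail to rarely read folder '{r['move_to']}'")
        if len(r.get("name", "").strip()) <= 1:
            reasons.append("near-empty rule name")
        if reasons:
            hits.append({"ts": r["ts"], "user": r["user"], "kind": "suspicious_inbox_rule",
                         "detail": "; ".join(reasons)})
    return hits


def normalize(domain):
    """Fold common homoglyph substitutions so 'examp1e' compares equal to 'example'."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")):
        d = d.replace(src, dst)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domains(seen, legit=INTERNAL_DOMAIN, max_dist=1):
    """Return sender domains within max_dist edits of the legitimate domain after normalising."""
    return [{"ts": None, "user": None, "kind": "lookalike_domain", "detail": d}
            for d in seen if d.lower() != legit
            and edit_distance(normalize(d), normalize(legit)) <= max_dist]


def build_timeline(signins, rules, sender_domains):
    """Merge all findings into one chronological list; undated findings go last."""
    events = impossible_travel(signins) + audit_inbox_rules(rules) + lookalike_domains(sender_domains)
    return sorted(events, key=lambda e: (e["ts"] is None, e["ts"] or ""))


if __name__ == "__main__":
    for e in build_timeline(SIGNINS, RULES, SENDER_DOMAINS):
        print(e["ts"] or "undated", e["kind"], e["user"] or "-", e["detail"])
```

Each detector returns its findings as records rather than printing them so they can be joined into the timeline, which is the view an incident responder needs to work out when the mailbox was first touched, when persistence was added and which outbound messages post-date the compromise. Real investigations would feed the functions from exported unified audit logs rather than the embedded samples, and the geolocation step assumes IPs have already been resolved to coordinates.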
DFIR Platform
BEC Investigation API
DFIR Lab's BEC Investigation API provides 9 dedicated endpoints covering the full attack chain: sign-in auditing with impossible-travel and suspicious-login detection, inbox rules audit, mail-flow forwarding audit, OAuth app consent audit, lookalike domain detection, timeline reconstruction, and auto-generated investigation reports. Access via the platform or run `dfir-cli bec timeline --domain <domain>` from the CLI.