What is a business email compromise (BEC) attack?

A business email compromise (BEC) scam is a type of phishing or smishing attack in which threat actors pivot to network environments for financial gain. While business email compromise (BEC) via phishing utilizes email, business email compromise (BEC) via smishing uses text messages to target people.

How do business email compromise (BEC) attacks differ from phishing scams?

Unlike traditional phishing scams, which are typically sent in large volumes, business email compromise (BEC) attacks are highly targeted, with attackers conducting extensive reconnaissance to ensure that their fake email requests appear as authentic as possible. When instigating an attack, BEC scammers will seek to build victims’ trust by sending a sequence of emails and will often use language to drive an urgent response, encouraging behaviour that ignores standard security protocols.

How does business email compromise (BEC) work?

A business email compromise (BEC) attack involves the use of email to defraud an employee, customer or supply chain partner into sending money or sharing confidential information. The process starts with the attacker researching their intended victims, then trawling through business websites and social media for personal data relating to that person. Once they gain access to a company’s systems, they closely monitor emails to identify individuals that have the right to access or distribute money. They will then impersonate one of these people by spoofing the email domain before seeking to gain the trust of the email recipient in order to gain access to money or sensitive company data.

How many types of business email compromise (BEC) scams are there?

Business email compromise (BEC) scams can take a variety of forms. One of the most common types is executive fraud, in which an attacker poses as a senior executive and sends email communications to finance teams requesting an urgent wire transfer to an account they control. Another type of business email compromise (BEC) is payroll fraud, in which attackers send emails targeting HR employees to encourage them to update banking details, resulting in bank payments being fraudulently transferred elsewhere.

Which companies and employees are commonly targeted by business email compromise (BEC) scams?

Any type of company can fall victim to business email compromise (BEC) fraud. Scammers frequently target the most senior and the most junior employees within an organization. Because employees such as C-suite executives, HR managers and finance managers often have a high profile on company websites and social media, it can be easy for potential attackers to find some level of personal information for use in the initial scam. New or junior-level employees are often targeted because they may be more susceptible to trusting an unexpected request for information or they may lack knowledge of key security controls.

How do you prevent business email compromise (BEC) attacks?

Mitigating the risks of business email compromise (BEC) requires a layered approach that incorporates several key elements. Companies should nurture an organizational culture that encourages vigilance about potential phishing or smishing scams. They should also set up and enforce robust IT controls such as application-based multi-factor authentication (MFA) and virtual private networks (VPNs). Regular email and cloud security assessments can also be beneficial, alongside solutions such as managed detection and response (MDR) for Office 365 , as these can flag suspicious behavior, ingest mail logs and survey for malicious activity.

What is the potential impact of business email compromise (BEC) fraud?

In 2022, the Federal Bureau of Investigation released an alert about global exposed losses of $43 billion between 2016 and 2021 as a result of business email compromise (BEC) fraud. While much of this can be attributed to the impact of the pandemic, the issue continues to be consequential, presenting significant risk of potential financial and reputational damage to businesses. Even when companies put in a cyber insurance claim to cover their financial losses, these can be denied if the employees involved are shown not to have followed the appropriate security procedures.

Business Email Compromise (BEC) Response and Investigation

In a business email compromise (BEC) attack, fast and decisive response can make a tremendous difference in limiting financial, reputational and litigation risk. With decades of experience investigating BEC scams across a variety of platforms and proprietary forensic tools, Kroll is your ultimate BEC response partner.

Get a Quote

24X7 Hotline

Our experts have honed every step of the investigative process and created unique tools for multiple platforms to deliver timely and defensible answers for BEC challenges—from misdirected payments to the compromise of sensitive data or unauthorized access to the greater network environment.

What is Business Email Compromise?

Business email compromise is the unauthorized access to one or more mailboxes by a threat actor. Threat actors have historically performed BEC attacks in order to commit financial fraud, such as misdirecting payments or wire transfers to an actor-controlled bank account. While financial fraud is still a primary goal, actors are increasingly evolving BEC attacks to gain greater access—from exploring connected SharePoint, OneDrive and Teams areas to pivoting to network environments where they can exfiltrate and sometimes encrypt (ransom) sensitive data.

Explore Cyber and Data Resilience

Cyber Risk Retainer

Cybersecurity Compromise Assessments

Cloud Security Services

Cyber Litigation Support

Common BEC Attack Vectors and Mitigation Steps

BEC attacks most commonly begin with a phishing email message that contains a malicious attachment or layered redirect links to credential harvesting websites. In recent years, Kroll has observed threat actors evolving their tactics to include:

Phishing via voicemail (vishing) and text message (smishing)
Multi-factor authentication (MFA) prompt bombing or MFA fatigue
Adversary-in-the-middle (AiTM) phishing campaigns where threat actors can steal passwords and hijack active user sessions even with MFA enabled.
Leveraging passwords exposed in an unrelated third-party breach, especially in the case of credential reuse (the habit of using the same or similar password for multiple accounts)
Exploiting software vulnerabilities to include those in Microsoft Exchange servers
Exploiting access gained in a ransomware attack to compromise email accounts
Exfiltrating and deleting cloud data and then ransoming to not release the stolen information

Loading component...

Recently, Kroll experts demonstrated an evolution in threat actor tactics by using the data transfer program Rclone via a compromised M365 account to download a massive number of files from SharePoint—all without remote access to a host. This new tactic, M365 Theft/Extortion, follows a similar threat actor pattern commonly seen in more traditional incident response type matters.

Kroll offers a number of solutions in order to protect your organization from falling victim to a business email compromise attack:

Full Service BEC Investigations

Our forensic investigators and analysts can do a full tenant review, including full log analysis where Kroll reviews for suspicious activity related to previously identified indicators of compromise (IOC), as well as foreign logins or access to mailboxes within an email environment, Enterprise mail rule review and a detailed forensic report.

Fixed Fee BEC Solution

Our experts have created an efficient, budget-friendly automated tool that provides a simplified report of the investigative findings. This tool will answer key questions to help determine the extent of the compromise on an effected account/tenant.

Loading component...

	Fixed Fee BEC	Full Service BEC
Covering the Affected M365 Accounts(s)
Full tenant review for IOCs
Tenant wide (all accounts) log analysis	Optional add-on
Triage for initial compromise vector (phishing email, impersonation, etc.)	Optional add-on
Identification and preservation of unauthorized emails (auto-forwarded, sent externally by threat actor, etc.)	Optional add-on
Client deliverable	Factual report (spreadsheet)	Narrative report
Pricing structure	Fixed fee	Custom
Suspicious behaviors pattern analysis (impossible travel, etc.)
Unauthorized access evidence
Unauthorized access duration
Access method (IMAP, POP, Web, Mail Client, etc.)
Mailbox sync activity evidence
Search results export
Covering the M365 Enterprise/Tenant(s)
Mailbox rules review

Loading component...

Kroll is a Recognized Global Leader in Business Email Compromise Investigations

Our experts are well-equipped to help you during every step of a BEC investigation. Kroll forensic investigators possess industry-leading forensic training and certifications, including GCFE, CFCE and GCFA, and extensive knowledge of email systems, including Microsoft Azure, Microsoft 365, Exchange and many APIs that can greatly expedite the investigation and uncover hard-to-spot activity. Kroll’s team consists of hundreds of examiners based in more than 16 countries across five continents and can meet varying needs for geographical-based legal requirements for client data storage, as well as residency requirements for examiners handling sensitive data.

Our team also has litigation support expertise, including several Relativity certifications and global forensic labs, so we can more efficiently and quickly perform managed mailbox review. Additionally, we work closely with 60+ cyber insurance carriers and hundreds of law firms so investigations are protected and move seamlessly.

Read more business email compromise case studies from our library to see our experts in action.

Take the Proactive Step – Business Email Compromise Prevention and Monitoring

In order to best prepare your organization against a BEC attack, Kroll experts can perform email and cloud security assessments to help harden mailboxes, assist with cloud system configuration and monitoring, and conduct simulated phishing attacks to help educate your staff. Additionally, Kroll Responder provides managed detection and response (MDR) monitoring for Office 365 to flag any suspicious behavior as well as ingest mail logs and survey for malicious activity.

Business Email Compromise Response via a Retainer

BEC can often be one aspect of a deeper compromise and may require deeper incident response, litigation support and even data breach notification support. Kroll clients can package full service or fixed fee BEC solutions with Kroll’s Cyber Risk Retainer, which gives you prioritized access to elite investigators and flexibility to allocate incident response resources as well as all other cybersecurity solutions offered by Kroll.

Loading component...

Frequently Asked Questions

BEC is the acronym for business email compromise, a form of social engineering in which a threat actor uses email to defraud a person into sending money or sharing confidential company data.

Loading component...

Connect With Us

Katherine Keefe

Global Cyber Insurance Industry LeadCyber and Data ResiliencePhiladelphia

Katherine Keefe

Loading component...

Stay Ahead with Kroll

Cyber and Data Resilience

Kroll merges elite security and data risk expertise with frontline intelligence from thousands of incident responses and regulatory compliance, financial crime and due diligence engagements to make our clients more cyber- resilient.

Learn More

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Learn More

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.

Learn More

Data Recovery and Forensic Analysis

Kroll's expertise establishes whether data was compromised and to what extent. We uncover actionable information, leaving you better prepared to manage a future incident.

Learn More

Incident Remediation and Recovery Services

Cyber incident remediation and recovery services are part of Kroll’s Complete Response capabilities, expediting system recovery and minimizing business disruption.

Learn More

Loading component...

Let's solve for the future

Yes, I would like to receive periodic event invitations, reports and news from Kroll.