BEC - Business Email Compromise
Business Email Compromise (BEC) is a cybercrime in which an attacker impersonates a trusted person such as a company executive, business partner, or attorney and uses email to direct fraudulent transfers or the disclosure of confidential information. Because it exploits human trust and everyday business processes rather than a technical vulnerability, it can be considered one of the most refined forms of social engineering. According to the FBI's IC3 (Internet Crime Complaint Center), cumulative reported BEC losses exceeded 50 billion US dollars between 2013 and 2023, making it the cybercrime with the largest financial damage in IC3's statistics.
Five Attack Patterns
1. CEO fraud. Impersonating an executive, the attacker instructs the finance staff to make an urgent transfer. A typical tactic is to demand secrecy: "this is a confidential deal, do not tell anyone."
2. Bogus invoice. The attacker forges or alters a supplier's invoice and swaps the payment account for one they control. Because the request blends into legitimate transactions, it tends to be discovered late, often only when the real supplier asks why it has not been paid.
3. Attorney impersonation. Posing as a corporate attorney or legal officer, the attacker demands an urgent transfer under the pretext of an M&A deal or litigation, usually with a deadline that leaves no time to check.
4. Account compromise. The attacker hijacks an employee's real email account and sends a fake invoice to a business partner from that account. Because the message really comes from the genuine mailbox, SPF, DKIM, and DMARC all pass, and only the content gives it away.
5. Data theft. Posing as the HR department, the attacker requests employees' W-2 forms (US withholding tax statements) or other personal information. The target is information rather than money, although the stolen data is frequently used to prepare further fraud.
What these patterns have in common is that the attacker researches the target organization thoroughly in advance. Organizational charts, supplier relationships, and executives' travel schedules are gathered from social media and corporate websites, and the attack is launched at the moment it is most likely to succeed, for example while the impersonated executive is traveling and hard to reach. The techniques overlap considerably with spear phishing and whaling, so understanding those attack methods is the first step toward defense.
The Flow of a BEC Attack
Convergence with AI Deepfakes
In recent years, BEC has entered a new phase through its convergence with AI technology. In 2024, a BEC attack using a deepfake video conference occurred at a multinational company in Hong Kong, and approximately 25.6 million US dollars was defrauded. The attacker used AI to generate the video and audio of several executives, including the CFO, and directed a finance employee to make a transfer during a real-time video conference. In an era where not only emails but also voices and video can be forged, the conventional verification methods of "I heard their voice, so it must be them" or "I saw their face, so there is no mistake" can no longer be trusted. The evolution of deepfake technology has dramatically heightened the threat of BEC.
Preventing Impersonation with DMARC
The technical pillar of BEC countermeasures is DMARC (Domain-based Message Authentication, Reporting and Conformance). Building on the authentication results of SPF and DKIM, and additionally requiring that the authenticated domain align with the visible From domain, DMARC lets a domain owner tell receivers how to handle mail that spoofs that domain: p=none (deliver and only report), p=quarantine, or p=reject. A record left at p=none reports spoofing but stops none of it, so the goal is to reach enforcement. Its limits matter for BEC. DMARC protects only against spoofing of your own domain: it cannot address look-alike domains (for example, examp1e.com), which the attacker controls and can therefore set up to authenticate correctly; it does nothing against a display-name trick in which the From name shows an executive's name while the address is a free webmail account; it is bypassed entirely when a genuine mailbox has been compromised; and if a business partner has not deployed DMARC, attack emails impersonating that partner pass straight through. Technical measures alone are insufficient, and they must work in tandem with human measures.
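To make the DMARC decision concrete, here is an added example (not code from the original article) that parses a DMARC TXT record, flags the weak settings a reviewer would object to, applies the pass-or-policy decision to constructed SPF/DKIM results, and shows why a look-alike domain slips past it. The records, the partner list, and the domains are all constructed for illustration; a real receiver would also consult the Public Suffix List for organizational domains, which is approximated here with a two-label rule.

```python
"""DMARC: what it decides, what a weak record looks like, and the look-alike gap.

Added example for this article; it is not code from the original page. The
TXT records, domains and authentication results below are constructed.
"""

# Constructed TXT records for _dmarc.example.com (monitor-only vs enforcing).
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc-reports@example.com")

# Constructed list of partner domains the finance team is allowed to pay.
PARTNER_DOMAINS = {"example.com", "supplier.example"}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC TXT record into tags, applying the RFC 7489 defaults."""
    tags = {"adkim": "r", "aspf": "r", "pct": "100"}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    tags.setdefault("sp", tags["p"])  # subdomain policy falls back to p
    return tags


def weaknesses(tags: dict) -> list:
    """Findings a reviewer would raise before calling the record 'deployed'."""
    found = []
    if tags["p"] == "none":
        found.append("p=none: spoofed mail is only reported, never quarantined or rejected")
    elif tags["sp"] == "none":
        found.append("sp=none: subdomains of the protected domain can still be spoofed")
    if int(tags["pct"]) < 100:
        found.append("pct=%s: the policy is applied to only a fraction of mail" % tags["pct"])
    return found


def org_domain(domain: str) -> str:
    """Crude organizational-domain rule (last two labels); receivers use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed accepts the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(tags, from_domain, spf_pass, spf_domain, dkim_pass, dkim_domain):
    """Return 'pass', or the action the From domain's policy asks for.

    DMARC passes when SPF or DKIM passes *and* the domain that passed aligns
    with the RFC 5322 From domain. The From domain is assumed to be the policy
    domain itself, so p (not sp) applies.
    """
    spf_ok = spf_pass and aligned(spf_domain, from_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(dkim_domain, from_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass"
    return {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}[tags["p"]]


_CONFUSABLES = str.maketrans("1053i", "losel")


def skeleton(domain: str) -> str:
    """Collapse common substitutions (1/l, 0/o, 5/s, 3/e, i/l, rn/m, vv/w) for comparison."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(_CONFUSABLES)


def classify_sender(domain: str, partners=PARTNER_DOMAINS):
    """Exact partner, a look-alike of one (which DMARC cannot catch), or unknown."""
    domain = domain.lower()
    if domain in partners:
        return "partner", domain
    for partner in partners:
        if skeleton(domain) == skeleton(partner):
            return "look-alike", partner
    return "unknown", None


if __name__ == "__main__":
    strong = parse_dmarc(STRONG_RECORD)
    print("weak record findings:", weaknesses(parse_dmarc(WEAK_RECORD)))
    print("spoof of example.com under p=reject:",
          dmarc_disposition(strong, "example.com", False, "mail.attacker.test", False, ""))
    # The look-alike domain belongs to the attacker, who can make SPF pass for it.
    print("examp1e.com with its own valid SPF:",
          dmarc_disposition(parse_dmarc("v=DMARC1; p=reject"), "examp1e.com",
                            True, "examp1e.com", False, ""),
          classify_sender("examp1e.com"))
```

The last call is the point of the caveat in the text: the attacker's examp1e.com authenticates perfectly and gets "pass", so only a look-alike check against the list of domains you actually do business with catches it. The skeleton comparison here is deliberately simple; production mail gateways use fuller confusable tables and Unicode homoglyph handling.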
The Most Effective Countermeasure - Phone Verification Before Transfers
The most effective and lowest-cost countermeasure against BEC is an organizational rule: whenever a transfer instruction or a change of bank details arrives, verify it directly with the requester by phone on a pre-registered number. The key point is to call the number in the company's internal contact list, not a number written in the email, because attackers sometimes include their own phone number in the message precisely so that the "verification" call reaches them. Adding dual control, which requires approval by two different people for transfers above a set amount, is also effective, as is treating any change of a supplier's bank account as a change to master data that goes through its own verification rather than being accepted from an invoice. Please also refer to the guide to phishing countermeasures and social engineering defense.
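The process above is easy to state and easy to get wrong in practice, so here is an added example (not from the original article) of a release gate that encodes it: the callback must have been placed to the number in the vendor master, never to a number the email offered; a bank account that differs from the master record holds the payment; and above a threshold two distinct approvers are required. The vendor master, the threshold, and the requests are constructed for illustration.

```python
"""Release gate for an emailed transfer instruction (callback + dual control).

Added example for this article, not code from the original page. Vendor
master data, the threshold and the requests are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

DUAL_CONTROL_THRESHOLD = 10_000  # assumed amount at or above which two approvers are required


@dataclass(frozen=True)
class Vendor:
    """Entry from the company's own vendor master / internal contact list."""
    name: str
    registered_phone: str
    bank_account: str


@dataclass(frozen=True)
class TransferRequest:
    """What finance staff extracted from the incoming email."""
    vendor: str
    amount: int
    bank_account: str               # account printed on the invoice / in the email
    phone_in_email: Optional[str]   # contact number the email itself offers, if any


@dataclass(frozen=True)
class Callback:
    """Record of the verification call finance staff actually placed."""
    number_dialed: str
    confirmed: bool


# Constructed vendor master (not real data).
VENDOR_MASTER = {
    "Acme Supplies": Vendor("Acme Supplies", "+1-555-0100", "DE89 3704 0044 0532 0130 00"),
}


def review_transfer(req, callback, approvers, master=VENDOR_MASTER):
    """Return ("release", []) or ("hold", [reasons]).

    The decision never trusts anything that came from the email except the
    fact that a request exists: the phone number is taken from the master,
    the account is compared with the master, and the approver list must name
    two different people above the threshold.
    """
    reasons = []
    vendor = master.get(req.vendor)
    if vendor is None:
        return "hold", ["vendor not in master data"]

    if req.phone_in_email and req.phone_in_email != vendor.registered_phone:
        reasons.append("email offers a phone number that differs from the registered one")

    if callback is None:
        reasons.append("no verification call recorded")
    elif callback.number_dialed != vendor.registered_phone:
        reasons.append("verification call went to %s, not the registered %s"
                       % (callback.number_dialed, vendor.registered_phone))
    elif not callback.confirmed:
        reasons.append("requester did not confirm the transfer on the registered number")

    if req.bank_account != vendor.bank_account:
        reasons.append("bank account differs from vendor master (possible invoice swap); "
                       "update the master through its own change process first")

    if req.amount >= DUAL_CONTROL_THRESHOLD and len(set(approvers)) < 2:
        reasons.append("amount requires two distinct approvers")

    return ("release", []) if not reasons else ("hold", reasons)


if __name__ == "__main__":
    legit = TransferRequest("Acme Supplies", 5_000, "DE89 3704 0044 0532 0130 00", None)
    print(review_transfer(legit, Callback("+1-555-0100", True), ["alice"]))
    # Constructed attack: swapped account, attacker's own number in the email,
    # staff "verified" on that number, and one person approved twice.
    attack = TransferRequest("Acme Supplies", 50_000, "GB29 NWBK 6016 1331 9268 19", "+1-555-0199")
    print(review_transfer(attack, Callback("+1-555-0199", True), ["alice", "alice"]))
```

The attack case is held for four independent reasons, which is the property you want from such a gate: even if staff are talked into calling the number in the email, the account mismatch and the dual-control rule still stop the payment.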
BEC is a form of phishing, but unlike the spray-and-pray type that targets the general public indiscriminately, it targets specific individuals with a tailored pretext, which is why the loss per incident is orders of magnitude larger. Be sure to also check the latest trends in AI-powered phishing and prepare for evolving threats.