Many businesses underestimate the impact of business email compromise (BEC). It doesn’t cause shutdowns or an immediate loss of productivity and therefore often flies below the radar. However, the financial impact of BEC can be immense and the losses significant. According to Verizon’s 2021 Data Breach Investigations Report, 95% of BECs result in a financial loss ranging between $250 and $985,000, with $30,000 being the median. To prevent BEC, we first need to understand how these attacks happen.

How does a BEC attack happen?

Some common tactics attackers use include email or website spoofing, phishing, and malware.

  • Email or website spoofing – Hackers make a slight modification to a legitimate company email or website address to fool people into thinking it is authentic.
  • Phishing – An email that appears to come from a trusted sender. This form of attack aims to trick victims into revealing confidential information, including access to company accounts, calendars and data.
  • Malware – Malicious software that infiltrates a company’s networks to gain access to emails about billing and invoices.
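The spoofing tactic above relies on a sender domain that differs from a legitimate one by a character or two. The following is an added example, not code from the article or from ConnectWise, of how a mail gateway or SOC script could flag such lookalike sender domains against an allowlist; the trusted domains, confusable-character table and sample `From:` headers are constructed for illustration.

```python
import re

# Constructed for this example: domains the organisation actually uses or
# regularly corresponds with. In practice this comes from your own records.
TRUSTED_DOMAINS = {"example.com", "example-partner.com"}

# Character sequences that look alike in common fonts. Each is mapped to a
# canonical form so "exarnple.com" and "examp1e.com" both normalise to
# "example.com" before comparison.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalise(domain: str) -> str:
    d = domain.lower()
    for look, real in CONFUSABLES:
        d = d.replace(look, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(header_from: str) -> str:
    """Pull the domain out of a From: header value such as 'Bob <bob@x.com>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", header_from)
    return m.group(1).lower().rstrip(".") if m else ""


def classify(header_from: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a From: header value."""
    domain = sender_domain(header_from)
    if domain in trusted:
        return "trusted"
    norm = normalise(domain)
    for t in trusted:
        nt = normalise(t)
        # Same registrable name under another TLD (example.net) is also suspect.
        if norm == nt or edit_distance(norm, nt) <= max_dist \
                or norm.split(".")[0] == nt.split(".")[0]:
            return "lookalike"
    return "external"
```

Messages classified as `lookalike` are the ones worth routing to a quarantine or a human review queue rather than the user's inbox.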

It is important to keep in mind that BEC has been around for decades, therefore these attacks have grown more creative and sophisticated over time. Email scammers continuously adjust and update their tactics to prey on uninformed or careless employees.

What should I do after a BEC attack?

If you have fallen victim to a BEC, remain calm and act quickly. Here are four steps you should take to ensure the attack doesn’t get worse:

  • Contact the originating financial institution as soon as fraud is recognized to request a recall or reversal and a hold harmless letter or letter of indemnity.
  • Alert your IT department/manager about the incident and provide as much information about the incident as you can.
  • File a complaint with the FBI’s Internet Crime Complaint Center.
  • Secure email accounts with new, complex passwords, a different one for each service. You should also consider adding multi-factor authentication (MFA).

How can I protect myself from BEC?

Every business can fall victim to a BEC, which is why it is important to always be prepared, just as for any other cyberattack. Here are four ways organizations can protect themselves:

  • Training – Because end users are the main target of BEC attacks, it’s important to implement a cybersecurity awareness training program. Individuals should be able to spot the tactics listed above. They should also know what steps to take if they think they’ve encountered a potentially suspicious email.
  • Review your technical security controls – The goal is to look for signs of abnormal activity within any of your systems. Take the time to examine things like suspicious logins that might come from a new location you’ve never seen before.
  • Utilize modern email security solutions – Software can detect a lot of BEC threats. Modern email solutions monitor message text for account numbers, user credentials, credit card numbers, etc., to catch scams early on. These solutions also learn the communication patterns between employees to help flag potential BEC attempts.
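The control review above singles out sign-ins from a location never seen for that account. As an added example, not part of the article, the script below builds a per-user baseline of countries from successful sign-ins and alerts on the first success from a country outside it; the log format and the sample events are constructed for this illustration, so map your own provider's fields onto the parser.

```python
import re
from collections import defaultdict

# Constructed sample of mailbox sign-in events. The line format is invented
# for this example; real identity providers export richer fields.
SAMPLE_LOG = """\
2024-03-01T08:02:11Z user=alice country=US result=success
2024-03-01T08:05:40Z user=bob country=US result=success
2024-03-02T09:12:03Z user=alice country=US result=success
2024-03-02T22:48:19Z user=alice country=NG result=success
2024-03-03T03:10:55Z user=bob country=RU result=failure
2024-03-03T03:11:07Z user=bob country=RU result=success
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) country=(\S+) result=(\S+)$")


def parse(log_text: str) -> list:
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({"ts": m[1], "user": m[2], "country": m[3], "result": m[4]})
    return events


def new_location_logins(events: list) -> list:
    """Alert on a successful sign-in from a country the user has never
    succeeded from before. A user's very first success only seeds the
    baseline; failed attempts never widen it."""
    seen = defaultdict(set)
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
        if ev["result"] != "success":
            continue
        known = seen[ev["user"]]
        if known and ev["country"] not in known:
            alerts.append((ev["ts"], ev["user"], ev["country"], sorted(known)))
        known.add(ev["country"])
    return alerts


if __name__ == "__main__":
    for ts, user, country, baseline in new_location_logins(parse(SAMPLE_LOG)):
        print(f"{ts} {user}: success from {country}, previously only {baseline}")
```

Each alert is a prompt to confirm with the user out of band and to look at what the session did next, such as new mailbox rules or forwarding addresses.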

While no one wants to be the victim of a BEC, these types of attacks will continue to happen if email is being used in the workplace. It is critical to know the proper protocols and act quickly after a BEC threat to prevent significant financial loss and keep your organization safe.


Raffael Marty

Raffael Marty is senior vice president of security products at ConnectWise. He brings more than 20 years of cybersecurity industry experience across engineering, analytics, research, and strategy to the company. Marty is responsible for developing and executing the ConnectWise cybersecurity strategy. Prior to ConnectWise, Marty was head of research and intelligence at Forcepoint, ran security analytics for Sophos, launched PixlCloud, a visual analytics platform, and Loggly, a cloud-based log management solution. Additionally, Marty held key roles at IBM Research, ArcSight and Splunk and is an expert on established best practices and emerging innovative trends in the big data and security analytics space. Marty is one of the industry's most respected authorities on security data analytics, big data, and visualization. He is the author of “Applied Security Visualization” and is a frequent speaker at global academic and industry events. Marty holds a master's degree in computer science from ETH Zurich, Switzerland, and is a student of the Japanese tradition of Zen meditation.
