Why Organizations Need to Prepare Themselves for BEC Attacks

Josue Ledesma

February 09, 2022

Why Organizations Need to Prepare Themselves for BEC Attacks

Organizations face a number of different attacks across a variety of vectors, which is often why it’s so difficult for leaders to effectively secure their environment. Many attacks are carried out by malicious hackers and bad actors with a number of different priorities. They may be targeting your organization to steal your data, impact your reputation, or just to use you as a platform for reaching another high-value target.

Hackers may also seek financial gain — this is partly why ransomware has become so ubiquitous and prevalent. However, another common attack that directly impacts a company’s bottom line is a business email compromise (BEC) attack.

In this article, we want to show you what a BEC attack is, who’s at risk, and how you can combat it.

What is a BEC?

A business email compromise (or BEC) is an email-based stack where a hacker looks to steal funds from a victim by sending a fraudulent email. The email often contains a fake invoice or impersonates a high-level individual in order to push the email recipient to transfer funds without obtaining further approval.

While BEC attacks are fairly low-tech, (some BEC attacks are carried out in the form of fraudulent gift cards) they are sophisticated in their targeting and can work incredibly well, mixing social engineering and traditional phishing tactics. According to a study from the IC3, BEC attacks are 62 times more profitable than ransomware attacks. BEC attacks are often most effective because they:

Target unsuspecting employees: Unlike spam and phishing attacks that indiscriminately target entire departments and organizations, a BEC attack is done with more research and often targets the individual who can make the fund transfer happen.

The email drives urgency: BEC attacks often drive urgency in order to make the transfer happen as quickly as possible. Depending on who the email is “from,” (the CEO or CFO), the victim may prioritize the email to appease the sender.

It’s highly targeted: These attacks are quite sophisticated in their targeting, often doing their research on the company and their specific victim in order to increase the odds of success.

BEC attacks are quite lucrative and have cost businesses $1.8B in 2021 alone, making it one of the most financially devastating attacks.

Who’s at risk for BEC attacks?

While technically any company is at risk for BEC attacks, larger corporations and enterprise companies are more likely to fall victim to these kinds of attacks. Smaller companies and start ups are less likely to be attacked because they can often be caught before any funds transfer.

However, larger companies, especially banks, who deal with a high number of transactions and invoices are likely to be targeted. Hackers know that large companies often have a longer and slower chain of command so a single invoice is likely to be approved for payment and it’ll take more time before they’re caught, giving hackers ample time to cover their tracks and successfully escape with the stolen goods.

Recent research has also shown that political organizations have suffered from a number of BEC attacks. Because these companies often employ a high number of vendors and outsourced companies, they may not be able to properly distinguish a real invoice from a fake one.

How can organizations defend against this type of attack

Against this type of attack, employees are often the first and only line of defense so any proactive measures need to start there. Here are a couple of key steps.

Security awareness training: If you don’t already have a security awareness program in place, that’s the first step. Your employees should have some kind of understanding of the kinds of attacks that they’re likely to face, including BEC attacks.

BEC specific training: For high-risk individuals or departments (likely the finance department), it may be worth providing training that specifically alerts the team to what BEC attacks are, what they look like, and what to do if they spot one.

Simulation training: To get a better understanding of what your risk of BEC attacks are, simulation training that simulates a BEC attack will give you clear insight into your department's general preparedness while helping you spot individuals who may need more training.

Invoice and fund transfer policies: Setting policies that stop or prevent invoices from being paid without specific approval from certain parties can help protect against BEC attacks by adding verification steps that may catch a suspicious invoice or email before its paid out.

Email monitoring and detection tools: Depending on your organizations risk tolerance, you may want monitoring and detection tools that filter out problematic domains or spoofed email senders. This will hopefully prevent automated attacks and reduce the risk of your employees from even seeing a compromising email.

BEC attacks are dangerous but not invincible

Defending against BEC attacks is crucial but requires a more targeted approach to reduce the risk of it impacting your organization. Make sure your employees know the potential impact of this kind of attack and that it does happen often. Don’t let them think that it’s just a spam attack that can be harmless.

If you are part of a much larger organization, you’ll have to make the case to department heads in legal and finance so take the time to prep your talking points and remember that discussing the risk to the bottom line is often the quickest way to make something happen. BEC attacks do result in stolen funds so it’s imperative to be protected. Beyond training and awareness, email security solutions are effective ways to build in security so you’re not completely reliant on your employees to catch every BEC email that comes their way. 


To learn more about how Bitdefender defends against BEC and other email attacks, check out the GravityZone Email Security solution.


Contact an expert



Josue Ledesma

Josue Ledesma is a writer, filmmaker, and content marketer living in New York City. He covers cyber security, tech and finance, consumer privacy, and B2B digital marketing.

View all posts

You might also like