# Business Email Compromise (BEC) Deep-Dive
## Definition
Business email compromise (BEC) is a category of financial fraud in which an attacker manipulates a business communication channel (primarily email) to redirect money, data, or both to an attacker-controlled destination. The FBI's Internet Crime Complaint Center (IC3) reported $2.9 billion in BEC losses in 2023, making it the highest-dollar cybercrime category by a substantial margin, exceeding ransomware losses by several times over.
BEC is not a single technique. It is a category that encompasses five distinct attack types, each with a different entry point, target role, and fraud mechanism. What they share: a heavy reliance on social engineering, a focus on the financial operations layer of a business, and an increasingly sophisticated use of technical tools to establish legitimacy.
The threat is growing in both volume and sophistication. Where early BEC relied on poorly spoofed display names and awkward prose, modern BEC uses account compromise (attackers operating from inside a legitimate mailbox), AI-generated voice calls mimicking executives, deepfake video conferences, and adversary-in-the-middle (AiTM) session hijacking to steal authenticated sessions without needing the victim's password. The $25 million deepfake video conference fraud that struck a Hong Kong multinational in early 2024, in which every participant except the victim was an AI-generated deepfake of actual company executives, represents the trajectory of where this threat category is heading.
In the Planetary Defense Model, BEC defense spans three domains: TID (Threat Intelligence and Defense) owns detection of BEC indicators and attacker behavioral patterns in email. SPH (Security Posture and Hygiene) owns the email infrastructure hardening that eliminates the technical prerequisites for domain spoofing. IAT (Identity Access and Trust) owns the account security controls that prevent and detect account compromise, the most dangerous BEC variant. No single domain defeats BEC alone.
## How It Works
### The Five BEC Types
#### 1. CEO Fraud (Business Executive Fraud)
The attacker impersonates a senior executive, most often the CEO or CFO, via a spoofed email address or compromised account. The target is a financial employee: accounts payable staff, wire transfer processors, or the CFO's assistant. The message creates urgency and confidentiality ("I need you to initiate a transfer today, do not discuss with others, I am in a meeting"). The target initiates a wire transfer to a mule account.
The attack chain: domain research (SEC filings, LinkedIn, company website) to identify the executive and the target employee → creation of a look-alike domain (company.com becomes c0mpany.com or company-inc.com) or spoofing of the display name → crafted email thread that mimics the executive's communication style → escalating pressure to complete the transfer before anyone can verify → funds sent to a foreign mule account followed by rapid conversion to cryptocurrency.
#### 2. Account Compromise (the Most Dangerous Variant)
The attacker does not impersonate anyone. They compromise a legitimate email account and operate from inside it. The fraud request appears to come from a real account, passes all email authentication checks (SPF, DKIM, DMARC), and is sent from a device that has previously corresponded with the target.
Full attack chain for account compromise BEC:
1. Target identification: The attacker identifies a business with pending financial transactions. LinkedIn reveals the CFO, the accounts payable manager, and their vendors. The company website and SEC filings identify transaction patterns and ongoing business relationships.
2. Credential acquisition: Two primary methods. First, spear-phishing: a targeted email delivers a credential harvesting page that mimics Office 365 or Google Workspace login. The victim enters their credentials, which the attacker captures. Second, AiTM (adversary-in-the-middle) session hijacking: the attacker deploys a reverse-proxy phishing kit (tools like Evilginx2 or Modlishka) that sits between the victim and the legitimate authentication portal. The victim completes MFA normally, the attacker's proxy forwards the request, and the authenticated session cookie is captured on the attacker's side. Standard MFA does not stop AiTM because the victim is actually authenticating; the attacker is stealing the resulting session.
3. Email rule creation: After gaining access, the attacker immediately creates email forwarding rules (forward all incoming mail to an attacker-controlled address) and suppression rules (delete alerts, mark security notifications as read, move certain inbox items to obscure folders). This allows the attacker to monitor communications without the victim seeing attacker-related messages.
4. Reconnaissance: The attacker reads the victim's inbox for weeks. They map active transactions, identify vendors with pending invoices, understand the victim's communication style, and identify the approval chain for large transfers. They are building a pretext, not rushing to execute.
5. Pretext construction: With a pending wire transfer identified, the attacker crafts a message that fits naturally into the existing email thread, matches the victim's tone and phrasing, and requests a payment instruction change ("our bank is undergoing an audit, please send the next payment to this account").
6. Execution: The fraudulent instruction is sent from the legitimate account. It passes every technical check. The receiving party has no reason to suspect it. Funds transfer to the mule account.
7. Monetization: Mule accounts are often controlled by unwitting recruits ("money mule" job scams). Funds are withdrawn in cash, converted to cryptocurrency, or wired internationally within hours. Recovery rate for BEC wire fraud is under 10% after 72 hours.
#### 3. Attorney and Legal Impersonation
The attacker impersonates a law firm or attorney involved in a pending transaction, most commonly real estate closings or M&A transactions. The timing targets the moment when large funds are expected to move. A message from "closing attorney Smith" with updated wire instructions redirects the closing funds to an attacker-controlled account. Real estate BEC alone accounts for hundreds of millions of dollars in annual losses.
#### 4. Vendor Email Compromise (VEC)
The attacker compromises or credibly impersonates a vendor's email account and inserts themselves into an ongoing business relationship. Payment instructions are changed mid-transaction: a legitimate invoice from a vendor is intercepted or replicated, with bank details changed to a mule account. The buyer pays the "vendor" invoice, the funds go elsewhere, and the legitimate vendor eventually follows up demanding payment for work that appears to have been paid.
VEC is particularly difficult to detect because the fraud exploits an established, trusted vendor relationship. The email may come from the actual vendor domain if the vendor's account has been compromised. The invoice amounts and reference numbers match what the buyer expects.
#### 5. Data Theft (W-2 and Payroll Fraud)
The attacker impersonates HR or payroll executives requesting W-2 data for all employees or requesting a change to an employee's direct deposit banking information. Unlike the other BEC types, data theft does not generate an immediate wire transfer. It stages future fraud: W-2 data enables tax refund fraud, and direct deposit changes redirect payroll to attacker accounts. The financial damage is distributed across individual employees rather than appearing as a single large transaction.
### The $25 Million Deepfake Conference (2024)
In January 2024, a finance employee at a Hong Kong-based multinational attended a video conference with multiple colleagues, including what appeared to be the company's CFO. The employee was initially suspicious of an unusual funds transfer request received by email, but the video conference, populated with convincing AI-generated video representations of real colleagues, dispelled that suspicion. The employee authorized and executed $25 million USD in transfers across 15 transactions.
Every other participant in the conference was a deepfake. The attacker had sourced video and audio of real employees from publicly available recordings and used AI video synthesis to generate real-time convincing facsimiles. This case study represents the convergence of BEC social engineering with generative AI capabilities. The CFO's face, the familiar colleagues' faces, and the conversational flow were all fabricated.
Defenses against deepfake-enabled BEC require process controls, not just technical controls. Pre-arranged code words for large transfer authorizations, mandatory callback procedures to known-good phone numbers (not numbers provided in the suspicious message), and multi-party approval thresholds above defined transaction amounts are process defenses that survive the deepfake threat.
## Detection Indicators
BEC generates specific, high-fidelity detection signals that a well-engineered TID layer can identify:
Email forwarding rule creation to external addresses is one of the highest-fidelity BEC indicators available. Legitimate users rarely create rules forwarding all email to external accounts. When this event fires in the SIEM, it should be treated as a confirmed account compromise until proven otherwise.
Display name spoofing with domain mismatch: the email display name reads "CEO First Last" but the sending domain is not the company domain. Mail security controls that check sender display names against the internal directory and flag mismatches catch a large percentage of executive impersonation attempts.
Look-alike domains: c0mpany.com versus company.com, company-billing.com versus company.com. Domain registration monitoring (alerts when a look-alike domain is registered near your own) provides days to weeks of advance warning before look-alike domains are weaponized.
AiTM session hijack indicators: successful authentication followed immediately by a new session from an unusual geographic location, an unusual device, or at an unusual time. Identity platforms like Azure AD, Okta, and Duo provide impossible travel alerts (authentication from two geographically distant locations within a physically impossible time window) that catch AiTM session theft.
Sudden inbox rule creation after a login event from a new device or location: the combination of an unusual login immediately followed by rule creation is a near-certain indicator of account takeover for BEC purposes.
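The indicators above can be correlated directly in mailbox audit data. The following is an added example, not code from the article or from any vendor platform: it runs three of the page's indicators (external forwarding rule, impossible travel, and a rule created shortly after a login from a country outside the user's baseline) over a constructed, simplified audit log. The operation names echo Microsoft 365 audit events, but the field layout and thresholds are assumptions for the example.

```python
"""Added example (not from the article): correlating BEC account-takeover indicators.
Input is a constructed, simplified mailbox audit log (operation names echo Microsoft 365
audit events such as UserLoggedIn and New-InboxRule; the field layout is an assumption).
Rules: external forwarding rule (high); impossible travel between two logins (high);
login from outside the user's baseline countries followed within 60 min by a rule (critical)."""
from datetime import datetime, timedelta
from math import radians, sin, cos, asin, sqrt

INTERNAL_DOMAIN = "company.example"
BASELINE_COUNTRIES = {"alice@company.example": {"US"}, "bob@company.example": {"US"}}
RULE_OPS = ("New-InboxRule", "Set-InboxRule")

def km_between(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))

def detect(events):
    """Return (severity, user, reason) tuples for the indicators found, in timestamp order."""
    alerts, last_login = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):
        u, prev = e["user"], last_login.get(e["user"])
        if e["op"] == "UserLoggedIn":
            if prev and prev["geo"] != e["geo"]:
                hours = (e["ts"] - prev["ts"]).total_seconds() / 3600
                if hours == 0 or km_between(prev["geo"], e["geo"]) / hours > 1000:
                    alerts.append(("high", u, f"impossible travel {prev['country']}->{e['country']}"))
            last_login[u] = e
        elif e["op"] in RULE_OPS:
            external = [a for a in e["forward_to"] if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
            if external:
                alerts.append(("high", u, "inbox rule forwards mail externally: " + ", ".join(external)))
            if prev and prev["country"] not in BASELINE_COUNTRIES.get(u, set()) \
                    and e["ts"] - prev["ts"] <= timedelta(minutes=60):
                alerts.append(("critical", u, f"rule created {e['ts'] - prev['ts']} after login from {prev['country']}"))
    return alerts

def ev(ts, user, op, country, geo, forward_to=()):
    return {"ts": datetime.fromisoformat(ts), "user": user, "op": op,
            "country": country, "geo": geo, "forward_to": list(forward_to)}

SAMPLE_EVENTS = [  # constructed: alice's session is stolen and used from Lagos; bob's rule is benign
    ev("2024-03-04T09:00:00", "alice@company.example", "UserLoggedIn", "US", (40.71, -74.01)),
    ev("2024-03-04T09:30:00", "alice@company.example", "UserLoggedIn", "NG", (6.52, 3.38)),
    ev("2024-03-04T09:40:00", "alice@company.example", "New-InboxRule", "NG", (6.52, 3.38), ["mule@webmail.example"]),
    ev("2024-03-04T10:00:00", "bob@company.example", "UserLoggedIn", "US", (40.71, -74.01)),
    ev("2024-03-04T10:05:00", "bob@company.example", "New-InboxRule", "US", (40.71, -74.01), ["team@company.example"]),
]

if __name__ == "__main__":
    for severity, user, reason in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {user}: {reason}")
```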
## Defense
DMARC enforcement at p=reject eliminates domain spoofing. DMARC (Domain-based Message Authentication, Reporting, and Conformance) at policy level reject instructs receiving mail servers to discard messages that fail DMARC evaluation for your domain, that is, messages for which neither SPF nor DKIM produces a pass aligned with the From: domain. An organization with DMARC at p=reject cannot have its exact domain spoofed at any receiver that honors the policy. This single control eliminates the entire CEO fraud via domain spoofing vector; it does not address look-alike domains or display-name spoofing, which remain detection problems. The implementation requires SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to be correctly configured first, then the DMARC policy escalated from p=none (monitor only) to p=quarantine to p=reject as the organization confirms that legitimate mail is not being blocked.
Phishing-resistant MFA (FIDO2 hardware keys, passkeys, or certificate-based authentication) eliminates AiTM session hijacking. Standard TOTP (time-based one-time password) codes and push notifications do not stop AiTM because the attacker's proxy forwards them in real time. Phishing-resistant MFA is cryptographically bound to the origin domain, meaning the credential cannot be captured and replayed from an attacker-controlled proxy. Microsoft Authenticator number matching and Conditional Access policies that require compliant devices also reduce AiTM risk.
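Why the origin binding defeats the proxy, shown as an added example (not code from the article or from any authenticator vendor): a simplified model of a WebAuthn assertion in which the browser records the origin it is connected to, the authenticator signs over it, and the relying party rejects anything signed for a different origin. The HMAC signature, key, origins and challenge values are stand-ins constructed for the example.

```python
"""Added example (not from the article): why an origin-bound credential survives an AiTM proxy.
A simplified model of a WebAuthn assertion. The browser, not the web page, writes the origin it is
connected to into clientDataJSON; the authenticator signs over rpIdHash || SHA-256(clientDataJSON);
the relying party (RP) checks type, challenge and origin before trusting the signature. The
signature is an HMAC stand-in for the real public-key signature (an assumption for this example)."""
import hashlib, hmac, json

RP_ID = "company.example"
RP_ORIGIN = "https://login.company.example"

def authenticator_sign(cred_key: bytes, client_data: bytes) -> bytes:
    # Real authenticators sign with the credential's private key; HMAC stands in here.
    rp_id_hash = hashlib.sha256(RP_ID.encode()).digest()
    return hmac.new(cred_key, rp_id_hash + hashlib.sha256(client_data).digest(), "sha256").digest()

def browser_assert(cred_key: bytes, connected_origin: str, challenge: str) -> dict:
    """What the victim's browser produces: the origin field reflects the site the browser is talking to."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": connected_origin}).encode()
    return {"clientDataJSON": client_data, "signature": authenticator_sign(cred_key, client_data)}

def rp_verify(cred_key: bytes, assertion: dict, issued_challenge: str) -> str:
    """RP-side checks in the order WebAuthn specifies them: type, challenge, origin, then signature."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "rejected: wrong ceremony type"
    if cd.get("challenge") != issued_challenge:
        return "rejected: challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return f"rejected: origin mismatch ({cd.get('origin')})"
    if not hmac.compare_digest(authenticator_sign(cred_key, assertion["clientDataJSON"]), assertion["signature"]):
        return "rejected: bad signature"
    return "accepted"

def direct_login(cred_key: bytes, challenge: str) -> str:
    return rp_verify(cred_key, browser_assert(cred_key, RP_ORIGIN, challenge), challenge)

def proxied_login(cred_key: bytes, challenge: str, proxy_origin: str = "https://login.c0mpany.example") -> str:
    # AiTM: the proxy relays the RP's real challenge, but the victim's browser is connected to the
    # proxy's origin, so that is what gets signed. (A real browser refuses even earlier, because a
    # credential scoped to company.example is not usable from an unrelated origin.)
    return rp_verify(cred_key, browser_assert(cred_key, proxy_origin, challenge), challenge)

if __name__ == "__main__":
    key = b"constructed-credential-key"   # stands in for a registered credential
    print(direct_login(key, "nonce-42"))   # accepted
    print(proxied_login(key, "nonce-42"))  # rejected: origin mismatch (https://login.c0mpany.example)
```

A TOTP code or push approval carries no equivalent of the origin field, which is why the same proxy can relay those unchanged.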
Financial controls. Technology can be circumvented, so process controls form a second layer: dual authorization requirements for wire transfers above a threshold (two people must approve any transfer above $25,000, for example), callback verification procedures (before changing payment instructions, call the requestor at a phone number from the company directory, never from the email), and time delays on new payee setup (a 24-hour cooling period before a new wire recipient is active).
AI-powered BEC detection. Modern email security platforms (Abnormal Security, Proofpoint, Microsoft Defender for Office 365) use behavioral models trained on normal email patterns to flag anomalous messages. A message that arrives from a domain with a two-day-old registration, uses language patterns inconsistent with the purported sender's historical messages, and requests a financial action scores as high-risk without requiring a signature match.
## Why It Matters
$2.9 billion in 2023 FBI IC3 losses understates the real figure because BEC is severely underreported. The embarrassment of being defrauded through social engineering, the difficulty of attributing losses to this category rather than internal errors, and the lack of mandatory reporting requirements all contribute to a reporting rate estimated below 20%.
The business impact extends beyond the direct loss. Recovery costs, legal fees, regulatory scrutiny (especially in financial services under the SEC's cybersecurity disclosure rules), and reputational damage to vendor relationships add significant secondary costs. Organizations in real estate, manufacturing, and professional services, sectors with large, frequent wire transactions, face elevated BEC risk relative to their cybersecurity investment levels.
The CISO's challenge with BEC is that it does not cleanly live in any single security domain. Email security vendors solve the technical impersonation layer. Identity teams own account compromise prevention. Finance teams own procedural controls. Without a framework that maps all three layers to a single defense architecture, BEC defense is fragmented across organizations.
## CDA Perspective
BEC is one of the clearest illustrations of why the PDM's concentric model outperforms domain-siloed security programs. No single domain defeats BEC alone.
SPH (Security Posture and Hygiene) owns email hardening: DMARC/SPF/DKIM implementation and enforcement falls under APC (Autonomous Posture Command). SPH-B01 in the TOP covers this directly. An organization without DMARC at p=reject has a permanent, trivially exploitable gap in their terrain-layer email controls regardless of what they spend on detection.
IAT (Identity Access and Trust) owns the account compromise prevention layer. ZPA (Zero Possession Architecture) mandates phishing-resistant MFA for any account with financial authorization. IAT-H01 covers MFA hardening and specifically includes phishing-resistant MFA deployment. AiTM attacks against standard MFA are a solved problem when phishing-resistant MFA is enforced.
TID (Threat Intelligence and Defense) owns behavioral detection for BEC indicators. PDI (Predictive Defense Intelligence) applies here: detection rules for email forwarding rule creation, AiTM session indicators, and look-alike domain alerts are the TID layer that provides warning when SPH and IAT controls have been bypassed or when an attack is in early stages.
RGA (Risk Governance and Assurance) owns the financial process controls. Wire transfer authorization policies, dual-approval requirements, and callback verification procedures are governance controls that survive even sophisticated technical attacks. PCA (Perpetual Compliance Assurance) ensures these controls are documented, tested, and measured.
On The Shield diagnostic, a client with low BEC defense scores will show amber or red in the SPH ring (email hardening), the IAT ring (MFA and account protection), and the TID ring (BEC behavioral detection). The fix is not one control; it is a coordinated program across three domains. CDA's cross-domain view is what maps the full defense architecture rather than recommending a single email security vendor and calling the problem solved.
## Key Takeaways
- BEC generated $2.9 billion in reported losses in 2023, more than any other cybercrime category. Account compromise BEC, where attackers operate from inside a legitimate mailbox after AiTM session hijacking, is the most dangerous variant and the one that bypasses standard MFA.
- DMARC enforcement at p=reject eliminates domain spoofing. SPF and DKIM must be correctly configured first. This single control eliminates the executive impersonation via fake domain vector entirely.
- Phishing-resistant MFA (FIDO2, passkeys, certificate-based) eliminates AiTM session hijacking. Standard TOTP and push-based MFA does not stop AiTM because the attacker proxies the authentication in real time.
- Email forwarding rule creation to external addresses is a high-fidelity BEC indicator that should trigger immediate investigation. Legitimate users almost never create this type of rule.
- BEC defense requires coordinated action across SPH (email hardening), IAT (phishing-resistant MFA), TID (behavioral detection), and RGA (financial process controls). Organizations that address only one layer remain vulnerable through the others.
## Related Articles
- Social Engineering
- Phishing
- Email Security Architecture
- Credential Stuffing and Account Takeover
- Incident Communication and Notification
- MFA Fatigue Attacks
## Sources
- FBI Internet Crime Complaint Center (IC3). 2023 Internet Crime Report. FBI, 2024. https://www.ic3.gov/Media/PDF/AnnualReport/2023_IC3Report.pdf
- CISA. Business Email Compromise: The $50 Billion Scam. CISA, 2023. https://www.cisa.gov/news-events/alerts/2023/09/18/business-email-compromise-50-billion-scam
- MITRE Corporation. MITRE ATT&CK: Phishing for Information (T1598). https://attack.mitre.org/techniques/T1598/
- Microsoft Security. AiTM Phishing and BEC Campaigns. Microsoft Threat Intelligence, 2022. https://www.microsoft.com/en-us/security/blog/2022/07/12/from-cookie-theft-to-bec/
- CDA, LLC. Planetary Defense Model Master Reference. CDA Canon, 2026.