What is BEC?

BEC stands for Business Email Compromise, a form of email-based cyber crime most commonly used to trick email recipients into releasing money or information by posing as a known and trusted sender.

Typically a BEC attack will identify a specific employee or role in the targeted company (often through freely available public information- scraping names and job titles from social media or networking websites for example) then send them a spoofed email that appears to be from Senior Management or a familiar and trusted customer making an urgent request for payment or information.

The email contains no malicious payloads or attachments and looks for all intents and purposes like a legitimate email. The recipient, believing they are acting under the relevant authority will often proceed to action the request resulting in financial loss or a data breach. What’s worse, more often than not once an attack has succeeded once it’s likely there will be further attacks to follow- the attackers will keep ringing the bell as long as someone is opening the door.

Educating staff on the business processes and how to spot fraudulent emails the main defence against BEC, although fraudsters will often acknowledge the extraordinary nature of the request in an attempt to explain any deviation from standard procedures.

BEC is reported to have netted cyber criminals over $5 billion between 2016 and 2018 alone, so it has potentially huge returns for minimal risk.

Though tricky to stop completely, to effectively guard against BEC (and other spear phishing or social engineering attacks) it’s key to have clearly defined procedures and practices communicated to staff at every level of the business, so staff have the knowledge and the backing to challenge and validate anything out of the ordinary.