A MSP’s Guide to Business Email Compromise (BEC)


Business email compromise (BEC) is one of the most financially damaging online crimes. According to the FBI’s Internet Crime Complaint Center (IC3), BEC scams resulted in over $2.7 billion in losses in 2022.

Falling victim to a business email compromise attack can have a devastating impact on finances as well as brand reputation. In this blog, we will guide you through the ins and outs of BEC so you can better detect and mitigate its risks.

What Is A Business Email Compromise?

A business email compromise is a cyberattack technique whereby malicious actors pretend to be someone trustworthy — maybe a colleague, senior executive or a vendor — and try to trick your team into taking a desired action such as:

  • Sending money to fraudulent accounts
  • Diverting payroll
  • Changing bank details for future payments
  • Sharing sensitive information such as customer data, legal documents, financial reports, etc.

BEC Attacks Go Beyond Email Scams

If we consider the fundamental business email compromise definition, this branch of cybercrime starts and ends with email activity to financially defraud businesses. BEC attacks, however, go beyond email mischief and financial losses.

Criminals may use phishing and domain spoofing tactics to negatively impact the company’s image. For instance, an attacker might use compromised accounts to send malicious emails to clients, partners or even the media to spread harmful content that negatively impacts the company’s reputation.

How Business Email Compromise Works

While executing a BEC scam, attackers employ a blend of techniques to deceive victims. For example, they may rely on impersonation and other social engineering techniques, such as phishing, baiting and email spoofing to trick people. The 2023 DBIR report highlights that BEC represents nearly 60% of social engineering incidents.

The five broad categories of BEC attacks are:

Attack type How it works
Account compromise Fraudsters employ phishing techniques or malware to gain unauthorized access to a finance employee’s email account. Then the scammers send fake invoices to the company’s suppliers, instructing them to make payments to fraudulent bank accounts.
CEO fraud Scammers impersonate a company’s CEO or other high-level executives to deceive employees into performing financial transactions or sharing sensitive information.
Lawyer impersonation Fraudsters pretend to be lawyers or legal professionals to deceive employees into taking unauthorized actions such as transferring funds or sharing sensitive data.
False invoice scheme Posing as a trusted vendor your company works with, the scammer emails a counterfeit bill that closely resembles a real one. Alternatively, scammers may request payment be made to a different bank account.
Data theft This scam targets the HR department as a way to obtain personal information about individuals within the company such as senior executives.

Let’s say this type of attack goes undetected for a considerable period of time. In that case, the attacker can easily gain access to all facets of an organization’s data, from vendors to billing systems and human resources data.

Techniques for Business Email Compromise Scams

MSPs should watch out for these top three techniques used to implement BEC scams:

1. Authentication Tokens Misuses

Authentication tokens ensure that only authorized individuals can access specific email accounts without repeatedly providing login credentials. Attackers can manipulate these seemingly harmless tokens to execute BEC attacks. They gain access to these tokens by employing social engineering techniques such as phishing. In fact, IBM reports that phishing is the second most common reason for a data breach — and phishing victims were subjected to financial losses of $4.91 million on average.

Let’s explore a business email compromise example to understand the Achilles’ heel in this token-based security structure. Imagine you log in to your Microsoft 365 account and get a phishing email with a link that promises an exciting article. When you click the link, it’s like opening a door to an attacker.

The multiple tabs on your browser are not isolated environments; they’re interconnected facets of the same browser. As you click on the link, the attacker can secretly take a peek at what you’re doing in your other tabs and grab your email information from one of your open tabs to waltz right into your account without requiring a password. That “token” meant to help you log in faster becomes the key that lets an outside actor in.

Discover the essential steps for MSPs to mitigate a Microsoft 365 breach.

2. Data Exfiltration

Data exfiltration refers to the unauthorized act of moving data from a controlled or secure environment to an external location or destination. At the outset, attackers subtly manipulate email environments. They either create new subfolders or exploit existing ones to establish rules that automatically copy incoming emails. Mimecast’s State of Email Security report found that 75% of companies have reported an increase in email-based threats.

Attackers, once in control, also manipulate email forwarding rules to divert communications. They might even exploit the trust of legitimate users to siphon critical data from platforms like Google Drive. This secret maneuver typically remains unnoticed by both end users and administrators. As a result, business email compromise detection often requires meticulous log analysis.

3. Privilege Escalation

In business email compromise scams, cybercriminals don’t just stop at infiltrating inboxes. They aim to rise through the ranks and gain higher privileges in the company’s security landscape. Once the criminals breach accounts, their focus shifts to discovering the administrators within the system and requesting administrative roles.

Armed with an administrative role, a malicious actor can gain unbridled control through three steps:

  1. Creating administrative accounts
  2. Granting themselves global administrator status
  3. Eliminating existing administrators

To deal with the risk of attackers breaching over-privileged accounts, companies are implementing the least privilege principle to ensure a user only has access to specific data and resources. While the 2021 Global Cybersecurity Survey Report indicates that two out of three organizations now consider least privilege a top priority, many still struggle to eliminate or restrict over-privileged users.

Get started with our SaaS cyber assessment to analyze the current state and vulnerabilities of SaaS applications.

How to Detect Business Email Compromise with SaaS Alerts

To stay one step ahead of cyberattackers launching BEC scams, MSPs need to continuously survey their clients’ applications for anomalies such as:

  • Unexpected token usage
  • Logins from unfamiliar devices or locations
  • Suspicious forwarding/inbox rules activities
  • Irregular data downloads
  • Changes to account passwords, MFA settings or Admin roles

With SaaS Alerts, MSPs can get a unified overview of all their clients and examine specific updates of each account. For instance, by clicking on a red-colored account on the “Account Activity” dashboard, it is clear that the account was accessed outside of the location’s approved by the administrators. The dashboard will show details such as date, time, account details, unauthorized IP address and application.

 A SaaS Alerts dashboard provides global user activity and color-coded signals for every account

SaaS Alerts uses machine learning pattern detection to:

  • Identify breaches by continuously monitoring for unusual actions
  • Create alerts to notify administrators in the event of a suspicious activity
  • Automatically lock affected accounts to prevent further unauthorized actions

Such business email compromise tools offer a crucial window of opportunity to timely respond to the threat and minimize the risk of further harm.

Request a personalized demo to see how SaaS Alerts helps MSPs deliver improved business email compromise detection.

Frequently Asked Questions

How to report a business email compromise?

If your company or your clients face financial loss due to a business email compromise scam, it’s important to act quickly:

What is the difference between business email compromise and phishing?

To understand business email compromise vs phishing, let’s simplify their core characteristics:

  • Phishing: Imagine a scammer reaching out via email, phone or text, pretending to be a legit organization to fool you into sharing personal information like passwords or credit card details. With the rise of phishing-as-a-service, bad actors can now automate phishing campaigns.
  • Business email compromise: BEC is a craftier version of phishing attacks. Here, the attacker breaches into an executive’s email or poses as a legitimate user to manipulate employees into initiating a wire transfer or giving away sensitive information.

What is email spoofing?

Email spoofing is a category of BEC that targets businesses by sending messages with forged sender email addresses. An example would be using the domain @authenticompany.com rather than @authenticcompany.com.

It tricks the recipient into thinking that the email sender is someone they know and trust within the organization or from a credible vendor. Because the recipient trusts the alleged sender, they are more inclined to open the email and interact with its contents, such as a malicious link or attachment.

Get Started

Request a Demo