Glossary

Business Email Compromise (BEC)

The Fourthline Team · Jun 16, 2025

What is Business Email Compromise (BEC)? 

Business Email Compromise (BEC) is a sophisticated form of social engineering attack in which cybercriminals impersonate high-level executives or leaders within an organisation.  

By exploiting the perceived authority of these leadership roles, attackers attempt to manipulate employees into taking actions, typically payments or transfers, that benefit the attacker financially. These attacks exploit established trust relationships and organisational hierarchies rather than technical vulnerabilities.

Key characteristics of Business Email Compromise attacks 

Target selection 

BEC attacks specifically target employees with access to company finances or sensitive information. The attackers deliberately impersonate leadership figures because requests for financial transactions or payments normally originate at the management level, so a request that appears to come from a manager is less likely to be questioned.

Psychological manipulation 

These attacks exploit several psychological factors: 

  • Power dynamics: “The higher you go in an organisation, the more likely you will find the person who is being impersonated in one of these attacks,” says Luigi Pardey, a security engineer at Fourthline. Remember: BEC attacks work because the targeted victims feel a sense of trust, respect, or a real power difference between themselves and the supposed sender. 

  • Urgency: Attackers often create a sense of immediate need that pressures victims to act quickly, without stopping to verify that the requester is really the person they say they are. 

  • A "team player" mentality: BEC attacks exploit the part of a person's psychology that rewards cooperative behaviour. “The part of your psychology that says, 'I have to be a team player’ or ‘I have to do what my boss tells me’ — that is what is being exploited in these attacks,” explains Pardey. 

Common tactics used in BEC attacks 

A typical BEC attack might involve an email that appears to come from a CEO or CFO with urgent instructions like: "Hey, I forgot to pay an invoice to this company. Please go to this link and take care of the payment for me."  

The goal is almost always financial: Business Email Compromise aims to get money into the attacker's hands. 

Organisational vulnerabilities 

A heavily hierarchical culture, in which employees feel intimidated by or unwilling to contradict leaders, is a major risk factor for Business Email Compromise.  

Why? Because this is exactly the type of culture in which an unusual or last-minute request from a leader is likely to be approved without further questioning. 

Organisations that promote a more open security culture are generally better protected against attacks that exploit authority. But this isn't always the case, and some leaders may choose to exercise their power in ways that make their organisations particularly vulnerable to BEC.  

Risk factors for BEC include:

  • Leadership communication that's inconsistent or lacks established protocols 

  • Executives who bypass or ignore standard security procedures 

  • Employees who fear questioning requests from authority figures 

  • Verification processes for financial transactions that are weak or non-existent 

How to mitigate the risks of BEC attacks 

Set up clear and consistent communication channels 

“The more consistent you are in communicating with other employees, the more they learn to expect what is likely to be a fraud and what is likely to be a legitimate request,” explains Pardey.  

As a business leader, it’s your job to establish and maintain clear patterns for how executives communicate, especially regarding financial matters. 

Create a culture of healthy suspicion 

An open and secure culture is one in which an employee can confidently say, "If somebody asks me for something, I have the right to validate that their request is legitimate." It sounds like a small change to make, but this cultural shift is crucial for empowering employees to verify suspicious communications without fear of repercussion. 

Make your executive team aware of the threat 

As a C-level executive or senior-level people manager, you must be aware of the different types of social engineering attacks that may attempt to exploit your identity. You have a lot of power and responsibility, and you can create risk by not wielding it carefully. 

Pardey advocates for “specific training at the management level,” so that every leader understands the weight of the individual responsibility they hold. 

But it only takes one person for an attack to work. This is why leadership teams need to work together, hold each other accountable, and ensure that the other employees in the company know what to expect in terms of executive communication. 

Also: follow your own rules. Executives should adhere to the same security protocols as everyone else, as exceptions create opportunities for attackers. 

Implement multi-factor verification 

Humans are prone to making errors in judgement. You can cover for some of these errors by implementing additional verification protocols, so that no financial decision can be made unilaterally and without proper authentication. Consider implementing the following safeguards:

  • Secondary confirmation through different communication channels (in case one channel is compromised) 

  • In-person verification for transactions above certain thresholds 

  • Multi-person approval for financial transfers above certain thresholds 
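The three safeguards above can be enforced mechanically rather than left to individual judgement. The following is an added example, not code from the article or from Fourthline, of a small payment-approval policy check: a request counts as confirmed only if the claimed requester confirms it over a channel different from the one the request arrived on, amounts above a first threshold additionally require in-person confirmation, and amounts above a second threshold require two distinct approvers who are not the requester. The threshold values, the channel names and the `evaluate_payment` function are constructed for the example and are not figures or tooling from the article.

```python
from dataclasses import dataclass, field
from enum import Enum

# Constructed policy parameters (assumptions for this example, not figures from the article).
IN_PERSON_THRESHOLD = 10_000       # above this amount, in-person verification is required
MULTI_APPROVER_THRESHOLD = 50_000  # above this amount, two distinct approvers are required

MISSING_OUT_OF_BAND = "out-of-band confirmation from requester"
MISSING_IN_PERSON = "in-person verification"


class Channel(Enum):
    EMAIL = "email"
    PHONE = "phone"
    CHAT = "chat"
    IN_PERSON = "in_person"


@dataclass(frozen=True)
class PaymentRequest:
    request_id: str
    amount: float
    requester: str            # identity the request claims to come from (e.g. "cfo")
    request_channel: Channel  # channel the request arrived on (BEC: almost always EMAIL)


@dataclass(frozen=True)
class Confirmation:
    from_person: str  # who gave the confirmation, reached via a known contact detail
    channel: Channel  # channel used for the confirmation


@dataclass
class Decision:
    approved: bool
    missing_controls: list = field(default_factory=list)


def required_approvers(amount: float) -> int:
    """Approvals needed besides the requester: never zero, two above the upper threshold."""
    return 2 if amount > MULTI_APPROVER_THRESHOLD else 1


def evaluate_payment(request: PaymentRequest, confirmations: list, approvers: list) -> Decision:
    """Return the approval decision and the list of safeguards that are still unmet."""
    missing = []

    # Safeguard 1: secondary confirmation from the claimed requester over a different channel.
    # A reply in the same email thread does not count, because that thread may be the
    # compromised or spoofed channel itself.
    out_of_band = [
        c for c in confirmations
        if c.from_person == request.requester and c.channel != request.request_channel
    ]
    if not out_of_band:
        missing.append(MISSING_OUT_OF_BAND)

    # Safeguard 2: above the first threshold the confirmation must have been in person.
    if request.amount > IN_PERSON_THRESHOLD:
        if not any(c.channel == Channel.IN_PERSON for c in out_of_band):
            missing.append(MISSING_IN_PERSON)

    # Safeguard 3: no unilateral decisions. The requester is never counted as an approver,
    # and large transfers need two distinct approvers.
    needed = required_approvers(request.amount)
    distinct = {a for a in approvers if a != request.requester}
    if len(distinct) < needed:
        missing.append(f"{needed} distinct approver(s) other than the requester")

    return Decision(approved=not missing, missing_controls=missing)


if __name__ == "__main__":
    # Constructed scenario: an "urgent invoice" email claiming to come from the CFO.
    req = PaymentRequest("inv-0421", 25_000, "cfo", Channel.EMAIL)
    # Finance clerk called the CFO on the number in the directory; CFO confirmed by phone only.
    decision = evaluate_payment(req, [Confirmation("cfo", Channel.PHONE)], ["finance_clerk"])
    print(decision.approved, decision.missing_controls)
```

The check is deliberately strict about channel independence: the confirmation must come from the requester over a channel the attacker does not control, which is why a reply within the original email thread is rejected. Where the policy fails, the returned `missing_controls` list tells the clerk exactly which step remains, which keeps the process predictable in the way the article recommends.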

Safeguard your organisation against social engineering attacks 

Business Email Compromise ranks among the most financially damaging types of social engineering attacks. Unlike mass phishing campaigns, these highly targeted attacks are custom-designed for specific organisations, making them particularly effective and difficult to detect without proper training and awareness. 

By understanding the psychological principles behind BEC and implementing appropriate safeguards, organisations can significantly reduce their vulnerability to these increasingly sophisticated social engineering attacks.  

This article incorporates insights from Luigi Pardey, a Security Engineer at Fourthline. It is for informational purposes only and does not constitute legal advice.