Business email compromise, or BEC, is a fraud tactic that uses deceptive email or account compromise to trick people into sending money, data, or sensitive information. It matters because BEC attacks often succeed through trust and process weaknesses rather than malware alone.
What is Business Email Compromise (BEC)?
BEC attacks often involve impersonating executives, finance staff, vendors, or trusted partners to pressure victims into making payments, changing banking details, sharing sensitive documents, or revealing account access. Some campaigns rely on spoofed emails, while others use real compromised inboxes.
These attacks are often carefully timed, socially engineered, and financially motivated, which makes them especially dangerous for organizations that move money or sensitive approvals through email.
Common BEC Scenarios
Common scenarios include fake invoice fraud, payroll diversion, vendor payment redirection, executive impersonation, gift card scams, and requests for confidential financial or HR documents.
BEC vs. Phishing
BEC is a specific form of social engineering and phishing focused on financial fraud, data theft, or the abuse of trusted business processes. It is usually more targeted and less generic than bulk phishing campaigns.
Frequently Asked Questions
Does BEC always involve malware?
No. Many BEC attacks succeed without malware by using impersonation, compromised email accounts, social pressure, and weak payment or verification processes.
How can organizations reduce BEC risk?
Strong approval controls, out-of-band verification, MFA, email authentication, payment process discipline, and user awareness all help reduce BEC exposure.
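As an added example (not code from the original page), a small Python triage check that looks for the BEC indicators the answer above relies on: an executive display name sent from a foreign domain, a diverted Reply-To, a recorded DMARC failure, and an urgent request to change payment details. The executive directory, domains and both sample messages are constructed placeholders.

```python
import email
from email import policy
from email.utils import parseaddr

# Assumed directory of protected display names -> real addresses (placeholder data).
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_TERMS = ("bank details", "account number", "wire", "routing")
URGENCY_TERMS = ("urgent", "today", "immediately", "confidential")

# Constructed sample: executive name on a lookalike domain, external Reply-To,
# failed DMARC, and an urgent request to change vendor banking details.
SUSPECT = """\
From: Jane Doe <jane.doe@examp1e-corp.net>
Reply-To: ceo.office@mailbox-example.net
Subject: Urgent vendor payment
Authentication-Results: mx.example.com; dmarc=fail header.from=examp1e-corp.net

Please update the vendor's bank details today and wire the pending invoice.
Keep this confidential until I confirm.
"""

# Constructed benign internal message for comparison.
BENIGN = """\
From: Jane Doe <jane.doe@example.com>
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Can you send the Q3 budget slides before Friday's meeting?
"""

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def bec_indicators(raw: str) -> list[str]:
    # Returns indicator tags for one RFC 5322 message; a triage aid, not a verdict.
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_domain = domain_of(addr)
    findings = []
    # Executive impersonation: protected display name, but the sender domain is not theirs.
    if name.lower() in EXECUTIVES and domain_of(EXECUTIVES[name.lower()]) != from_domain:
        findings.append("display_name_impersonation")
    # Replies silently diverted to a mailbox outside the apparent sender's domain.
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != from_domain:
        findings.append("reply_to_mismatch")
    if "dmarc=fail" in str(msg.get("Authentication-Results", "")).lower():
        findings.append("dmarc_fail")
    body = msg.get_body(preferencelist=("plain",)).get_content().lower()
    if any(t in body for t in PAYMENT_TERMS) and any(t in body for t in URGENCY_TERMS):
        findings.append("urgent_payment_change_request")
    return findings
```

Any message that trips the payment-change indicator is a candidate for the out-of-band verification step, regardless of whether the header checks also fire.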