
Business Email Compromise

Business Email Compromise (BEC) is a form of targeted cyber-enabled fraud in which actors use social engineering and unauthorized access to business email accounts to induce organizations or employees to send funds or sensitive data to accounts the actors control.

Expanded Explanation

1. Technical Function and Core Characteristics

BEC uses tactics such as spear phishing, credential theft, account takeover, and spoofed or lookalike domains to impersonate executives, vendors, or business partners. Actors craft messages that appear to originate from trusted internal or external parties and request wire transfers, changes to payment details, or disclosure of confidential information.

BEC campaigns often avoid malware and instead rely on authenticated email sessions, cloud email access, or protocol abuse to remain within normal communication channels. Attackers commonly study organization structures, payment workflows, and timing patterns to align fraudulent requests with real business processes and reduce detection.

2. Enterprise Usage and Architectural Context

In enterprise environments, BEC targets functions such as finance, accounts payable, treasury, payroll, procurement, and executive administration, where staff can authorize or initiate payments or access data. Attackers may compromise or impersonate cloud-based email systems and collaboration platforms that integrate with identity providers and mobile access.

BEC risk intersects with secure email gateways, domain-based message authentication, logging and monitoring, identity and access management, and incident response workflows. Organizations address BEC through technical controls, process controls for payment verification, user training, and integration of fraud detection across email, Enterprise Resource Planning (ERP), and banking interfaces.

3. Related or Adjacent Technologies

BEC relates to phishing, spear phishing, whaling, and account takeover attacks that also target user credentials and email workflows. It interacts with authentication protocols and controls such as Multifactor Authentication (MFA), OAuth-based access, and conditional access policies that govern how users and applications access email services.

Adjacent technologies include secure email gateways, cloud email security supplements, domain authentication protocols such as Sender Policy Framework (SPF), DKIM, and DMARC, and fraud analytics that monitor payment requests and vendor master data. Digital Forensics and Incident Response (DFIR) services also address BEC incidents through log analysis, email header analysis, and coordination with financial institutions and law enforcement.
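The header analysis described above, and the lookalike-domain and Reply-To impersonation tactics described in section 1, can be reduced to a small triage script. The following is an added example written for this page, not code from the original page or from any product it names. It parses a constructed raw message with Python's standard `email` library, reads the SPF, DKIM and DMARC verdicts from the receiving server's Authentication-Results header, compares the From and Reply-To domains, and flags a sender domain within a small edit distance of a trusted partner domain. The trusted-domain list, the executive-name list and both sample messages are assumptions constructed for the example.

```python
"""Triage a raw email for common BEC indicators (added example, constructed data)."""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Dict, List, Optional

# Constructed sample: lookalike vendor domain ("supp1ies" with a digit one),
# a Reply-To pointing at a different domain, and failing authentication results.
SAMPLE_MESSAGE = """\
From: "Acme Supplies Accounts" <billing@acme-supp1ies.example>
Reply-To: acme.billing@freemail.example
To: ap@company.example
Subject: Updated bank details for invoice 4471
Authentication-Results: mx.company.example;
 spf=fail smtp.mailfrom=acme-supp1ies.example;
 dkim=none;
 dmarc=fail (p=none) header.from=acme-supp1ies.example
Message-ID: <20240101.1@acme-supp1ies.example>

Please update our remittance account before paying invoice 4471.
"""

# Constructed sample of a legitimate message from the real vendor domain.
CLEAN_MESSAGE = """\
From: "Acme Supplies Accounts" <billing@acme-supplies.example>
To: ap@company.example
Subject: Invoice 4471
Authentication-Results: mx.company.example; spf=pass smtp.mailfrom=acme-supplies.example; dkim=pass header.d=acme-supplies.example; dmarc=pass header.from=acme-supplies.example
Message-ID: <20240101.2@acme-supplies.example>

Invoice 4471 is attached for payment on the usual terms.
"""

# Assumed allow-list of legitimate partner and internal domains (not from the page).
TRUSTED_DOMAINS = {"acme-supplies.example", "company.example"}
# Assumed list of executive display names that attackers may imitate (not from the page).
EXECUTIVE_NAMES = {"Jane Doe"}


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address, or '' when there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch single-character substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS) -> Optional[str]:
    """Return the trusted domain this one imitates: close in spelling but not equal."""
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= 2:
            return t
    return None


def auth_results(header: str) -> Dict[str, str]:
    """Extract the spf/dkim/dmarc verdicts from an Authentication-Results value."""
    verdicts = {}
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", header)
        verdicts[mech] = m.group(1).lower() if m else "missing"
    return verdicts


def bec_indicators(raw: str) -> List[str]:
    """Return human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain, reply_domain = domain_of(from_addr), domain_of(reply_addr)

    target = lookalike_of(from_domain)
    if target:
        findings.append(f"lookalike sender domain {from_domain} resembles {target}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    if from_name in EXECUTIVE_NAMES and from_domain not in TRUSTED_DOMAINS:
        findings.append(f"display name '{from_name}' matches an executive but sender is external")
    for mech, verdict in auth_results(str(msg.get("Authentication-Results", ""))).items():
        if verdict != "pass":
            findings.append(f"{mech} verdict is {verdict}")
    return findings


if __name__ == "__main__":
    for finding in bec_indicators(SAMPLE_MESSAGE):
        print("-", finding)
```

Run against the constructed fraudulent sample, the script reports five findings (lookalike domain, Reply-To mismatch, and failing SPF, DKIM and DMARC verdicts); the clean sample produces none. In production the Authentication-Results header must be the one stamped by your own receiving server, since an attacker can add a forged copy upstream, and the edit-distance threshold should be tuned against the organization's actual vendor master data to keep false positives manageable.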

4. Business and Operational Significance

BEC creates direct financial loss through fraudulent transfers, diversion of vendor payments, or payroll redirection, and can expose sensitive data such as tax records, banking details, or customer information. It affects organizations of various sizes across sectors including corporate enterprises, government entities, healthcare providers, and educational institutions.

Because BEC exploits trusted communication channels and normal business workflows, it affects Enterprise Risk Management (ERM), internal controls over financial reporting, cyber insurance underwriting, and regulatory compliance programs. BEC incident patterns inform board-level cyber risk discussions, security awareness programs, and alignment between Security Operations (SecOps), finance, and legal functions.