beazley.security
©2025 Beazley Security. All rights reserved
Business Email Compromise (BEC)
Best Practices for Prevention
What is business email compromise?
Business email compromise (BEC) usually involves social engineering. Most often, a cybercriminal uses stolen email credentials or a spoofed email address that looks like a trusted address. The goal is to trick an employee into bypassing normal procedures so that the attacker gains access to valuable assets.
The cybercriminal may steal funds by misdirecting electronic payments, or steal sensitive data, such as tax or pay information. Or they may convince the employee to open a malicious link or attachment, give up a password, or approve access.
We provide clients with the experience, training, and technology resources needed to reduce their risk of financial or data loss from a BEC.
How BEC occurs
Business email compromise is a targeted cyberattack where threat actors impersonate trusted contacts such as executives, suppliers, or partners to deceive employees into transferring money, sharing sensitive data, or granting access. These scams are often timed to real business activities, making them hard to spot. Below, we explore the most common methods attackers use.
Domain and email spoofing
A cybercriminal conducts a phishing attack using an email address that closely resembles a trusted source, often impersonating a legitimate business or individual. To increase credibility, they may also register a lookalike email domain or build a fake website that looks nearly identical to the real one, with subtle differences that are difficult to spot at first glance, so the victim believes the communication is authentic.
Stolen email credentials
Using stolen email credentials, the cybercriminal can view all conversations in the inbox, making impersonation easier. The cybercriminal can also research other employees, monitor ongoing conversations, particularly around invoices or payments, and take steps to hide their activities.
Exploit the victim's trust
Having established trust, the cybercriminal can encourage the user to bypass normal procedures and security through a variety of social engineering techniques. Employees targeted in these attacks are often in HR, finance, or have the authority to approve the transfer of large sums of money (particularly in smaller organizations).
Common forms of BEC
Business email compromise can take several forms, each designed to manipulate trust and urgency. Below are the most frequent tactics used by attackers.
CEO fraud
Posing as the CEO, the cybercriminal instructs the employee to make an immediate payment because of a confidential transaction, such as an acquisition or legal settlement.
Fraudulent instruction
Posing as a vendor or supplier, the cybercriminal instructs the employee to change the payment instructions for an electronic payment so that it goes to an account controlled by the cybercriminal. Professional services firms are particularly at risk for incidents where the cybercriminal poses as a party in a real estate or property sale, or another transaction, in order to misdirect payments.
Payroll redirect
The cybercriminal instructs an HR employee to change the bank deposit instructions for an employee's pay.
Invoice manipulation
The cybercriminal may pose as a vendor or supplier and send fraudulent invoices to misdirect payments, or request refunds for recently completed transactions.
Loan fraud
The cybercriminal may impersonate several employees and take out several large loans in their names, with losses potentially in the six-figure range.
Urgent requests
Other common forms of BEC include urgent requests to send sensitive data, such as employee tax statements, or to purchase gift cards; the latter is particularly common at smaller organizations.
How to protect against BEC
Employees are the first line of defense
Train your employees to recognize and resist BEC attempts, look carefully at unusual requests, use out-of-band verification, and resist the ways cybercriminals try to overcome your multi-factor authentication (MFA).
Verify requests
Train employees on your procedures for authorizing requests. Requests to change payment instructions or to send sensitive data should be checked using out-of-band verification: don't trust contact information supplied in the request itself, because the cybercriminal controls it.
Avoid password recycling
Train employees on good password practices, including not reusing passwords for different accounts. Don't recycle the same password for different work applications or for work and personal accounts. Using a password manager makes it easier to have strong, unique passwords for every account.
Recognize phishing emails and BEC attempts
Train employees to detect spoofed domain names and not to be fooled by subdomains (a trusted name can appear as a subdomain of an attacker-controlled domain). Be alert for emails making unusual requests, particularly with a sense of urgency or secrecy.
Improve your email security
Properly securing email accounts and better detecting phishing will help protect against BEC.
Phishing-resistant MFA
Not all forms of MFA are equally secure. MFA should be configured to protect against social engineering attacks. One-time passcodes and push-based notifications can be phished or worn down into approval; FIDO2 security keys are phishing-resistant because the credential is bound to the legitimate site. Block legacy email protocols that don't support modern authentication, such as basic authentication over IMAP, POP3 and SMTP AUTH, since they bypass MFA entirely.
Reduce exposure to phishing emails
Publish and enforce email authentication (SPF, DKIM, and DMARC with an enforcing policy) so that mail spoofing your domain is quarantined or rejected. Consider blocking email from newly registered domains, which may have been set up by cybercriminals for phishing. Patch on-premises email servers to deprive cybercriminals of any low-hanging fruit.
Actively monitor for account takeover attempts
Missed payments may not be noticed for 45 or 60 days, so it's important to look for signs of compromise earlier.
Restrict login attempts
Alert on multiple unanswered or denied MFA prompts, which indicate an MFA fatigue (push bombing) attack. You can set an access policy to lock the account after 5 or 10 unanswered attempts.
Monitor changes to logging and configuration
Unusual changes to existing inbox rules (such as rules that move messages to rarely viewed folders like the RSS Feeds folder) or new external forwarding rules may be early signs of activity related to BEC.
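As an added example (not code from the original page), the following script applies the two monitoring ideas above, suspicious inbox rules and MFA fatigue bursts, to a handful of constructed records. The operation names New-InboxRule, Set-InboxRule and Set-Mailbox and parameters such as ForwardTo, MoveToFolder and ForwardingSmtpAddress are the Exchange Online names that appear in the Microsoft 365 unified audit log; the MfaPrompt events, the thresholds, the tenant domain and all sample data are assumptions for illustration.

```python
"""Flag early account-takeover signals in mailbox audit events.

Added example, not code from the original page. Field names follow the
Microsoft 365 unified audit log for inbox-rule and mailbox changes; the
MfaPrompt events, the thresholds and all sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"example.com"}            # assumed tenant domains
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress")
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}
MFA_BURST_THRESHOLD = 5                       # unanswered/denied prompts ...
MFA_WINDOW = timedelta(minutes=10)            # ... within this window

def _params(event):
    """Flatten the log's [{"Name": .., "Value": ..}, ...] list into a dict."""
    return {p["Name"]: str(p.get("Value", "")) for p in event.get("Parameters", [])}

def _is_external(address):
    domain = address.strip().lower().removeprefix("smtp:").rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS

def rule_findings(event):
    """Reasons an inbox-rule or mailbox change looks like BEC tradecraft."""
    if event.get("Operation") not in RULE_OPERATIONS:
        return []
    params, reasons = _params(event), []
    for name in FORWARD_PARAMS:
        value = params.get(name, "")
        if any(_is_external(t) for t in value.split(";") if t.strip()):
            reasons.append(f"{name} sends mail to an external address: {value}")
    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDE_FOLDERS:
        reasons.append(f"moves matching mail to a rarely viewed folder: {folder}")
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("deletes matching mail")
    # Attackers often name rules "." or "," so they are easy to overlook.
    if "Name" in params and not params["Name"].strip(" .,_-"):
        reasons.append(f"rule name is blank or punctuation only: {params['Name']!r}")
    return reasons

def mfa_fatigue_users(events, threshold=MFA_BURST_THRESHOLD, window=MFA_WINDOW):
    """Map user -> most unanswered/denied MFA prompts seen inside one window."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("Operation") == "MfaPrompt" and e.get("Result") in ("denied", "timeout"):
            by_user[e["UserId"]].append(datetime.fromisoformat(e["CreationTime"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):         # sliding window over sorted prompts
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[user] = max(flagged.get(user, 0), end - start + 1)
    return flagged

def scan(events):
    """Return rule findings as (user, operation, reason) plus MFA-fatigue users."""
    rules = [(e["UserId"], e["Operation"], r) for e in events for r in rule_findings(e)]
    return {"rules": rules, "mfa_fatigue": mfa_fatigue_users(events)}

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"CreationTime": "2025-03-04T08:02:11", "Operation": "New-InboxRule",
     "UserId": "alice@example.com", "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"CreationTime": "2025-03-04T08:05:40", "Operation": "Set-InboxRule",
     "UserId": "bob@example.com", "Parameters": [
         {"Name": "Name", "Value": "Vendor copies"},
         {"Name": "ForwardTo", "Value": "ap@mail.example.net"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2025-03-04T08:06:02", "Operation": "Set-Mailbox",
     "UserId": "bob@example.com", "Parameters": [
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:ap@mail.example.net"}]},
    {"CreationTime": "2025-03-04T09:15:00", "Operation": "New-InboxRule",
     "UserId": "carol@example.com", "Parameters": [
         {"Name": "Name", "Value": "Receipts"},
         {"Name": "MoveToFolder", "Value": "Receipts"}]},
    {"CreationTime": "2025-03-04T07:30:00", "Operation": "MfaPrompt",
     "UserId": "erin@example.com", "Result": "denied"},
] + [  # six prompts to dave in six minutes: a push-bombing burst
    {"CreationTime": f"2025-03-04T22:{m:02d}:00", "Operation": "MfaPrompt",
     "UserId": "dave@example.com", "Result": "timeout" if m % 2 else "denied"}
    for m in range(10, 16)
]

if __name__ == "__main__":
    result = scan(SAMPLE_EVENTS)
    for user, op, reason in result["rules"]:
        print(f"[rule] {user} {op}: {reason}")
    for user, count in result["mfa_fatigue"].items():
        print(f"[mfa]  {user}: {count} unanswered/denied prompts in one window")
```

Run against real data by feeding the JSON records exported from the audit log into scan(); the rule checks need no tuning, while the MFA threshold and window should match whatever lockout policy you set (the text suggests 5 or 10 prompts).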
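The SPF/DKIM/DMARC point under "Reduce exposure to phishing emails" above is easy to get only half right: a record can exist and still enforce nothing. This added example (not from the original page) grades an SPF record and a DMARC record by the settings that decide whether spoofed mail is rejected, showing a weak pair beside a corrected pair. The records are constructed for the placeholder domain example.com and the grading thresholds are this example's own.

```python
"""Grade SPF and DMARC records for the weak settings that let spoofed mail through.

Added example, not code from the original page. The records are constructed
for example.com; the grades are this example's own assumptions.
"""

SPF_ALL_GRADES = {
    "-": ("strong", "-all: mail from unlisted senders fails"),
    "~": ("moderate", "~all: softfail only; DMARC must still enforce"),
    "?": ("weak", "?all: neutral, unlisted senders are not rejected"),
    "+": ("weak", "+all: anyone may send as this domain"),
}

def spf_assessment(record):
    """Return (grade, reason) for an SPF TXT record string."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "missing", "no valid SPF record"
    all_term = next((t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        return "weak", "no 'all' mechanism, so unlisted senders get a neutral result"
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"   # bare 'all' means +all
    return SPF_ALL_GRADES[qualifier]

def parse_dmarc(record):
    """Split 'v=DMARC1; p=reject; ...' into a lowercase-keyed tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_assessment(record):
    """Return (grade, reason) for a DMARC TXT record string."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", "no valid DMARC record"
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid", f"unknown or missing policy p={policy!r}"
    if policy == "none":
        return "weak", "p=none only monitors; spoofed mail is still delivered"
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        return "partial", f"pct={pct}: only {pct}% of failing mail is subject to p={policy}"
    if tags.get("sp", policy).lower() == "none":
        return "partial", "sp=none leaves subdomains unprotected"
    reason = f"p={policy} applies to all failing mail"
    if "rua" not in tags:
        reason += " (no rua= address, so you receive no aggregate reports)"
    return "strong", reason

# Constructed records: a weak pair as commonly found, and a corrected pair.
WEAK_SPF = "v=spf1 include:_spf.mail.example.net ?all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for label, rec, grade in (("weak SPF", WEAK_SPF, spf_assessment),
                              ("weak DMARC", WEAK_DMARC, dmarc_assessment),
                              ("fixed SPF", STRONG_SPF, spf_assessment),
                              ("fixed DMARC", STRONG_DMARC, dmarc_assessment)):
        verdict, reason = grade(rec)
        print(f"{label:12} {verdict:9} {reason}")
```

To check your own domain, fetch the published records with `dig +short TXT example.com` and `dig +short TXT _dmarc.example.com` and pass the strings in. The grader does not count SPF's ten-DNS-lookup limit and does not verify DKIM, which needs the selector and key rather than a single record; treat it as a first pass, not a complete audit.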
How can you reduce the risk of financial losses?
Awareness and preparedness are keys to success
While there are no silver bullets, understanding the risks, regularly training staff, and having well-defined policies for payment and data requests are key steps in preventing a BEC event. Additionally, tools and technologies can help identify and filter out suspicious activity before it ever reaches an employee.
Train your staff on what to watch out for and how to verify requests
Establish an out-of-band verification process to confirm the identity of the person requesting a funds transfer.
If the request is by email, then call and speak to the person using a pre-established phone number to get a verbal confirmation.
If the request is by phone call or fax, then use email to confirm using an email address known to be correct.
Do not reply to the email or “verify” using the phone number in the email. If the request is fraudulent, the criminal will have supplied fake contact information, too.
For employees who frequently travel and are authorized to request funds transfers, establish a process to confirm requests. For example, set up a predetermined code that a request must include, one that is not written down anywhere on the network, so a cybercriminal who has taken over a mailbox cannot find it.
Provide periodic anti-fraud training that teaches employees to detect and avoid phishing and social engineering scams.
Limit the number of employees who have the authority to submit or approve wire transfers.
Establish dual approvals for financial transactions. The two parties responsible for dual approvals should not have a supervisor/subordinate relationship as it will undermine the effectiveness of the process.
Implement two-factor authentication for remote access to your email system.
If you do not have written procedures, develop them.
Periodically audit your written procedures and processes to make sure they’re keeping up with changing social engineering techniques.
Train employees on your out-of-band verification process
If a vendor or supplier requests changes to its account details (including, but not limited to, bank routing numbers, account numbers, telephone numbers, or contact information):
Confirm all requests by a direct call to the vendor or supplier. Make sure to use a phone number the vendor or supplier provided before the request was received.
Before making any changes, send notice of receipt of the request to someone other than the person who sent the request.
Require review of all requests by a supervisor or next-level approver before making any changes.
If the request is from a vendor, check for changes to business practices:
Were earlier invoices mailed but the new one was emailed?
Were earlier payments by check and now the request is for a wire transfer?
Did a current business contact ask to be contacted via their personal email address when all previous official correspondence used a company email address?
Is the address or bank account to which the payment is to be sent different from previous payments to that vendor?
Be suspicious of small changes in email addresses that mimic legitimate email addresses:
For example, .co vs. .com, abc-company.com vs. abc_company.com, or hijkl.com vs. hljkl.com.
Forward any suspicious instances to InfoSec or IT for review.
If the request is for a funds transfer, confirm that the request is consistent with how previous funds transfer instructions have been requested:
Does the CEO or CFO normally request wire payments directly, or is this out of character?
Is the request consistent with earlier wire payments – including the timing, frequency, recipient, and country to which prior wires have been sent?
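The lookalike-address and subdomain checks described under "Recognize phishing emails and BEC attempts" and in the list above can be automated for the vendor domains you actually pay. The following added example (not the page's own code) compares a sender's registrable domain with a constructed list of trusted vendor domains and reports exact matches, trusted names embedded as subdomains of some other domain, and near-matches such as .co for .com, abc_company.com for abc-company.com, and hljkl.com for hijkl.com. The trusted list and sample senders are constructed, and the public suffix handling is a simplified assumption; production code should use a maintained public suffix list.

```python
"""Classify a sender address against trusted vendor domains.

Added example, not the page's own code. Trusted domains, sample senders and
the tiny suffix table are constructed; use a real public suffix list in production.
"""
import re

TRUSTED_DOMAINS = sorted({"abc-company.com", "hijkl.com", "example.com"})
TWO_LEVEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}   # assumed PSL subset
CONFUSABLE = str.maketrans("01i_", "oll-")   # 0->o, 1->l, i->l, _->-

def registrable_domain(host):
    """Part the registrant controls, e.g. mail.vendor.co.uk -> vendor.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    n = 3 if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def split_name(reg):
    """'vendor.co.uk' -> ('vendor', 'co.uk'); 'hijkl.com' -> ('hijkl', 'com')."""
    labels = reg.split(".")
    return labels[0], ".".join(labels[1:])

def normalize(name):
    """Fold characters that look alike so hljkl and hijkl compare equal."""
    return name.lower().replace("rn", "m").replace("vv", "w").translate(CONFUSABLE)

def levenshtein(a, b):
    """Edit distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(sender, trusted=TRUSTED_DOMAINS):
    """Return (verdict, trusted domain it resembles or None, detail)."""
    match = re.search(r"<([^>]+)>", sender)            # "Name <addr>" display form
    address = (match.group(1) if match else sender).strip()
    if "@" not in address:
        return "invalid", None, "no mailbox@domain part"
    host = address.rsplit("@", 1)[1].lower()
    reg = registrable_domain(host)
    if "." not in reg:
        return "invalid", None, f"{host} has no registrable domain"
    if reg in trusted:
        return "trusted", reg, "registrable domain matches"
    reg_name, reg_suffix = split_name(reg)
    subdomain_part = host[: len(host) - len(reg)].rstrip(".")
    for t in trusted:
        t_name, t_suffix = split_name(t)
        # Trusted name placed in front of an attacker-controlled registrable domain.
        if t in subdomain_part or t_name in subdomain_part.split("."):
            return "embedded", t, f"{t} appears as a subdomain of {reg}"
        if normalize(reg_name) == normalize(t_name):
            if reg_suffix != t_suffix:
                return "lookalike", t, f"same name, different suffix .{reg_suffix} vs .{t_suffix}"
            return "lookalike", t, "differs only by confusable characters"
        if levenshtein(normalize(reg_name), normalize(t_name)) <= 1:
            return "lookalike", t, "one character inserted, dropped or changed"
    return "unknown", None, "not a trusted domain and no close resemblance"

# Constructed sample senders.
SAMPLES = [
    "ap@abc-company.com",
    "AP Team <ap@abc-company.co>",
    "ap@abc_company.com",
    "billing@hljkl.com",
    "ap@abc-company.com.mail-secure.example",
    "ap@abc-compny.com",
    "ap@unrelated-vendor.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, near, detail = classify(s)
        print(f"{verdict:9} {s:42} {detail}" + (f" [{near}]" if near else ""))
```

Anything other than "trusted" should route the message to the out-of-band verification step rather than block it outright: a vendor may legitimately move to a new domain, and the check is there to force a phone call, not to make the decision.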
Contact us
We help clients build cyber resilience
Beazley Security is a global cyber security firm committed to helping clients develop true cyber resilience: the ability to withstand and recover from any cyberattack.
We combine decades of cyber security protection, detection, response, and recovery expertise with the actuarial precision and risk mitigation capability of our parent company, Beazley Insurance.
Find out more about our cyber security solutions.