
BEC Attacks: How Email Account Compromise Works

May 10, 2018 by Pedro Tavares

Business email compromise (BEC) is a form of phishing attack in which a cyber attacker impersonates a high-level executive (often the CEO). From there, they attempt to get an unsuspecting employee, customer, or vendor to transfer funds or confidential information. According to an article published by Infosec, BEC attacks, "sometimes called whaling or man-in-the-email, are a way of tricking employees into handing over large amounts of money."

These attacks are a form of social engineering, and humans are the weakest point in security. Because of this, BEC emails often land directly in employee inboxes.


What is Email Account Compromise in the BEC-Attack Landscape?

BEC attacks are on the rise and are targeting a large number of businesses.

In many cases, they involve a cyber attacker hacking an employee's email account, or using a spoofed email to request a new password for the employee's account so that it is sent to a channel the attacker controls (e.g., the attacker's email address). With this in place, the employee is then alerted that there was a problem with a certain payment and that it must be resent to a different account.

One of the most recent cases of account compromise occurred with Lazio, a popular Italian football team. As the editor from The Comeback recently wrote, "Lazio apparently paid out that final $2.5M to the wrong bank account, after being convinced to switch account numbers by an email scammer."

How Email Account Compromise Works

Account compromise can be executed by the cyber attacker through two different mechanisms:

  • Email account compromise
  • Email spoofing

What Is Email Account Compromise?

For email account compromise to work, the cyber attacker often uses social engineering to coax victims into installing malware or keyloggers on their workstations or wireless devices, in an effort to harvest login credentials and take over the email account. In many cases, they also use brute-force attacks, which guess the password until access to the target account is gained.

With account access in hand, the cyber attacker can monitor emails and intercept those that contain an invoice. They then change the payment instructions on a chosen invoice and allow it to be processed — with the funds going straight into their bank account.

What Is Email Spoofing?

Another method that is used to access an email account is known as email spoofing. Email spoofing is possible because the Simple Mail Transfer Protocol (SMTP) provides no mechanism for address authentication. Because of this, cyber attackers can forge the email headers so that a message appears to have originated from someone or somewhere other than its actual source.

This tactic is the most widely used in phishing attacks because people are more likely to open an email when they believe it was sent by a legitimate source.
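SMTP itself carries no proof of who sent a message, which is why SPF, DKIM and DMARC were later layered on top of it: the receiving server records what it verified in an Authentication-Results header, and a DMARC-style check tests whether the verified domain actually matches the visible From address. The following Python is an added example (not code from the article) that performs that alignment check on two constructed messages; example-corp.com and bulk-sender.example.net are placeholder domains.

```python
import email
import re
from email import policy

# Two constructed messages (placeholder domains, not real traffic). In the first,
# the visible From claims the company domain, but the receiving server verified
# SPF and DKIM for an unrelated domain: the signature of a forged header.
RAW_SPOOFED = b"""From: CEO <ceo@example-corp.com>
To: finance@example-corp.com
Subject: Urgent wire transfer
Authentication-Results: mx.example-corp.com;
 spf=pass smtp.mailfrom=bulk-sender.example.net;
 dkim=pass header.d=bulk-sender.example.net

Please move today's payment to the new account.
"""

RAW_LEGIT = b"""From: CEO <ceo@example-corp.com>
To: finance@example-corp.com
Subject: Q2 numbers
Authentication-Results: mx.example-corp.com;
 spf=pass smtp.mailfrom=example-corp.com;
 dkim=pass header.d=example-corp.com

Numbers attached.
"""

def org_domain(name):
    """Crude organizational-domain reduction: keep the last two labels."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def alignment(msg):
    """Return (spf_aligned, dkim_aligned): the result was 'pass' AND the verified
    domain belongs to the same organization as the visible From domain."""
    ar = " ".join(str(msg.get("Authentication-Results", "")).split())  # unfold
    from_addr = msg["From"].addresses[0].addr_spec
    target = org_domain(from_addr.rsplit("@", 1)[1])
    spf = re.search(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s]+@)?([^\s;]+)", ar)
    dkim = re.search(r"dkim=(\w+)\s+header\.d=([^\s;]+)", ar)
    spf_ok = bool(spf and spf.group(1) == "pass" and org_domain(spf.group(2)) == target)
    dkim_ok = bool(dkim and dkim.group(1) == "pass" and org_domain(dkim.group(2)) == target)
    return spf_ok, dkim_ok

def from_header_is_trustworthy(raw):
    """DMARC-style verdict: at least one aligned pass; missing results fail closed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return any(alignment(msg))
```

A message with no Authentication-Results header at all also returns False, so an unverified From address is never treated as trustworthy.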

Another approach used by cyber attackers is to send a phishing email from an address that looks very similar to the one they intend to impersonate. For instance, the email address of the target is as follows:

A cyber attacker can then purchase a very similar domain, which can be configured to look like the following:

Once this has been done, an executive or employee's email account is then hacked and used to request invoice payments to the vendors listed in their email contacts. Payments are then sent to fraudulent bank accounts of the cyber attacker.

Understanding Email Account Compromise Risks

Because these scams carry no malicious links or attachments, they can evade just about any means of defense. As a result, the only way to combat them is through consistent employee training and awareness.

It is very important to understand the impact when a cyber attacker has full access to an email account. He or she can send an email on behalf of the impersonated person, and can also:

  • Learn the sort of phrases, greetings and sign-off remarks that the victim tends to use
  • Keep track of deals and payments that are about to transpire
  • Make copies of official invoices and other documents for future reference (for example, for editing bank account details, dates, payment amounts, etc.)
  • Delete fraudulent emails from the Sent folder
  • Delete incoming warning emails from the IT staff
  • Set up email rules to divert incoming messages to an email subfolder so that they see those emails first (before the employee does). This also lets them read, reply to and delete email messages without the victim realizing that any of this is happening
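The inbox-rule trick in the last bullet leaves a trace that administrators can audit: rules that forward outside the organization, delete mail, or move finance-related messages into folders nobody reads. The following Python is an added example (not from the article) that scores a constructed export of inbox rules; the field names are modeled on Exchange inbox-rule properties, but the data and domains are placeholders.

```python
import json

# Constructed export of inbox rules (not real data), loosely modeled on the
# properties an Exchange or Microsoft 365 admin sees for mailbox rules.
RULES_JSON = """[
 {"Mailbox": "cfo@example-corp.com", "Name": "Newsletter filter", "SubjectContainsWords": ["newsletter"],
  "MoveToFolder": "Inbox/Newsletters", "MarkAsRead": false, "DeleteMessage": false, "ForwardTo": []},
 {"Mailbox": "cfo@example-corp.com", "Name": ".", "SubjectContainsWords": ["invoice", "payment", "wire"],
  "MoveToFolder": "Inbox/RSS Feeds", "MarkAsRead": true, "DeleteMessage": false, "ForwardTo": []},
 {"Mailbox": "ap@example-corp.com", "Name": "cleanup", "FromAddressContainsWords": ["it-support"],
  "MoveToFolder": null, "MarkAsRead": false, "DeleteMessage": true, "ForwardTo": []},
 {"Mailbox": "ap@example-corp.com", "Name": "copy", "SubjectContainsWords": [],
  "MoveToFolder": null, "MarkAsRead": false, "DeleteMessage": false, "ForwardTo": ["mail@external-example.net"]}
]"""

INTERNAL_DOMAIN = "example-corp.com"
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "account"}
# Folders people rarely open: a common place to park diverted mail.
HIDE_FOLDERS = {"rss feeds", "rss subscriptions", "junk email", "deleted items", "archive"}

def rule_findings(rule):
    """List the suspicious traits of one rule (empty list = nothing notable)."""
    findings = []
    words = {w.lower() for w in rule.get("SubjectContainsWords") or []}
    folder = (rule.get("MoveToFolder") or "").rsplit("/", 1)[-1].lower()
    external = [a for a in rule.get("ForwardTo") or []
                if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        findings.append("forwards to external address: " + ", ".join(external))
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")
    if rule.get("MarkAsRead") and folder:
        findings.append("moves messages and marks them read")
    if folder in HIDE_FOLDERS:
        findings.append("moves mail into a rarely viewed folder: " + folder)
    if words & FINANCE_WORDS:
        findings.append("matches finance keywords: " + ", ".join(sorted(words & FINANCE_WORDS)))
    if len(rule.get("Name", "").strip()) <= 1:
        findings.append("near-empty rule name")
    return findings

def suspicious_rules(rules_json):
    """Flag rules that forward or delete mail, or that combine two hiding traits."""
    flagged = []
    for rule in json.loads(rules_json):
        findings = rule_findings(rule)
        if len(findings) >= 2 or any(f.startswith(("forwards", "deletes")) for f in findings):
            flagged.append((rule["Mailbox"], rule["Name"], findings))
    return flagged
```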

How Can I Protect My Organization From Email Account Compromise?

All employees (including C-level executives) should do the following to help prevent business email compromise:

  • Always confirm with others before sending any money or confidential information
  • Require multi-factor authentication on email accounts
  • Look out for emails with extensions that are similar to the company's email
  • Be cautious about emails requesting out-of-the-ordinary information
  • Carefully scrutinize all email requests before a transfer of funds is initiated
  • Implement appropriate password rotation — for example, every three months — so that the probability of account compromise is mitigated
  • Facilitate security awareness training programs that help employees make better decisions about the emails they receive
  • Establish reliable communication backchannels so that high-value, confidential or sensitive requests can be looked into further and subsequently verified
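Two of the points on this page, the look-alike domain described in the spoofing section and the advice above to look out for addresses similar to the company's, can be partly automated. The following Python is an added example (not from the article) that classifies a sender address as internal, look-alike or external by collapsing common substitutions (digits for letters, "rn" for "m", accented characters) and comparing the result with the company domain; example-corp.com is a placeholder, and the distance threshold of 2 is an assumption suited to domain names of that length.

```python
import unicodedata

COMPANY_DOMAIN = "example-corp.com"  # placeholder for the organization's own domain


def canonical(domain):
    """Collapse common look-alike tricks so that imitations compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower().rstrip("."))
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # strip accents
    d = d.replace("rn", "m").replace("vv", "w")                    # letter pairs
    return d.translate(str.maketrans("013578", "olestb"))          # digit swaps


def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats and swapped TLDs."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, company=COMPANY_DOMAIN, max_dist=2):
    """Return 'internal', 'lookalike' or 'external' for a sender address."""
    domain = address.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain == company:
        return "internal"
    canon_d, canon_c = canonical(domain), canonical(company)
    name = canon_c.split(".")[0]                  # e.g. "example-corp"
    if canon_d == canon_c:
        return "lookalike"                        # homoglyph or digit substitution
    if edit_distance(canon_d, canon_c) <= max_dist:
        return "lookalike"                        # typosquat or different TLD
    if name in canon_d.split(".") or name in canon_d.replace(".", "-"):
        return "lookalike"                        # company name inside another domain
    return "external"
```

Addresses classified as "lookalike" are candidates for review or a warning banner, not automatic proof of fraud, since a legitimate partner may also embed the company name in its domain.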

Remember to always report any kind of scam to the authorities so that further action can be taken to prosecute the cyber attacker(s).


Pedro Tavares

Pedro Tavares is a professional in the field of information security working as an Ethical Hacker, Malware Analyst and a Security Evangelist. He is also Editor-in-Chief of the security computer blog

In recent years, he has invested in the field of information security, exploring and analyzing a wide range of topics, such as malware, reverse engineering, pentesting (Kali Linux), hacking/red teaming, mobile, cryptography, IoT, and security in computer networks. He is also a Freelance Writer.