BEC Attacks: Can You Stop the Imposters in Your Inbox?

If asked which of the threat types tracked by the FBI causes the most financial damage, most people would say ransomware.

They’d be wrong.

In 2021, the FBI’s Internet Crime Complaint Center (IC3) received 19,954 Business Email Compromise (BEC) reports, with adjusted losses totaling almost $2.4 billion. That’s an average of more than $120,270 per incident, compared with just under $13,200 per incident for ransomware attacks.

Since the FBI began tracking these threats in 2013, tens of billions in financial losses have been recorded, resulting from nearly 170,000 incidents in 178 countries.

So why hasn’t this threat risen to the notoriety of ransomware?

During many ransomware attacks, business operations grind to a halt. When a company loses access to customer information, payment systems and mission-critical applications, it often becomes clear in short order that something is wrong.

But BEC attacks are comparatively silent. Even when these attacks have a huge impact on an organization’s bottom line, operations can generally continue as usual. As a result, businesses frequently opt to keep these attacks out of the public eye to avoid risking reputation damage and loss of trust.

But although ransomware still dominates security news, the growing frequency, volume and cost of BEC attacks have begun attracting more attention.

As a result, BEC attacks have become a top threat concern for many organizations today, according to a recent SonicWall-sponsored white paper by Osterman Research. “How to Deal with Business Email Compromise” reports primary research data from an in-depth customer survey of 119 respondents, each of which has direct knowledge of how their organization is addressing or planning to address the risk of BEC.

The results from this study offer a look at how security influencers and decision-makers are taking BEC into account when formulating their spending plans for the next 12 months. For example, while just 46% of organizations said they considered protecting against BEC attacks “important” or “extremely important” 12 months ago, 76% said they considered it important or extremely important today.

Image describing BEC Importance


Organizations indicating that protecting against BEC attacks in 2023 is of high importance

The data also shows that three-fifths of organizations in the study view protecting against BEC attacks as one of their top five security priorities.


Organizations ranking protecting against BEC attacks as one of their top five priorities.

How BEC Attacks Fly Under the Radar

But what makes BEC attacks so dangerous when compared with other forms of cyberattacks? And why are they harder to stop?

BEC is a specialized type of phishing attack that relies on social engineering. They often use a proven pretexting technique to engineer a quick introduction and establish a believable scenario in order to manipulate the victim to take a specific action.

While these attacks can target employees at any level of an organization, they generally start with an attacker impersonating a person with authority, such as a CEO or CFO, a manager, or a supplier. The attacker uses the authority figure’s identity to start a chain of plausible (but fake) requests to gain monetary payment. This typically involves instructing someone in accounts payable, someone in HR or even someone with a company credit card to pay a fake invoice, transfer funds, send gift cards or make payroll payouts. The urgent tone of these messages encourages the victim to respond or act quickly, bypassing any checks and balances that may be in place.

Compared with other forms of cyberattacks, BEC attacks are among the hardest to detect because the threat signals are far less obvious. Relying on trickery and impersonation, the approach is very subtle, and the actual delivery generally doesn’t use weaponized URLs or malicious attachments, which are easily detected.

In addition, the email content and the delivery mechanism are usually of higher quality and often tailored to target a specific person or persons. With little to no apparent sign of a threat, these messages can bypass most email security filters to reach the inbox — and the absence of any sort of alert, such as a contextual warning advising them to exercise caution, leaves the victim more vulnerable to falling for the scam.

Because so many of these scams are successful, their use has grown dramatically — today, roughly 80% of companies targeted by BEC attacks each year. While there isn’t much you can do to avoid being targeted, there’s plenty you can do to safeguard your organization’s finances. To learn more about BEC attacks and how to stop them, check out our webinar, “Can You Stop the Imposters in Your Inbox?

BEC Attacks: Inside a $26 Billion Scam

Why would cybercriminals employ obfuscation tools, launch multi-stage cyberattacks, encrypt endpoints and haggle over ransom amounts … when they could just ask for the money? This is the concept behind Business Email Compromise (BEC) attacks — a type of cyberattack that has grown dramatically over the past few years.

The U.S. federal government’s Internet Complaint Center (IC3), which has been tracking these attacks since 2013, has dubbed BEC attacks the “$26 billion scam” — though this moniker is likely out of date due to escalating attack volumes and increased reliance on email throughout the pandemic.

And though high-profile ransomware attacks continue to dominate headlines, far more money is lost to BEC attacks. For example, in 2020, BEC attacks accounted for $1.8 billion in the U.S. alone, and an estimated 40% of cybercrime losses globally.

The Anatomy of a BEC Attack

While they’re considered a type of phishing attack, BEC attacks don’t rely on malicious code or links. Instead, they let social engineering do the heavy lifting. These attacks specifically target organizations that perform legitimate transfer-of-funds requests, and almost exclusively appeal to seniority to secure compliance.

According to the Osterman white paper sponsored by SonicWall, “How to Deal with Business Email Compromise,” BEC threat actors create email addresses that mimic those used by senior executives, use free services such as Gmail to create email addresses that appear to be an executive’s personal account, or, less commonly, gain access to executives’ actual corporate email accounts using phishing attacks or other means.

Image describing phishing

Above is a BEC email I’ve received. Note the appeal to authority — the message appears to come from SonicWall’s CEO, despite originating from an outside address — as well as the sense of urgency throughout. This is a rather clunky example; many of these emails are much more sophisticated in both language and execution.

Once the attacker has a plausible email account from which to operate, they use social engineering tactics to request the target either divert payment on a valid invoice to the criminal’s bank account, solicit payment via fake invoice or divert company payroll to a fraudulent bank account.

Since these attacks appeal to a sense of urgency and appear to come from a CEO, CFO or someone else in charge, many targets are eager to comply with the requests as quickly as possible. Once they do, the company is out a large sum of money, and the cybercriminal celebrates another payday.

How Common are BEC attacks?

BEC attacks have been recorded in every state in the U.S., as well as 177 countries around the world. Based on the latest report from IC3, nearly 20,000 of these attacks were reported in 2020 alone — likely an undercount, given that Osterman’s research found that four out of five organizations were targeted by at least one BEC attack in 2021. For mid-sized businesses (those with 500-2,500 email users), that number rose to nine out of 10.

Worse, almost 60% of the organizations surveyed reported being the victims of a successful or almost successful BEC attack. For those who were successfully targeted, the costs were significant: a combination of direct costs and indirect costs brought the total financial impact of a successful BEC incident to $114,762. Unfortunately, the direct costs, while significant for an individual organization, are often too small to trigger help from law enforcement agencies and insurance companies.

BEC Attacks Can Be Stopped (But Probably Not in the Way You Think.)

Many other attacks rely on malicious links and code, which can be spotted by anti-malware solutions and secure email gateways. But the sort of social engineering tactics used in BEC attacks — particularly those from a legitimate email address — often cannot be caught by these solutions.

Even so, while three-quarters of respondents say that protecting against these attacks is important to them, many are still depending primarily on technologies that were never designed to stop BEC attacks.

There’s not a lot you can do to prevent being among the 80% (and growing) of companies targeted by BEC attacks each year, but there’s plenty of other things you can do to safeguard your organization’s finances. But they all fall under three primary pillars: People, Process and Technology.

Technology is your first line of defense against BEC attacks. Many solutions claim the ability to combat BEC attacks, but their effectiveness varies widely. For best protection, look for one that will both block BEC attacks and guide employees.

Notice in the example above how there’s an alert warning that the email originated from outside the organization? While simple, these sorts of alerts can make the difference between a BEC attempt that’s ultimately successful, and one that’s scrutinized and deleted upon receipt.

Particularly in companies that are still relying on traditional technology protections, employee training an indispensable backup protection. Employees should be coached to look for spoofed email addresses, uncharacteristic grammar and syntax, and an unusual sense of urgency.

In the case of particularly sophisticated attempts, processes should be in place in case a BEC attempt makes it into the inbox and isn’t identified by the recipient as suspect. Policies such as a multi-person review of requests to change bank account details or mandated out-of-band confirmations are often successful as a last line of defense against BEC.


Report: Business Email Compromise (BEC) Now A $12.5 Billion Scam

Email continues to be the top vector used by cybercriminals, and business email compromise (BEC) is gaining traction as one of the preferred types of email attacks.

BEC attacks do not contain any malware and can easily bypass traditional email security solutions. For cybercriminals, there is no need to invest in highly sophisticated and evasive malware. Instead, they engage in extensive social engineering activities to gain information on their potential targets and craft personalized messages.

What makes these attacks dangerous is that the email usernames and passwords of corporate executives are easily available to cybercriminals on the dark web, presumably due to data breaches of third-party websites or applications.

“Through 2023, business compromise attacks will be persistent and evasive, leading to large financial fraud losses for enterprises and data breaches for healthcare and government organizations,” says Gartner in their recent report, Fighting Phishing – 2020 Foresight 2020.

What is Business Email Compromise?

BEC attacks spoof trusted domains, imitate brands and/or mimic corporate identities. In many cases, the emails appear from a legitimate or trusted sender, or from the company CEO typically asking for wire transfers.

According to the FBI, BEC is defined as a sophisticated scam targeting businesses working with foreign suppliers and/or businesses that regularly perform wire transfer payments. This is a very real and growing issue. The FBI has put up a public service announcement saying that BEC is a $12.5 billion scam.

Types of BEC or Email Fraud

Email has been around since the 1960s and the current internet standard for email communication —  Simple Mail Transfer Protocol (SMTP) — was not designed to authenticate senders and verify the integrity of received messages. Therefore, it’s easy to fake or “spoof” the source of an email. This weak sender identification will continue to present opportunities for creative attacks.

For example, here is a screenshot of a recent spoofing email that I encountered. The messaging seemingly originated from my colleague. The displayed sender’s name invokes an immediate recognition for the recipient. But a closer examination of the sender’s domain reveals the suspicious nature of the email.

Now, let’s look at the different types of spoofing techniques a threat actor might use to initiate an attack:

Display Name Spoofing
This is the most common form of BEC attack. In this case, a cybercriminal tries to impersonate a legitimate employee, typically an executive, in order to trick the recipient into taking an action. The domain used could be from a free email service such as Gmail.

Domain Name Spoofing
This includes either spoofing the sender’s “Mail From” to match that of the recipient’s domain in the message envelope, or using a legitimate domain in the “Mail From” value but using a fraudulent “Reply-To” domain in the message header.

Cousin Domain or Lookalike Domain Spoofing
This type of attack relies on creating visual confusion for the recipient. This typically involves using sister domains such as “.ORG” or “.NET” instead of “.COM,” or swapping out characters, such as the numeral “0” for the letter “O,” an uppercase “I” for a lowercase “L.” This is also sometimes referred to as typosquatting.

Compromised Email Account or Account Take Over (ATO)
This is carried out by compromising legitimate business email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds or data theft.

Best Practices for Stopping BEC Attacks

Concerned your organization could fall prey to business email compromise? Here are some email security best practices that you can implement to protect against sophisticated BEC attacks.

  1. Block fraudulent emails by deploying Sender Policy Framework (SPF), Domain Keys Identified Mail (DKIM) and Domain-Based Message Authentication, Reporting and Conformance (DMARC) capabilities.
  2. Enable multi-factor authentication and require regular password changes to stop attacks from compromised accounts.
  3. Establish approval processes for wire transfers.
  4. Deliver periodic user-awareness training for a people-centric approach to combat email attacks.

How to Stop Email Spoofing

Whether it’s CEO fraud, forged emails, business email compromise (BEC), impostor emails or impersonation attacks, all email spoofing attacks present a dangerous risk to organizations. Review the solution brief to gain four key best practices to help mitigate the email spoofing attacks that impact your business.

SonicWall Email Security Wins Coveted 2018 CRN Annual Report Card (ARC) Award

Once again, SonicWall Email Security has been recognized at the top of its class for protecting the No. 1 threat vector: email. The solution was named the overall winner by sweeping the 2018 CRN Annual Report Card (ARC) email security category.

The solution has won three prestigious security awards to date in 2018. This is a testament toward the innovation and effort the SonicWall team has invested the last 18 months in key focus areas: advanced threat protection, administrative ease, product support and channel enablement.

“An ARC award is one of the industry’s most prestigious honors. It symbolizes a vendor’s dedication to delivering high quality and innovative product and program offerings to their channel partners,” said Bob Skelley, CEO, The Channel Company. “CRN’s Annual Report Card provides solution providers with the rare opportunity to offer their invaluable insight on vendors’ products and services, as well as their partner programs. As a result, the technology suppliers are equipped with actionable feedback to bolster their efforts to remain the best-of-the-best.”

The Annual Report Card summarizes results from a comprehensive survey that details solution provider satisfaction across product innovation, support and partnership for hardware, services and software vendors. The vendors with the highest ratings are named to the prestigious Annual Report Card list of winners and celebrated as best-in-class by their partners.

The results also provide the IT vendor community with valuable feedback — directly from their solution providers — that can be used to refine product offerings, enhance support and improve communication with partners.

This year’s group of honorees was selected from the results of an in-depth, invitation-only survey by The Channel Company’s research team. More than 3,000 solution providers were asked to evaluate their satisfaction with more than 65 vendor partners in 24 major product categories.

SonicWall Email Security is a multi-layer solution that protects organizations against advanced email threats such as targeted phishing attacks, ransomware and business email compromise. The key capabilities include:

  • Real-time threat intelligence feeds from over 1 million security sensors deployed globally and delivered through the SonicWall Capture Cloud Platform.
  • Dynamic scanning of suspicious email attachments and embedded URLs using the award-winning, multi-engine SonicWall Capture Advanced Threat Protection (ATP) sandbox service with Real-Time Deep Memory Inspection (RTDMITM).
  • Anti-phishing technology uses a combination of methodologies such as machine learning, heuristics, reputation and content analysis.
  • Powerful antispam and antivirus engines to protect against known malware and spam.

The solution can be deployed as hardened physical appliances, robust virtual appliances or a resilient cloud email security service. And whether an organization uses on-premises email servers or cloud services, such as Microsoft Office 365 or Google G Suite, SonicWall’s solution delivers best-in-class threat protection through seamless and simple integrations.

Given that email continues to be a top attack vector in the cyber arms race, SonicWall is committed to enhancing the solution to better protect its users from advanced email threats.

The 2018 Annual Report Card results can be viewed online at