The Different Types of Business Email Compromise

by Tony Richardson CISSP

You’re in the middle of a staff meeting when your phone rings. It’s your tech support team.

They tell you that one of your employees’ email accounts has been hacked and is being used to send out spam. You quickly realize that this could have serious consequences for your business, from lost revenue to damaged reputation. Unfortunately, business email compromise (BEC) is becoming increasingly common, and it can cause significant harm to businesses of all sizes.

Email is a mainstay of communication in the business world. But what happens when email is used to target businesses for criminal gain? This is business email compromise (BEC), and it’s on the rise. There are different types of business email compromise, and some of them can be much more damaging than others. Here is what to look out for.

What is business email compromise, and what are the different types of it?

BEC is a form of phishing attack where criminals attempt to trick senior executives into transferring funds or revealing sensitive information. The criminal’s goal is to make these emails convincing: they request unusual payments, contain links that lead to attacker-controlled pages on a fake website, or carry malware hidden in seemingly harmless attachments such as invoices, which can result in your computer being infected.

The FBI has identified five common types of BEC attack, and they apply in the UK too:

1. Email Account Compromise

Hackers access your email account and use it to request payment from vendors. The money is redirected to an attacker-controlled bank account; the vendor is tricked, and the attacker covers their tracks with a complex series of onward money transfers.

2. Vendor Email Compromise

Companies that deal with foreign suppliers are common targets for vendor email compromise. Attackers pose as the company’s supplier, request payment on a fake invoice and, once they receive it, move the money into a fraudulent account under their control. Along the way they also gather valuable data about the organisations involved.

3. Data Theft 

Data theft attacks are a huge problem for companies. They typically target HR personnel in order to obtain personal information about a company’s CEO or other high-ranking executives, which can be used later, for example when committing CEO fraud. This is often only one part of a criminal’s wider BEC strategy. Insiders who commit cybercrime are often data thieves.

4. Legal Representative

It’s not unusual for an attacker to pose as a lawyer or legal representative over email. The common targets for these attacks are lower-level employees who may be unfamiliar with this scenario and may act on an urgent request from the sender without a hint of suspicion, which can mean big trouble later down the line.

5. The “boss” trick

Attackers have been known to impersonate the CEO or an executive of a company and, in that guise, request that an employee in the accounting/finance department transfer funds into an account the attacker controls. Obviously this can lead to catastrophic outcomes, but many employees are at risk of falling for this type of scam, particularly those new to a company and eager to please, or those who are less tech savvy.
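The five types above share a handful of observable traits: an executive’s display name on an address the company does not own, a Reply-To that quietly diverts the thread, a supplier domain one character off the real one, and urgent payment or bank-change language. The scorer below is an added example (not the article’s own code) that checks constructed sample messages for those traits; the executive names, domains and keyword lists are assumptions a real deployment would replace with its own directory and vendor data.

```python
import re

# Constructed reference data (assumptions for this example): the organisation's
# executives, the domains it owns, and the domains of its known suppliers.
EXECUTIVES = {"jane doe", "sam patel"}
OWN_DOMAINS = {"example-corp.com"}
VENDOR_DOMAINS = {"acme-supplies.com"}
URGENCY = re.compile(r"\b(urgent|immediately|today|confidential)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|invoice|payment|gift cards?)\b", re.I)
BANK_CHANGE = re.compile(
    r"\b(new|updated|changed)\b.{0,40}\b(bank|account|iban|routing)\b", re.I)

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()

def edit_distance(a, b):
    # Plain Levenshtein distance; small values flag typosquatted domains.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(domain, known):
    return any(domain != k and edit_distance(domain, k) <= 2 for k in known)

def score_email(msg):
    """Return (score, reasons); msg has display_name, from_addr, reply_to, body."""
    reasons = []
    sender = domain_of(msg["from_addr"])
    reply = domain_of(msg.get("reply_to") or msg["from_addr"])
    # "Boss" trick: an executive's display name on an address we do not own.
    if msg["display_name"].lower() in EXECUTIVES and sender not in OWN_DOMAINS:
        reasons.append("executive display name from external domain")
    # A Reply-To that silently diverts the thread away from the visible sender.
    if reply != sender:
        reasons.append("reply-to domain differs from sender domain")
    # Vendor email compromise / impersonation via a lookalike domain.
    if lookalike(sender, VENDOR_DOMAINS | OWN_DOMAINS):
        reasons.append("lookalike of a known domain: " + sender)
    # Fake-invoice and bank-detail-change language from the vendor scenario.
    if BANK_CHANGE.search(msg["body"]):
        reasons.append("request to change bank details")
    # Urgency combined with payment instructions, typical of CEO fraud.
    if URGENCY.search(msg["body"]) and PAYMENT.search(msg["body"]):
        reasons.append("urgent payment language")
    return len(reasons), reasons
```

A score of zero is not a clean bill of health; the checks only surface the traits this article describes, so treat any non-zero score as a prompt to verify the request out of band before money moves.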

How to protect yourself from email fraud

Here’s a quick checklist for protecting yourself from BEC:

  • Never give away your password to anyone.
  • Avoid opening attachments you were not expecting or don’t need.
  • Beware of psychological manipulation, a.k.a. social engineering.
  • Do a reality check: does it sound too good to be true? Don’t interact with it.
  • Refrain from clicking links that look strange, and don’t sign in if they take you to a sign-in page; this is a classic tactic that makes life very easy for the attacker. You can often tell the difference between a legitimate and a fake sign-in page.

Steps to take if you’re already the victim of an attack on your company’s emails

These three prompt actions can go a long way towards mitigating the impact of a BEC attack:

  1. As soon as you become aware that your email account has been hacked, the first thing to do is change your password. Choosing a strong password that bears no similarity to the old one will help to prevent hackers from getting back in further down the line.
  2. Now that you’ve secured your account by changing the password, it’s time to let management know about the phishing attack. You can alert them through email or over chat so they’re aware of what happened and can work on preventing future attacks.
  3. Once your email account has been hacked, the cybercriminal is able to pose as you and send emails that appear legitimate. If someone in your contact list receives one of these pretend messages from “you,” there’s a good chance they’ll open it, which could give the hackers more access or exposure than ever before, not to mention damage certain client relationships irreversibly. Swallowing your pride and warning your contacts is essential so that you protect as many stakeholders as possible.

It’s hard to believe that something as innocent as an email account could lead to such serious consequences for your business. Fortunately, you can take steps now to protect yourself and your employees from this type of attack in the future. We recommend making sure all company passwords are strong and using two-factor authentication wherever possible. This will not only increase security but also decrease the likelihood of other cyber threats such as phishing or ransomware attacks. The last thing you need is a hacker taking over one of your employees’ accounts and sending out costly spam emails on their behalf; it’s up to you to make sure they never have access again. Don’t wait until it’s too late.