Zero Trust Networks

Actionable Insights: Reduce Your Organisation’s “BEC Risk” Through Targeted Controls

Share with your network!

Proofpoint Actionable Insights are the additional metrics and insights that the Proofpoint Threat Protection Platform can deliver through our combined data, detection and research. These insights provide the additional detail and context needed to fully understand your threats and the actions you can take to defend against them.

The first instalment of our “Actionable Insights” blog series focused on insights around people risk and the meaningful actions organisations can take using those insights. In our second post, we focused more on risk origination, including how we can easily view this information in the Proofpoint Targeted Attack Protection (TAP) dashboard and the different actions we can take with that information.

In this post, we cover business email compromise (BEC) and how you can use targeted controls to reduce your organisation’s “BEC risk”.

Visibility is a must for understanding types of BEC schemes and preventing attacks

Business email compromise (BEC) is a top-of-mind threat for most organisations, and with good reason: In 2021, this technique accounted for almost 20,000 victims in the United States alone, with an adjusted loss of nearly $2.4 billion — making it the #1 internet crime type by victim loss, according to the FBI’s Internet Crime Complaint Center.

Employing attack techniques like impersonation and account compromise, BEC ranks alongside ransomware in terms of both potential business impact and executive focus. That’s why it’s crucial for information security leaders to have visibility into not only what types of BEC schemes attackers are using to target their specific organisation, but also how these attacks occur and how to prevent them.


The Threat Insight dashboard in Proofpoint TAP responds to this need for visibility by continuing to expand on its existing capabilities for reporting and analysis of BEC activity and risk in an organisation. Recently added trend reports and threat breakdowns bring even more actionable insights to the existing people-centric reports, providing a complete picture of the BEC activity targeting your organisation, including what controls you can implement to help prevent these attacks.

In this section, we’ll dive into five critical questions about BEC that you can answer with the insights found in some of these trend reports.

Question #1. Is my organisation protected against BEC threats?

The first step toward understanding your organisation’s risk from BEC threats is to measure their prevalence within your overall volume of malicious messages. Then, you can assess the relative effectiveness of your solutions against them.

The Email Threats Effectiveness Overview report shows you how well your organisation is protected against all malicious messages combined, as well as by Threat Type. Within the Threat Type breakdown, Impostor Threats represent the BEC messages sent to your organisation.

Email Threats Effectiveness Overview


Figure 1. Email Threats Effectiveness Overview summary chart in the Proofpoint TAP Threat Insight dashboard.

Although BEC attacks (Impostor Threats) may represent a small fraction of your organisation’s overall malicious message volume, their risk to your business can be disproportionately high. These threats tend to be extremely targeted, and will not generate the same volumes that other commodity-based threats tend to generate.

Tracking your overall effectiveness against these threats is important. But having the ability to gauge your effectiveness over time allows your organisation to recognise sudden changes in attack volume or success rates so you can adapt your protections appropriately.

You can filter the Messages Protected Trend report to show BEC messages over time and how any changes in volume might have an impact on your effectiveness against them.

BEC Effectiveness


Figure 2. BEC Effectiveness trend chart in the Proofpoint TAP Threat Insight dashboard.

Question #2. How were certain threats determined to be BEC threats?

Having insight into why specific messages were identified and condemned as BEC threats is an important part of this effectiveness reporting. The Observations section in the message reports details on which indicators were detected for a given message, giving investigation and incident response teams deeper insight into the actions of their Proofpoint solutions.

For example, the Uncommon Sender observation indicates that the sender of the message isn’t a regular correspondent with the intended recipient’s organisation, while the various forms of spoofing and telltale words point to the suspect nature of the message. Taken as a whole, these combined indicators enable the integrated, holistic BEC protection capabilities from Proofpoint to make high-confidence condemnations of BEC attempts against your users.

At the same time, these observations furnish a trove of information about the specific deception techniques employed by BEC actors. The can also help guide the criteria for defining your organisation’s user awareness training content.


Figure 3. Example of BEC detection Observations in the Proofpoint TAP Threat Insight dashboard.

Question #3. What BEC themes are used against my organisation?

BEC threats are not monolithic; in fact, Proofpoint researchers have shown that BEC includes a wide range of tactics and themes. Understanding which themes your organisation faces and to what extent is another vital piece of information for understanding your overall BEC risk.

The Top Threat Themes chart provides this insight by allowing you to see which BEC-specific themes attackers are using against your organisation.

Top Threat Themes (BEC)

theme for BEC

Figure 4. Top Threat Themes for BEC chart in the Proofpoint TAP Threat Insight dashboard.

Question #4. How is each BEC theme being used against my organisation?

Just as malware and phishing campaigns will leverage different lures based on the season or news events to improve their social engineering value, Proofpoint threat researchers have found that BEC themes can also vary with the season, breaking news topics or other external events. For example, BEC messages focused on gift card theft might increase in prevalence during the holiday season, while messages designed to steal personally identifiable information (PII), W-2 forms or other user information can predominate in January and February.

Understanding how these trends manifest in your organisation’s mailflow—as well as changes in who they target—can help your organisation better prepare for likely shifts in BEC threat activity with focused training and additional controls.

The Top Messages Trend chart can be filtered to show BEC Themes and how each one might increase or decrease along with external events.

BEC Themes


Figure 5. BEC Themes trend chart in the Proofpoint TAP Threat Insight dashboard.

Question #5. Who is being targeted by BEC threats in my organisation?

Executives and other sensitive recipients in your organisation are often the primary focus of BEC attacks due to their access to sensitive information or ability to transfer funds and carry out transactions.

Our People report can be filtered for VIPs who are targeted by BEC campaigns to show you exactly who these people might be.

VIPs targeted by BEC

VIP users

Figure 6. People report of VIP users targeted by BEC in the Proofpoint TAP Threat Insight dashboard.

Beyond that first rank, however, are many employees in your organisation who may be subject to less scrutiny or controls but nonetheless may be frequent targets for BEC actors. You can use the same People report to identify this set of users. Then, you can take action based on these insights, such as providing these users with more training or applying more controls to help further reduce the organisation’s BEC risk.

Top intended BEC recipients

Top BEC messages

Figure 7. People report of top intended recipients for BEC messages in the Proofpoint TAP Threat Insight dashboard.

Targeted controls

Going beyond standard reporting and forensics, the actionable insights around BEC in the Proofpoint TAP Threat Insight dashboard enable organisations to also understand which actions they should take to defend themselves, based on the tactics attackers are using to target them.

Frequently recommended actions and controls based on these reports include:

  • Providing additional training for frequently targeted users, with training focused on the BEC themes the organisation is seeing
  • Updating business processes for certain scenarios, such as:
    • Account changes
    • New account requests
    • Employee payroll changes
  • Applying additional financial controls for users targeted by BEC
  • Implementing Proofpoint Threat Response Auto-Pull (TRAP) to pull back delivered BEC messages

If you’d like help identifying the biggest digital threats to your business, please reach out for a free digital risk assessment from Proofpoint. Our complimentary risk assessments are conducted by Proofpoint security experts who can help you identify some of the most significant threats to your organisation—including your BEC risk—and show you how to mitigate them.

To learn more about the capabilities that Proofpoint provides to help protect your organisation from BEC and other email threats, see this page on our website.