Proofpoint BEC

Business Email Compromise (BEC)

A familiar name in your inbox isn't always who you think it is.


Impostor emails trick people into sending money—sometimes hundreds of thousands of dollars in a single wire transfer—or sensitive corporate or personal data. They appear to come from the CEO or other high-level executive and urge the recipient to keep the details confidential.  

Understand The Threat


Impostor email, or email fraud, goes by several names and is often referred to as business email compromise (BEC) or CEO fraud. The threat is designed to trick the victim into thinking they received an email from an organization leader, such as the CEO or CFO, asking for either:

  • A transfer of money out of the company (this is usually the case)
  • Employee personally identifiable information (PII), such as W2 forms

These threats are extremely targeted and start with a great deal of research to find the right person within an organization, learn their chain of command, and identify the best time to send the email – ideally when the “sender” is traveling, to maximize success. Despite the amount of work required, these threats are not rare: many thousands of companies are affected every month. The FBI initially estimated that impostor emails cost organizations over $2 billion in 2015.

Because these threats rely on social engineering rather than malware, impostor emails can often evade security solutions that look for only malicious content or behavior.



Many security defenses look for malicious documents or known blacklisted URLs to identify emails as suspicious. Impostor email threats, though, rarely have these tell-tale features. They rely instead on social engineering and on busy, tired, or naive employees responding to fake requests for money and information. Vigilant employees are the last line of defense against impostor threats. As with so many phishing schemes and other email-based attacks, impostor email threats bear common hallmarks that should raise a red flag for users if these messages make it past your organization's defenses:

  • High-level executives asking for unusual information: How many CEOs actually want to review W2 and tax information for individual employees? While most of us will naturally respond promptly to an email from the C-suite, it's worth pausing to consider whether the email request makes sense. A CFO might ask for aggregated compensation data or a special report, but individual employee data is less likely.
  • Requests to not communicate with others: Impostor emails often ask the recipient to keep the request confidential or only communicate with the sender via email.
  • Requests that bypass normal channels: Most organizations have accounting systems through which bills and payments must be processed, no matter how urgent the request. When these channels are bypassed by an email directly from an executive requesting, for example, that an urgent wire transfer be completed ASAP, the recipient should be suspicious.
  • Language issues and unusual date formats: Some lure emails have flawless grammar, and some CEOs write emails in broken English. But European date formats (day month year) or sentence construction that suggests an email was written by a non-native speaker are common in many of these attacks.
  • “Reply To” addresses that do not match sender addresses: This is rarely obvious in email clients or webmail applications, but impostor email threats are generally characterized by spoofed sender addresses. They may also use lookalike domains to fool recipients at a glance ( instead of, for example).
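The last hallmark is the one a mail filter can check mechanically. The following is an added example, not Proofpoint's code or detection logic: it parses message headers and flags a Reply-To domain that differs from the From domain, a domain within a small edit distance of the organization's own, and an executive's display name on an external sender. `ORG_DOMAIN`, `EXECUTIVES`, `MAX_DISTANCE` and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "acme-corp.example"   # assumption: the protected organization's domain
EXECUTIVES = {"jane doe"}          # assumption: executive display names, lowercased
MAX_DISTANCE = 2                   # assumption: edits that still count as a lookalike

# Constructed sample messages (reserved .example domains only).
SPOOFED = ("From: Jane Doe <jane.doe@acme-corp.example>\n"
           "Reply-To: Jane Doe <jane.doe@acme-c0rp.example>\n"
           "Subject: Urgent wire\n\nPlease keep this confidential.\n")
EXTERNAL = ("From: Jane Doe <jdoe@freemail.example>\n"
            "Subject: W2 forms\n\nSend me the employee W2s today.\n")
LEGIT = ("From: Jane Doe <jane.doe@acme-corp.example>\n"
         "Subject: Q3 report\n\nSee the attached summary.\n")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    """Lowercased domain of an address header, or '' if the header is absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower()


def impostor_flags(raw):
    """Return the list of impostor hallmarks found in one raw message."""
    msg = message_from_string(raw)
    display_name = parseaddr(msg.get("From", ""))[0].lower()
    from_dom = domain_of(msg.get("From"))
    reply_dom = domain_of(msg.get("Reply-To"))
    flags = []
    if reply_dom and reply_dom != from_dom:
        flags.append("reply-to-mismatch")
    for dom in sorted({from_dom, reply_dom} - {"", ORG_DOMAIN}):
        if edit_distance(dom, ORG_DOMAIN) <= MAX_DISTANCE:
            flags.append("lookalike-domain:" + dom)
    if display_name in EXECUTIVES and from_dom != ORG_DOMAIN:
        flags.append("executive-name-external-sender")
    return flags
```

A Reply-To mismatch on its own is also common in legitimate mailing-list and newsletter traffic, so treat it as one signal to combine with the others rather than a verdict.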



Here are a few tips to keep organizations safe in the face of these increasingly common attacks:

  • Be suspicious. Asking for clarification, forwarding an email to IT, or checking with a colleague is better than wiring hundreds of thousands of dollars to a fake company in China.
  • If something doesn't feel right, it probably isn't. Encourage employees to trust their instincts and ask "Would my CEO actually tell me to do this?" or "Why isn't this supplier submitting an invoice through our portal?"
  • Slow down. Attackers often time their campaigns around our busiest periods of the day for good reason. If a human resources manager is quickly going through emails, she is less likely to pause and consider whether a particular request is suspect.

Perhaps the most important message is that robust email, network, and endpoint security solutions must work alongside user-education initiatives.


Defend Against Imposter Emails with Proofpoint Email Protection. Email security to protect against threats such as impostor email, phishing, spam, bulk email, and viruses.


Credential Phishing

Your people are now the primary exploit target. You need to protect them the way they work and identify assets and risks before you are compromised.

With an increasing amount of sensitive and confidential information—and an expanding attack surface of devices, cloud apps, and mobile locations—you cannot afford to rely on traditional defenses.

This white paper is intended to help you understand how Proofpoint Targeted Attack Protection helps you detect, mitigate, and respond to credential phishing attacks before they succeed.

Proofpoint Wins Best Email Security Solution Trust Award from SC Magazine

Cloud-based Enterprise Protection solution combines next-generation email security and compliance to stop messaging threats.

Business Email Compromise Attacks Increase, $3.1B in Exposed Losses: FBI Warning

The need to protect organizations, both large and small, from BEC threats has never been greater.

Proofpoint Positioned as a Leader in the 2015 Gartner Magic Quadrant for Secure Email Gateways

Proofpoint, Inc. announces Gartner, Inc. has positioned Proofpoint in the leader’s quadrant of its “Magic Quadrant for Secure Email Gateways” for the seventh consecutive year.