Business Email Compromise (BEC)

Definitive Email Security Strategy Guide


Business email compromise scams trick people into sending money—sometimes hundreds of thousands of dollars in a single wire transfer—or sensitive corporate or personal data. They appear to come from the CEO or other high-level executive and urge the recipient to keep the details confidential.

Understand the Threat

What is BEC and How Does it Work?

Business email compromise (BEC) is known by different names, often also referred to as email spoofing, imposter emails or CEO fraud. This email fraud threat is designed to trick the victim into thinking they received an email from an organization leader like the CEO or CFO asking for either: A transfer of money out of the company (this is usually the case) or Employee personally identifiable information (PII) such as W2 forms.

These BEC threats are extremely targeted and start with a great deal of research to find the right person within an organisation, find out their chain of command, and identify the best time to send the email – ideally when the “sender” is travelling in order to maximise success. But despite the amount of work required, these threats are not seen in low numbers, many thousands of companies get impacted by these BEC scams every month. The FBI initially estimates that business email compromises cost organisations over $2 billion in 2015.

Because these business email compromise threats rely on social engineering rather than malware, impostor emails can often evade security solutions that look for only malicious email attachments content or behaviour.

BEC Email Example

How Do I Protect Against Business Email Compromise?

Many security defences look for malicious documents or known blacklisted URLs to identify emails as suspicious. BEC scams, though, rarely have these tell-tale features. They rely instead on social engineering and busy, tired, or naive employees responding to fake requests for money and information. Vigilant employees are the last line of defence against impostor threats. As with so many phishing schemes and other email-based attacks, BEC scams bear common hallmarks that should send up a red flag for users if these messages make it past your organisation's defences:

  • High-level executives asking for unusual information: How many CEOs actually want to review W2 and tax information for individual employees? While most of us will naturally respond promptly to an email from the C-suite, it's worth pausing to consider whether the email request makes sense. A CFO might ask for aggregated compensation data or a special report, but individual employee data is less likely.
  • Requests to not communicate with others: BEC scam emails often ask the recipient to keep the request confidential or only communicate with the sender via email.
  • Requests that bypass normal channels: Most organisations have accounting systems through which bills and payments must be processed, no matter how urgent the request. When these channels are bypassed by an email directly from an executive requesting, for example, that an urgent wire transfer be completed ASAP, the recipient should be suspicious.
  • Language issues and unusual date formats: Some lure emails have flawless grammar, and some CEOs write emails in broken English. But the presence of European date formats (day month year) or sentence construction that suggests an email was written by a non-native speaker are common in many of these attacks.
  • “Reply To” addresses that do not match sender addresses: This is rarely obvious in email clients or webmail applications, but BEC scam emails are generally characterised by spoofed sender addresses. They may also use lookalike domains to fool recipients at a glance ( instead of, for example).


Here are a few tips to keep organisations safe in the face of these increasingly common BEC attacks:

  • Be suspicious. Asking for clarification, forwarding an email to IT, or checking with a colleague is better than wiring hundreds of thousands of dollars to a fake company in China.
  • If something doesn't feel right, it probably isn't. Encourage employees to trust their instincts and ask "Would my CEO actually tell me to do this?" or "Why isn't this supplier submitting an invoice through our portal?"
  • Slow down. Attackers often time their campaigns around our busiest periods of the day for good reason. If a human resources manager is quickly going through emails, she is less likely to pause and consider whether a particular request is suspect.

Perhaps the most important message is that robust email, network, and endpoint security solutions must work alongside user-education initiatives.

Defend Against Imposter Emails with Proofpoint Email Protection. Email security to protect against threats such as impostor email, phishing, spam, bulk email, and viruses.

Proofpoint Credential Phishing Whitepaper cover

Credential Phishing

Your people are now the primary exploit target. You need to protect them the way they work and identify assets and risks before you are compromised.

With an increasing amount of sensitive and confidential information—and an expanding attack surface of devices, cloud apps, and mobile locations—you cannot afford to rely on traditional defences.

This white paper is intended to help you understand how Proofpoint Targeted Attack Protection helps you detect, mitigate, and respond to BEC scams and credential phishing attacks before they succeed.

Proofpoint Wins Best Email Security Solution Trust Award from SC Magazine

Cloud-based Enterprise Protection solution combines next-generation email security and compliance to stop messaging threats.

Business Email Compromise Attacks Increase, $3.1B in Exposed Losses: FBI Warning

The need to protect organisations, both large and small, from BEC threats has never been greater.

Proofpoint Positioned as a Leader in the 2015 Gartner Magic Quadrant for Secure Email Gateways

Proofpoint, Inc. announces Gartner, Inc. has positioned Proofpoint in the leader’s quadrant of its “Magic Quadrant for Secure Email Gateways” for the seventh consecutive year.