Three Common Business Email Compromise Tactics and How to Fight Back

Share with your network!

Seven years after the FBI coined the term “business email compromise,” or BEC, the list of victims—and the tally of multimillion-dollar losses—continues to grow. BEC has resulted in more than $26 billion in potential losses since 2013.

And the rise in BEC schemes reveal another growing trend: attackers are increasingly shifting their gaze from infrastructure-focused attacks to attacks that target people directly.

BEC starts with an email in which the perpetrator poses as someone the victim trusts. The message makes a seemingly legitimate business request, usually sensitive information or a wire transfer. BEC is hard to recognize because, to the target, the requests seem so routine.


Here are the most common techniques used in BEC attacks. Cyber criminals often use multiple techniques in tandem.

1)Display-name spoofing

This scheme uses the name of the spoofed executive in the “From” field. But the email address actually comes from an outside service such as Gmail that belongs to the attacker. Proofpoint has found that this method is used in more than 90% of attacks.

Look closely if you receive such an email. The CEO’s name may be in the body of the email, but the sender’s email address may not be the corporate email address you would expect the CEO to use.

2)Domain spoofing

This tactic involves an attacker hijacking your domain to send fraudulent emails to your employees, partners and customers. Attackers exploit the trust people place in your company brand name to steal money and valuable information.

Without the proper controls in place, anyone can use your trusted domain to send messages to anyone they want.

3)Lookalike domains

Say you’re walking down the street and a sidewalk vendor is selling Louis Vuitton handbags at super low prices. But if you look closer, the bag is labeled a “Louie Vittan.” Lookalike domains use the same approach.

In this form of email fraud the attacker registers a domain that looks confusingly similar to a trusted legitimate domain.  The lookalike domain could be just one letter off from the real one: “” for “,” for example. Or it could use an alternate character set that looks the same. Then the attacker sends email from that domain, duping recipients.


BEC may be new to some organizations, which can make developing a defense strategy challenging. We believe the key to developing a strong defense strategy is to take a layered approach focused on the people targeted in these attacks.

Here are some steps you should consider as a starting point.

Deploy advanced email security

BEC doesn’t use malware or direct users to malicious sites. But both are ways attackers can get control of your users’ legitimate accounts and use them for BEC attacks against other users within your organization. For the most robust protection, consider an email gateway that can stop today’s most advanced malware and phishing attacks.

To stop BEC attacks directly, get email protection that can spot signs of fraud using dynamic classification. Dynamic classification analyzes and manages email based on several factors, including:

  • The email’s content
  • The sender’s reputation
  • The relationship between the sender and recipient

Authenticate your email

Domain-based Message Authentication Reporting and Conformance, or DMARC, protects an organization’s trusted domains from spoofing attacks. DMARC validates that the email sender is who they say they are and that they’re authorized to send on the organization’s behalf.

With DMARC, you get visibility into all the email being sent using your email domain, including trusted third-party senders such as Marketo, Salesforce or SurveyMonkey. With this visibility, you can authorize all legitimate senders trying to send email on your behalf—and block any malicious use of your trusted domains to steal money or hurt your brand. Learn more about getting started with DMARC here.

Protect your Very Attacked People™

You might expect the CEO, CFO or the VP of Human Resources to be targeted by BEC and other cyber attacks. But in our research, we have found that lower-level workers can be targeted just as heavily.

It’s easy to see why. Many sensitive documents sent to or received by senior management also at least pass through the email accounts of their support staff. And workers at any rung of the corporate ladder might have access to key data, systems and other resources that attackers want. We call these users Very Attacked People, or VAPs.

To protect them from BEC attacks, your security team needs to identify employees who are especially vulnerable, face an unusually potent mix of attacks, or have privileged access to critical data and systems. You need to apply adaptive controls to these users and watch for signs that their accounts may have been compromised.

Train users to be more resilient and security-aware

Effective security awareness training turns your end users into a strong last line of defense against cyber attacks. All employees need security awareness training, especially your VAPs.

Knowledgeable users are key to identifying and stopping BEC and other attacks that slip through perimeter defenses. The best training programs—which should include simulated attacks—are informed by real-world threats and attack techniques.

Consider extending your training regimen to contractors, suppliers, consultants, lawyers, accountants, and anyone else outside your company that has access to your data and systems. These “almost insiders” can be especially vulnerable to BEC attacks from attackers posing as your people.

Automate your organization’s response

As in most cyber attacks, a timely response is critical to stopping or containing BEC threats. When investigating a BEC attack, you will have questions such as:

  • Who else received this suspicious message?
  • Was the attack aimed at a key department such as finance, the CFO or the entire executive suite?
  • Did any targets fall for the scam?

With automated remediation, you can investigate and respond to attacks much faster. Consider solutions that can identify all the people who received the suspicious email and automatically pull those messages.


Want to learn more about BEC attacks and how you can prevent them? Download our guide to  Stopping Email Fraud.