Business Email Compromise (BEC): How These Attacks Work and How to Prevent Them

Business email compromise (BEC) is a devastating form of email fraud targeting organizations today, and it works precisely because it doesn't look like an attack. Unlike standard phishing, BEC emails often lack malicious attachments and suspicious links, and they don't rely on recognizable malware signatures.
BEC exploits something no email filter can easily inspect: trust between people.
The FBI's Internet Crime Complaint Center reported $2.77 billion in BEC losses across 21,442 incidents in 2024. That translates to an average loss exceeding $129,000 per incident.
Despite representing only about 2.5% of total cybercrime complaints, BEC accounts for roughly 17% of financial losses. Over the last three years alone, organizations have lost $8.5 billion to these attacks.
BEC sits in the gap between what technical controls can catch and what business processes should prevent. Closing that gap requires understanding how these attacks work, why traditional defenses miss them, and what combination of technical, process, and people controls actually reduces risk.
TL;DR:
- BEC is targeted email fraud that bypasses technical controls by exploiting trust and business context.
- These attacks succeed because legacy email gateways inspect URLs, attachments, and signatures, while BEC emails exploit human judgment through clean text.
- Preventing BEC requires layered defense across email authentication, phishing-resistant MFA, behavioral detection, and out-of-band verification procedures for all payment changes.
- The identity and access layer is where most BEC attacks originate. Detecting account compromises, credential abuse, and persistence mechanisms before fraudulent emails are sent is the most effective intervention point.
What Is Business Email Compromise?
BEC is targeted email fraud where attackers impersonate executives, vendors, or trusted partners to manipulate victims into sending money or exposing sensitive data. The attack succeeds through social engineering, not technical exploitation.
If you've built detection rules, this distinction matters immediately. Standard phishing casts a wide net, sending thousands of emails containing malicious links or attachments that signature-based tools are designed to catch.
BEC is the opposite:
- Low volume
- Highly tailored
- Built on reconnaissance
Attackers study organizational hierarchies, learn communication patterns, identify who authorizes payments, and craft messages that read like normal business correspondence.
BEC phishing emails are often customized, targeted attacks that may contain no link or email attachment. The absence of traditional indicators is exactly what makes BEC effective against organizations with mature security programs.
Your email gateway can be perfectly configured and still let BEC messages through, because there's nothing malicious in the message itself. The damage happens when someone acts on it.
How Do Business Email Compromise Attacks Work?
BEC follows structured, multi-stage attack chains that security teams can map to MITRE ATT&CK for detection engineering. Understanding the playbook is the first step toward breaking it.
1. They Gain Initial Access to Email Accounts
Attackers need a starting position, and they have several paths to get one.
Credential theft remains the most common entry point:
- Phishing campaigns harvest login credentials for email accounts that lack strong authentication
- Password spraying targets accounts without MFA
Once attackers have valid credentials, they operate from legitimate infrastructure, and every email they send passes SPF, DKIM, and DMARC checks.
OAuth application consent abuse represents a more sophisticated vector. Attackers deploy malicious OAuth applications with delegated permissions that allow persistent API access without credentials.
The critical risk is that OAuth tokens maintain access even after password changes, surviving standard credential reset remediation. A forced password reset, the default incident response action, doesn't actually remove the attacker.
Domain spoofing provides an alternative when account compromise isn't feasible. Attackers register look-alike domains, including cousin domains with subtle character substitutions (compamy.com vs. company.com), homograph attacks, or typosquatting variants.
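The look-alike domains described above are not caught by SPF, DKIM, or DMARC, because the attacker legitimately controls the cousin domain. The block below is an added example (not code from the original article) of the kind of sender-domain check a mail flow rule or triage script can apply: it reduces a domain to a "what it looks like" skeleton (a constructed subset of Unicode confusables plus the rn/m style digraphs), then compares it against a constructed list of trusted domains by exact match and by edit distance. The trusted list, the confusables table, and the two-label registrable-domain shortcut are all assumptions for illustration.

```python
# Added example (not from the original article): flag inbound sender domains that
# are cousin domains, homoglyph variants, or near-misses of domains we trust.
# TRUSTED_DOMAINS, HOMOGLYPHS and the samples below are constructed for illustration.

# Constructed allow-list: our own domain plus vendors that send us invoices.
TRUSTED_DOMAINS = ["company.com", "acme-supplies.com"]

# Constructed subset of Unicode confusables (Cyrillic/Greek letters that render
# like Latin ones). A real deployment should use the full Unicode confusables table.
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a", "\u03b9": "i",
}

# Letter pairs that visually mimic a single Latin letter in most fonts.
DIGRAPHS = {"rn": "m", "vv": "w", "cl": "d"}


def registrable(domain: str) -> str:
    """Crude organizational-domain extraction: last two labels.
    Assumption: production code would consult the Public Suffix List."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def skeleton(domain: str) -> str:
    """Reduce a domain to a 'what it looks like' form for comparison."""
    d = domain.lower()
    # Punycode labels (xn--) are decoded so homoglyphs become visible.
    if any(label.startswith("xn--") for label in d.split(".")):
        try:
            d = d.encode("ascii").decode("idna")
        except (UnicodeError, ValueError):
            pass
    d = "".join(HOMOGLYPHS.get(ch, ch) for ch in d)
    for seq, rep in DIGRAPHS.items():
        d = d.replace(seq, rep)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 2):
    """Return (verdict, trusted_domain_matched).

    verdicts: 'trusted'    - same registrable domain as a trusted one
              'confusable' - renders identically to a trusted domain (homoglyph, rn->m)
              'lookalike'  - within max_distance edits of a trusted domain
              'unrelated'  - none of the above
    """
    cand_raw = registrable(sender_domain)
    cand = skeleton(cand_raw)
    best = ("unrelated", None)
    for t in trusted:
        t_raw = registrable(t)
        if cand_raw == t_raw:
            return ("trusted", t)
        if cand == skeleton(t_raw):
            return ("confusable", t)
        if levenshtein(cand, skeleton(t_raw)) <= max_distance:
            best = ("lookalike", t)
    return best


if __name__ == "__main__":
    for sample in ["mail.company.com", "compamy.com", "c\u043empany.com", "cornpany.com", "example.org"]:
        print(sample, "->", classify_sender_domain(sample))
```

A `confusable` or `lookalike` verdict is a signal to feed into a warning banner or a quarantine rule, not a verdict on its own: with `max_distance=2`, very short trusted domains will collide with unrelated ones, so tune the threshold per domain length and keep the trusted list to domains you actually exchange payment instructions with.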
2. Attackers Conduct Reconnaissance After Compromise
After gaining access, attackers don't immediately strike. They watch. They study communication patterns, ongoing projects, and financial workflows, sometimes for weeks or months before making a move.
During this phase, attackers establish persistence through email forwarding rules that copy incoming messages to external accounts. They create mailbox rules that hide, move, or auto-delete messages to cover their tracks.
They search for keywords like "payment" and "invoice." They map who approves what, how requests are typically phrased, and which vendor relationships involve regular wire transfers. By the time they act, they know enough about your internal processes to craft a request that looks routine.
3. Attackers Execute BEC Fraud
When attackers have enough context, they strike using one of several proven patterns.
- Executive impersonation: Targets finance and accounts payable teams with urgent payment requests that appear to come from the CEO or CFO. The messages reference real projects, use the executive's actual communication style, and create time pressure that discourages verification.
- Vendor invoice fraud: Uses compromised supplier accounts or look-alike domains to redirect legitimate payments. The attacker intercepts an ongoing conversation about an invoice and provides updated banking details. Because the request arrives within a real email thread about a real transaction, it carries inherent credibility.
- Payroll redirection: Targets HR with requests to change direct deposit information, often impersonating employees and timing requests around payroll processing windows.
- Gift card scams: Exploits authority dynamics by impersonating executives, asking employees to purchase cards and send the codes. Lower dollar amounts per request make these harder to flag through financial controls.
Each variant exploits business context and organizational dynamics that aren't available to traditional email security filters.
What Technical Controls Prevent BEC Attacks?
No single control stops BEC, but layered defenses raise the cost of attack and narrow the paths available to attackers.
1. Email Authentication With SPF, DKIM, and DMARC
Email authentication protocols help prevent exact domain spoofing, the most straightforward fraud vector in BEC attacks. The rollout path is well established: start with a DMARC monitoring policy (p=none) to understand your email ecosystem, progress to quarantine, then enforce reject.
Authentication is necessary but not sufficient. When attackers compromise legitimate accounts, emails pass all three checks because they originate from authorized infrastructure. SPF, DKIM, and DMARC stop impersonation from the outside. They do nothing when the attacker is already inside.
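To make the "necessary but not sufficient" point concrete, the block below is an added example (not code from the original article) of how a receiving mail server turns a DMARC record plus the SPF and DKIM results into a disposition. It parses the record, applies the relaxed/strict alignment rules, and then evaluates two constructed scenarios: an exact-domain spoof sent from outside infrastructure, and a message sent from a compromised account inside the real tenant. The records, domains and results are constructed; the two-label organizational-domain shortcut is an assumption in place of the Public Suffix List.

```python
# Added example (not from the original article): how a receiver turns a DMARC
# record plus SPF/DKIM results into a disposition, and why a message sent from a
# compromised account passes. Records and results below are constructed.

def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record into its tags, applying RFC 7489 defaults."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a usable DMARC record")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")   # policy applies to all failing mail
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, crudely taken as the last two labels.
    Assumption: real receivers use the Public Suffix List."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(authenticated_domain: str, from_domain: str, mode: str) -> bool:
    """Strict alignment needs an exact match; relaxed needs the same org domain."""
    if mode == "s":
        return authenticated_domain.lower() == from_domain.lower()
    return org_domain(authenticated_domain) == org_domain(from_domain)


def evaluate_dmarc(record: str, from_domain: str,
                   spf_result: str, spf_domain: str,
                   dkim_result: str, dkim_domain: str) -> dict:
    """Return the DMARC result and the disposition the receiver should apply.

    spf_domain is the MAIL FROM (envelope) domain SPF was checked against;
    dkim_domain is the d= value of the signature that produced dkim_result.
    """
    policy = parse_dmarc(record)
    spf_pass = spf_result == "pass" and aligned(spf_domain, from_domain, policy["aspf"])
    dkim_pass = dkim_result == "pass" and aligned(dkim_domain, from_domain, policy["adkim"])
    if spf_pass or dkim_pass:
        return {"dmarc": "pass", "disposition": "none", "policy": policy["p"]}
    # pct<100 means only that share of failing mail gets the policy; a real
    # receiver samples here, this example treats every failure uniformly.
    return {"dmarc": "fail", "disposition": policy["p"], "policy": policy["p"]}


# Constructed records for the three rollout stages described above.
MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@company.example"
QUARANTINE = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@company.example"
REJECT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-reports@company.example"


def demo() -> dict:
    # Exact-domain spoof: header From is company.example, but the mail was sent
    # from outside infrastructure, so SPF passes only for the sender's own domain.
    spoof = dict(from_domain="company.example", spf_result="pass",
                 spf_domain="bulk-sender.invalid", dkim_result="none", dkim_domain="")
    # Compromised account: sent through the real tenant, so both checks align.
    insider = dict(from_domain="company.example", spf_result="pass",
                   spf_domain="company.example", dkim_result="pass", dkim_domain="company.example")
    return {
        "spoof_under_monitor": evaluate_dmarc(MONITOR, **spoof)["disposition"],
        "spoof_under_reject": evaluate_dmarc(REJECT, **spoof)["disposition"],
        "compromised_account": evaluate_dmarc(REJECT, **insider)["dmarc"],
    }


if __name__ == "__main__":
    print(demo())
```

The last line of `demo()` is the point of the section: under the strictest possible record, the compromised-account message still gets `dmarc=pass`, because it really did originate from authorized infrastructure. Note also the difference between `p=none` and `p=reject` for the same spoofed message, which is why the monitoring stage must end in enforcement.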
2. Phishing-Resistant MFA for Account Takeover Prevention
Account takeover is the primary enabler of BEC, and MFA is the primary defense against it. The type of MFA matters.
SMS-based OTP, push notifications, and TOTP apps are all vulnerable to interception and replay through phishing proxies, SIM swapping, or real-time relay attacks. Only FIDO2/WebAuthn security keys with origin-bound public-key cryptography make credential phishing technically impossible.
The key only responds to authentication challenges from the legitimate domain, so a phishing site on a look-alike domain can't trigger it.
Organizations should deploy FIDO2 keys for all users, with hardware-bound non-exportable keys for privileged accounts. Layer conditional access policies on top to block legacy authentication, require device compliance, and enforce step-up authentication for high-risk sign-ins.
3. Behavioral Detection and Identity Signal Correlation
Because BEC emails lack malicious payloads, detection depends on identifying behavioral anomalies and correlating them across systems. The signals that matter include:
- Authentication anomalies: Impossible travel, unfamiliar devices, or logins from unusual locations that don't match a user's established patterns.
- Mailbox configuration changes: New forwarding rules, auto-delete rules, or delegate permissions added shortly after a login event.
- Atypical request patterns: Wire transfer requests from sender-recipient pairs that don't normally exchange financial instructions, or requests that bypass established approval workflows.
Isolated, each signal might not trigger an alert. Correlated with the business context, the pattern becomes clear. An unusual login from an unfamiliar location means something very different when paired with a new email forwarding rule and a subsequent wire transfer request.
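The correlation logic this section describes can be sketched in a few dozen lines. The block below is an added example (not code from the original article): it scores a constructed set of identity-provider sign-in, mailbox-audit and sent-mail events per user against a constructed behavioural baseline, so that a foreign sign-in on its own stays below the alert threshold while the same sign-in followed by an external forwarding rule and an atypical wire request escalates. The field names, weights, thresholds and the 48-hour window are assumptions chosen for the illustration.

```python
# Added example (not from the original article): correlate identity, mailbox and
# email signals per user so that individually weak signals add up. The baseline,
# events, weights and thresholds are constructed for illustration.
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "company.example"
FINANCE_TERMS = ("wire", "invoice", "payment", "bank", "remit")

# Constructed per-user baseline (assumption: derived from 30-90 days of history).
BASELINE = {
    "cfo@company.example": {
        "countries": {"US"}, "devices": {"laptop-17"},
        # who the CFO normally sends payment instructions to
        "finance_pairs": {"controller@company.example"},
    },
    "sales@company.example": {"countries": {"US"}, "devices": {"laptop-42"}, "finance_pairs": set()},
}

# Constructed events, shaped loosely like IdP sign-in and mailbox audit logs.
EVENTS = [
    {"ts": "2024-03-04T02:11:00", "user": "cfo@company.example", "type": "signin",
     "country": "XX", "device": "android-unknown"},
    {"ts": "2024-03-04T02:19:00", "user": "cfo@company.example", "type": "mailbox_rule_created",
     "forward_to": "cfo.archive@webmail.invalid", "actions": ["forward", "delete"]},
    {"ts": "2024-03-04T09:40:00", "user": "cfo@company.example", "type": "email_sent",
     "to": "ap-clerk@company.example", "subject": "URGENT wire today - new supplier bank account"},
    {"ts": "2024-03-04T10:05:00", "user": "sales@company.example", "type": "signin",
     "country": "DE", "device": "laptop-42"},
]

WEIGHTS = {
    "unusual_location": 3, "unfamiliar_device": 2, "external_forwarding_rule": 4,
    "auto_delete_rule": 1, "rule_after_anomalous_signin": 2, "atypical_payment_request": 3,
}
ESCALATE_AT, REVIEW_AT = 8, 4


def _ts(event: dict) -> datetime:
    return datetime.fromisoformat(event["ts"])


def analyze_user(user: str, events: list, baseline: dict,
                 window: timedelta = timedelta(hours=48)) -> dict:
    """Score one user's events within `window` of their first event and name the signals."""
    own = sorted((e for e in events if e["user"] == user), key=_ts)
    if not own:
        return {"score": 0, "signals": [], "verdict": "normal"}
    start = _ts(own[0])
    own = [e for e in own if _ts(e) - start <= window]
    base = baseline.get(user, {"countries": set(), "devices": set(), "finance_pairs": set()})
    signals, anomalous_signins = [], []
    for e in own:
        if e["type"] == "signin":
            hit = False
            if e["country"] not in base["countries"]:
                signals.append("unusual_location"); hit = True
            if e["device"] not in base["devices"]:
                signals.append("unfamiliar_device"); hit = True
            if hit:
                anomalous_signins.append(_ts(e))
        elif e["type"] == "mailbox_rule_created":
            fwd = e.get("forward_to")
            if fwd and not fwd.lower().endswith("@" + INTERNAL_DOMAIN):
                signals.append("external_forwarding_rule")
            if "delete" in e.get("actions", []):
                signals.append("auto_delete_rule")
            # A rule created within a day of an anomalous sign-in is the classic persistence step.
            if any(timedelta(0) <= _ts(e) - t <= timedelta(hours=24) for t in anomalous_signins):
                signals.append("rule_after_anomalous_signin")
        elif e["type"] == "email_sent":
            money = any(term in e["subject"].lower() for term in FINANCE_TERMS)
            if money and e["to"] not in base["finance_pairs"]:
                signals.append("atypical_payment_request")
    score = sum(WEIGHTS[s] for s in signals)
    verdict = "escalate" if score >= ESCALATE_AT else "review" if score >= REVIEW_AT else "normal"
    return {"score": score, "signals": signals, "verdict": verdict}


def correlate(events=EVENTS, baseline=BASELINE) -> dict:
    """Run the per-user analysis for every user that appears in the events."""
    return {u: analyze_user(u, events, baseline) for u in sorted({e["user"] for e in events})}


if __name__ == "__main__":
    for user, result in correlate().items():
        print(user, result)
```

The sales user's sign-in from a new country scores 3 and stays `normal`, exactly the "isolated signal" case; the CFO's chain of sign-in, forwarding rule and wire request scores 15 and escalates. In practice the weights would be tuned against real history, and the `atypical_payment_request` check would draw on the actual approval workflow rather than a subject-line keyword list.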
What Process and People Controls Close the BEC Gap?
Technical controls reduce the attack surface. Process and people controls address the gap that remains, and in BEC, that gap is wide.
The social engineering at the core of these attacks targets human judgment, not technical vulnerabilities.
Verification Procedures for Payment and Banking Changes
Every payment change request, every new banking detail, every urgent wire transfer should trigger out-of-band verification through a separate communication channel.
This means a phone call to a previously verified number, not a reply to the email containing the request and not a call to a number provided in that email.
Dual approval workflows add another layer. The principle is separation of duties applied to financial execution:
- Dual control: One employee prepares the transaction, and a different employee reviews and approves it. No single person should be able to initiate and authorize a payment.
- Time delays for new payees: When banking details change, build in a mandatory waiting period before the first transfer processes. This creates a window for verification and gives attackers less room to exploit urgency.
- Threshold-based escalation: Payments above defined thresholds require additional sign-off, ideally from someone outside the immediate reporting chain of the requester.
These controls work because they directly counter the tactics BEC attackers rely on: urgency, authority, and single points of failure in approval chains.
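The verification and approval procedure above is easiest to reason about when written as the checks a payment system would actually enforce. The block below is an added example (not code from the original article) that encodes the four controls as guards on a bank-details change request: the callback must go to the number in the vendor master record rather than the one in the email, the preparer cannot approve, no payment releases inside the cooling period, and amounts above a threshold need an approver from outside the requester's reporting chain. The vendor record, org chart, 72-hour cooling period, 50,000 threshold and employee names are constructed.

```python
# Added example (not from the original article): encode the payment-change controls
# (out-of-band callback to a pre-verified number, dual control, cooling period,
# threshold escalation) as checks a payment system would enforce.
# Vendor master data, org chart, thresholds and employees are constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed vendor master file; phone numbers here were verified at onboarding.
VENDOR_MASTER = {"acme-supplies": {"verified_phone": "+1-555-0100", "bank_account": "ACCT-OLD-1"}}
# Constructed reporting lines: employee -> manager.
ORG_CHART = {"ap.clerk": "ap.manager", "ap.manager": "controller", "controller": "cfo"}

COOLING_PERIOD = timedelta(hours=72)   # wait after bank details change before the first payment
ESCALATION_THRESHOLD = 50_000          # above this, an approver outside the requester's chain is required


class ControlViolation(Exception):
    """Raised when a step would bypass a required control."""


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    phone_in_email: str          # callback number the email offered (never trusted)
    prepared_by: str
    prepared_at: datetime
    verified_at: Optional[datetime] = None
    approvals: List[str] = field(default_factory=list)


def verify_out_of_band(req: BankChangeRequest, number_called: str, now: datetime) -> None:
    """Callback must go to the number in the vendor master record, not the one in the email."""
    master = VENDOR_MASTER.get(req.vendor)
    if master is None:
        raise ControlViolation("unknown vendor; onboard through the normal process first")
    if number_called != master["verified_phone"]:
        if number_called == req.phone_in_email:
            raise ControlViolation("callback used the number supplied in the request email")
        raise ControlViolation("callback number does not match the vendor master record")
    req.verified_at = now


def approve(req: BankChangeRequest, approver: str) -> None:
    """Dual control: the preparer may not approve, and each approver counts once."""
    if approver == req.prepared_by:
        raise ControlViolation("preparer cannot approve their own request")
    if approver in req.approvals:
        raise ControlViolation("duplicate approval")
    req.approvals.append(approver)


def in_reporting_chain(person: str, other: str) -> bool:
    """True if `other` is somewhere above `person` in the constructed org chart."""
    manager = ORG_CHART.get(person)
    while manager:
        if manager == other:
            return True
        manager = ORG_CHART.get(manager)
    return False


def release_payment(req: BankChangeRequest, amount: float, now: datetime) -> dict:
    """Release funds to the new account only if every control has been satisfied."""
    if req.verified_at is None:
        raise ControlViolation("no out-of-band verification on file")
    if not req.approvals:
        raise ControlViolation("dual control: no second-person approval")
    if now - req.prepared_at < COOLING_PERIOD:
        raise ControlViolation("cooling period for new bank details has not elapsed")
    if amount > ESCALATION_THRESHOLD and not any(
        not in_reporting_chain(req.prepared_by, a) for a in req.approvals
    ):
        raise ControlViolation("amount above threshold needs an approver outside the requester's reporting chain")
    return {"vendor": req.vendor, "account": req.new_account, "amount": amount, "status": "released"}


def run_scenario() -> dict:
    """Walk one request through the controls; return which shortcuts were blocked."""
    t0 = datetime(2024, 3, 1, 9, 0)
    req = BankChangeRequest("acme-supplies", "ACCT-NEW-9", "+1-555-0199", "ap.clerk", t0)
    blocked = []
    for step, fn in [
        ("callback_to_email_number", lambda: verify_out_of_band(req, "+1-555-0199", t0)),
        ("self_approval", lambda: approve(req, "ap.clerk")),
        ("pay_before_verification", lambda: release_payment(req, 20_000, t0 + timedelta(days=4))),
    ]:
        try:
            fn()
        except ControlViolation:
            blocked.append(step)
    verify_out_of_band(req, "+1-555-0100", t0 + timedelta(hours=1))   # number from vendor master
    approve(req, "ap.manager")
    try:
        release_payment(req, 20_000, t0 + timedelta(hours=24))
    except ControlViolation:
        blocked.append("pay_inside_cooling_period")
    try:
        release_payment(req, 75_000, t0 + timedelta(days=4))
    except ControlViolation:
        blocked.append("large_amount_without_outside_approver")
    approve(req, "treasury.lead")   # not in ap.clerk's reporting chain
    result = release_payment(req, 75_000, t0 + timedelta(days=4))
    return {"blocked": blocked, "final": result["status"]}


if __name__ == "__main__":
    print(run_scenario())
```

Each `ControlViolation` in the scenario corresponds to a tactic from the section above: the email-supplied callback number, the single approver, and the urgency that would push a payment out before the waiting period ends. The payment only releases once every shortcut has been refused.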
Security Awareness Training That Addresses Authority Dynamics
Training works when it's consistent and specific. Untrained employees are significantly more susceptible to phishing, but regular training and simulations can materially reduce this risk over time.
Employees need to recognize specific BEC red flags:
- Urgency around financial transactions
- Domain name variations
- Bypassed approval processes
- Changes to payment instructions
More importantly, training must address the authority dynamic that BEC exploits. Attackers deliberately impersonate executives because they know employees hesitate to question people above them.
What Should You Do When a BEC Attack Happens?
Speed determines outcome. Every hour between compromise and response directly affects whether funds can be recovered and whether the attacker maintains access.
Immediate Containment Steps for BEC Incidents
The first priority is cutting off attacker access while preserving your ability to recover funds:
- Credential and session reset: Reset passwords for all compromised accounts, enforce MFA, and revoke all active sessions and authentication tokens. Review and remove any OAuth application grants, because OAuth tokens survive password resets.
- Mailbox cleanup: Examine and remove malicious email forwarding rules, auto-delete rules, and any unauthorized delegate permissions. These are the persistence mechanisms attackers rely on to maintain access after you've changed passwords.
- Financial recovery: If fraudulent transfers occurred, contact your financial institution within hours. Request immediate transaction reversal and account freeze. File a detailed complaint via the FBI IC3 reporting page with complete banking information, transaction amounts, dates, and reference numbers.
The urgency of financial recovery can't be overstated. The longer fraudulent transfers sit in the banking system, the harder they are to claw back. Within the first day, financial institutions can often freeze and reverse wires.
After a few days, funds have typically moved through intermediary accounts and become far more difficult to recover.
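The mailbox cleanup step is where responders most often miss something, because a compromised mailbox may hold dozens of rules and the malicious ones are built to look boring. The block below is an added example (not code from the original article) of a triage pass over inbox rules: it flags external forwarding, deletion, moves into rarely-viewed folders, mark-as-read, financial keywords in the conditions, and blank rule names, then orders the rules by severity for review. The three rule records are constructed and only loosely modelled on what a mailbox API returns; the field names are assumptions.

```python
# Added example (not from the original article): triage a mailbox's inbox rules for
# the persistence patterns described above. The rule records are constructed and
# only loosely modelled on what a mailbox API returns; field names are assumptions.
INTERNAL_DOMAIN = "company.example"
FINANCE_TERMS = ("invoice", "payment", "wire", "bank", "remittance")
HIDING_FOLDERS = ("rss feeds", "rss subscriptions", "conversation history", "junk email", "archive")

# Constructed sample: one benign rule and two attacker-style rules.
RULES = [
    {"id": "r1", "name": "Newsletter filing", "enabled": True,
     "conditions": {"sender_contains": ["news@vendor-updates.invalid"]},
     "actions": {"move_to_folder": "Newsletters"}},
    {"id": "r2", "name": ".", "enabled": True,
     "conditions": {"subject_contains": ["invoice", "payment"]},
     "actions": {"forward_to": ["cfo.archive@webmail.invalid"], "mark_as_read": True, "delete": True}},
    {"id": "r3", "name": "Clean up", "enabled": True,
     "conditions": {"body_contains": ["wire", "bank"]},
     "actions": {"move_to_folder": "RSS Feeds", "mark_as_read": True}},
]

SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2, "none": 3}


def audit_rule(rule: dict) -> dict:
    """Collect (severity, reason) findings for one rule and summarise them."""
    findings = []
    acts, conds = rule.get("actions", {}), rule.get("conditions", {})
    external = [a for a in acts.get("forward_to", []) + acts.get("redirect_to", [])
                if not a.lower().endswith("@" + INTERNAL_DOMAIN)]
    if external:
        findings.append(("high", "forwards outside the organization: " + ", ".join(external)))
    if acts.get("delete"):
        findings.append(("high", "deletes matching messages"))
    folder = acts.get("move_to_folder", "")
    if folder.lower() in HIDING_FOLDERS:
        findings.append(("medium", f"moves messages to rarely-viewed folder '{folder}'"))
    if acts.get("mark_as_read"):
        findings.append(("low", "marks messages read, suppressing the unread indicator"))
    terms = [t for key in ("subject_contains", "body_contains") for t in conds.get(key, [])]
    if any(t.lower() in FINANCE_TERMS for t in terms):
        findings.append(("medium", "matches financial keywords: " + ", ".join(terms)))
    if len(rule.get("name", "").strip()) <= 1:
        findings.append(("low", "blank or single-character rule name"))
    severity = min((s for s, _ in findings), key=SEVERITY_ORDER.get, default="none")
    return {"id": rule["id"], "severity": severity, "findings": [f for _, f in findings]}


def audit_mailbox(rules=RULES) -> list:
    """Audit every rule and return the results with the most severe first."""
    return sorted((audit_rule(r) for r in rules), key=lambda r: SEVERITY_ORDER[r["severity"]])


if __name__ == "__main__":
    for result in audit_mailbox():
        print(result["id"], result["severity"], result["findings"])
```

Run this against every mailbox the attacker touched, not just the one that sent the fraudulent request, and pair it with the OAuth grant review: a rule audit that comes back clean says nothing about an application token that still has mailbox read access.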
Preserving Evidence After a BEC Compromise
Preserve original email messages with full headers, capture authentication and session logs, document SPF/DKIM/DMARC results, and maintain chain of custody. Additionally, retain audit logs for at least six months to support forensic investigation.
This evidence is critical for both law enforcement and for understanding how the compromise occurred, so you can prevent recurrence.
Longer-Term Hardening After a BEC Incident
Conduct a lessons-learned review within two weeks while details are still fresh. The review should drive concrete changes, not a slide deck that gets filed away. Priority hardening actions include:
- Close the entry point: Deploy phishing-resistant MFA if not already in place. Block external email auto-forwarding at the tenant level so attackers can't re-establish persistence through forwarding rules.
- Reduce social engineering surface: Implement email banner warnings for external messages so employees have a visual cue when a message originates outside the organization.
- Tighten financial controls: Strengthen payment verification procedures based on how the specific attack bypassed existing checks. If the attacker exploited urgency, add mandatory cooling periods. If they exploited a single approver, add dual control.
- Update training: Incorporate the actual attack pattern your organization encountered. Real incidents are far more effective training material than generic phishing simulations.
Every BEC incident reveals gaps. The organizations that get hit once and harden effectively look very different from the ones that treat incident response as a checkbox.
Why BEC Defense Is an Identity Investigation Problem
BEC detection depends on connecting signals that span identity systems, email platforms, endpoints, and business applications. The challenge isn't a lack of data. It's that signals arrive in separate tools, investigated by separate processes, without the business context needed to distinguish a legitimate executive request from a fraudulent one.
This is a structural gap in how most MDR providers operate. Daylight’s architecture connects signals across identity, email, endpoints, and business systems while adding the business context needed to interpret them.
This allows investigations to run automatically, quickly determining whether activity represents a legitimate business action or a BEC attack and responding accordingly.
Traditional MDR services may focus more on endpoint and network alerts, leaving identity and email threats handled through separate workflows. That means the layer where BEC attacks actually originate (compromised credentials, OAuth abuse, persistence through mailbox rules) falls outside the scope of the service that's supposed to protect you.
BEC is one piece of a broader identity threat landscape. For more on how modern security teams approach detection across identity, email, and cloud environments, visit the Daylight Security blog.
Frequently Asked Questions About Business Email Compromise
What Is the Difference Between BEC and Regular Phishing?
Regular phishing casts a wide net with mass emails containing malicious links or attachments designed to trick recipients into downloading malware or entering credentials on fake sites. BEC is targeted, low-volume, and relies on impersonation and social engineering rather than technical payloads.
Why Can't Email Gateways Detect BEC Attacks?
Secure Email Gateways were designed to inspect message content for malicious indicators: URLs, attachments, and known malware signatures. BEC emails are clean text. They contain no payloads for a gateway to catch.
Effective BEC detection requires behavioral analysis and identity correlation, examining who is sending the message, whether their behavior is anomalous, and whether the request aligns with established business patterns. This data lives in identity providers and business applications, not in the email content itself.
How Do Attackers Maintain Access After Compromising an Email Account?
The most common persistence mechanisms are email forwarding rules that silently copy messages to external addresses, mailbox rules that hide or delete specific messages, and OAuth application grants that provide API access independent of credentials.
Standard password resets don't remove OAuth tokens or mailbox rules, which is why attackers frequently maintain access even after organizations detect a compromise and reset passwords. Comprehensive remediation requires revoking OAuth grants and auditing all mailbox rules.