Business Email Compromise (BEC)

[Infographic: Business Email Compromise (BEC). A spoofed message from ceo@comp4ny.com with the subject "Urgent Wire Transfer". Red flags called out: urgency/pressure, new bank account, secrecy requested, CEO bypasses CFO.]

How BEC attacks use email impersonation and social engineering to steal money, and how to stop them.


Business Email Compromise is one of the most financially damaging cyber crimes. Unlike ransomware, it doesn’t rely on malware — it exploits trust, authority, and urgency through carefully crafted emails.

The BEC Attack Flow

[Infographic: The BEC attack flow. The attacker researches the target on LinkedIn, then sends a spoofed email from ceo@c0mpany.au reading “Urgent — transfer $120k today. Secret.” The finance staff member feels pressured and sends $120,000 to the attacker. Stop it: call the CEO on a known number. BEC caused $2.9 billion in losses in 2023 — more than any other cybercrime category.]

What Is BEC?

BEC attacks involve an attacker impersonating a trusted person — often an executive, supplier, or colleague — to trick employees into:
  • Transferring money to a fraudulent bank account
  • Changing supplier payment details to an attacker-controlled account
  • Disclosing sensitive information like employee payroll data

Common BEC Attack Types

| Type | Impersonation | Goal |
| --- | --- | --- |
| CEO Fraud | Executive to finance | Urgent wire transfer |
| Invoice Fraud | Supplier updating bank details | Redirect legitimate payment |
| Payroll Diversion | Employee to HR/payroll | Change bank account before pay run |
| Legal Impersonation | Law firm on confidential deal | Transfer funds for “settlement” |
| IT Support | Helpdesk requesting credentials | Account takeover |

Red Flags Checklist

BEC red flags — if any of these are present, verify by phone before acting:
  • 🚩 Urgency: “Must be done today”, “No time to call”, “I’m in a meeting”
  • 🚩 Secrecy: “Don’t tell anyone”, “Keep this between us”, bypasses the normal process
  • 🚩 New account: a request to change bank/payment details to an unknown account
  • 🚩 Wrong email: ceo@c0mpany.au vs ceo@company.au, or a Gmail address used for “work” email
⛔ Important
Verify every payment change by phone — using a number from your records, not from the email. This one control stops the majority of BEC attacks. No legitimate supplier or executive will object to a quick verification call before a large transfer is made.

Protective Controls

  1. Dual approval for all payments above a threshold — requires two separate people
  2. Call-back verification for any payment account change
  3. Check the full sender address — not just the display name
  4. Email banners flagging external emails (helps staff identify impersonation)
  5. Finance staff training on BEC — they are the primary target
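The red-flag checklist and the “check the full sender address” control above can be turned into a simple inbound-mail triage check. The following is an added example written for this page, not code from Mobile Techs IT Service; the trusted domain (`company.au`), the homoglyph map, the phrase lists and the sample messages are all assumptions constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"company.au"}  # assumption: the organisation's own mail domain
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Digits attackers substitute for look-alike letters, as in c0mpany / comp4ny
HOMOGLYPHS = str.maketrans("0134578", "oleastb")
PHRASES = {
    "urgency": ["today", "urgent", "no time to call", "in a meeting", "asap"],
    "secrecy": ["don't tell", "keep this between us", "secret"],
    "new account": ["new bank", "bank details", "account details", "wire"],
}

def lookalike_domain(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    domain = domain.lower()
    normalised = domain.translate(HOMOGLYPHS)
    for trusted in TRUSTED_DOMAINS:
        if domain != trusted and normalised == trusted:
            return trusted
    return None

def bec_red_flags(raw_message):
    """Check one RFC 5322 message against the checklist; return flags raised.

    An empty list means no checklist item matched, not that the mail is genuine.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    flags = []
    target = lookalike_domain(domain)
    if target:
        flags.append(f"wrong email: {domain} imitates {target}")
    if domain in FREE_WEBMAIL:
        flags.append(f"wrong email: free webmail ({domain}) used for 'work' mail")
    # Display name shows a trusted address while the real address is elsewhere
    if domain not in TRUSTED_DOMAINS and any(t in display.lower() for t in TRUSTED_DOMAINS):
        flags.append(f"wrong email: display name '{display}' hides real sender {addr}")
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    for flag, phrases in PHRASES.items():
        if any(p in text for p in phrases):
            flags.append(flag)
    return flags
```

Any flag raised is a prompt for the call-back verification in control 2, not a verdict; a message with no flags still goes through dual approval.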

Could a fake invoice fool your finance team?
BEC steals more money than any other cybercrime — and it doesn’t need malware, just one convincing email. Mobile Techs IT Service helps Gold Coast businesses shut the door on it — anti-spoofing email authentication (SPF, DKIM, DMARC), external-sender banners, mailbox monitoring for account takeover, and targeted training for the finance staff attackers aim at. Home users welcome too — on-site or remote, anywhere in Australia.