Business email compromise rarely makes the splashy headlines that ransomware attracts. The losses are quiet, the recovery is messy and the reputational damage tends to land on individuals more than on organisations. The economics for the attacker are excellent: a single successful BEC operation can produce six- or seven-figure payouts with minimal technical sophistication. The defences are largely organisational rather than technical, which is precisely why so many organisations still fall victim.

The Patterns Are Predictable

BEC operations follow recognisable patterns. The attacker compromises or impersonates a senior executive, a supplier finance contact or a trusted external advisor. The victim receives a request for an urgent payment, often timed to coincide with the executive being unreachable. The bank details are new. The justification sounds reasonable. The pressure to act fast prevents the verification that would catch the fraud. A focused Azure pen testing engagement that includes the email environment should validate that the controls meant to detect this pattern actually do so.

Account Compromise Versus Domain Impersonation

BEC attacks split into two broad categories. Account compromise involves the attacker actually controlling the legitimate mailbox of the supposed sender. Domain impersonation uses a lookalike domain that resembles a legitimate one but is registered by the attacker. Each requires different defences. Account compromise defences include MFA, behavioural detection of unusual login patterns and inbox rule monitoring. Domain impersonation defences include DMARC enforcement, domain monitoring services and well-practised manual verification processes for payment changes.
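The domain impersonation side can be partly automated on the receiving end: before a payment request from an unfamiliar sender reaches finance, the sender domain can be compared against the domains the business actually does business with. The following is an added example (not code from the article or from Aardwolf Security) of a lookalike-domain screen. It assumes a constructed list of trusted domains and a small, illustrative table of character substitutions; a production screen would use the full Unicode confusables data and a maintained supplier list.

```python
import unicodedata

# Constructed list of domains we expect supplier and executive mail to come from.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.co.uk"}

# Illustrative subset of single-character substitutions seen in lookalike
# registrations. Multi-character swaps (rn -> m, vv -> w) are handled separately.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalise(domain):
    """Fold accents, case and common confusables so lookalikes compare equal."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for pair, single in (("rn", "m"), ("vv", "w")):
        d = d.replace(pair, single)
    return d.translate(CONFUSABLES)


def levenshtein(a, b):
    """Plain edit distance; small enough to run per message without a library."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ("trusted" | "lookalike" | "unknown", matched_trusted_domain_or_None).

    A lookalike is a domain that is not trusted but, after normalisation, is
    identical to, a near edit-distance neighbour of, or a leading-label copy of
    a trusted domain (e.g. example.com.secure-login.test).
    """
    raw = domain.lower().rstrip(".")
    for t in trusted:  # exact match or genuine subdomain of a trusted domain
        if raw == t or raw.endswith("." + t):
            return ("trusted", t)
    norm = normalise(raw)
    best = None
    for t in trusted:
        tn = normalise(t)
        if norm == tn or norm.startswith(tn + "."):
            return ("lookalike", t)
        dist = levenshtein(norm, tn)
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, t)
    return ("lookalike", best[1]) if best else ("unknown", None)


if __name__ == "__main__":
    # Constructed sender domains exercising each branch.
    for sender in ("example.com", "mail.example.com", "examp1e.com", "exarnple.com",
                   "acme-suppiles.co.uk", "example.com.secure-login.test",
                   "unrelated-vendor.org"):
        print(f"{sender:35} -> {classify_sender_domain(sender)}")
```

A "lookalike" verdict is a reason to hold the message for the out-of-band check the article describes, not proof of fraud on its own; the edit-distance threshold should be tuned against real supplier mail so that legitimate short domains do not collide.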

Expert Commentary

William Fieldhouse, Director of Aardwolf Security Ltd

The BEC cases I have reviewed all had something in common. A payment process that allowed exceptions under time pressure, communicated through email, with insufficient out-of-band verification. The fix is procedural, not technical. Verify payment changes through a separate channel, always, with no exceptions for urgency.


Behavioural Detection Picks Up The Pattern

Behavioural detection picks up the patterns that BEC produces: inbox rules created suddenly that auto-forward financial conversations, authentications from unusual locations, and mail flow rule changes outside normal administrative hours. Each of these signals is detectable, and several SIEM products correlate them well. Investing in the detection rules pays off when an account does get compromised. It is worth involving finance and procurement in the detection design. They see the operational patterns that security teams miss, and the combined view produces detection rules that catch genuine fraud without burying the response team in false positives.
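The three signals above translate directly into detection rules. What follows is an added example, not the article's or any vendor's code: it runs the three rules over a handful of constructed audit records whose field names loosely follow Exchange Online and Entra ID audit events (Operation, UserId, CreationTime, Parameters). The business-hours window, the internal domain list and the finance keyword list are assumptions to be replaced with the organisation's own values.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records, not real tenant data. Shapes approximate the
# unified audit log; a real feed would be parsed from JSON exported by the SIEM.
SAMPLE_EVENTS = [
    {"Operation": "UserLoggedIn", "UserId": "cfo@example.com",
     "CreationTime": "2024-03-04T08:55:00Z", "Country": "GB"},
    {"Operation": "UserLoggedIn", "UserId": "cfo@example.com",
     "CreationTime": "2024-03-04T09:02:00Z", "Country": "NG"},
    {"Operation": "New-InboxRule", "UserId": "cfo@example.com",
     "CreationTime": "2024-03-04T09:12:00Z",
     "Parameters": {"Name": ".", "SubjectContainsWords": ["invoice", "payment"],
                    "ForwardTo": "finance-archive@mail-example.test",
                    "DeleteMessage": True}},
    {"Operation": "New-InboxRule", "UserId": "alice@example.com",
     "CreationTime": "2024-03-04T10:00:00Z",
     "Parameters": {"Name": "Newsletters", "From": "news@example.com",
                    "MoveToFolder": "Reading"}},
    {"Operation": "Set-TransportRule", "UserId": "admin@example.com",
     "CreationTime": "2024-03-05T02:40:00Z",
     "Parameters": {"Name": "External forward",
                    "RedirectMessageTo": "x@mail-example.test"}},
    {"Operation": "Set-TransportRule", "UserId": "admin@example.com",
     "CreationTime": "2024-03-05T11:15:00Z",
     "Parameters": {"Name": "Disclaimer", "ApplyHtmlDisclaimerText": "..."}},
]

INTERNAL_DOMAINS = {"example.com"}                       # assumed tenant domains
FINANCE_KEYWORDS = {"invoice", "payment", "wire", "bank", "remittance"}
BUSINESS_HOURS = range(8, 19)                            # assumed 08:00-18:59 UTC change window
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")


def _is_external(address):
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS


def _parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_bec_signals(events, baseline_countries=None):
    """Return (rule_name, user, detail) findings for the three BEC patterns.

    baseline_countries maps user -> set of expected login countries; when it is
    absent, the first country seen for a user becomes that user's baseline.
    """
    findings = []
    seen = defaultdict(set, {u: set(c) for u, c in (baseline_countries or {}).items()})
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        op, user, when = ev["Operation"], ev["UserId"], _parse_time(ev["CreationTime"])
        params = ev.get("Parameters", {})

        if op == "UserLoggedIn":  # rule 1: authentication from an unusual location
            country = ev.get("Country", "??")
            if seen[user] and country not in seen[user]:
                findings.append(("unusual_login_location", user,
                                 f"login from {country}, baseline {sorted(seen[user])}"))
            seen[user].add(country)

        elif op in ("New-InboxRule", "Set-InboxRule"):  # rule 2: external forward of finance mail
            targets = [params[p] for p in FORWARDING_PARAMS if p in params]
            external = [t for t in targets if _is_external(t)]
            words = {w.lower() for w in params.get("SubjectContainsWords", [])}
            if external and (words & FINANCE_KEYWORDS or params.get("DeleteMessage")):
                findings.append(("inbox_rule_forwards_finance_mail", user,
                                 f"rule {params.get('Name')!r} forwards to {external}"))

        elif op in ("New-TransportRule", "Set-TransportRule"):  # rule 3: out-of-hours mail flow change
            if when.hour not in BUSINESS_HOURS:
                findings.append(("mail_flow_change_out_of_hours", user,
                                 f"{op} {params.get('Name')!r} at {when:%H:%M} UTC"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in detect_bec_signals(SAMPLE_EVENTS):
        print(f"[{rule}] {user}: {detail}")
```

Run on the sample, the script raises exactly three findings: the login from a new country, the inbox rule that forwards finance-related mail externally and deletes the original, and the transport rule edited at 02:40. The newsletter rule and the daytime disclaimer change are ignored, which is the false-positive discipline the paragraph argues for.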

Out Of Band Verification Stops Most Attacks

Every payment change request, regardless of source, should be verified through a separate channel before action: a phone call to a number already on file, a face-to-face confirmation, or a verification through a known business platform. The verification is mildly inconvenient and catches almost every BEC attempt before money moves. Pair this with periodic penetration testing that includes social engineering scenarios and the resilience increases meaningfully.

BEC is procedural fraud at scale, dressed up as a security problem. The defences are procedural too, and they work when they are actually followed. Phishing is one of those threats that combines social and technical elements in ways that pure technical defences cannot fully address. The combination of cultural and technical investment produces measurably better outcomes than either approach pursued in isolation.