Business Email Compromise (BEC) Attacks Explained: Are You at Risk?


Business Email Compromise (BEC) attacks are a serious issue for many organizations, especially those that use Office 365. Taking basic steps to prevent email compromises now is your best bet for preventing costly implications down the road.

Email has been around for more than 40 years, and it feels like attempts to compromise email accounts have been around almost as long.

Just as the volume of messages continues to grow—some 330 billion messages are sent each day, up from 270 billion five years ago—so do the frequency and sophistication of attacks. One of the worst offenders is known as a business email compromise (BEC) attack.

What Is a Business Email Compromise (BEC) Attack?

A BEC attack is a sophisticated form of social engineering in which attackers send messages that look like they came from executives within a company. The goal of this type of phishing attack is to trick the victim into wiring money to an account controlled by the attacker.

Once an attacker starts sending bogus payment requests, they become very difficult to detect. So, a better strategy is to keep them from gaining access in the first place.

According to the FBI, cybercriminals stole more than $2 billion from US businesses in 2020 by exploiting cloud-based email services, and half of the incidents were identified as BEC related.

Two thirds of the BEC attacks targeted cloud-based email systems, and 98 percent of those were directed at vulnerabilities in Office 365.


How Does a Business Email Compromise Attack Work?

During the height of the pandemic, many companies implemented conditional access policies to protect their networks from phishing attacks when people were working from home. Even if an attacker stole or guessed a legitimate user’s password, they could only log in from a specific location, as determined by their IP address.

In the same year-end report, roughly half of the BEC attacks identified in 2021 were blocked by such conditional access policies. The rest bypassed these policies using VPNs to spoof the attackers’ physical location. Since 2019, researchers have seen a 50% increase in the use of VPNs and hosting providers to access compromised accounts.

One out of 10 attacks last year managed to circumvent weak multi-factor authentication (MFA) protections—either by accessing mailboxes using legacy protocols that don’t support MFA or using phishing attacks to drive victims to bogus Okta or OneLogin authentication pages.

Attackers then pass the stolen authentication codes to the real Okta or OneLogin pages, using a classic man-in-the-middle attack to gain access to your accounts.

Examples of BEC Attacks

Even organizations with sophisticated security operations have been victimized by BEC attacks. In fact, employees at two very well-known tech companies suffered from the biggest publicly reported BEC scam.

Over a period of three years, a Lithuanian scammer named Evaldas Rimasauskas fooled employees at Facebook and Google into sending him more than $120 million. He did it by creating a fake notebook PC manufacturer with the same name as a real one, then having the companies wire him payments for bogus invoices. (In 2019, Rimasauskas was sentenced to 5 years in federal prison.)

It’s not just the two tech giants. Toyota, the Puerto Rican government, the City of Saskatoon, the French cinema chain Pathé and thousands more have fallen victim.

The moral? If these organizations can get fleeced by a BEC scammer, yours can too.

Who is Most Vulnerable to BEC Attacks?

The overwhelming majority of BEC attacks detected last year targeted Office 365. Fewer than one percent went after Gmail. The reason has to do with how these email systems are set up.

In Office 365 Exchange, the IMAP and POP3 protocols are enabled by default. Neither of these legacy protocols supports multi-factor authentication (MFA). Office 365 also enables basic authentication, which allows users to access their inboxes by storing their username and password on a device. This makes accounts vulnerable to password spray or brute force attacks.

Google Workspace, on the other hand, disables these features by default, though you can turn them on if you really want to. (Our advice? Don’t.)

Even Microsoft has finally decided to disable Basic Authentication starting in October 2022. But that still gives attackers six months to compromise your business.

How to Protect Against BEC Attacks and Limit Risk

There are a few things you can do to reduce your exposure to BEC attacks, especially if your organization uses Office 365:

  1. Disable access to legacy protocols that don’t support multiple authentication methods. This includes POP3, IMAP and basic authentication.
  2. Implement higher levels of conditional access for employees who are tempting targets for attackers. For example, this might mean high-level executives or those who have access to sensitive or proprietary data.
  3. Implement MFA. But make sure you deploy phish-resistant security keys supported by the FIDO (Fast IDentity Online) Alliance. FIDO keys prevent man-in-the-middle attacks by authenticating the browser being used to enter a user’s credentials.
  4. Deploy Okta’s adaptive multi-factor authentication (AMFA) features. AMFA can detect and block suspicious authentication attempts involving unusual locations, new devices or log-in attempts from two wildly distant sites in the same day (a.k.a. “impossible travel”).
  5. Keep an eye out for suspicious authentication activity. Azure AD Identity Protection and Microsoft Defender for Cloud Apps are great tools for this. They allow you to monitor common authentication patterns for employees and flag atypical behavior—a possible indication an attack is underway and that an employee’s password needs to be changed.
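
The checks in steps 1, 4 and 5 can be prototyped against exported sign-in logs. The following is an added example, not code from the article or from any vendor: it flags sign-ins over legacy protocols and "impossible travel" between consecutive sign-ins for the same user. The record fields, client labels, speed threshold and sample data are all assumptions made for illustration.

```python
import math
from datetime import datetime

# Assumed labels for clients that authenticate with a bare username/password.
LEGACY_CLIENTS = {"IMAP4", "POP3"}
MAX_KMH = 900   # assumed ceiling: roughly airliner cruising speed
MIN_KM = 50     # ignore small jumps caused by imprecise IP geolocation

# Constructed sign-in records (not real data); field names are assumptions.
SIGNINS = [
    {"user": "cfo@example.com", "time": "2022-03-01T08:00:00", "client": "Browser", "lat": 40.71, "lon": -74.01},
    {"user": "cfo@example.com", "time": "2022-03-01T10:30:00", "client": "Browser", "lat": 54.69, "lon": 25.28},
    {"user": "ap@example.com", "time": "2022-03-01T09:00:00", "client": "IMAP4", "lat": 51.51, "lon": -0.13},
    {"user": "ap@example.com", "time": "2022-03-01T12:00:00", "client": "Browser", "lat": 48.86, "lon": 2.35},
]

def parse_time(ev):
    return datetime.fromisoformat(ev["time"])

def haversine_km(a, b):
    """Great-circle distance in km between the locations of two sign-in records."""
    p1, p2 = math.radians(a["lat"]), math.radians(b["lat"])
    dlon = math.radians(b["lon"] - a["lon"])
    h = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def find_suspicious(signins, max_kmh=MAX_KMH):
    """Return (user, reason, detail) alerts for legacy-protocol use and impossible travel."""
    alerts, last_seen = [], {}
    for ev in sorted(signins, key=parse_time):
        if ev["client"] in LEGACY_CLIENTS:
            alerts.append((ev["user"], "legacy_protocol", ev["client"]))
        prev = last_seen.get(ev["user"])
        if prev is not None:
            km = haversine_km(prev, ev)
            hours = (parse_time(ev) - parse_time(prev)).total_seconds() / 3600
            # Far-apart sign-ins at the same instant are treated as impossible too.
            if km > MIN_KM and (hours == 0 or km / hours > max_kmh):
                alerts.append((ev["user"], "impossible_travel", f"{km:.0f} km in {hours:.1f} h"))
        last_seen[ev["user"]] = ev
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SIGNINS):
        print(alert)
```

Because the article notes that attackers use VPNs and hosting providers to appear local, a location check like this complements the legacy-protocol check rather than replacing it.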


As long as BEC attacks continue to generate billions in profits for cybercriminals, they’re only likely to increase. And as the industry moves towards “secure by default,” attacks on MFA security will also rise. Taking basic steps to prevent email compromises now is your best bet for preventing some costly implications down the road.


Jon Hencinski
Director of Global Operations

Jon Hencinski is the Director of Global Operations at Expel. In this role, he's responsible for the day-to-day operations of Expel's security operations center (SOC) and detection and response engineering. He oversees how Expel recruits, trains, and develops security analysts. Jon has over a decade of experience in the areas of SOC operations, threat detection and incident response. Prior to Expel, Jon worked at FireEye, BAE Systems, and was an adjunct professor at The George Washington University.