(also BEC, email account compromise, EAC)
A business email compromise (BEC) is an email scam targeting businesses where a malicious party attempts to defraud the company. In a BEC scam, cybercriminals send an email that appears to come from a known, legitimate source. The email typically asks the recipient to send a wire transfer, purchase something, or pay an invoice.
Send spear phishing emails. Spear phishing is a targeted cyberattack during which criminals disguise themselves as trusted senders to extract sensitive data. The acquired information allows criminals to access the company’s accounts, enabling them to carry out BEC schemes.
Spoof an email account. Criminals may set up fake email addresses with slight variations from the original (e.g., firstname.lastname@example.org vs. email@example.com). These variations can be challenging to spot and trick victims into thinking they’re authentic.
Use malware. Criminals may use malicious software to infiltrate company networks and access business email threads about invoices and billing. They may use this information to time their BEC scams (e.g., emailing accountants when a payment is usually due). .