Business Email Compromise

Business email compromise (BEC) refers to all types of email attacks that do not have payloads. Although there are numerous types, there are essentially two main mechanisms through which attackers penetrate organizations utilizing BEC techniques, spoofing and account take-over attacks.

In a recent study, 71% of organizations acknowledged they had seen a business email compromise (BEC) attack during the past year. Forty-three percent of organizations experienced a security incident in the last 12 months, with 35% stating that BEC/phishing attacks account for more than 50% of the incidents.

The FBI's Internet Crime Complaint Center (IC3) reports that BEC scams were the most expensive of cyberattacks in 2020, with 19,369 complaints and adjusted losses of approximately $1.8 billion. Recent BEC attacks include spoofing attacks on Shark Tank Host Barbara Corcoran, who lost $380,000; the Puerto Rican government attacks that amounted to $4 million, and Japanese media giant, Nikkei, who transferred $29 million based on instructions in a fraudulent email.

To thwart a BEC attack, an organization must focus on the Golden Triangle: the alignment of people, process, and technology. Read on to discover best practices every organization should follow to mitigate BEC attacks.


The finance department in every organization has an expenditure authorization policy in place. This policy establishes clear approval levels for any expenditures/payments to safeguard the company's assets.

While all expenditures/payments should be part of an approved budget, this policy provides a tool for the finance department to ensure that each payment is authorized by the right individual or individuals based on the amount.

In some cases, the CEO or president of a company is granted unlimited authority when it comes to requesting payments. Cybercriminals realize this, which is why they spoof the email accounts of high-level individuals.

Given the current cybersecurity landscape, the finance department should re-evaluate this policy to put stricter processes in place. This may mean requiring multiple authorizations for major expenditures paid via check, wire transfer, or any other channel to ensure the payment request is legitimate. It may also spell out how electronic authorizations are obtained.

For example, if someone in the finance department receives an email from the CEO requesting a wire transfer, the administrator processing the request is required to follow the company policy to obtain additional approvals, including sending emails to a pre-approved distribution list to gain electronic approvals along with confirmations via phone. The expenditure amounts dictate who can sign and co-sign and would be based on your organization's risk appetite, that is, how much your company is willing to lose.

As a member of the IT team, you should speak with the finance department to explain how BEC and other spoofing attacks happen. Provide real-life examples of recent BEC attacks and brainstorm what your company would do differently to thwart the attack. Based on these examples, the finance department should re-evaluate the current policy with cybersecurity spoofing and BEC in mind. This may mean that the Chairman of the Board, CEO, or company president cannot be the only signature on major expenditures, the dollar amount based, again, on your company's risk appetite.

Now that the process is established within the expenditure authorization policy, the company now must ensure that its people are trained to follow the policy, without exception.


All company employees must be trained to know what a cybersecurity attack looks like, what to do, what not to do, and this training should be delivered on an ongoing basis since the cybersecurity landscape is changing so rapidly.

Employees in the finance department – or anyone who is authorized to disburse funds in any form – should be trained on what BEC and other spoofing attacks look like.

Emphasize that many of these attacks take the form of emails from high-level executives, they tend to be "urgent" requests, and sometimes the request is sent minutes before the close of business and requires immediate payment. With this training, plus the requirement that all employees follow the expenditure authorization policy, your company should be able to stop BEC attacks.

Many companies purchase insurance to cover these BEC losses, but no organization can be certain that the carrier will pay. For example, trading firm Virtu Financial Inc. lost $6.9 million in a BEC scam but their insurer, Axis Insurance, has refused to pay claiming "the unauthorized access into Virtu's computer system was not the direct cause of the loss, but rather, the loss was caused by separate and intervening acts by employees of Virtu who issued the wire transfers because they believed the 'spoofed' email asking for the funds to be transferred to be true." Virtu Financial Inc. has filed a complaint against Axis Insurance for allegedly breaching the contract by refusing to provide coverage for the cyberattack.


Next-generation, advanced cybersecurity technology can help block any email threat, including spam, phishing, BEC and follow-on attacks, advanced persistent threats (APTs), and zero-day that attack vulnerabilities – all before the threat reaches end-users.

These types of solutions include:

  • An anti-spam engine that blocks malicious communications with anti-spam and reputation-based filters.
  • An anti-phishing engine to detect malicious URLs and prevent any type of phishing attack before it reaches end-users.
  • An anti-spoofing engine to prevent payload-less attacks such as spoofing, look-alike domains, and display name deception.
  • Anti-evasion technologies that detect malicious hidden content by recursively unpacking the content into smaller units (files and URLs) which are then dynamically checked by multiple engines in seconds.
  • Machine intelligence (MI) and natural language processing (NLP) to check for aberrations from the norm in content and context, such as identifying an abnormal writing style, key words that may signify malicious activity, strange IP addresses, geo locations, timing, etc.
  • Detection to prevent advanced threats and zero-day attacks.
  • Ad-hoc email analysis for end-users to identify suspicious emails before taking reckless action.
  • End-user contextual help to flag emails with customizable banners based on policies and rules to provide end-users with additional contextual information and increase their security awareness.

The solution should be able to detect and stop spoofing and account take-over attacks, where a cybercriminal gets access to a legitimate email account and tries to go further into the network.

Final Thoughts

The proficiency of these attacks is why businesses and managed service providers (MSPs) choose to use Acronis Cyber Protection solutions. With a unique combination of machine intelligence (MI), automation, and integration, this all-in-one cyber protection solution is designed to help lower business risk and improve productivity, regardless of how data loss occurs.

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter and LinkedIn to read more exclusive content we post.