What is Business Email Compromise?

Explore what Business Email Compromise (BEC) is and how Doppel's Social Engineering Defense platform helps protect organizations from such threats.

Business Email Compromise (BEC) is a type of cyberattack that uses email fraud to trick employees into transferring money or sharing sensitive information. These attacks often impersonate executives, vendors, or legal representatives. They are not random. They are calculated and usually involve weeks of research by the attacker.

BEC is growing fast. The FBI’s Internet Crime Complaint Center (IC3) reported that BEC scams accounted for over $2.9 billion in losses in 2023 alone. That’s more than any other category of internet crime. Attackers target key people in an organization, like CFOs, CEOs, and accounts payable teams, because these individuals can approve payments or access confidential data.

At Doppel, we help organizations spot and stop BEC threats early. Our platform monitors for signs of executive impersonation, spoofed domains, and suspicious email activity, and flags threats in real time. We give businesses the chance to act before any damage is done.

Overview of Business Email Compromise

BEC isn’t just another phishing scam. It’s more advanced. Where phishing casts a wide net, business email compromise is highly targeted. Attackers usually pose as a trusted figure, often an executive or external partner, and use believable pretexts to convince someone to take urgent action.

There are a few key tactics involved:

  • Spoofing: Creating fake emails that look like they come from legitimate sources.
  • Lookalike domains: Using URLs that mimic real ones (e.g., doppel.co instead of doppel.com).
  • Compromised accounts: Hijacking a real email account through phishing or credential theft.
  • Thread hijacking: Replying within a real conversation to increase believability.

The losses from business email compromise attacks are severe. The FBI has seen reports from companies of all sizes, from small nonprofits to global corporations, across industries like finance, healthcare, law, and real estate. Attackers often strike during critical times like mergers, vendor payments, or quarterly reporting to increase urgency and reduce scrutiny.

Common Types of BEC Attacks

BEC attacks come in different forms but rely on trust and timing. Here are the most common types:

CEO Fraud (Executive Impersonation)

In this attack, the criminal pretends to be a high-ranking executive, usually the CEO or CFO. They email someone in finance or HR asking for an urgent wire transfer, often under the pretense of a confidential acquisition or an emergency. These messages usually come outside of business hours to avoid verbal confirmation.

Doppel’s impersonation detection system scans for spoofed sender addresses, name misuse, and new domain registrations that imitate company executives.

Invoice Scams

Attackers either compromise a vendor’s account or create a nearly identical domain. They then send fake invoices or change bank account information on real ones. If the finance team isn’t watching closely, funds can be diverted without anyone realizing it until it's too late.

This type of fraud is prevalent in industries that handle frequent large payments, such as construction, logistics, and real estate.

Account Takeover (ATO)

Here, attackers gain access to an employee’s real email account, often through stolen credentials or a successful phishing campaign. Once inside, they may lurk, reading messages and learning workflows. Then they launch a stealth attack by sending fraudulent requests from the real account.

Because the messages come from a legitimate address, these are much harder to detect. Doppel’s monitoring system helps identify suspicious behavior patterns like unusual sending locations or content inconsistencies.

How Business Email Compromise Works

A successful business email compromise attack doesn’t happen overnight. These schemes are carefully planned and executed in stages, often over weeks or months. The attacker’s goal is to blend into normal business activity by mimicking trusted communication and exploiting existing workflows.

BEC is dangerous because it doesn’t rely on malware or brute-force attacks. It relies on social engineering, tricking people by appearing trustworthy, urgent, or familiar. Most BEC incidents involve multiple steps:

1. Reconnaissance

Attackers begin by learning as much as they can about their target. This step often goes unnoticed because no attack has occurred yet. They gather open-source intelligence (OSINT) to build a detailed profile of the organization and its people. This includes:

  • Reviewing company websites for staff names, job titles, email formats, and vendor relationships
  • Checking executive bios, news releases, and investor documents
  • Monitoring LinkedIn to see who reports to whom
  • Searching for public email addresses and guessing internal naming conventions (e.g., jsmith@company.com)
  • Looking for leaked credentials on dark web forums

Attackers sometimes create fake social media accounts to connect with employees and gather additional details. This information helps them craft believable emails that fit into the organization’s day-to-day operations.

2. Exploitation

Once they have enough intel, attackers move into the exploitation phase. Here, they create the entry point for the fraud. This may involve:

  • Spoofed email addresses: They send emails from domains that closely resemble the legitimate company (e.g., doppel.co instead of doppel.com).
  • Compromised accounts: They steal credentials through phishing or reuse passwords found in past data breaches.
  • Fake domain registrations: They set up domains that imitate partners, clients, or executives.
  • Thread hijacking: If they gain access to a real account, they reply within ongoing email threads to avoid suspicion.
  • Forged invoices or contracts: They create documents with convincing details like logos, real PO numbers, and signatures.

Some attackers use malware, usually lightweight spyware or keyloggers, to maintain access or collect passwords. Others rely on people's trust in familiar names and fast-moving business processes.

3. Action

With their trap set, attackers launch the final phase. This is where the real damage happens. Common tactics include:

  • Asking for an urgent wire transfer to a “new vendor account”
  • Requesting sensitive documents like W-2s, payroll data, or client lists
  • Instructing an employee to change invoice payment details
  • Posing as a lawyer or regulator needing confidential files

These requests are usually timed for maximum pressure. For example, they might be sent late on a Friday, during a holiday week, or when the real executive travels. The attacker may reference actual projects, deadlines, or deals to appear legitimate.

If successful, the victim sends the money or data, believing they’re following a standard internal process. By the time anyone realizes what happened, the attacker is long gone.

Why This Process Works

The success of BEC comes down to human psychology. These attacks exploit:

  • Authority: Emails appear to come from senior leaders.
  • Urgency: Targets are told to act quickly, often in secret.
  • Familiarity: Messages include known names, roles, or context.
  • Routine: Requests are designed to blend in with normal workflows.

Even well-trained employees can fall for these tactics. That’s why early detection and real-time monitoring, like Doppel’s impersonation alerts and spoofed domain detection, are so critical to prevention.

Business Email Compromise Prevention Strategies

You can’t rely on one solution to stop BEC. It takes a combination of people, technology, and policy.

A layered defense strategy should go beyond just technology and include employee training, external monitoring, and policy enforcement. For a more hands-on guide, discover actionable steps for a robust brand protection strategy that can help you build resilience against impersonation-based threats.

Email Authentication Protocols

SPF, DKIM, and DMARC help validate legitimate senders and block spoofed messages. However, these tools aren’t perfect. They only work if properly configured; even then, attackers can still create lookalike domains or use compromised accounts.

It’s critical to audit these settings regularly and enforce policies across all owned domains.
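The audit the paragraph above calls for can be partly automated. The script below is an added example (not Doppel's code or any part of its platform): it parses SPF and DMARC TXT record text and reports weak settings such as `~all`, `p=none`, a reduced `pct`, or a missing `rua` address. The records are constructed strings embedded inline so the script runs offline; a real audit would fetch the TXT records for each owned domain and for `_dmarc.<domain>` and feed them to the same functions.

```python
"""Audit SPF and DMARC TXT records for weak settings (added example).

Record text is supplied inline rather than fetched from DNS, so this runs
offline. The constructed WEAK_* and STRONG_* records show a weak
configuration beside its corrected form.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "high", "medium" or "low"
    message: str


def _is_lookup_term(term: str) -> bool:
    """True for SPF terms that cost a DNS lookup (RFC 7208 caps these at 10)."""
    name = term.lstrip("+-~?").lower()
    name = name.split(":")[0].split("=")[0].split("/")[0]
    return name in ("include", "a", "mx", "ptr", "exists", "redirect")


def audit_spf(record: Optional[str]) -> List[Finding]:
    """Flag common weaknesses in one SPF TXT record."""
    if record is None:
        return [Finding("SPF", "high", "no SPF record published")]
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return [Finding("SPF", "high", "record does not start with v=spf1")]
    findings: List[Finding] = []
    # The 'all' mechanism decides what happens to senders not listed before it.
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "medium", "no 'all' mechanism; unlisted senders are treated as neutral"))
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append(Finding("SPF", "high", "'+all' authorizes every sender on the internet"))
        elif qualifier == "?":
            findings.append(Finding("SPF", "medium", "'?all' is neutral; spoofed mail is not penalized"))
        elif qualifier == "~":
            findings.append(Finding("SPF", "low", "'~all' only softfails; prefer '-all' once senders are inventoried"))
    lookups = sum(1 for t in terms[1:] if _is_lookup_term(t))
    if lookups > 10:
        findings.append(Finding("SPF", "high", f"{lookups} DNS-lookup terms exceed the limit of 10; receivers return permerror"))
    return findings


def parse_dmarc_tags(record: str) -> Dict[str, str]:
    """Split 'k=v; k2=v2' DMARC syntax into a dict with lowercase keys."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: Optional[str]) -> List[Finding]:
    """Flag DMARC settings that let spoofed mail through or hide evidence of it."""
    if record is None:
        return [Finding("DMARC", "high", "no DMARC record at _dmarc.<domain>")]
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return [Finding("DMARC", "high", "record does not start with v=DMARC1")]
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append(Finding("DMARC", "high", "p=none only monitors; spoofed mail is still delivered"))
    elif policy == "quarantine":
        findings.append(Finding("DMARC", "low", "p=quarantine; move to p=reject once aggregate reports are clean"))
    elif policy != "reject":
        findings.append(Finding("DMARC", "high", "missing or invalid p= tag"))
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(Finding("DMARC", "medium", f"pct={pct} applies the policy to only part of the mail stream"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "medium", "no rua= address; aggregate reports (and evidence of spoofing) are lost"))
    if tags.get("sp", "").lower() == "none":
        findings.append(Finding("DMARC", "medium", "sp=none leaves subdomains unprotected"))
    return findings


def audit_domain(spf: Optional[str], dmarc: Optional[str]) -> List[Finding]:
    """Combined findings for one owned domain."""
    return audit_spf(spf) + audit_dmarc(dmarc)


# Constructed records (not real DNS data): a weak setup beside its corrected form.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(f"== {label} configuration ==")
        for f in audit_domain(spf, dmarc) or [Finding("-", "ok", "no findings")]:
            print(f"  [{f.severity}] {f.record}: {f.message}")
```

Run this against every domain the organization owns, including parked and marketing domains that never send mail; those should carry `v=spf1 -all` and `p=reject` too, since attackers spoof whichever owned domain is least protected.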

Executive Monitoring and Domain Defense

Attackers often impersonate high-profile leaders or register lookalike domains. Doppel automatically scans for suspicious domain activity and executive impersonation attempts, giving security teams a heads-up before the attacker hits send.

Monitoring executive name misuse and domain spoofing is critical. Doppel’s platform helps identify and respond to these early warning signs. To understand the broader landscape of digital impersonation, learn key concepts and strategies for brand protection.
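The two signals this section and the CEO Fraud section describe, an executive's name on a sender address outside the company and a domain that imitates an owned one, can be checked on inbound mail with a few header fields. The script below is an added example, not Doppel's detection logic: the owned-domain set, the executive roster and the header samples are all constructed, and the lookalike test uses simple homoglyph substitution plus edit distance against the owned domain's label (a public-suffix list is not used, so the registrable domain is assumed to be the last two labels). Checks that need outside data, such as the domain's registration age, are left out.

```python
"""Flag executive-impersonation and lookalike-domain signals in mail headers.

Added example over constructed data; not Doppel's code. OWNED_DOMAINS and
EXECUTIVES stand in for the defender's own inventory.
"""
from email.utils import parseaddr
from typing import Dict, List, Optional

OWNED_DOMAINS = {"doppel.com"}                       # constructed inventory
EXECUTIVES = {"jane doe": "jane.doe@doppel.com"}     # constructed roster: display name -> real address

# Common visual substitutions used in lookalike labels.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_label(label: str) -> str:
    """Fold homoglyphs so d0ppel and doppe1 compare equal to doppel."""
    s = label.lower()
    for fake, real in HOMOGLYPHS:
        s = s.replace(fake, real)
    return s


def levenshtein(a: str, b: str) -> int:
    """Edit distance; one insert/delete/substitute counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Assumption: the registrable domain is the last two labels (no PSL lookup)."""
    parts = domain.lower().split(".")
    return ".".join(parts[-2:])


def lookalike_of(domain: str) -> Optional[str]:
    """Return the owned domain this sender domain imitates, or None."""
    d = domain.lower()
    if d in OWNED_DOMAINS or any(d.endswith("." + o) for o in OWNED_DOMAINS):
        return None                                   # genuinely ours
    d_label = registrable(d).rsplit(".", 1)[0]
    for owned in OWNED_DOMAINS:
        o_label = owned.rsplit(".", 1)[0]
        # Same label under another TLD (doppel.co) or a homoglyph twin (d0ppel.com).
        if normalize_label(d_label) == normalize_label(o_label):
            return owned
        # One typo away (dopel.com, doppell.com).
        if levenshtein(d_label, o_label) <= 1:
            return owned
    return None


def score_message(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one message's From/Reply-To headers."""
    findings: List[str] = []
    display, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"lookalike domain {domain} imitates {imitated}")

    # Executive display name on an address that is not the executive's real one.
    key = display.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{display}' matches an executive but address is {addr}")

    # Replies diverted to a different, non-owned address.
    _, reply_addr = parseaddr(headers.get("Reply-To", ""))
    if reply_addr and reply_addr.lower() != addr.lower():
        if registrable(reply_addr.rsplit("@", 1)[-1]) not in OWNED_DOMAINS:
            findings.append(f"Reply-To {reply_addr} diverts replies away from the sender")
    return findings


# Constructed header samples (not captured mail).
MSG_LEGIT = {"From": "Jane Doe <jane.doe@doppel.com>"}
MSG_LOOKALIKE = {"From": "Jane Doe <jane.doe@doppel.co>"}
MSG_FREEMAIL = {"From": "Jane Doe <janedoe.ceo@example.org>"}
MSG_HOMOGLYPH = {"From": "Accounts <ap@d0ppel.com>", "Reply-To": "payments@example.net"}

if __name__ == "__main__":
    for name, msg in (("legit", MSG_LEGIT), ("lookalike", MSG_LOOKALIKE),
                      ("freemail", MSG_FREEMAIL), ("homoglyph", MSG_HOMOGLYPH)):
        print(f"{name}: {score_message(msg) or ['no findings']}")
```

The display-name check is the one that catches most executive impersonation in practice, because attackers rarely need a lookalike domain when a free mailbox with the right name will do; that is why the roster compares against the executive's real address rather than only the domain.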

Employee Training and Procedures

Educating staff to recognize suspicious emails, verify unusual requests, and follow secure protocols is key. Finance and HR teams should be trained to question last-minute changes in payment instructions or unexpected attachments.

Encourage a culture where it's okay to double-check, especially when money or data is involved.

Real-Time Threat Intelligence

Doppel combines AI, automation, and human oversight to track impersonation campaigns as they evolve. When threats are found, Doppel provides alerts and can help initiate takedown requests for spoofed websites or malicious infrastructure.

Business email compromise is only one of many digital threats that organizations face. Doppel’s tools are designed to give you visibility and control across your external digital attack surface. To see how these defenses fit into a larger cybersecurity strategy, understand the broader scope of digital risk protection.

FAQ

What is the difference between business email compromise and phishing?

Phishing targets many people with generic emails. BEC is tailored to target specific employees using names, roles, and realistic scenarios. BEC often appears to come from someone the victim knows.

How can businesses detect a BEC attack early?

Early signs include spoofed domains, unusual sender activity, and messages that break typical patterns. Real-time monitoring tools like Doppel flag these anomalies before they result in a successful scam.

Who is most at risk of a BEC attack?

Executives, finance teams, HR, and procurement are prime targets. They have access to money, payroll data, or vendor relationships that can be exploited.

What does Doppel do to stop BEC threats?

Doppel detects executive impersonation, fraudulent domains, and social engineering campaigns in real time. We also help initiate takedown actions and provide alerts to help teams act quickly and prevent harm.