How to Detect and Prevent Business Email Compromise

Business email compromises (BECs) are financial scams that typically target companies and employees that carry out wire transfers. They’re usually more sophisticated than typical phishing schemes, and require a mixture of impersonation, surveillance, and compromised emails of real business contacts.

In this article, we’ll look at how BECs work, how to detect BECs, and a few effective strategies managed services providers (MSPs) can use to help their customers prevent BEC attacks.

How does business email compromise work?

Business email compromises are not high-tech scams. They rely on a sophisticated social engineering process to create a sense of authenticity. Instead of attacking vulnerabilities in cybersecurity systems, BECs rely on weaknesses generated by human behavior and interaction.

BECs usually involve versions of spear phishing and whaling, using social engineering to carry out online attacks. BECs might involve outreach to employees under the guise of communications related to daily operations, or by pretending to be a business contact. But while phishing and whaling scams contact the target directly with fraudulent emails, BECs contact individuals through compromised institutional emails—making them more convincing for the recipient.

Typically, attackers attempt to gain access to a C-suite executive’s account through phishing, malware, and other means. Once they gain access to the corporate email, they monitor the account to learn the communication habits of the executive, the contours of the business, and how it operates. Often, the attacker will send an urgent email requesting the recipient carry out a financial transaction. Because the communication looks like a routine transfer requested by a senior executive, suspicious activities may go unnoticed.

Is BEC the same as ransomware?

BECs are different from ransomware, although the two sometimes share tactics—and both are becoming increasingly common. Ransomware, or ransom malware, locks users out of their system, which usually contains sensitive information and personal files. Victims are then instructed to pay a ransom in order to restore access.

Ransomware, like BECs, often use social engineering tactics to make their deliveries seem more credible. Emails may look like they’re sent from colleagues, business contacts, or trusted institutions. Unlike BECs, however, ransomware attacks don’t require the attacker to gain access to corporate accounts to trick the recipient into carrying out financial transfers. Instead, they tend to target the recipient directly. A common form of ransomware is malspam, which delivers unsolicited emails containing rigged attachments or links to malicious websites.

Can you detect a BEC?

While there are no fail-safe ways for detecting BEC attacks, there are common signs your employees can and should watch out for. Scammers rely on access to corporate information to create a sense of authenticity, so employees should always be cautious when reading internal communications from senior management. Common signs of BEC attacks include:


Emails filled with grammar errors or spelling mistakes should always raise a red flag. When dealing with requests for large financial transactions especially, employees should be suspicious of typos and poorly worded missives. While BEC scams are likely more sophisticated than typical phishing attacks, their messages may still contain typos and grammatical mistakes that help reveal a scam.


By sending emails from C-suite accounts, scammers ensure they gain a psychological advantage over their recipients. When receiving urgent instructions from senior management, employees should reflect whether it’s out of character for a CEO or a CFO to send similar requests, especially if the requests pertain to sensitive information and large financial transactions.


Most organizations, especially those that deal with large, time-sensitive financial transactions, will have strict security procedures in place. Employees should beware of requests that demand they bypass standard procedure for any reason, regardless of who they receive the request from. Requests to skip protocol are usually the best indication of an attack, and employees should always double check the source of the communication before carrying out similar requests. When in doubt, it’s best to reach out in person to the C-suite executive the message looks to be from to confirm.

Finally, organizations should take the time to educate their staff about business email compromises. Update your training tutorials to include the basics of BEC scams, how to recognize them, and establish protocols for responding to scams discovered after the fact.

How do you guard against business email compromises?

While there are no guaranteed ways to prevent employees falling prey to BEC scams, there are steps you can take to make your organization more secure. BECs rely on human fallacies and weaknesses, and you can prevent them by separating duties for carrying out financial transactions among several individuals. This way, you are adding layers of security.

Additionally, businesses can protect their assets by making their mail security systems more robust in the following ways:


Since BECs usually require access to a C-suite account, one way to help prevent BECs is to ensure your executive accounts receive the best protections. Using two-factor authentication increases protection against scammers because it requires, in addition to a set of login credentials, access to the account holder’s device. Using a unique dynamic PIN when accessing the account from new devices will make it less likely that scammers are able to obtain access to executive accounts.


Anti-spam solutions can guard against more sophisticated forms of phishing, such as whaling and spear phishing, and offer ransomware attack protection. But keep in mind that traditional anti-spam solutions are set to recognize falsified emails containing suspicious attachments, and they may have difficulties recognizing emails sent directly from a compromised corporate account. Nevertheless, they’re an essential feature for protecting your assets.

Security software for business emails

Advanced security software can provide threat detection and prevention against multiple forms of attacks. N-able® Mail Assure uses collective threat intelligence and machine learning to guard against BECs, spear phishing, whaling, and ransomware. Mail Assure offers:

  • Sender Policy Framework (SPF): an email authentication standard that allows the owner of the domain to determine the servers that can send emails on its behalf.
  • DomainKeys Identified Mail (DKIM): a security protocol that attaches a digital signature to outgoing emails so that the recipient can verify that the email was authorized by the owner.
  • Domain-based Message Authentication Reporting and Conformance (DMARC): a mechanism that prevents email spoofing through a combination of DKIM signatures and SPF.

One click on an email could have devastating consequences for your business. Ensure your business has what it needs to guard against business email compromises, phishing, and ransomware.


Want to stay up to date?

Get the latest MSP tips, tricks, and ideas sent to your inbox each week.

Loading form....

If the form does not load in a few seconds, it is probably because your browser is using Tracking Protection. This is either an Ad Blocker plug-in or your browser is in private mode. Please allow tracking on this page to request a trial.

Note: Firefox users may see a shield icon to the left of the URL in the address bar. Click on this to disable tracking protection for this session/site