13 Red Flags and Identifiers of a BEC Attack Every Security Team Should Know

Identify BEC attack red flags, including sender impersonation, urgent requests, and payment fraud. Learn 13 warning signs every security team should know.

Abnormal AI

March 15, 2026


Business email compromise (BEC) attacks rank among the most financially devastating cyber threats facing organizations. The FBI IC3 report estimates annual losses of billions of dollars from BEC, underscoring how quickly a single fraudulent message can cause real financial damage.

What makes BEC especially dangerous is its subtlety. These attacks skip malware and exploit kits entirely. Instead, attackers manipulate human behavior and weaponize trust, slipping past traditional security tools that focus on links, attachments, or known threat signatures. Understanding BEC attacks matters for every organization. But how do you spot the warning signs before damage is done?

Below are the critical BEC attack identifiers that every security team should monitor to prevent devastating financial and reputational losses.

1. Sender Impersonation (Domains, Display Names, and Address Mismatches)

Sender impersonation is one of the most reliable identifiers of a BEC attack because it exploits how quickly users trust what they recognize. Attackers use look-alike domains, spoofed display names, and mismatched sender addresses to make a fraudulent email appear legitimate at a glance.

Common impersonation patterns include:

  • Look-Alike Domains: Slightly altered domains, such as adding a hyphen or swapping characters (for example, replacing an “l” with a “1”).

  • Typosquatting: Small misspellings of known domains (for example, a double letter).

  • Homograph Attacks: Replacing characters with look-alikes from other alphabets.

  • Spoofed Display Names: A familiar display name (“CEO John Smith”) masking an external address.

  • Personal Email Substitution: An “internal” request coming from Gmail/Yahoo instead of the corporate domain.

These tactics work because many email clients emphasize the display name, and many recipients scan rather than verify. Security teams can reduce risk by training users to expand and inspect sender details, and by monitoring authentication results (SPF, DKIM, DMARC) and sender-domain anomalies.
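As an added illustration of the checks this section describes (example code, not from the original post or from Abnormal), the following Python inspects a message's From, Reply-To and Authentication-Results headers for look-alike domains, display-name impersonation, free-mail substitution and failed authentication. The organisation domain, the staff directory and the sample message are constructed for the example.

```python
from email.utils import parseaddr
import unicodedata

# Constructed assumptions: the organisation's domain, a tiny directory of real
# staff, and free-mail providers an "internal" request should never come from.
OUR_DOMAIN = "example.com"
DIRECTORY = {"john smith": "john.smith@example.com"}
FREEMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

# Cyrillic/Greek letters and digits commonly used as Latin look-alikes.
CONFUSABLES = str.maketrans({"а": "a", "е": "e", "о": "o", "р": "p", "с": "c",
                             "х": "x", "і": "i", "ο": "o", "1": "l", "0": "o"})

def skeleton(domain: str) -> str:
    """Normalise a domain so visually similar spellings compare equal."""
    d = unicodedata.normalize("NFKC", domain).lower().translate(CONFUSABLES)
    return d.replace("-", "").replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches typosquats such as a doubled letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_flags(headers: dict) -> list:
    """Return the impersonation red flags raised by a message's headers."""
    flags = []
    name, addr = parseaddr(headers.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if domain != OUR_DOMAIN:
        if domain in FREEMAIL:
            flags.append("freemail-substitution")
        elif skeleton(domain) == skeleton(OUR_DOMAIN) or edit_distance(domain, OUR_DOMAIN) <= 2:
            flags.append("lookalike-domain")
        # A known employee's name in the display name, but an external address.
        if any(n in name.lower() for n in DIRECTORY):
            flags.append("display-name-impersonation")
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rpartition("@")[2].lower() != domain:
        flags.append("reply-to-mismatch")
    auth = headers.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth or "spf=fail" in auth:
        flags.append("authentication-failure")
    return flags

# Constructed sample: a "CEO" message from a homograph domain (Cyrillic "а")
# with a free-mail Reply-To and a failing DMARC result.
SAMPLE = {
    "From": "CEO John Smith <john.smith@exаmple.com>",
    "Reply-To": "ceo.office@gmail.com",
    "Authentication-Results": "mx.example.com; spf=pass; dkim=none; dmarc=fail",
}
```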

2. Unusual Account and Sending Behavior

Behavioral anomalies from a legitimate account often indicate account takeover (ATO), making BEC attempts significantly harder to detect. Attackers commonly gain access via credential phishing or session theft, then use the trusted mailbox to orchestrate fraud from within your organization.

Watch for odd timing, such as emails sent outside the user's normal working hours, especially for financial requests. Be alert to unexpected targets, such as messages to departments, vendors, or external recipients the sender rarely contacts.

Volume spikes, including sudden surges in outbound messages or internal phishing attempts, are also worth investigating. Rule changes, like new inbox rules that delete, redirect, or auto-forward messages to external addresses, are another key signal. Finally, watch for location and device anomalies, including access from unusual geographies, unfamiliar devices, or "impossible travel" patterns.

Because these messages originate from real accounts, legacy controls may allow them through. Detection improves when you baseline user behavior and alert on deviations that correlate with financial workflows, mailbox rule changes, and login anomalies.

3. Urgent Requests for Confidential Information

Urgency paired with sensitive data requests is a classic BEC pattern because it pressures recipients to act before verifying. Attackers use time constraints to reduce scrutiny and increase compliance.

Look for signals like:

  • Urgent Language: “urgent,” “immediate,” “ASAP,” or “important.”

  • Deadline Pressure: “by end of day” or “required immediately.”

  • Discouraged Verification: “Do not contact me. I’m unavailable.”

  • Implied Consequences: “We’ll miss compliance deadlines if this isn’t handled now.”

  • Requests for Secrecy: “Please don’t share this. It’s confidential.”

This is a common social engineering play: urgency, secrecy, and authority cues stacked together. These messages often appear most believable when timed to real business events (end-of-quarter closes, audits, active vendor onboarding, or construction/procurement cycles).

4. Inconsistent Communication Style

A shift in a sender’s normal tone or structure can indicate impersonation or compromise, especially when paired with a sensitive ask. Although generative AI can reduce obvious grammatical errors, behavioral and stylistic mismatches still occur in real-world environments.

Examples worth investigating include a normally detailed executive email that becomes vague and instruction-only, a sender who never uses chatty language suddenly using casual phrasing or uncommon sign-offs, or a typically methodical finance leader requesting payment with minimal context.

Treat tone mismatches as a supporting signal, not a standalone verdict. They are most useful when combined with anomalies in timing, recipients, or workflow (e.g., requesting an off-process wire transfer).

5. Fraudulent Payment Requests

Payment manipulation is a primary objective of BEC, and small changes to payment instructions often have the greatest impact. Attackers frequently impersonate vendors, partners, or executives and leverage urgency to bypass normal controls.

Common red flags include urgency without verification, such as pressure to pay immediately and avoid a callback. Watch for new or unfamiliar bank details, like "we've changed banks" or "use this new account," without formal notice. Non-standard payment methods, such as requests to move to gift cards, payment apps, or cryptocurrency for an established business relationship, are also a warning sign.

Be alert to out-of-character requests, such as a leader asking someone outside finance to initiate a transfer, and to thread hijacking, where a legitimate invoice or procurement thread suddenly introduces updated routing details.

Vendor-focused scams typically involve attackers inserting themselves into real payment conversations rather than starting new ones.

6. Spoofed Email Threads (Thread Hijacking)

Thread hijacking increases BEC success rates by leveraging existing trust and context. After compromising an account, attackers observe active conversations and then inject a message at a moment that aligns with legitimate business activity.

A typical example is a “reply” from a vendor stating that banking details have changed and all future payments should be routed to a new account.

Attackers commonly:

  • Map Relationships: Identify who approves payments and who executes them.

  • Mirror Style: Copy formatting, signature blocks, and reply cadence.

  • Reference Real Projects: Use accurate project names, invoices, or timelines.

  • Time the Ask: Intervene right before a scheduled payment or approval.

Because the message lands inside a familiar thread, it often receives less scrutiny. Detection improves when you correlate thread context with behavioral indicators (sender authentication results, unusual reply timing, and payment detail changes).

7. Missing External Email Warnings

Unexpectedly missing “external sender” banners can be a BEC clue, especially when the message is asking for money, credentials, or sensitive data. When a message appears to be external but lacks the usual warning, it warrants closer review.

Common ways attackers attempt to avoid banner cues include:

  • Lookalike Domains: Small domain variations that resemble your own.

  • Header Manipulation: Tweaking metadata to influence how messages render.

  • Compromised Accounts: Sending from a real internal mailbox after takeover.

  • Configuration Gaps: Exploiting tenant settings that strip or inconsistently apply warnings.

Use this as a trigger to inspect message headers and authentication results (SPF/DKIM/DMARC), rather than assuming it is only a mail client glitch.

8. Suspicious Attachment Types

Attachments are not required for BEC, but unusual file types can indicate a blended campaign that includes malware, credential theft, or initial access tooling. Treat unexpected attachments as higher risk when they arrive alongside urgency, secrecy, or an off-process request.

Watch for compressed files, such as .zip or .rar archives, used to hide payloads, as well as encrypted attachments, such as password-protected files, that evade automated inspection. Unusual file formats, such as .iqy, .iso, or other uncommon document types, should also raise concern, as should macro-enabled documents that prompt the user to "Enable Content."

If a sender deviates from normal behavior (for example, a vendor that always sends PDFs suddenly sends encrypted archives), that mismatch can be as important as the attachment itself.

9. Malicious Redirected Links

Redirect chains are a common BEC and phishing technique because the first visible domain can look legitimate while the final destination is malicious. These attacks frequently use open redirects or trusted platforms to obscure the true endpoint.

Common tactics include:

  • Trusted Redirect Abuse: Using reputable services as the first hop.

  • Multi-Hop Chains: Several redirects to hide the final destination.

  • Parameter-Based Redirects: URLs that use redirect parameters to disguise targets.

Even when a link looks familiar, security teams can reduce risk by inspecting the full redirect path and correlating it with sender behavior, recipient targeting, and conversation context.

10. QR Code Phishing Embedded in BEC Campaigns

QR-code phishing ("quishing") is a growing BEC-adjacent tactic because it sidesteps many email link inspection controls. Attackers embed a QR code in an email or attachment and rely on the recipient scanning it with a mobile device.

This is effective because the encoded destination may not be visible to standard URL scanners, often routes victims onto personal devices outside corporate web controls, and frequently uses redirect chains and "human verification" friction to evade automation.

Treat unexpected QR codes with the same level of suspicion you would an unsolicited login link, particularly when paired with urgency or a request to "re-authenticate."

11. AI-Generated Impersonation Content

Generative AI enables more polished, personalized BEC lures, reducing the usefulness of grammatical or spelling errors as detection cues. Instead, teams often get better results by focusing on behavioral alignment and request legitimacy.

Indicators that can appear in AI-assisted BEC include a polished but generic tone, in which grammatically clean writing lacks the sender's typical quirks. Another sign is accurate context with missing familiarity, such as correct project references but missing the shorthand, process detail, or interpersonal cues the real sender uses.

Campaign consistency is also worth monitoring when multiple employees receive similarly structured requests within a short timeframe.

Because the content can appear "professional," treat AI-generated content with suspicion and verify the sender's identity and authenticity.

12. Multi-Channel Social Engineering Across Collaboration Platforms

BEC increasingly spans email plus collaboration platforms, which can make the attack feel more credible and compress the response window. Attackers who compromise one identity often try to reinforce the story in Teams, Slack, or SMS to push targets past verification.

Common patterns include:

  • Following an email with a chat message that says, “Did you see my note? Need this processed now.”

  • Switching channels to avoid email scrutiny or banner cues.

  • Targeting executive assistants or finance approvers across multiple tools.

Coverage improves when your detection and response playbooks treat collaboration tools as part of the same social engineering surface as email.

13. Adversary-in-the-Middle Attacks That Bypass MFA

Adversary-in-the-middle (AiTM) phishing is a major enabler of BEC-driven account takeover because it can capture session cookies alongside credentials. In these campaigns, a proxy sits between the victim and the real login service, relaying authentication while harvesting the resulting session artifacts.

Once an attacker has a valid session, common post-compromise actions include:

  • Replaying Sessions: Using stolen session cookies to access cloud services.

  • Creating Inbox Rules: Hiding security alerts or vendor replies.

  • Sending Payment Requests: Targeting finance roles from a trusted mailbox.

  • Expanding Access: Attempting additional sign-ins using captured credentials.

Risk reduction typically includes phishing-resistant MFA for high-risk roles, strong conditional access policies, and detection focused on session anomalies and mailbox configuration changes.
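The account-takeover signals named in section 2 and in the post-compromise list above (new inbox rules that forward off-domain or delete mail, and "impossible travel" between sign-ins) can be checked over audit events. The Python below is an added example, not code from the original post or from Abnormal; the event records and their field names are constructed and simplified, not a vendor's schema.

```python
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed assumptions: the organisation's domain and the fastest plausible
# speed between two sign-ins (anything faster is treated as impossible travel).
OUR_DOMAIN = "example.com"
MAX_KMH = 900.0

def km_between(a, b):
    """Great-circle distance in kilometres between two (lat, lon) points."""
    la1, lo1, la2, lo2 = map(radians, (*a, *b))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def rule_alerts(events):
    """Flag new inbox rules that forward or redirect mail off-domain, or delete it."""
    alerts = []
    for e in events:
        if e["op"] != "New-InboxRule":
            continue
        p = e["params"]
        targets = p.get("ForwardTo", []) + p.get("RedirectTo", [])
        reasons = []
        if any(t.rpartition("@")[2].lower() != OUR_DOMAIN for t in targets):
            reasons.append("external-forward")
        if p.get("DeleteMessage"):
            reasons.append("delete")
        if reasons:
            alerts.append((e["user"], reasons))
    return alerts

def travel_alerts(events):
    """Flag consecutive sign-ins by one user whose implied speed exceeds MAX_KMH."""
    last, alerts = {}, []
    logins = sorted((e for e in events if e["op"] == "UserLoggedIn"), key=lambda e: e["ts"])
    for e in logins:
        t = datetime.fromisoformat(e["ts"])
        if e["user"] in last:
            prev_t, prev_geo = last[e["user"]]
            hours = (t - prev_t).total_seconds() / 3600
            km = km_between(prev_geo, e["geo"])
            if hours > 0 and km / hours > MAX_KMH:
                alerts.append((e["user"], round(km), round(hours, 2)))
        last[e["user"]] = (t, e["geo"])
    return alerts

# Constructed audit events: a CFO mailbox signs in from London, then "from" New
# York 85 minutes later, and a rule forwards invoices to free mail and hides them.
EVENTS = [
    {"op": "UserLoggedIn", "user": "cfo@example.com", "ts": "2026-03-02T08:05:00", "geo": (51.51, -0.13)},
    {"op": "UserLoggedIn", "user": "cfo@example.com", "ts": "2026-03-02T09:30:00", "geo": (40.71, -74.01)},
    {"op": "New-InboxRule", "user": "cfo@example.com",
     "params": {"ForwardTo": ["invoices.archive@gmail.com"], "DeleteMessage": True}},
    {"op": "New-InboxRule", "user": "ap.clerk@example.com", "params": {"MoveToFolder": "Vendors"}},
]
```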

Email Authentication as a First Line of Defense

Email authentication reduces exposure to domain spoofing and strengthens your overall BEC posture when deployed with enforcement. SPF, DKIM, and DMARC do not stop every BEC variant (for example, compromised internal accounts), but they can meaningfully reduce direct impersonation using your domains.

SPF, DKIM, and DMARC Implementation

  • SPF (Sender Policy Framework): Publish DNS TXT records listing authorized sending IP addresses so receiving servers can verify sender legitimacy.

  • DKIM (DomainKeys Identified Mail): Sign outbound messages with strong keys and rotate those keys regularly.

  • DMARC (Domain-based Message Authentication, Reporting and Conformance): Deploy in phases, starting with monitoring, moving to quarantine, and enforcing reject only after validating legitimate email flows.

Organizations that stop at monitoring policies gain visibility but limited enforcement. Attackers can still spoof domains if receiving systems do not reject or quarantine failing messages.
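To make the monitoring-versus-enforcement distinction concrete, the following Python (an added example, not code from the original post or from Abnormal) parses published DMARC and SPF TXT records and reports what each actually enforces. The records are constructed strings; no DNS lookup is performed, so in practice you would feed it the output of a TXT query for `_dmarc.<domain>` and `<domain>`.

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('v=DMARC1; p=none; rua=...') into its tags."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags

def assess_dmarc(record: str) -> dict:
    """Report what the record enforces, not merely that a record exists."""
    t = parse_dmarc(record)
    if t.get("v") != "DMARC1":
        return {"stage": "missing", "pct": 0, "findings": ["no valid DMARC record"]}
    policy = t.get("p", "none").lower()
    pct = int(t.get("pct", "100"))
    findings = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail receives the policy")
    if t.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("sp=none: subdomains remain spoofable")
    if "rua" not in t:
        findings.append("no rua: no aggregate reports, so legitimate flows cannot be validated")
    return {"stage": policy, "pct": pct, "findings": findings}

def assess_spf(record: str) -> list:
    """Flag SPF mechanisms that let any host pass or leave only a soft result."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["no valid SPF record"]
    findings = []
    tail = terms[-1].lower()
    if tail in ("+all", "all"):
        findings.append("+all: every host is an authorised sender")
    elif tail == "?all":
        findings.append("?all: neutral result, receivers cannot reject on SPF")
    elif tail == "~all":
        findings.append("~all: softfail only, rely on DMARC to enforce")
    if sum(1 for x in terms if x.lower().startswith("include:")) > 8:
        findings.append("many include: terms, check against the 10-DNS-lookup limit")
    return findings

# Constructed records: a monitoring-only deployment beside the enforced target state.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
```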

Building a BEC Detection Framework

A workable BEC detection framework assigns clear detection and verification responsibilities across roles. That clarity improves triage speed, reduces payment fraud risk, and supports audit readiness.

For CISOs

Your focus is on integrating BEC detection into a broader security strategy:

  • Establish Layered Defenses: Combine SPF, DKIM, and DMARC with behavioral analysis to detect suspicious communication patterns.

  • Define Response Protocols: Create clear escalation paths for suspected BEC, including out-of-band verification for sensitive financial requests.

  • Prioritize High-Risk Targets: Focus protections on finance, executives, and vendor relationships, and document verification requirements for payment changes.

For IT Security Managers

You put detection systems into daily operation:

  • Deploy Behavioral Detection: Use AI-powered email security to surface anomalies in sender behavior, recipient targeting, and request patterns.

  • Monitor for Compromise Signals: Track forwarding changes, inbox rule creation, sign-in anomalies, and unusual device or location access.

  • Automate Alerts: Trigger notifications for payment instruction changes, sensitive data requests, and off-process approval attempts.

For Compliance Officers

Your role ensures detection aligns with regulatory obligations and reporting needs:

  • Document Controls: Map BEC controls to SOX, HIPAA, and GDPR requirements.

  • Preserve Audit Trails: Ensure systems log detection events and verification steps to support audits.

  • Track Risk Metrics: Incorporate BEC indicators into risk assessments and reporting cycles.

For Security Engineers

You configure and tune detection systems at the technical layer:

  • Map to ATT&CK: Align monitoring to MITRE ATT&CK techniques such as Valid Accounts (T1078) and Email Forwarding Rule (T1114.003).

  • Establish Baselines: Define normal patterns for each user (timing, recipients, and typical actions) so deviations are detected quickly.

  • Correlate Signals: Feed authentication failures, mailbox rule changes, and login anomalies into centralized triage workflows.

When every function knows its role in detection, your organization builds layered, proactive defenses against BEC threats across people, processes, and platforms.

Employee Security Awareness Training for BEC Prevention

Training reduces BEC risk most effectively when it reinforces verification habits tied to real workflows. Generic phishing simulations help, but BEC-focused training is more effective when it mirrors the approval paths and communication channels employees use day-to-day.

Effective BEC training programs include:

  • Role-Specific Scenarios: Finance teams practice verifying payment changes; executive assistants rehearse validating leadership requests.

  • Realistic Simulations: Include BEC-style lures, and measure both interaction and reporting.

  • Out-of-Band Verification Drills: Confirm sensitive requests via a known channel rather than replying in-thread.

  • Continuous Delivery: Use short, ongoing refreshers based on observed attack patterns.

BEC Attacks Can Be Stopped with the Right Approach

BEC attacks use a wide range of tactics: impersonation, account takeover, thread hijacking, redirected links, QR codes, AI-generated content, and multi-channel social engineering. While the signals can be subtle, they are often detectable when you correlate identity, behavior, and process context.

A durable approach combines enforced email authentication, phishing-resistant MFA for high-risk roles, behavioral detection, and consistent verification training.

Modern threats demand modern defenses. Abnormal's AI-native platform analyzes behavior, detects anomalies, and flags subtle signs of social engineering across email and collaboration tools, adapting as threats evolve.

Want to see how it works? Book a demo and explore how Abnormal protects your inbox from even the most sophisticated BEC attacks.
