Business Email Compromise (BEC)

Trusted by more than 3,000 customers—including 25% of the Fortune 500

Business email compromise is one of the most financially devastating cybercrimes, causing more than $2.77 billion in losses in 2024 alone. Leveraging social engineering and text-based emails with no traditional indicators of compromise, cybercriminals evade legacy email security solutions and manipulate targets into divulging sensitive information or completing fraudulent financial requests.

Business Email Compromise by the Numbers

$2.77B

Total losses attributable to BEC in 2024

Source: 2024 FBI IC3 Report

Source: Verizon DBIR

400+

BEC attacks Abnormal stops per year for each customer

Source: Abnormal Data

Source: Verizon DBIR

54%

Increase in BEC attacks between 2023 and 2024

Source: Abnormal Data

Source: Verizon DBIR

THE IMPACT OF AI

AI technologies offer threat actors the perfect bar for mixing malicious cocktails that are targeted, unique, and generated at scale—think spear phishing and business email compromise attacks on steroids.”

—Osterman Research

Download the Report

Anatomy of a BEC Attack

Real-World Example of Business Email Compromise

How BEC Works

A standard BEC attack has two common traits:

Attackers impersonate a trusted identity like an executive or vendor, either by compromising their account or creating a convincing lookalike.
They use urgency to make an innocuous request: paying an invoice, logging into an account, downloading a file, or sharing data.

What BEC Looks Like

In this example, an attacker compromises a trusted vendor’s legitimate email account. They use the account to request all future invoices be paid to a different bank account, attaching a branded PDF with updated financial information. At first glance, the email comes from a legitimate sender, and it doesn’t have any malware or suspicious links. It can bypass a traditional email security solution and trick an unsuspecting recipient.

Source: BEC Attack Requests New Payment Methods for Outstanding Invoices in Attempted Payment Fraud

See More Examples of Real BEC Attacks

Generative AI Makes BEC More Effective and Scalable

91% of security professionals reported experiencing AI-enabled cyberattacks in the past six months.

Generative AI enables scammers to craft unique email content quickly, making detection difficult for traditional security software.

AI simplifies the creation of sophisticated social engineering threats, empowering even novice cybercriminals to up-level their attacks.

Malicious AI tools are designed specifically for criminal activities, enabling attackers to convincingly compose deceptive content.

How to Defend Against Business Email Compromise

Support a Culture of Healthy Skepticism

Because attackers have an untold number of strategies for deceiving your workforce, employees should be encouraged to approach some requests with a reasonable level of suspicion.
They should also feel comfortable pursuing external verification via means other than email. Foster an environment where the unofficial cybersecurity motto is “Better safe than sorry.”

Source: Verizon DBIR

Perform Social Engineering Penetration Testing

Assess workforce susceptibility to common social engineering attacks by sending emails that leverage the same tactics real-world attackers use and observe whether employees engage.
Evaluate the effectiveness of your security awareness training, compliance with security policies and protocols, and the strength of your company's network security controls.

Source: Verizon DBIR

Implement the Right Technology

The most effective way to protect your workforce is to invest in modern technology that proactively blocks attacks.
Unlike a SEG, an API-based security solution uses AI-native detection engines to ingest, analyze, and cross-correlate behavioral signals to spot anomalies in email patterns that indicate a potential attack. It then remediates malicious emails in milliseconds to prevent end-user engagement.

Source: Verizon DBIR