7 Types of Business Email Compromise Attacks Targeting Your Organization

Catalin Cosoi

April 17, 2025

Impersonation fraud has been around for millennia. Think of a long-lost “cousin” who arrives on the scene to claim a large inheritance, or a traveling salesman with dubious medical credentials who convinces victims to buy his miracle cures. But email, social media and, most recently, artificial intelligence (AI) have made it easier than ever for anyone to masquerade as someone with authority. Deepfakes have upped the ante considerably, allowing malicious actors to mimic a person’s image, voice and personality through digital media. According to the FBI’s Internet Crime Complaint Center, exposed losses from business email compromise (BEC) reported between October 2013 and December 2023 exceeded $55 billion. And the risk is only getting bigger. 

What are the Primary Types of Business Email Compromise Attacks? 

Today’s business email compromise attacks use a variety of impersonation techniques to trick employees into taking urgent action: paying a fraudulent invoice, granting unauthorized access to proprietary information, or even purchasing gift cards or equipment for a third party. 

Understanding how these attacks are perpetrated and who is being targeted can help your organization educate employees and stop BEC threats before someone commits what could be a very expensive mistake. 

Let’s walk through the seven types of business email compromise attacks. 

  1. CEO Fraud

One of the most common business email compromise attacks is when a malicious actor impersonates the CEO, CFO or another senior executive, either through a spoofed sender (a forged display name or a lookalike domain) or through a genuinely compromised executive mailbox. The imposter typically asks an employee in the HR department to provide sensitive information or instructs someone in finance to initiate a seemingly genuine wire transfer. This is effective because it leverages established hierarchies and people’s respect for authority.  
 
The threat actor, posing as the CEO in this case, usually also asks the target to keep the request confidential. This buys the perpetrator time before the ruse is discovered, which increases the odds that the wire transfer can no longer be recalled and your organization’s money is gone for good. 

  2. Account Compromise

Attackers can also use an email account they have already taken over to launch further business email compromise attacks against other, unsuspecting users – for example, a payment request sent from one accountant’s mailbox to a colleague. Because the message comes from a real, authenticated account, it passes the sender checks that catch spoofing (SPF, DKIM and DMARC) and arrives looking entirely legitimate. The same channel can be used to spread malware, ransomware and other malicious content. 

  3. Vendor Impersonation

Attackers often impersonate a supplier or partner your organization works with and send fake invoices that look real and may contain privileged information that only you and your vendor would know. The request is often not new and not suspicious; it may be a regular ask on an established schedule, which makes it extremely difficult to detect and stop. It could be the same amount you always pay, but this time they ask that it go to a new bank account, one that is secretly controlled by cybercriminals. A secondary communication channel (a phone call or a messaging app, for example) or a pre-agreed passcode lets you confirm a request when something smells fishy, but many users rely solely on email to conduct business with a vendor or partner. If in doubt, pick up the phone and call your contact using a number you already have on file, never one supplied in the suspicious email.  

  4. Attorney Impersonation

Attackers who impersonate attorneys take advantage of people’s innate fear of legal repercussions. Seriously, when was the last time a lawyer contacted you out of the blue with good news? The impersonator’s request for confidentiality helps as well, because it often prevents the target from discussing the communication with anyone else, including fellow employees who might recognize that the scenario is unusual. People tend to jump when someone claiming to be a lawyer makes a request. 

  5. Payroll Diversion

Business email compromise can also hijack your paycheck. In a payroll diversion attack, the criminal spoofs or compromises an employee’s email account and sends a formal request to the HR or payroll department to change the employee’s direct deposit details. The new account belongs to the scammers, and by the time the employee notices the missing paycheck, the money is likely long gone. Imagine how profitable this type of attack is at scale.  

  6. Data Theft

Money isn’t the only goal of business email compromise attacks. Impersonators also request sensitive data that they can use to open fraudulent credit cards and bank accounts or run other identity scams. Human resources employees are a particularly enticing target, because they have a treasure trove of employees’ personal information at their fingertips – from banking details to home addresses to Social Security numbers. 

  7. Gift Card Scam

One of the lowest forms of business email compromise is the gift card scam. Someone pretending to be the CEO or another high-ranking executive sends an employee a request to purchase gift cards for a customer giveaway, rebate program or other contest. “Just submit an expense report, and we’ll pay you back,” the message says. But by the time the expense goes through the appropriate channels and is flagged for review, the gift cards have been redeemed and the money is gone for good. These attackers count on people not being able to say “no” to the boss, and it works. 
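Several of the red flags that recur across the seven types above (an executive’s display name on the wrong address, a lookalike domain, a Reply-To that redirects the conversation, an executive writing from a free-mail account, and the combination of urgency, secrecy and a payment request) can be checked automatically before a message reaches an inbox. The script below is an added example, not code from the original post or from Bitdefender; the organization domain `example.com`, the executive directory, the keyword lists and the sample messages are all constructed for illustration.

```python
"""Heuristic triage for the BEC impersonation patterns described above.

Added example; not Bitdefender code. ORG_DOMAIN, EXECUTIVES, the keyword
lists and the sample messages are constructed assumptions for illustration.
"""
from __future__ import annotations

import email
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumed organisation domain
# Assumed executive directory: lower-cased display name -> legitimate address
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",
    "john smith": "john.smith@example.com",
}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
# Lure language that recurs across CEO fraud, gift card, vendor and payroll scams
LURES = {
    "urgency": re.compile(r"\b(urgent|asap|immediately|right away|today)\b", re.I),
    "secrecy": re.compile(r"\b(confidential|keep this between us|don'?t tell anyone|do not discuss)\b", re.I),
    "payment": re.compile(r"\b(wire transfer|wire|gift cards?|direct deposit|bank details|new account|invoice)\b", re.I),
}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small distances to ORG_DOMAIN mean a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str) -> bool:
    """True if the domain imitates ORG_DOMAIN without being it or a subdomain of it."""
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return False
    org_name = ORG_DOMAIN.split(".")[0]
    return edit_distance(domain, ORG_DOMAIN) <= 2 or org_name in domain


def triage(raw: str) -> list[str]:
    """Return a list of human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings: list[str] = []

    name, addr = parseaddr(str(msg.get("From", "")))
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    key = name.strip().lower()

    # 1. Executive display name, but not the executive's real address (CEO fraud)
    if key in EXECUTIVES and addr != EXECUTIVES[key]:
        findings.append(f"display-name impersonation of {name} from {addr}")
    # 2. Lookalike sender domain (vendor and executive impersonation)
    if lookalike(domain):
        findings.append(f"lookalike domain {domain}")
    # 3. Executive apparently writing from a personal free-mail account
    if key in EXECUTIVES and domain in FREE_MAIL:
        findings.append(f"executive writing from free-mail domain {domain}")
    # 4. Reply-To steers the conversation to an address the victim never saw
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and reply.lower() != addr:
        findings.append(f"reply-to mismatch: {reply}")
    # 5. Two or more lure themes together (urgency + secrecy + payment)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    hits = [theme for theme, rx in LURES.items() if rx.search(text)]
    if len(hits) >= 2:
        findings.append("lure language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real traffic)
CEO_FRAUD = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.ceo@gmail.com
To: finance@example.com
Subject: Urgent wire transfer

Please process a wire transfer of 48,500 USD to the account below today.
Keep this confidential until I get back from the board meeting.
"""

PAYROLL = """\
From: John Smith <johnsmith.work@gmail.com>
To: hr@example.com
Subject: Direct deposit update

Can you update my direct deposit to my new account before payroll runs today?
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q2 board deck

Attached is the deck for Thursday. Thanks.
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", CEO_FRAUD), ("payroll", PAYROLL), ("legit", LEGIT)):
        print(label, "->", triage(sample) or ["no findings"])
```

Note what this does not catch: a genuinely compromised account (type 2 above) passes every sender check here, and only the lure-language rule has any chance of firing. That is exactly why the out-of-band verification described under vendor impersonation, using contact details already on file, remains the control that matters for payment and bank-detail changes.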

Learn How to Detect and Stop BEC Attacks 

Technology is making it easier than ever to impersonate people, especially an authority figure like the CEO or a direct manager. Employees are likely to take such a request at face value rather than risk disappointing the boss. This is why it’s crucial to share this type of information with colleagues. 

Learn more about how you can protect your organization from these business email compromise attacks by watching the Bitdefender webinar Hit from All Sides: Cyber Fraud Targeting Organizations.  And stay up to date on today’s cyber threats by subscribing to the new Bitdefender podcast, CYBERCRIME: From the Front Line. 

Author


Catalin Cosoi

As Bitdefender's Chief Security Strategist, Alexandru Catalin Cosoi wears many hats, from energizing and publicizing the company's technological progress from within the CTO Office to leading the cyber-intelligence team tasked with helping local and international law enforcement agencies fight cybercrime. Alexandru is also a member of the Internet Security Advisory Group at Europol and Bitdefender’s liaison with Interpol, and he is in direct contact with 60 CERTs worldwide. Alexandru specializes in pattern extraction and recognition technologies, with an accent on neural networks and machine learning. His technical achievements have so far materialized in six granted patents and a series of classification technologies being implemented in Bitdefender software. Alexandru has a bachelor’s degree in bioengineering and machine learning and a PhD in natural language processing. Throughout the past decade, Alexandru has been delivering talks and trainings at numerous international events, evangelizing the threat landscape of the cybersecurity industry, dissecting attacks and training people to use different technologies.
