Cybercriminals Exploit B2B Lead Generation Tools for Business Email Compromise Attacks

Discover how cybercriminals obtain corporate data from brokers like ZoomInfo and Apollo to enable targeted business email compromise (BEC) attacks.
June 5, 2024

Business email compromise (BEC) represents one of the most insidious and costly cyber threats facing organizations today—with losses reaching $2.7 billion last year alone. Unlike many attacks involving malware or technical exploits, BEC is a fundamentally human-centered form of fraud perpetrated through careful social engineering and deception.

At a high level, BEC attacks typically involve a threat actor impersonating an executive, vendor, or other trusted entity to trick an employee into wiring funds, paying a fake invoice, or divulging sensitive data. While simple on the surface, these attacks often involve sophisticated levels of planning and preparation by criminal actors.

There are numerous different BEC "scenarios" or lures attackers may attempt. Some of the most common include:

| Attack Type | Example Scenario |
| --- | --- |
| Executive Impersonation | An employee receives an urgent email appearing to be from the CEO requesting they purchase $5,000 in gift cards for client gifts and send the card numbers and PINs back discreetly. |
| Vendor Email Compromise | Finance staff receive an email from a company vendor they regularly pay, with instructions to wire a $25,000 payment for services to a fraudulent bank account provided. |
| Attorney Impersonation | A homebuyer receives instructions appearing to be from the title company to wire closing costs of $80,000 to an account controlled by the attacker. |
| Data Entry Request | An HR employee receives a request appearing to be from a manager asking for the employee’s latest PII data, which is then used for identity theft by the attacker. |
| Payroll Diversion | An employee receives an email pretending to be from the payroll department requesting they update their direct deposit information to redirect their paycheck to the attacker's account. |

While the lures vary, a common thread across BEC campaigns is attackers' heavy use of corporate data and business intelligence to make their phishing attempts as convincing and targeted as possible.

There are multiple online data broker services like ZoomInfo, Apollo, and others that sell comprehensive dossiers on companies, employees, organizational charts, relevant contact details, and other vital business information. These vendors market their products as sales intelligence and lead generation tools for legitimate businesses—which is indeed how most clients use the data.

However, a shady sub-economy exists where cybercriminals purchase credentials providing access to these same troves of corporate data. Rather than sign up for paid subscription plans that could expose their real identities, attackers instead buy stolen logins to, or data credits from, paid subscription accounts on cybercrime forums and marketplaces.


A cybercriminal looking to purchase a ZoomInfo account for $300+


A cybercriminal looking to sell a ZoomInfo account for $2000+


A cybercriminal looking to purchase B2B lead generation platform accounts

With access to a data broker platform, BEC attackers can pinpoint prime targets by filtering datasets based on criteria like:

  • Industry and Company Size

  • Specific Roles/Job Titles

  • Geographic Location

  • Revenue and Financial Metrics

  • Organizational Charts and Reporting Structure

They can then cross-reference this valuable corporate data against open sources like company websites, LinkedIn, press releases, and more.


A cybercriminal recommending B2B lead generation platforms for BEC attacks

It’s important to note that cybercriminals primarily utilize business-to-business (B2B) lead generation platforms in two main ways for BEC attacks:

1. Mass Business Email Compromise

One approach is to use the filtered contact data from these broker platforms to build lists of potential victims matching certain criteria like roles, industries, locations, etc. The attackers then launch widespread email blasts spoofing real executives or vendors. These bulk emails sometimes use mail-merge tactics to insert personal details like first names pulled from the data broker's intelligence.

While they reach a large number of inboxes, these mass campaigns tend to lack the tailored, contextual elements that make individualized lures seem highly credible. However, they allow attackers to maximize their potential victim pool, and the small amount of personalization can still be enough to make the target react accordingly.

2. Personalized Business Email Compromise

The other common tactic is for cybercriminals to carefully research and profile specific high-value targets in order to construct extremely personalized social engineering lures. They mine the data broker platforms for insights into an organization's hierarchies, reporting structures, key personnel details, and any other available context.

With this level of organizational knowledge, BEC actors can then impersonate a company's real executives with a high degree of accuracy. They can spoof an executive's genuine email address with a request that references precise details like job titles, working relationships, and more—making the lure seem legitimately urgent.

As an example, an attacker may identify a promising target company, use data broker intelligence to map out the executive team and reporting lines, then spoof the CEO's email with an urgent wire transfer request referring to the victim's role, manager, and other particulars that make it convincing. The added personalization here makes it much more likely that the target will respond as the attacker intends, ultimately wiring the requested money to a bank account owned by the threat actor.
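A defender-side view of the lure just described, added here as an example and not taken from Abnormal's product: a Python check that flags a message whose From line carries an executive's name or the organization's own domain but fails the sender checks, and that also asks for a payment. The domain, executive directory, keyword list, signal names and sample messages are constructed assumptions.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
# Assumptions (hypothetical values): protected domain and executive directory.
ORG_DOMAIN = "example.com"
EXECUTIVES = {"dana reyes": "dana.reyes@example.com"}
PAYMENT_TERMS = ("wire", "gift card", "invoice", "direct deposit", "bank account")

def dmarc_result(msg):
    """Return the dmarc= verdict stamped by the receiving server, or 'none'."""
    stamped = " ".join(str(h) for h in msg.get_all("Authentication-Results", []))
    found = re.search(r"\bdmarc=(\w+)", stamped.lower())
    return found.group(1) if found else "none"

def bec_signals(raw):
    """List the impersonation indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    name, addr = (s.strip().lower() for s in parseaddr(str(msg["From"])))
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    signals = []
    # An executive's display name on an address that is not the executive's own.
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        signals.append("exec_name_foreign_address")
    # Our own domain in From, but the message did not pass DMARC.
    if addr.endswith("@" + ORG_DOMAIN) and dmarc_result(msg) != "pass":
        signals.append("own_domain_failed_dmarc")
    # Replies would go to a different domain than the visible sender.
    if reply_to and reply_to.split("@")[-1] != addr.split("@")[-1]:
        signals.append("reply_to_domain_mismatch")
    body = msg.get_body(preferencelist=("plain",))
    text = f"{msg['Subject']} {body.get_content() if body is not None else ''}".lower()
    if any(term in text for term in PAYMENT_TERMS):
        signals.append("payment_request_language")
    return signals

# Constructed sample messages (not real traffic).
SPOOFED = """From: Dana Reyes <dana.reyes@example.com>
Reply-To: dana.reyes@example-mail.test
Subject: Urgent wire transfer today
Authentication-Results: mx.example.com; spf=fail; dmarc=fail header.from=example.com

Sam, as AP manager please send the payment before noon."""
LOOKALIKE = """From: Dana Reyes <dana.reyes@examp1e.test>
Subject: Quick favor
Authentication-Results: mx.example.com; spf=pass; dmarc=pass header.from=examp1e.test

Please buy a gift card for a client and reply with the code."""
if __name__ == "__main__":
    print([bec_signals(m) for m in (SPOOFED, LOOKALIKE)])
```

No single signal is proof of fraud; the combination of an identity signal with payment language is what makes a message worth holding for out-of-band verification.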

Shut Down Personalized BEC Threats With Abnormal Security

BEC attacks have drained more than $43 billion from organizations in the last decade, partially fueled by cybercriminals gaining illicit access to corporate data broker platforms. Abnormal Security stops these attacks, detecting BEC lures no matter how personalized they are—even if they use comprehensive company intelligence from brokers like ZoomInfo and Apollo.

By understanding known behavior across all identities in an organization, Abnormal can detect subtle anomalies in email content and tone associated with invoice fraud, executive impersonation, and other BEC tactics. The AI-native platform utilizes behavioral data to understand known behavior, communications, and processes for every identity and then uses computer vision and natural language processing to identify anomalous activity—before it reaches employee inboxes.

Take action against BEC attacks enabled by data brokers by scheduling a demo with Abnormal today.
