The State of Business Email Compromise Q1 2020: Attacks Shift From the C-Suite to Finance

June 17, 2020

Abnormal Security

Ken Liao

Every day, we track and prevent email security threats for our users, which gives us enormous insight into where and how attackers attempt to infiltrate a business through email.

Our main interest is in, of course, business email compromise (BEC) because it’s the costliest and most sophisticated type of email attack that bypasses traditional security email gateways. These insights are powerful. They help us better understand when, where and how attacks happen and allow us to track trends in attack campaigns that we can link to external events – such was the case in Q1 2020 and the COVID-19 pandemic.

Each quarter, we plan to share these insights through the Abnormal Security Quarterly BEC Reports. Today, we launched this initiative with our Q1 2020 report. In it, we identify some of the BEC trends we’ve seen, including size of campaigns, changing targets, new approaches to fraud and more. In reporting on email attack trends in Q1 2020, we’d be remiss if we didn’t include data on COVID-19-themed attacks. By far, the threat vectors associated with the pandemic are among the most sinister in intent compared to any other external events we’ve tracked: attackers attempted to take advantage of unprecedented fear and uncertainty. This can provide lessons for future attack triggers that will help security organizations improve their defenses.

The Q1 2020 report key findings:

1. A Shift from Individual to Group BEC Attacks

On the surface, this might seem like a less sophisticated approach; however, by targeting a group within an organization, the attacker increases the likelihood of a response from one individual, creating legitimacy across the other targets.

2. C-Suite Attacks Decline; Finance Employees are the New #1 Target

We typically see BEC attacks that target the C-Suite; however, our research found that these attack targets decreased between Q1 2020 and Q4 2019, while attacks on finance employees increased in the same period.

3. From Paycheck to Payment Fraud

Paycheck fraud occurs when an attacker attempts to change direct deposit account information for an existing employee. Payment fraud is when an attacker poses as an employee and attempts to redirect a payment to an unknown vendor. We’ve seen the latter increase considerably in the past year.

4. COVID-19 Threat Impact

From offers of vaccines, equipment and treatments to stimulus payment spoofs, attackers worked diligently to expose every collective weakness during the global pandemic upheaval, with COVID attack campaigns increasing 436% between the second and third weeks of March, and a 173% increase through the course of Q1.


At Abnormal Security, we continue to track trends in BEC in order to thwart attacks before they cause damage to an organization. We hope our insights will help inform your BEC security measures. Should you wish to learn more about how Abnormal can help prevent the attacks we outline in our report, please reach out for a demo. The full Abnormal Security Quarterly BEC Report for Q12020 is available today for free download. Click here to get your copy.

Subscribe to receive twice-monthly updates of the latest attacks we've detected in the wild:

Related content

Like our article? Share our content