What to Do After Receiving a Business Email Compromise Attack

Knowing what to do after receiving a business email compromise attack is essential for preventing costly consequences. Learn how to respond to BEC attacks.
March 24, 2023

Year after year, business email compromise (BEC) remains one of the most financially devastating cybercrimes. According to the latest FBI Internet Crime Report, BEC attacks were responsible for $2.7 billion in total losses in 2022. And the average amount lost per incident was just over $125,600—a 300% increase since 2015.

In these targeted and personalized attacks, threat actors impersonate an executive, colleague, or vendor, gain the target’s trust, and then convince them to pay fake invoices, send a wire transfer, or provide access to sensitive data.

Knowing what to do after receiving a business email compromise attack is essential for preventing costly consequences. Read on to discover why these attacks are successful and learn steps employees should take if a BEC attack lands in their inbox.

Why Business Email Compromise Works

The average employee receives upwards of 120 work emails every day. And while it’s been shown to support increased productivity, the shift to remote work over the past three years has also blurred the line between an employee’s personal and professional life. Add in the fact that multitasking is the expectation in most organizations, and the result is employees constantly shifting between not just different work assignments but between work and personal tasks as well as work and personal devices.

All of these factors combined create abundant opportunities for threat actors to slip into inboxes undetected.

Additionally, BEC attacks are not launched haphazardly. Unlike spam and basic phishing campaigns in which attackers send out millions of emails without much consideration for individualization, business email compromise is successful because it relies on the exact opposite approach.

Threat actors are deliberate with their target selection and they do their research, leveraging information on social media networks, press releases, and industry publications to determine the best angle of attack. They also utilize legitimate sales and marketing tools to personalize communications and apply social engineering tactics to exploit our natural tendency to be helpful and assume positive intent.

Finally, attackers generally impersonate individuals with whom the target either has an established partnership or is someone in a position of authority, allowing them to capitalize on the implicit trust of the relationship.

Real-World Example of a Convincing BEC Attack

In addition to utilizing impersonation and social engineering, two other hallmarks of business email compromise attacks are a conversational tone and limited use of attachments or links. These attributes enable threat actors to bypass legacy email security solutions and convince employees to engage.

For example, in the attack below, the actor impersonated an organization's CEO and emailed an employee a request to process a wire transfer.

Business Email Compromise Response Example Attack 1

The initial email was short, got straight to the point, and included the text “Sent from my iPhone” to make it appear as if the CEO was writing from his mobile device. The attacker also spoofed the CEO’s email address and used a reply-to address that was hosted on a different domain but had a username that matched the CEO’s in their real email address.

Had the recipient responded to this initial message, the attacker would have sent a follow-up email that included the details of the payment request.

Business Email Compromise Response Example Attack 2

As with the first email, the second message was short and direct and contained the same “Sent from my iPhone” signature. The attacker also included the wiring instructions within the body of the email as opposed to sending it as an attachment to improve deliverability.

Because the sender’s email address had been spoofed to impersonate the company’s CEO, there’s a high likelihood that the recipient would instinctively comply since the message appears to come from a person of authority. In addition, because the username of the reply-to email address matches the expected username of the impersonated CEO’s actual email address, an employee may not recognize the difference and trust that the message was sent from an authentic source.

Had the targeted employee fulfilled the attacker’s request, the company would have seen a direct financial loss of more than $34,000.

An Effective Business Email Compromise Response

Every organization, regardless of size or industry, can (and statistically will) be targeted by BEC attacks. This is why it’s essential for each of your employees to know what to do after receiving a business email compromise attack.

Below are the three steps employees should be taught to take if they receive a suspicious email that they’re worried might be a BEC attack.

1. Stop

Do not process the request that you received. Even if everything appears legitimate at first, remember that modern threat actors have become extremely adept at crafting convincing emails. Additionally, even if a message has the expected sender address (i.e., it contains no misspellings or character substitutions), you should still verify the request via an alternate method as the account may have been compromised.

2. Call and Confirm

Consider the email a crime scene—i.e., don’t engage with it further. This means don’t click on any links in the body, reply to the message, or call any phone number listed in the email. Instead, reach out to the “sender” using known-good contact information. Verify that the real vendor, colleague, or executive did, in fact, send you the message and confirm the details of the request.

3. Report

If the request is fraudulent, immediately report the message in accordance with your company’s security policy. Do not just delete the email. Opting to simply delete the email without reporting it can be almost as damaging as engaging since it eliminates the opportunity for the security team to warn other employees about the attack and allows the attacker to move on to another target in the organization.

Detecting and Blocking BEC Attacks

Educating employees on signs of a possible business email compromise attack and having robust verification processes in place can certainly help reduce your organization’s risk.

However, when you consider that the median open rate for business email compromise attacks is nearly 28%, one thing becomes clear: the most effective way to prevent business email compromise is to invest in a behavioral AI-based email security solution that blocks BEC attacks before they can even reach employee inboxes.

For more insight into BEC attacks, download our white paper, CISO Guide to Business Email Compromise.

Download the White Paper

Or, to see for yourself how Abnormal’s fundamentally different approach to email security protects your organization from business email compromise, schedule a demo today.

Schedule a Demo
What to Do After Receiving a Business Email Compromise Attack

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B Mr Wonderful Talks AI
Explore the future of AI and cybersecurity and learn why prioritizing security investments is crucial with Kevin O’Leary of Shark Tank fame.
Read More
B 1500x1500 MKT468a Open Graph Images for Phishing Subjects Blog
Discover the most engaging phishing email subjects, according to Abnormal data, and how to protect your organization from these scams.
Read More
B Threat Report BEC VEC Blog
Our H1 2024 Email Threat Report revealed significant year-over-year increases in both business email compromise and vendor email compromise. Learn more.
Read More
B 2 7 24 Product Update
Abnormal product enhancements improve detection efficacy, reporting on QR code attacks, productivity, and protection from account takeover.
Read More
B 1500x1500 Quishing Stats Blog 02 05 24
Today we released our H1 2024 Email Threat Report, which examines the threat landscape and dives into the latest evolution in phishing: QR code attacks.
Read More
B 1 30 23 Microsoft ATO
A recent nation-state actor attack by the Russian-backed threat group Midnight Blizzard infiltrated Microsoft. Discover how Abnormal can protect you from account takeovers in real time.
Read More