What to Do After Receiving a Business Email Compromise Attack

Knowing what to do after receiving a business email compromise attack is essential for preventing costly consequences. Learn how to respond to BEC attacks.
March 24, 2023

Year after year, business email compromise (BEC) remains one of the most financially devastating cybercrimes. According to the latest FBI Internet Crime Report, BEC attacks were responsible for $2.7 billion in total losses in 2022. And the average amount lost per incident was just over $125,600—a 300% increase since 2015.

In these targeted and personalized attacks, threat actors impersonate an executive, colleague, or vendor, gain the target’s trust, and then convince them to pay fake invoices, send a wire transfer, or provide access to sensitive data.

Knowing what to do after receiving a business email compromise attack is essential for preventing costly consequences. Read on to discover why these attacks are successful and learn steps employees should take if a BEC attack lands in their inbox.

Why Business Email Compromise Works

The average employee receives upwards of 120 work emails every day. And while the shift to remote work over the past three years has been shown to support increased productivity, it has also blurred the line between an employee’s personal and professional life. Add in the fact that multitasking is the expectation in most organizations, and the result is employees constantly shifting not just between different work assignments but also between work and personal tasks, as well as between work and personal devices.

All of these factors combined create abundant opportunities for threat actors to slip into inboxes undetected.

Additionally, BEC attacks are not launched haphazardly. Unlike spam and basic phishing campaigns in which attackers send out millions of emails without much consideration for individualization, business email compromise is successful because it relies on the exact opposite approach.

Threat actors are deliberate with their target selection and they do their research, leveraging information on social media networks, press releases, and industry publications to determine the best angle of attack. They also utilize legitimate sales and marketing tools to personalize communications and apply social engineering tactics to exploit our natural tendency to be helpful and assume positive intent.

Finally, attackers generally impersonate individuals who either have an established partnership with the target or hold a position of authority, allowing them to capitalize on the implicit trust of the relationship.

Real-World Example of a Convincing BEC Attack

In addition to utilizing impersonation and social engineering, two other hallmarks of business email compromise attacks are a conversational tone and limited use of attachments or links. These attributes enable threat actors to bypass legacy email security solutions and convince employees to engage.

For example, in the attack below, the actor impersonated an organization's CEO and emailed an employee a request to process a wire transfer.

[Image: Business Email Compromise Response Example Attack 1]

The initial email was short, got straight to the point, and included the text “Sent from my iPhone” to make it appear as if the CEO was writing from his mobile device. The attacker also spoofed the CEO’s email address and used a reply-to address that was hosted on a different domain but whose username matched the one in the CEO’s real email address.

Had the recipient responded to this initial message, the attacker would have sent a follow-up email that included the details of the payment request.

[Image: Business Email Compromise Response Example Attack 2]

As with the first email, the second message was short and direct and contained the same “Sent from my iPhone” signature. To improve deliverability, the attacker also included the wiring instructions within the body of the email rather than sending them as an attachment.

Because the sender’s email address had been spoofed to impersonate the company’s CEO, there’s a high likelihood that the recipient would instinctively comply since the message appears to come from a person of authority. In addition, because the username of the reply-to email address matches the expected username of the impersonated CEO’s actual email address, an employee may not recognize the difference and may trust that the message was sent from an authentic source.
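The reply-to mismatch described above can be checked mechanically from the message headers. The following is an added example, not code from the original post or from Abnormal; the function names, addresses, and domains are constructed placeholders.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample message; all addresses and domains are placeholders.
SAMPLE = """\
From: "Pat Doe" <pat.doe@example.com>
Reply-To: pat.doe@mail-example.net
To: finance@example.com
Subject: Quick request

Are you at your desk? I need a wire processed today.

Sent from my iPhone
"""

def split_addr(addr):
    """Return (local_part, domain), lowercased; ("", "") if there is no '@'."""
    if "@" not in addr:
        return "", ""
    local, _, domain = addr.rpartition("@")
    return local.lower(), domain.lower()

def reply_to_findings(raw_message):
    """Compare Reply-To with From and return a list of finding strings."""
    msg = message_from_string(raw_message)
    from_addrs = getaddresses(msg.get_all("From", []))
    reply_addrs = getaddresses(msg.get_all("Reply-To", []))
    if not from_addrs or not reply_addrs:
        return []  # no Reply-To header: replies go back to the From address
    from_local, from_domain = split_addr(from_addrs[0][1])
    findings = []
    for _, addr in reply_addrs:
        local, domain = split_addr(addr)
        if not domain or not from_domain or domain == from_domain:
            continue
        findings.append(f"reply-to domain {domain} differs from sender domain {from_domain}")
        # Same username on another domain is the pattern seen in this attack.
        if local == from_local:
            findings.append(f"reply-to reuses sender username '{local}' on another domain")
    return findings

if __name__ == "__main__":
    for finding in reply_to_findings(SAMPLE):
        print(finding)
```

A differing reply-to domain alone is common in legitimate mail such as mailing lists and ticketing systems, so the reused username is the stronger signal and is best treated as a reason to verify the request through known-good contact information.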

Had the targeted employee fulfilled the attacker’s request, the company would have seen a direct financial loss of more than $34,000.

An Effective Business Email Compromise Response

Every organization, regardless of size or industry, can (and statistically will) be targeted by BEC attacks. This is why it’s essential for each of your employees to know what to do after receiving a business email compromise attack.

Below are the three steps employees should be taught to take if they receive a suspicious email that they’re worried might be a BEC attack.

1. Stop

Do not process the request that you received. Even if everything appears legitimate at first, remember that modern threat actors have become extremely adept at crafting convincing emails. Additionally, even if a message has the expected sender address (i.e., it contains no misspellings or character substitutions), you should still verify the request via an alternate method as the account may have been compromised.

2. Call and Confirm

Consider the email a crime scene—i.e., don’t engage with it further. This means don’t click on any links in the body, reply to the message, or call any phone number listed in the email. Instead, reach out to the “sender” using known-good contact information. Verify that the real vendor, colleague, or executive did, in fact, send you the message and confirm the details of the request.

3. Report

If the request is fraudulent, immediately report the message in accordance with your company’s security policy. Do not just delete the email. Opting to simply delete the email without reporting it can be almost as damaging as engaging since it eliminates the opportunity for the security team to warn other employees about the attack and allows the attacker to move on to another target in the organization.

Detecting and Blocking BEC Attacks

Educating employees on signs of a possible business email compromise attack and having robust verification processes in place can certainly help reduce your organization’s risk.

However, when you consider that the median open rate for business email compromise attacks is nearly 28%, one thing becomes clear: the most effective way to prevent business email compromise is to invest in a behavioral AI-based email security solution that blocks BEC attacks before they can even reach employee inboxes.
