GF 02 720x478 2x

Stop Business Email Compromise

Keep costly and convincing BEC attacks from landing in user inboxes.



reported lost to business email compromise

Source: FBI Internet Crime Report, 2021


of all socially-engineered attacks impersonate individuals

Source: Abnormal Security, 2021


increase in impersonated internal automated systems

Source: Abnormal Security, 2021

Recognizing Business Email Compromise

In this type of socially engineered scam, an attacker sends an email that impersonates a trusted source — a vendor or company CEO, for example — to trick employees into sharing sensitive information, sending money, or installing malware. In these attacks, the threat actor:


Conducts research on the target, their responsibilities, and the overall organization.


Sends a targeted email, often impersonating a known and trusted individual.


Engages with the victim with an increasing sense of urgency.


Convinces victim to send funds, provide access to information, or submit credentials.

suspicious email with urgent request from unusual sender

Detecting a BEC Attack

This email passed traditional threat intel and reputation checks, but is suspicious. Upon closer examination, we see that:

  • It appears to be sent by a known executive within the organization, but the email address is spoofed

  • It includes a request and the tone suggests urgency

  • The victim is asked to respond back via text message for further instructions, a common tactic in phishing scams

Despite having no traditional indicators of compromise, Abnormal can determine that this email is malicious.


Stop BEC Scams That Bypass Secure Email Gateways

detecting a sample email with suspicious language

Detect Suspicious Language and Tone

This message from Michael Scott asks Pam if she is at her desk, with no added context.

Typical of phishing attacks, this message attempts to start a conversation with the victim, encouraging them to engage with their attacker for further instructions.

This message has no links or attachments to scan, but Abnormal recognizes that the language is typical of phishing attacks.

inspecting email headers to spot impersonation

Inspect Email Headers to Expose Impersonators

Inspection of the email shows that it doesn’t come from the real domain name, but rather from a similar one that uses the number 1 in place of the l:

By analyzing header information, Abnormal can determine that this email domain has been spoofed. It is attempting to trick users into believing that the email is legitimate, using a well-known trick of replacing letters in the original domain.

analyzing sample email communication pattern for suspicious behavior

Understand Communication Patterns to Detect Suspicious Behavior

Michael does not typically email Pam at 8:03 am. And because he can see her desk from his own office, he’s never asked her if she’s at her desk.

Unlike secure email gateways, Abnormal uses natural language processing to understand people, their behavior, their communication patterns, and typical tone and content shared.

This understanding of known good behavior helps Abnormal flag suspicious behavior with a high degree of confidence.

automatic remediation of suspicious email

Eliminate the Threat Before Unsuspecting Employees Are Scammed

Pam never sees the email, making it impossible for her to be scammed by the attackers impersonating Michael.

Because Abnormal understood that this email was not actually coming from Michael, the email was removed in milliseconds.

Pam never had the chance to open or respond to it, and was never aware of the threat.

With Abnormal, you can see who else was targeted by the same or a similar email as part of a broader attack campaign, and how those emails were remediated.


Business Email Compromise FAQ



Trusted by Global Enterprises


Prevent the Attacks That Matter Most


Related Resources

Webinar microsoft cover
The emergence and evolution of advanced socially-engineered cyber attacks, including business email compromise, supply chain fraud, and ransomware, has organizations rethinking their security strategies and tech stacks.
Watch Now
Resource 02 CISO
Business email compromise (BEC) is the most significant cybersecurity threat to enterprise organizations, with $2.4 billion lost in 2021 alone. This type of email attack occurs when a cybercriminal uses social engineering to impersonate a trusted contact—typically an executive, coworker, vendor, or partner.
Download Now
Blog purple calendar
Abnormal Security recently detected two new types of attacks where scammers are targeting victims by redirecting their own Microsoft 365 out-of-office replies as well as read receipts back to them. These tactics indicate attackers are using every available tool and loophole...
Read More
Threat report 1
Cybercriminals upped their game over the last quarter—increasing the number of credential phishing attacks and account takeover attempts. In our quarterly threat report, Abnormal Security discovered significant increases in the number of brute force attacks and impersonation attempts.
Download Now
Webinar beyond spam cover
Adversaries are increasingly targeting the enterprise email inbox, and security teams need to look further than just spam and phishing attacks.
Watch Now