Business email compromise, or BEC, is a category of insidious email attacks that can fool security systems and end users. BEC attacks rely on social engineering and impersonation tactics and are often text-based, making them difficult to detect by legacy security systems. A seemingly normal request from a trusted contact for an invoice payment or file transfer can lead to a seven-figure financial loss for an enterprise.

Simply put, BEC is a problem because it works. It’s been the most expensive cyberattack for seven years in a row, according to the FBI Internet Crime Report. The findings show that BEC attacks cost organizations nearly $2.4 billion last year alone, making up 35% of all cybercrime losses.

Enterprises should mitigate BEC attacks with two joint approaches: training users and implementing a modern security stack. On the user side, enterprises must provide security awareness training so employees can better recognize BEC attacks and understand how to respond to them.

But while security awareness training is incredibly useful, the best way to prevent users from falling victim to these attacks is to stop them before they reach inboxes. Modern email security solutions use thousands of signals and behavioral analysis to understand the content and context of an email, rather than simply scanning for known red flags like malicious attachments and suspicious URLs.

The Abnormal cloud email security platform prevents BEC by:

• Baselining known employee email behavior to flag anomalous activity.

• Mapping relationships with employees and partners to spot compromised accounts.

• Inspecting email headers to expose impersonated domains and user names.

• Understanding an email’s content and context to identify unusual requests.

• Detecting at-risk and compromised vendors to prevent attacks across the supply chain.

The result? Abnormal blocks an average of 36 BEC attacks for each customer every single month. With an average cost of $59,000 per successful incident, this provides enormous value to our customers.

How does it work? Abnormal connects to Microsoft 365 and Google Workspace via an API, monitoring 45,000 signals to create a baseline of typical email patterns. This deep, personalized understanding of email behavior reveals subtle anomalies present in BEC attempts. When an email contains anomalies, such as an unusual invoice request or instructions to buy gift cards, Abnormal blocks it before it reaches end users.

Since BEC attacks regularly come from trusted external accounts, Abnormal closely monitors all partners through VendorBase™, a federated database that tracks vendors in an organization’s supply chain. VendorBase automatically scores the risk level of vendors by checking for signs of compromise, spoofed or impersonated domains, or any suspicious activity.

This insight shines a spotlight on the social engineering requests and impersonation tactics common in BEC attacks, flagging and remediating them before they land in user inboxes.

Most email security solutions claim they stop BEC, but it continues to cost organizations billions of dollars a year. Comparing platforms and integrating with each to effectively evaluate options is vital.

When considering a business email compromise prevention software, you should answer the following:

• How does the platform detect BEC? Many email security tools rely on known indicators of compromise and common red flags to identify a malicious email. BEC attacks don’t contain those red flags, since they often contain only text and are sent from known domains. An effective BEC solution must look beyond common red flags to understand both the content and context of an email within a larger organization to detect suspicious requests.

• Can it monitor internal communication? BEC attempts often come from internal accounts, both compromised or spoofed. Legacy email security solutions like gateways don’t monitor east-west traffic, which means they can’t detect costly internal attacks.

• What does implementation look like? Understanding how a solution integrates within your security architecture is crucial. API-based, journaling-based, or traditional secure email gateways. API integration is quick to implement, and it can seamlessly connect with built-in security from Microsoft 365 and Google Workspace. Journaling is a legacy feature within Microsoft exchange designed for compliance purposes, not email security. And gateways require updating MX records and redirecting mail flow, and it doesn’t integrate with existing email-provider security.

• How much upkeep does it require? Some BEC solutions require fine-tuning, if-then rules, updated blocklists, manual remediation, and more. That’s a heavy workload for busy security teams. Sophisticated BEC software should automatically remediate threats without manual oversight to simplify security operations.

The most important thing you can do is test any potential solution in your live email environment. See how it works, how easy it is to use, and how many BEC attacks it actually detects.

Abnormal’s email security risk assessment does just that. We connect our inbound email security product to your email infrastructure to let you test-drive it. Within a week, you’ll get a custom report outlining your organization’s email threats, including the real BEC attacks that are bypassing your existing solutions.

In recent risk assessments, we caught an astonishing 112,000 BEC attacks at a major university, and we prevented an electronics manufacturer from paying a $500,000 fake invoice. Don’t take our word for it—try it out for yourself.