Who this page is for
Executives, finance, procurement, IT and security leaders: anyone in an organisation where payments are triggered or partners are coordinated by email.
What is BEC?
Business email compromise (BEC) is a targeted, email-based attack. Unlike classic, generic phishing, it aims at concrete business processes and the people who run them: payments, deliveries, contracts or HR.
Typical scenarios
Payment redirection: known suppliers seem to share new bank details.
CEO fraud: a fake executive demands an urgent transfer.
Hijacked supplier thread: an attacker in a compromised supplier mailbox replies inside an ongoing, legitimate conversation, so the request arrives with full context and history.
Compromised internal mailboxes: attackers quietly observe real workflows, often hiding their traces with inbox rules, and inject their request at the right moment.
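The two supplier scenarios above leave traces that a mail pipeline can check before a message reaches accounts payable. The following added example (not part of the original page) flags the common tells: a sender domain that imitates a known supplier, a Reply-To that points to a different domain than the From, and a request to change bank details, especially when it is injected into an existing thread. The supplier domains, the homoglyph table and the three sample messages are constructed for illustration.

```python
"""
Heuristic BEC checks for inbound mail: lookalike sender domains, Reply-To
mismatches and bank-detail change requests. Added example, not the page's
own code; allowlist and sample messages are constructed.
"""
from email import message_from_string
from email.utils import parseaddr
import re

# Constructed allowlist: domains of suppliers the organisation actually pays.
KNOWN_SUPPLIER_DOMAINS = {"acme-parts.example", "nordwind-logistics.example"}

# Phrases that typically accompany a payment-redirection request.
BANK_CHANGE = re.compile(
    r"\b(new|updated|changed)\s+(bank|account|iban|payment)\b|\biban\b",
    re.IGNORECASE,
)


def normalize(domain: str) -> str:
    """Undo the character substitutions attackers use in lookalike domains."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        d = d.replace(src, dst)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one-character typos of a supplier domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def lookalike_of(domain: str):
    """Return the known supplier domain this sender imitates, or None."""
    if not domain or domain in KNOWN_SUPPLIER_DOMAINS:
        return None
    nd = normalize(domain)
    for known in sorted(KNOWN_SUPPLIER_DOMAINS):
        if levenshtein(nd, normalize(known)) <= 1:
            return known
    return None


def analyse(raw: str) -> list[str]:
    """Return a list of findings for one RFC 822 message (empty if clean)."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender domain {from_domain}")
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like known supplier {imitated}")
    body = msg.get_payload() if not msg.is_multipart() else ""
    if BANK_CHANGE.search(body):
        findings.append("body requests a change of bank details")
        if msg.get("In-Reply-To"):
            findings.append("bank-detail change injected into an existing thread")
    return findings


# Constructed sample 1: payment redirection from a lookalike domain (rn -> m).
SAMPLE_REDIRECTION = """\
From: "Acme Parts Accounting" <billing@acrne-parts.example>
To: ap@company.example
Subject: Updated bank details for invoice 4711

Please use our new bank account (IBAN in the attached letter) for all open invoices.
"""

# Constructed sample 2: real supplier domain, but the thread was hijacked and
# replies are steered to an attacker-controlled domain via Reply-To.
SAMPLE_THREAD = """\
From: "Nordwind Logistics" <k.meier@nordwind-logistics.example>
Reply-To: "Nordwind Logistics" <k.meier@nordwind-logistics-billing.example>
To: ap@company.example
Subject: RE: Delivery schedule Q3
In-Reply-To: <20240412.b7@company.example>

Thanks for confirming the schedule. Our finance team has changed bank details
for all payments; the updated IBAN is below.
"""

# Constructed sample 3: an ordinary invoice that should produce no findings.
SAMPLE_BENIGN = """\
From: "Acme Parts Accounting" <billing@acme-parts.example>
To: ap@company.example
Subject: Invoice 4712

Please find invoice 4712 attached. Payment terms and bank details are unchanged.
"""

if __name__ == "__main__":
    for label, raw in (("redirection", SAMPLE_REDIRECTION), ("thread", SAMPLE_THREAD), ("benign", SAMPLE_BENIGN)):
        print(label, analyse(raw) or "clean")
```

A hit on any of these findings is not proof of fraud; it is the trigger for the out-of-band call described under Controls. The lookalike check deliberately compares normalized domains only against the supplier allowlist, so legitimate but unrelated domains do not generate noise.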
Controls
Phishing-resistant [MFA](/en/mfa) (FIDO2 security keys or passkeys) removes the mailbox takeover that precedes many BEC cases.
Four-eyes principle and out-of-band verification of bank-detail changes: call back on a number already on file, never on one given in the mail.
Clear payment approval workflow with amount limits.
Regular, role-specific awareness for finance and procurement; see security awareness.
Inbox rules and sign-in anomalies monitored (external forwarding, rules that delete or hide mail); see Microsoft 365 security.
Reporting paths known and low-friction.
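Monitoring mailbox rules only helps if someone has written down what "anomaly" means. The following added example (not part of the original page, and not Microsoft's tooling) scores inbox rules for the patterns attackers leave behind after a mailbox compromise: forwarding to an external address, rules that delete or move mail about payments or account security into folders nobody reads, and rules with empty or single-character names. The rule records are constructed to resemble the property names returned by Exchange Online's Get-InboxRule cmdlet; the tenant domain and mailboxes are hypothetical.

```python
"""
Scores mailbox rules for post-compromise patterns. Added example, not the
page's own code; the rule records and tenant domain are constructed.
"""
from dataclasses import dataclass, field

ORG_DOMAINS = {"company.example"}  # constructed: the tenant's own domains

# Folders attackers use to park mail the victim must not see.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}
# Condition words that point at payment fraud or at hiding security warnings.
FRAUD_WORDS = {"invoice", "payment", "bank", "iban", "wire", "password",
               "hacked", "fraud", "phish", "suspicious"}


@dataclass
class RuleFinding:
    mailbox: str
    rule: str
    score: int
    reasons: list[str] = field(default_factory=list)


def external_recipients(addresses: list[str]) -> list[str]:
    """Addresses whose domain is not one of the tenant's own."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS]


def score_rule(mailbox: str, rule: dict) -> RuleFinding:
    """Additive score; 40 or more is worth an analyst's look."""
    name = (rule.get("Name") or "").strip()
    if not rule.get("Enabled", True):
        return RuleFinding(mailbox, name, 0, ["rule disabled"])
    score, reasons = 0, []

    targets = ((rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or [])
               + (rule.get("ForwardAsAttachmentTo") or []))
    ext = external_recipients(targets)
    if ext:
        score += 50
        reasons.append("forwards or redirects to external " + ", ".join(ext))

    words = " ".join((rule.get("SubjectContainsWords") or [])
                     + (rule.get("BodyContainsWords") or [])
                     + (rule.get("FromAddressContainsWords") or [])).lower()
    hides = bool(rule.get("DeleteMessage")) or \
        (rule.get("MoveToFolder") or "").lower() in HIDING_FOLDERS
    fraud = sorted(w for w in FRAUD_WORDS if w in words)
    if hides and fraud:
        score += 40
        reasons.append(f"hides mail matching {fraud}")
    elif hides:
        score += 10
        reasons.append("deletes or moves mail out of sight")
    if hides and rule.get("MarkAsRead"):
        score += 10
        reasons.append("marks hidden mail as read")

    # Attackers often name rules ".", ",", ".." or leave them blank.
    if len(name) <= 2 or not any(c.isalnum() for c in name):
        score += 20
        reasons.append(f"suspicious rule name {name!r}")
    return RuleFinding(mailbox, name, score, reasons)


def suspicious_rules(rules_by_mailbox: dict, threshold: int = 40) -> list[RuleFinding]:
    findings = [score_rule(mb, r) for mb, rules in rules_by_mailbox.items() for r in rules]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed export: two mailboxes, four rules, shaped like Get-InboxRule output.
SAMPLE_RULES = {
    "ap@company.example": [
        {"Name": ".", "Enabled": True, "DeleteMessage": True,
         "ForwardTo": ["ap.archive@outlook-mail.example"]},
        {"Name": "Invoices to folder", "Enabled": True,
         "MoveToFolder": "Invoices", "SubjectContainsWords": ["invoice"]},
    ],
    "cfo@company.example": [
        {"Name": "..", "Enabled": True, "MoveToFolder": "RSS Feeds",
         "MarkAsRead": True, "SubjectContainsWords": ["bank", "payment", "wire"]},
        {"Name": "Old newsletter", "Enabled": False, "DeleteMessage": True,
         "FromAddressContainsWords": ["news@"]},
    ],
}

if __name__ == "__main__":
    for f in suspicious_rules(SAMPLE_RULES):
        print(f.score, f.mailbox, repr(f.rule), "; ".join(f.reasons))
```

The benign "Invoices to folder" rule scores zero although it matches a fraud keyword, because it moves mail to a folder the user reads; the combination of keyword and hiding folder is what matters. In a real tenant the rule export would come from Get-InboxRule or the Graph API, and any rule scoring above the threshold should be paired with the mailbox's recent sign-in activity before it is removed.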
Scenario
Accounts payable receives a plausible mail from a known supplier with a new bank account. A mandatory out-of-band call exposes the attack and the payment is stopped.
Checklist
- Phishing-resistant MFA everywhere
- Four-eyes principle on payments
- Out-of-band verification of new bank data
- Mailbox rules reviewed for anomalies
- Awareness modules for finance and procurement
- Clear reporting paths for suspicious mails
Frequently asked questions
Difference from phishing?
Phishing is broader and often generic. BEC is targeted and tied to specific business processes.
Is a spam filter enough?
No. Many BEC mails carry no malware or links, often pass SPF and DKIM, and may come from a genuine but compromised mailbox. They abuse trust and gaps in process, not technical flaws, so process controls are needed alongside filtering.
Related topics
Phishing remains one of the most common entry points. Modern attacks look professional, use trusted brands and adapt quickly. Technical filters, awareness and a simple report button belong together.
A compromised account is one of the most common incident types today. This page outlines causes, early signs and reasonable first actions.
Microsoft 365 is the central workspace and identity ecosystem for many organisations. This page outlines the key security building blocks without admin step-by-step instructions.
MFA significantly reduces the risk of compromised accounts. This page explains which methods actually work, where the weak points are and how to prioritise rollout in practice.
Awareness works when it is continuous, relevant and fairly measurable. A yearly mandatory training is not enough. This page shows what good organisational awareness looks like.
A security incident requires a clear process, rehearsed roles and prepared communication. Improvising during an incident wastes time and creates mistakes. This page covers the phases, responsibilities and common pitfalls.