Best 9 Business Email Compromise Protection Solutions For Business (2026)

We reviewed the leading BEC protection solutions on the accuracy of sender impersonation detection, how well each identifies payment redirect fraud, and the speed at which suspicious communications are flagged for human review.

Last updated on Jun 30, 2026
Technical Review by Craig MacAlpine

Business email compromise looks deceptively simple: an attacker impersonates a trusted sender and requests money or sensitive data. In reality, BEC attacks exploit every weakness in your email security, identity controls, and human judgment all at once. The right BEC solution detects what traditional email gateways miss: subtle changes in communication patterns, unauthorized OAuth apps, credential phishing, and supply chain fraud.

We evaluated multiple BEC and email security platforms across detection accuracy, integration depth, alert quality, user experience, and support responsiveness. We assessed how well each handles identity-layer threats, behavioral anomalies, and the specific attacks that bypass signature-based filtering. This guide gives you the decision criteria and vendor comparisons to match BEC protection to your team size, existing infrastructure, and security maturity.

What is Email Security?

Business email compromise (BEC) protection solutions defend organizations against email attacks where attackers impersonate executives, vendors, or trusted contacts to fraudulently request payments, sensitive data, or account access. Unlike traditional phishing that relies on malicious links or attachments, BEC attacks use social engineering and look like normal business communication, making them invisible to standard email filters. BEC protection platforms use behavioral AI, communication pattern analysis, and identity-layer monitoring to detect these attacks before employees act on them.

BEC protection operates across three detection layers. Behavioral analysis baselines normal communication patterns per user, including sender relationships, writing style, request types, and timing, then flags deviations that indicate impersonation or compromised accounts. Identity-layer monitoring watches for early compromise indicators like suspicious mailbox rule changes, MFA fatigue attempts, unauthorized OAuth applications, and anomalous login patterns. Supply chain detection analyzes vendor communication patterns to identify when a trusted supplier's account has been compromised and is being used for invoice fraud or payment redirection. The most effective platforms combine all three layers, catching both the initial compromise attempt and the downstream fraud that follows. Post-delivery remediation and automated account containment are critical because BEC attacks that reach inboxes create damage in minutes.

Business Email Compromise Protection Solutions Compared

These 9 platforms cover the full range of BEC protection approaches, from managed SOC services and behavioral AI to phishing simulation and enterprise-scale threat intelligence.

| Product | Best For | Type | Behavioral AI | Identity Monitoring | Managed SOC |
|---|---|---|---|---|---|
| Huntress | MSPs and lean IT teams needing managed BEC detection | Managed | Yes | Yes | Yes |
| Bitdefender Extended Email Security | MSPs needing cross-tenant BEC remediation | SEG + API | No | Yes | No |
| Material Security | Multi-stage BEC defense across the full workspace | ICES | Yes | Yes | No |
| Abnormal AI | Behavioral detection with minimal tuning | ICES | Yes | No | No |
| Check Point Email Security | BEC detection across email and collaboration apps | ICES | Yes | Yes | No |
| Cofense | Employee reporting integrated with threat response | Training + Response | No | No | No |
| Darktrace | AI-driven anomaly detection across email and SaaS | ICES | Yes | No | No |
| IRONSCALES | Unified BEC detection and awareness training | ICES | Yes | No | No |
| Proofpoint Email Security | Enterprise-scale BEC detection with Supernova engine | SEG + API | Yes | No | No |

How We Tested

We evaluated each platform across detection accuracy against BEC, phishing, and account takeover, alongside integration depth, alert quality, and real-world customer feedback. We assessed how each handles display-name impersonation, payment redirect fraud, and supply chain compromise. This guide was written by Alex Zawalnyski and technically reviewed by Craig MacAlpine.

1. Huntress

Best for MSPs and lean IT teams needing managed identity-layer BEC detection

Huntress is a fully managed security platform built for MSPs and lean IT teams who need serious threat detection without building out a SOC. The 24/7 human-backed response team focuses heavily on credential theft and application abuse, making it particularly effective against business email compromise. We think it hits a strong price-to-value ratio for organizations that want managed detection without enterprise complexity.

  • Microsoft 365 monitoring catches suspicious mailbox rule changes, MFA fatigue attempts, and unauthorized OAuth apps as early BEC warning signs.
  • Managed ITDR analyzes user activity and assigns risk levels to identify compromised identities, covering rogue apps to session hijacking.
  • Managed EDR ties endpoint telemetry back to identity events, flagging accounts that need lockdown when devices look compromised.
  • Incident summaries provide clear remediation steps without alert noise.
  • 24/7 SOC team with fast response and clear communication.

Users consistently praise the lightweight deployment and RMM/PSA integrations. Install is quick, and admin overhead stays low. The SOC team gets high marks for response speed and clear communication. Something to be aware of is that Microsoft Defender XDR management is still maturing, and some users note RMM integrations could be deeper for certain workflows.

We think Huntress is a strong fit if your team lacks dedicated security analysts but needs identity-layer visibility across Microsoft 365 and endpoints. The platform has expanded significantly, adding Managed ISPM and ESPM alongside the core ITDR and EDR capabilities. If you need advanced XDR customization or already run a mature SOC, this probably isn’t your tool. But for MSPs and IT teams who want someone watching around the clock, it delivers.

Strengths
  • 24/7 SOC catches early BEC indicators like mailbox tampering and OAuth abuse
  • Lightweight agent deploys fast with minimal ongoing admin work
  • Clear incident summaries with actionable remediation steps
  • Strong Microsoft 365 identity monitoring tied to endpoint telemetry
  • Pricing scales reasonably for MSPs managing multiple clients

Cautions
  • Reviews mention Microsoft Defender XDR management is still maturing
  • Users note RMM integrations could be deeper for some workflows

2. Bitdefender Extended Email Security (Bitdefender)

Best for MSPs needing cross-tenant BEC remediation with single-SKU pricing

Bitdefender Extended Email Security, built on the Mesh Security platform (acquired by Bitdefender in July 2025), is an email security platform built for MSPs. It enables granular policy controls across all tenants from one dashboard and offers multiple deployment options for M365.

  • BEC detection engine examines DMARC, impersonation signals, and suspicious email content with specific routing rules for display-name impersonation and lookalike-domain spoofing.
  • Internal mail flow scanning catches compromised accounts sending malicious emails, with cross-tenant remediation from a single console.
  • MSP admin console searches across all inboxes and instantly pulls affected email content, fully audit-logged.
  • Single SKU with consumption-based billing on active user inboxes.

We recommend Bitdefender to teams looking for BEC protection as part of a wider email security platform built for MSPs. It will catch display-name impersonation and DMARC-failing spoofs without adding cost or complexity on top of the core email security deployment. Bitdefender is sold as a single SKU, with consumption-based billing on active user inboxes.

Strengths
  • Impersonation treated as a separate verdict with its own policy routing
  • API-mode deployment scans internal mail flow
  • Cross-tenant search and remediation
  • Audit logging documents every administrator action
  • Cost-effective MSP pricing

Cautions
  • No native email archiving; built-in encryption is on the roadmap but not yet available

3. Material Security

Best for multi-stage BEC defense across the full cloud workspace

Material Security is a cloud workspace security platform for Google Workspace and Microsoft 365 that goes beyond the email perimeter. It addresses the full scope of the BEC problem: detecting and blocking inbound attacks, locking down the sensitive data attackers are trying to reach, and containing compromised accounts before they can be weaponized.

  • Custom rules engine with agentic automation and LLM analysis stops inbound BEC threats including VIP impersonation and credential phishing.
  • Locks down email content within the inbox so compromised accounts cannot access sensitive attachments, OTPs, or password reset links.
  • File security and identity controls restrict what a compromised account can do across Google Workspace and Microsoft 365.
  • OAuth app remediation identifies and revokes suspicious third-party tokens, a common vector in account takeover scenarios that enable BEC.
  • Deploys in under 30 minutes via API with no MX record changes.

Material’s account compromise containment is very effective at slowing attacks and limiting the amount of data that can be accessed during a breach, according to user reviews. Users also highlight that Material makes incident analysis a lot faster.

Reporting is straightforward, and users praise the pace of new feature releases and the responsiveness of the support team. Some customers do say that rules configuration can be challenging without in-house email security experience, but note that the Material support team is responsive.

BEC is particularly hard to stop because it doesn’t always look like an attack; it looks like a legitimate email from a trusted source. Material addresses this at multiple levels: catching the impersonation attempts and credential phishing that typically precede account takeover, locking down the sensitive content that makes a compromised account dangerous, and applying identity controls that limit what an attacker can do even if they get in. It’s a more complete answer to BEC than tools that focus on blocking inbound messages alone.

If your team is looking for a platform that treats BEC as the multi-stage problem it actually is, this is a strong solution to consider.

Strengths
  • Protects the full cloud workspace across email, identity, files, and accounts
  • Context-driven MFA contains compromised accounts before attackers can access sensitive data
  • Detects and remediates BEC, impersonation, and credential phishing attacks
  • AI-powered triage accelerates investigation of user-reported phishing
  • Automatically identifies and remediates excessive cloud permissions

Cautions
  • Cloud-native platform with no support for on-premises email environments
  • Some users report that advanced rules and configuration options require time to set up

4. Abnormal AI

Best for behavioral BEC detection with minimal tuning in M365 environments

Abnormal AI is an API-based email security platform that skips the traditional secure email gateway model entirely. It connects directly to Microsoft 365 via API, learns normal communication patterns, and catches the social engineering attacks that rule-based filters miss. We found the behavioral approach works well for stopping BEC, supply chain fraud, and credential phishing without constant tuning.

  • Baselines how your people communicate and flags anomalies with no signatures or constant tuning required.
  • Ingests signals from Slack, Active Directory, and other M365 services for richer user profiles and account takeover detection.
  • API deployment in minutes with no MX record changes.
  • Machine learning accuracy improves continuously from user feedback on false positives and negatives.

Customers praise the set-and-forget model and the speed of deployment. Detection accuracy stays high without the policy tweaking that legacy gateways demand. Something to be aware of is that the post-delivery model has a timing limitation: Outlook sometimes processes malicious calendar invites before Abnormal can delete them. Some users also want better tooling for reviewing and releasing held messages.

We think Abnormal fits organizations tired of tuning gateway rules who want behavioral detection that just runs. The cross-platform data ingestion from Slack and Active Directory adds context that email-only tools miss, which is good to see. The API-first deployment means no mail flow changes, making it a strong supplementary layer alongside native Microsoft or Google protections.

Strengths
  • API integration deploys in minutes with no mail flow changes required
  • Behavioral detection catches BEC and social engineering without constant tuning
  • Cross-platform data ingestion from Slack, AD, and M365 improves threat context
  • Machine learning accuracy improves continuously from user feedback

Cautions
  • Post-delivery model means some threats land before remediation
  • Customers note calendar invite processing in Outlook can outpace email deletion

5. Check Point Email Security (Check Point Software)

Best for BEC detection across email and collaboration apps with behavioral profiling

Check Point Email Security (formerly Avanan, rebranded March 2026) is an API-based email security layer that sits behind your existing defenses to catch what Microsoft Defender and Google’s native tools miss. It focuses on BEC, phishing, and account compromise across Microsoft 365, Google Workspace, Slack, and Dropbox. We found the layered approach makes sense for organizations already running native protections but still seeing phishing slip through.

  • Behavioral profiles built from communication patterns, employee relationships, and historical email data.
  • Anti-phishing engine uses context to spot impersonation attempts that signature-based tools overlook.
  • Monitors for suspicious cloud app activity including unrecognized logins, repeated password resets, and anomalous behavior.
  • Automatic lockout policies contain compromised accounts before damage spreads.
  • Real-time reporting gives visibility into threat details and attack patterns.

Users report significant drops in phishing reaching inboxes after deployment. The API install is quick, typically same-day activation with immediate visibility. Something to be aware of is that there is no mobile app for remote incident management and triage, and the platform works best as a supplementary layer rather than standalone protection.

We think Check Point Email Security works best as a second layer when native Microsoft or Google protections aren’t cutting it. The behavioral profiling catches impersonation that rule-based filters miss, and the account compromise detection extends visibility beyond email to cloud apps. If you’re building a new stack from scratch, a full-featured gateway might make more sense.

Strengths
  • API deployment requires no MX changes and activates within hours
  • Behavioral profiling catches impersonation that rule-based filters miss
  • Works alongside existing gateways rather than replacing them
  • Account compromise detection extends visibility beyond email to cloud apps

Cautions
  • No mobile app for remote incident management and triage
  • Works best as a supplementary layer rather than standalone protection

6. Cofense

Best for employee reporting integrated with automated BEC threat response

Cofense combines phishing simulation, security awareness training, and automated threat response into one platform. It turns your employees into active sensors while giving your SOC the tools to triage and quarantine reported threats fast. We think the closed loop between training, testing, and reporting creates real accountability.

  • Training teaches employees to spot phishing and BEC through interactive courses, then tests retention with simulated attacks including smishing, vishing, and QR-code phishing.
  • One-click reporting plugin feeds employee reports directly into security workflows.
  • Phishing Defense Center analyzes reported emails and returns verdicts within an hour.
  • Custom rules based on threats specific to your environment.
  • Integrates with M365 and Google Workspace without disrupting mail flow.

Feedback skews positive on reliability and flexibility. The platform scales across organization sizes without major configuration headaches. Customers praise the customizable reporting and board-ready analytics. Something to be aware of is that email pull and quarantine require the Vision add-on, which competitors often include as a baseline feature. Factor that into licensing discussions.

We think Cofense fits organizations that want to invest in their human layer alongside technical controls. If your strategy depends on employees reporting threats accurately, the training-to-triage pipeline delivers. The one-hour turnaround on reported email analysis is good to see. If you want detection technology without the awareness training component, a dedicated email security platform is a better fit.

Strengths
  • Closed loop from training to simulation to reporting reinforces secure behavior
  • Phishing Defense Center returns threat analysis within an hour
  • Custom rule creation lets you target threats specific to your environment
  • Supports multi-vector simulations including smishing, vishing, and QR-code phishing

Cautions
  • Email pull and quarantine features require Vision add-on purchase
  • Less suited if you want detection tech without the awareness training component

7. Darktrace

Best for AI-driven BEC anomaly detection across email and SaaS environments

Darktrace/Email uses self-learning AI to build behavioral baselines for every user in your organization. It detects anomalies in both inbound and outbound communications, catching threats that signature-based tools miss while reducing noise from spam and unwanted mail. We found the approach particularly effective for novel threats that haven’t hit threat intelligence feeds yet.

  • Self-learning AI builds per-user baselines and flags deviations, catching BEC, phishing, and supply chain attacks based on context.
  • Extends beyond email to SaaS applications and network devices, correlating email activity with other behavioral signals.
  • Communicates directly with end users to explain threat actions, incorporating employee feedback to improve detection.
  • Filters cold outreach, newsletters, and spam to reduce inbox noise.

Regular customer success engagement keeps deployments optimized. Users report the self-learning model reduces tuning overhead once deployed. Something to be aware of is that pricing sits in the upper tier of the market, though users report you can negotiate, especially when bundling multiple modules. Setup complexity also comes up in feedback; initial configuration requires significant effort.

We think Darktrace fits organizations that want AI-driven detection across email and their broader environment, not just a point solution. The self-learning model reduces tuning overhead, and the cross-platform visibility correlating email threats with network and SaaS activity is a meaningful advantage. The premium pricing means it’s a harder sell for smaller teams with simpler environments.

Strengths
  • Self-learning AI adapts to each user without manual rule configuration
  • Cross-platform visibility correlates email threats with network and SaaS activity
  • Direct user communication explains actions and incorporates feedback
  • Filters spam and unwanted mail to reduce inbox noise

Cautions
  • Reviews mention initial setup requires significant configuration effort
  • Customers note support response on complex issues can be slower than expected

8. IRONSCALES

Best for unified BEC detection and awareness training with crowdsourced intelligence

IRONSCALES is an API-based email security platform that sits at the mailbox level inside Microsoft 365 or Google Workspace. It’s designed to catch phishing, BEC, and impersonation attacks missed by traditional email gateways. It uses adaptive AI systems alongside end-user based threat intelligence to learn what malicious emails look like, and block them everywhere, all at once. We think it hits a sweet spot for organizations that want BEC detection and awareness training unified without juggling multiple vendors.

  • Behavioral baselines analyze employee communication patterns, relationships, and habits to catch impersonation, invoice fraud, and supply chain attacks.
  • One-click employee reporting feeds into detection across 17,000+ customer organizations with dynamic warning banners on suspected content.
  • Themis virtual SOC conducts autonomous investigation and remediation with admin context on threats.
  • Predictive red team agent generates likely BEC scenarios from your organization’s public footprint.
  • Deepfake meeting protection covers video calls on Microsoft Teams, addressing a growing BEC vector.
  • AV engines, URL scanning, spam and gray-mail filtering for standalone gateway replacement.

We are impressed by IRONSCALES. The platform is constantly adding new features, like email spam filtering, encryption, and deepfake protection. The core of the product is the crowdsourced threat intelligence built on end-user email reporting, which is an effective way of blocking phishing, alongside powerful threat protection engines. If you are looking for effective protection against business email compromise and account takeover with built-in phishing awareness training, IRONSCALES delivers. The free Starter tier offers phishing simulation and testing for up to 500 mailboxes, though full email protection requires a paid plan.

Strengths
  • Behavioral analysis catches impersonation and BEC based on communication patterns
  • Adaptive AI plus crowdsourced intelligence blocks BEC campaigns across all customer environments
  • Deepfake meeting protection addresses a growing BEC vector beyond email
  • Themis virtual SOC reduces phishing remediation time from hours to seconds
  • API deployment goes live in minutes without MX changes or mail flow disruption

Cautions
  • IRONSCALES has added new features across the management console, so admins will need time to find their way around

9. Proofpoint Email Security And Protection (Proofpoint)

Best for enterprise-scale BEC detection with the Supernova engine and supplier risk analysis

Proofpoint is the enterprise incumbent in email security, protecting over 8,000 organizations globally. Their Threat Protection Platform uses the Supernova detection engine to analyze billions of emails, URLs, and attachments daily, with Advanced BEC Defense as a core component. We think the threat intelligence depth is hard to replicate at this scale.

  • Machine learning and AI identify, block, and authenticate threats across the email chain with strong detection against targeted attacks, supply chain compromise, and credential phishing.
  • BEC-specific features include impersonation detection, supplier risk analysis via Nexus Supplier Risk Explorer, and user-specific threat data.
  • Granular reporting provides insight into who is being targeted and how.
  • Daily digest emails with single-click actions save significant triage time.

The widespread adoption has practical benefits; when email issues arise between organizations, both sides often run Proofpoint, which simplifies troubleshooting. The community and documentation are strong. Users praise how intuitive the core workflows are. Something to be aware of is that Proofpoint has grown through acquisition, and it shows; multiple admin consoles can make management feel fragmented. Post-sale support gets mixed reviews, with some customers reporting the sales team disengages after implementation.

We think Proofpoint makes sense for mid-size to enterprise organizations that want proven detection at scale and can absorb the admin complexity. The threat intelligence network analyzing billions of data points daily provides visibility that smaller vendors can’t match. If you run a lean team, the fragmented admin experience is worth factoring into your evaluation.

Strengths
  • Massive threat intelligence network analyzes billions of data points daily
  • Single-click digest actions streamline daily email triage
  • Deep BEC reporting includes user-specific targeting data and supplier risk
  • Widespread adoption simplifies cross-organization email troubleshooting

Cautions
  • Customers note multiple admin consoles create a fragmented management experience
  • Reviews mention post-sale engagement from sales teams can drop off after implementation

Other Business Email Compromise Protection Services

Beyond our top 9, these platforms are worth considering for BEC protection.

10. Barracuda

Offers a Total Email Protection portfolio providing all-inclusive protection against 13 email threat types including spear phishing and BEC.

11. Mimecast

A well-respected email security provider offering a comprehensive, cloud-based security platform through a single subscription service.

Business Email Compromise Protection Pricing

BEC protection pricing varies by platform, deployment model, and whether managed SOC services are included. Several enterprise vendors require a sales conversation. The prices below reflect publicly available starting rates where published.

| Product | Starting Price | Billing |
|---|---|---|
| Huntress | Contact for quote | |
| Bitdefender Extended Email Security | Contact for quote | Consumption-based |
| Material Security | From $3.00/user/month | Annual |
| Abnormal AI | Contact for quote | |
| Check Point Email Security | Contact for quote | |
| Cofense | Contact for quote | |
| Darktrace | Contact for quote | |
| IRONSCALES | From $3.89/user/month | Annual |
| Proofpoint Email Security | Contact for quote | |

Business Email Compromise Protection Checklist

These are the criteria we recommend evaluating when selecting BEC protection for your organization.

BEC attacks mimic trusted communication; behavioral AI catches deviations in tone, writing style, and request patterns that rule-based filters miss.

Suspicious mailbox rule changes, MFA fatigue attempts, and unauthorized OAuth apps are early warning signs that precede most BEC attacks.

BEC attacks create damage in minutes; automated logout, credential reset, and access restriction reduce the window between detection and containment.

Compromised accounts send legitimate-looking emails from inside your organization; inbound-only protection misses this attack vector entirely.

Supply chain BEC exploits trusted vendor relationships for invoice fraud and payment redirection; detection should cover vendor communication patterns.

Visual cues prompt employees to verify requests through a separate channel before acting, reducing the success rate of impersonation-based fraud.

Employee reports improve detection accuracy and feed human intelligence back into AI models across your entire environment.

The most sophisticated BEC attacks contain only persuasive language requesting action; your platform must detect threats without relying on payload analysis.

The Bottom Line

No single BEC solution fits every organization. For MSPs managing multiple client environments, Bitdefender Extended Email Security provides cross-tenant BEC remediation with display-name impersonation detection and simple single-SKU pricing. For lean IT teams needing managed SOC capabilities, Huntress provides 24/7 identity-layer monitoring. For behavioral AI detection with minimal tuning, Abnormal AI deploys in minutes via API. For unified email security and awareness training, IRONSCALES combines detection, simulation, and training at an accessible price point. For enterprise-scale detection, Proofpoint provides unmatched threat intelligence. Review the individual evaluations above to dig into deployment specifics and the trade-offs that matter for your email security strategy.

Everything You Need To Know About Business Email Compromise (FAQs)

BEC attacks use an authentic and trusted brand to trick victims into sharing sensitive details and information. They rely on accurate and authentic impersonation to make their requests seem more valid. For example, a user will be more likely to share financial details with a brand they already know and trust, than with someone unknown to them.

To make the attacks seem more legitimate, attackers will often try to gain access to an authentic inbox. This means that they are able to send email from a real email address, with the correct header, footer, and DKIM details. This reduces the amount of work they have to do in order to appear legitimate. It is for this reason that it is important for organizations to monitor the emails that are being sent from their inboxes as well as inbound messages.

Malicious actors are able to gain access to inboxes in a variety of ways. This includes using stolen credentials purchased on the dark web, previous phishing or social engineering attacks, and brute force attacks. So, the first thing you should do to prevent BEC attacks is keep your credentials safe. Some of the platforms featured on this list are designed for this purpose.

Once they have gained access, an attacker will reach out from the compromised account to existing employees or to other companies. As they are writing from a valid email address, there is very little to raise the victims’ suspicions. The attacker may send a fake invoice, request access to data, or even attempt to hijack another account.

With the amount of information readily available online – think of all the information you share on LinkedIn – coupled with the valid account and ability to look back at previous conversations and imitate style, BEC can be a very effective and dangerous attack type.

To prevent BEC attacks, it is worth keeping an open mind about what to look for. With attackers constantly searching for new ways to trick you, there is no checklist (or limit) to how they might try to fool you. Another area that could be worth investing in is Security Awareness Training (SAT) – this educates your users on suspicious behavior and explains best practice responses.

BEC attacks exploit the weakness of emails to target top-level people within an organization. Often BEC starts with a phishing attack which allows cyber-criminals to gain access to an important email account within an organization. For example, someone in the finance department, or the company CFO or CEO. Once attackers have access to this account, they can then send out emails that appear to be legitimate, asking for wire payments to be made from others in the organization, or across their supply chain. These emails won’t be flagged as malicious by any anti-virus or basic email filtering technologies, and most users probably won’t expect their boss or a trusted contact to be compromised, making this a particularly harmful kind of attack.

Another method cyber-criminals can use is simply spoofing the domains of high-level business email accounts. For example, the attacker will see the email address [email protected] and use [email protected] instead. This is known as Lookalike Domain Spoofing. The similarity of the email addresses may be enough to fool suspecting users into believing it’s the real contact that has emailed them, which could convince them to make a payment.

This type of BEC attack is less sophisticated than full account compromise, but it is much more common. It’s also much more likely to be stopped by email security technologies, as they can detect when a domain has been spoofed. However, it can still very successful in convincing unsuspecting users.

Lookalike domain spoofing is commonly used to impersonate brands, such as Microsoft or Apple. Attackers copy these brand domains to try to convince users to enter passwords or make payments.
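A minimal lookalike-domain check of the kind described above, as an added example (not code from this article or from any vendor's product): it flags sender domains that visually collapse onto a protected domain or sit one edit away from it. The domains, the confusable-character table and the function names are constructed for illustration.

```python
from typing import Optional, Tuple

# Constructed sample data: the organisation's own and trusted vendor domains.
PROTECTED = {"acme-corp.example", "northwind-supplies.example"}

# Common visual substitutions collapsed before comparison (assumed, not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Lower-case a domain and collapse look-alike character sequences."""
    d = domain.lower().rstrip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            val = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                val = min(val, prev2[j - 2] + 1)  # transposition
            cur.append(val)
        prev2, prev = prev, cur
    return prev[-1]


def classify_sender(address: str, max_distance: int = 1) -> Tuple[str, Optional[str]]:
    """Return (verdict, protected domain it resembles) for a From address."""
    domain = address.rsplit("@", 1)[-1].strip("> ").lower()
    if domain in PROTECTED:
        return "exact", domain
    for good in sorted(PROTECTED):
        if skeleton(domain) == skeleton(good):
            return "lookalike-homoglyph", good
        if osa_distance(domain, good) <= max_distance:
            return "lookalike-typo", good
    return "unrelated", None


if __name__ == "__main__":
    # Constructed From headers, one per verdict.
    for sender in ["CFO <cfo@acme-corp.example>", "cfo@acrne-corp.example",
                   "ap@nortwhind-supplies.example", "news@contoso.example"]:
        print(sender, "->", classify_sender(sender))
```

An "exact" verdict only says the domain matches a protected one; mail sent from a genuinely compromised account also lands there, so this check complements behavioral detection rather than replacing it.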

We’ve broadly covered two methods in which attackers can carry out Business Email Compromise attacks, but the FBI has identified 5 unique variants of BEC. Here’s a brief rundown of what each involves:

CEO Fraud: Attackers impersonate a CEO, or a high-level executive, and target employees with requests for payments.

Account Compromise: An employee’s email account is compromised, and attackers use their contacts to request payments to their own accounts.

Bogus Invoice Schemes: Attackers will impersonate suppliers of foreign companies, in order to request fraudulent fund transfers and payments.

Data Theft: Employees in HR and admin departments are compromised so that attackers can gain access to sensitive company and customer information.

Attorney Impersonation: Attackers impersonate lawyers or solicitors to find out confidential business events. This is a sophisticated type of account compromise attack, and much less common.

Most industry analysts agree that BEC attacks are becoming more common because they are low risk for attackers, can be relatively low cost to pull off, and they are often very successful.

Rather than needing to spend time developing malware, or trying to gain access to systems, Business Email Compromise allows cyber criminals to very quickly get access to accounts and send out emails asking for payments. With just one compromised account, cyber criminals can send out hundreds of fraudulent emails, with a pretty good chance that at least one will be opened or replied to.

For high profile targets, cyber criminals may not even need to collect information for account compromise attacks themselves. High level employee email credentials are commonly bought and sold on the dark web. Research from LastLine tells us that CEO, CFO and executive account details fetch a high price, but attackers can make a profit of thousands by successfully mounting a business email compromise scam.

Traditional approaches to email security rely on detecting threats. This could be a malicious domain that’s been known to send out spam emails. Or, it could be an attachment that contains malware, or a URL that leads to a harmful website. Email security technologies can identify threats based on patterns or signatures and stop those emails from being delivered to your users.

However, BEC attacks don’t involve any malware or harmful content being sent. These emails come from legitimate domains and will appear to most email security technologies to be completely innocuous. This means that the email has a high chance of being delivered to your users’ inboxes.

Because they target the human factor within the organization to succeed, once in the email inbox BEC attacks have a good chance at tricking employees into believing they are real. As we’ve covered, BEC attacks often target company executives, like CEOs or CFOs, or employees that work within company finances. When an invoice arrives from an employee like this, people usually trust that it is legitimate, and may go ahead and make the payment without checking the legitimacy of the email.

In addition, attackers are spending more time developing BEC attacks and investigating which individuals within an organization are likely to have the authority to ask for invoices to be paid.

Considering these factors, it’s no surprise that Business Email Compromise is growing more common and becoming more harmful to organizations. There have been numerous examples of high profile BEC attacks, against organizations of all sizes.

The US Treasury found that the number of business email compromise attacks reported nearly doubled from 2016 to 2018, with nearly 1100 attacks reported every single month. The costs associated also continue to grow, now costing US companies an average of $301 million every single month, according to a Treasury Department Analysis.

When choosing a BEC solution, it’s important to make the right choice for your organization. As no two organizations are identical, it’s important that you take the time to find a solution that matches your needs and addresses your vulnerabilities.

Selecting a solution that doesn’t fit your organization’s profile could leave you with a false sense of security. For instance, your business may release a large quantity of emails and other communications; this could make your brand susceptible to spoofing. Alternatively, you may have a large, disparate workforce, where the sheer number of employees makes you susceptible to phishing attempts. When selecting a BEC solution, you should consider the following areas with regard to your own organization:

What Are Your Vulnerabilities? 

If you are looking for a solution that can respond to email based threats, it may not be suited to cover SMS or Vishing attacks.

Before deciding what solution is best, look at where you are weakest.

Automation And Configuration

The ability to automate and configure your solution can affect how useful it is to your organization. It may be that you want a solution that you can let run in the background, without any need for input. Equally, you may want a more hands on solution that puts you in control of configuration and management. This decision will be based on your weaknesses, as well as your organizational resource.

What Are Its Features?

When choosing a BEC solution, it’s critical to compare the features of each solution to ensure it will work in your environment. URL rewriting, always-on connectivity, and database cross-checking give you the best chance of remediating threats.

As indicated in the previous section, ensuring that your platform has the right features to address the issues that you face is imperative. This can be an overwhelming and confusing area to navigate. Nevertheless, it is one of the most important decisions you face in securing your organization from cyber threats.

  1. Customization – To ensure that your platform can protect your organization from the unique threats that it faces, your platform should deliver a good deal of customization. This ensures that you can reduce and eliminate any vulnerabilities.
  2. Domain Authentication – To corroborate if your email messaging is legitimate, you should ensure that your platform delivers DKIM/SPF features.
  3. Phishing Detection – By identifying and removing phishing mail, you are able to reduce the number of emails that may trick users.
  4. Employee Training – Good platforms will offer employees training and education to help them identify risk factors and signs of danger.
  5. Policy Management – Your solution should allow you to create policies and deploy them across all accounts easily.
  6. User Friendly Interface – Every tool that you use should be straightforward to use and easy to manage, allowing you to make the changes that you need to.

Written By
Alex Zawalnyski, Journalist & Content Editor

Alex is an experienced journalist and content editor. He researches, writes, factchecks and edits articles relating to B2B cyber security and technology solutions, working alongside software experts.

Alex was awarded a First Class MA (Hons) in English and Scottish Literature by the University of Edinburgh.

Technical Review
Craig MacAlpine, CEO and Founder

Craig MacAlpine is CEO and Founder of Expert Insights. Before founding Expert Insights in August 2018, Craig spent 10 years as CEO of EPA Cloud, an email security provider that rebranded as VIPRE Email Security following its acquisition by Ziff Davis, formerly J2Global (NASDAQ: ZD) in 2013.

Craig is a passionate security innovator with over 20 years of experience helping organizations to stay secure with cutting-edge information security and cybersecurity solutions.

Using his extensive experience in the email security industry, he founded Expert Insights with the singular goal of helping IT professionals and CISOs to cut through the noise and find the right cybersecurity solutions they need to protect their organizations.