BEC

3 posts with the tag “BEC”

Business Email Compromise Training: Preventing Million-Dollar Wire Fraud

$50 billion. That’s what business email compromise (BEC) attacks have stolen since the FBI started tracking them. The average hit is $125,000, though some organizations lose millions in a single attack.

Here’s what makes BEC particularly frustrating to defend against: there’s no malware to scan, no suspicious attachment to sandbox, no sketchy link for your email gateway to flag. These attacks work by impersonating someone the target trusts, asking for something that sounds reasonable, and relying on normal business processes to deliver the money.

Your technical controls won’t catch them. Your employees have to.

BEC attackers study organizations before striking. They learn:

  • Who authorizes payments
  • Who processes wire transfers
  • Vendor relationships and payment patterns
  • Executive communication styles
  • Organizational hierarchies

Armed with this intelligence, they craft emails that appear completely legitimate.

1. CEO Fraud

Attacker impersonates the CEO or another executive to request urgent wire transfers.

“Hi Sarah, I’m closing a confidential acquisition and need you to wire $47,000 to this account today. Time-sensitive, so don’t mention this to anyone until the deal is announced.”

The request comes from what appears to be the CEO’s email (either spoofed or from a compromised account). It creates urgency, invokes authority, and discourages verification through the confidentiality request.

2. Invoice Manipulation

Attacker compromises or impersonates a vendor to change payment details.

“Please update our banking information for future invoices. Our previous account is being migrated.”

The email arrives when a legitimate payment is expected. Everything looks correct except the routing numbers.

3. Account Compromise

Attacker compromises an employee’s email account and uses it to request payments from contacts.

Because emails come from the actual compromised account with full conversation history, recipients have no reason to suspect fraud.

4. Attorney Impersonation

Attacker poses as legal counsel during sensitive transactions: M&A deals, litigation settlements, real estate closings.

The legal context creates urgency and confidentiality that discourage normal verification.

5. Data Theft

Attacker requests W-2s, employee records, or other sensitive data rather than direct payment.

“HR, I need all employee W-2s for a tax compliance audit. Please send by end of day.”

This variant enables identity theft and tax fraud against employees.

BEC attacks are engineered to bypass security tools:

Why It Evades Detection | Explanation
--- | ---
No malicious links | Nothing for URL scanners to catch
No attachments | Nothing for sandboxes to analyze
Legitimate sender reputation | Uses real or lookalike domains
Normal email content | Text matches typical business communication
Often from real accounts | Compromised legitimate email accounts

Email security catches obvious fraud. BEC attacks aren’t obvious. They’re crafted to appear completely normal.

Employees can’t stop what they don’t recognize. Training must cover:

Request characteristics:

  • Unusual urgency (“must be done today”)
  • Confidentiality demands (“keep this between us”)
  • Authority pressure (“the CEO needs this”)
  • Process bypass requests (“skip normal approval this once”)
  • Changed payment details (“use this new account”)

Context indicators:

  • First-time requests from executives
  • Requests outside normal business hours
  • Unusual vendors or payment amounts
  • Timing aligned with executive travel or unavailability
  • Email threads that don’t match previous conversation history

Training must include clear verification requirements:

For wire transfers:

  • Verbal confirmation through known phone numbers (not numbers in the email)
  • Dual authorization for transfers above threshold
  • Cooling-off period for unexpected requests
  • Standard process that cannot be bypassed by claimed urgency

For payment detail changes:

  • Independent verification with vendor through established contacts
  • Comparison against historical payment records
  • Review of any recent correspondence for signs of compromise

For sensitive data requests:

  • Verification of requestor identity through separate channel
  • Manager approval regardless of apparent sender
  • Confirmation that request matches legitimate business need

BEC training requires simulation exercises that test whether procedures are actually followed.

Effective simulations:

  • Mimic real attack patterns employees might face
  • Create time pressure without being unfair
  • Test whether employees verify before acting
  • Provide immediate education when procedures aren’t followed

What to measure:

  • Percentage who attempt verification before acting
  • Time between request and verification attempt
  • Proper use of established verification procedures
  • Willingness to question requests from apparent authority

Finance and Accounts Payable

Highest-risk group for direct financial loss.

Training focus:

  • Wire transfer verification procedures (no exceptions)
  • Vendor payment change protocols
  • Recognition of urgency manipulation
  • Authority to delay suspicious requests

Executive Assistants

Often targeted as gatekeepers with broad access and trust.

Training focus:

  • Verifying executive identity on unusual requests
  • Recognizing when executive accounts may be compromised
  • Procedures when executives are traveling or unavailable
  • Protection of executive schedules and travel information

HR and Payroll

Targets for W-2 fraud and payroll diversion.

Training focus:

  • Verification requirements for bulk data requests
  • Recognition of tax-season attack patterns
  • Direct deposit change verification
  • Sensitivity to “urgent compliance” pretexts

Real Estate and Closing Teams

High-value transaction targets.

Training focus:

  • Wire instruction verification for closings
  • Recognition of last-minute change requests
  • Independent confirmation of attorney identity
  • Awareness of public transaction information attackers exploit

Training works best alongside process controls that create natural verification checkpoints.

Require two people to approve significant transactions. This creates a natural verification step. The second approver has no reason to feel urgency pressure from the original request.

Before processing wire transfers or payment changes, require phone verification using independently obtained contact information. Never use numbers provided in the request.

Establish minimum processing times for large or unusual transactions. A 24-hour hold on unexpected wire requests gives time for verification and reduces attacker leverage from manufactured urgency.

Any change to vendor payment information triggers independent verification through established contacts, not contacts provided in the change request.

Metric | Target
--- | ---
Verification rate on BEC simulations | >90%
Average time to verify | <30 minutes
Compliance with verification procedures | >95%

Additional indicators:

  • Reduction in successful social engineering attempts
  • Increase in suspicious request reports
  • Decrease in process bypass attempts
  • Employee confidence in verification procedures

Run quarterly BEC simulations targeting different attack scenarios:

  • CEO fraud wire requests
  • Vendor payment change requests
  • Sensitive data requests
  • Last-minute transaction modifications

Track whether employees follow verification procedures, not just whether they “pass” or “fail.”

When BEC attacks occur, rapid response can sometimes recover funds.

  1. Contact bank immediately - Request wire recall or hold
  2. Preserve evidence - Don’t delete emails or modify anything
  3. Identify scope - Determine what else may be compromised
  4. Report to FBI IC3 - File complaint for law enforcement coordination

Post-incident review:

  • Analyze attack vector (spoofed domain, compromised account, etc.)
  • Review what information attackers had access to
  • Identify other potential targets in the organization
  • Assess whether accounts may still be compromised
  • Implement additional controls to prevent similar attacks
  • Update training based on lessons learned
  • Communicate (sanitized) incident to organization for awareness
  • Review and strengthen verification procedures

Case Study: Near-Miss at Manufacturing Firm

A CFO received an urgent email from what appeared to be the CEO during an overseas business trip:

“Need you to process a $180,000 wire transfer for equipment purchase. Confidential until we announce the expansion. Account details attached.”

The CFO prepared the transfer but called the CEO to confirm before submitting, using the CEO’s personal cell number, not a number from the email. The CEO knew nothing about it.

Investigation revealed:

  • Attackers had compromised a vendor’s email account
  • They had access to information about the CEO’s travel
  • The email came from a lookalike domain (ceo@company-corp.com instead of ceo@companycorp.com)
  • Request amount was deliberately below the CFO’s authorization threshold

What worked: Established callback verification procedure saved $180,000.

What needed improvement: Domain monitoring could have detected the lookalike registration. Travel information access needed review.

I’ve talked to dozens of CFOs and finance managers who stopped BEC attacks. Every single one of them describes the same thing: they almost didn’t make the verification call. The email looked right. The amount was reasonable. They were busy. Making a phone call to confirm felt like overkill.

They made the call anyway.

That’s what separates organizations that lose $125,000 from organizations that don’t. Not better email filters. Not smarter employees. Just a simple habit: when something involves money changing hands, you verify through a separate channel. Every time. No exceptions.

The attackers know you’re busy. They know that calling feels awkward. They’re counting on it.


Build verification reflexes that stop BEC attacks. Try our free security awareness exercises featuring realistic business email compromise scenarios.

Email Security Training: Protecting Your Organization from Email-Based Threats

Email remains the primary attack vector. Despite decades of security investment, 91% of cyber attacks still begin with an email. Your employees receive these attacks daily, and a single click can compromise your entire organization.

Email security training transforms employees from potential victims into active defenders. When your workforce recognizes phishing attempts, verifies suspicious requests, and reports threats quickly, email-based attacks fail regardless of their sophistication.

Technical email security has improved. Spam filters catch obvious threats. Secure email gateways block known malicious domains. AI-powered solutions detect anomalies. Yet attacks keep succeeding.

The reason is simple: attackers adapt faster than technology. When filters block one tactic, attackers develop another. When detection catches patterns, attackers change patterns. The arms race between attackers and technology never ends.

Trained employees provide a different kind of defense. They apply judgment, recognize context, and identify threats that evade technical controls. A well-crafted spear phishing email might bypass every filter, but an employee who knows to verify unexpected requests stops the attack anyway.

Attack Type | Average Cost | Frequency | Primary Target
--- | --- | --- | ---
Business Email Compromise | $125,000+ | Daily attempts | Finance, Executive
Ransomware (via email) | $1.85 million | Growing rapidly | All employees
Credential Theft | $4.5 million (breach) | Constant | IT, Administrative
Data Exfiltration | Varies widely | Regular attempts | Data handlers

These costs don’t include reputation damage, customer loss, or regulatory penalties. A single successful email attack often causes cascading harm far beyond the initial compromise.

Mass phishing casts a wide net, hoping some percentage of recipients click. These attacks mimic:

  • Account alerts (“Your password expires today”)
  • Shipping notifications (“Your package couldn’t be delivered”)
  • Financial warnings (“Unusual activity detected”)
  • IT requests (“Verify your credentials”)

While less sophisticated than targeted attacks, volume ensures success. If 1% of employees click and you have 1,000 employees, that’s 10 compromised accounts from a single campaign.

Targeted phishing uses research to create convincing messages for specific individuals. Attackers study LinkedIn profiles, company announcements, and social media to craft relevant lures.

A spear phishing email might reference:

  • Recent company news or projects
  • Specific colleagues by name
  • Actual vendors or partners
  • Real business processes

This personalization dramatically increases success rates compared to mass phishing.

BEC attacks impersonate trusted parties to manipulate employees into taking harmful actions, typically involving money or data.

Common BEC scenarios:

  • CEO fraud: Attacker poses as executive requesting urgent wire transfer
  • Vendor impersonation: Fake invoice with changed payment details
  • Attorney impersonation: Pressure for immediate action on “confidential” matter
  • Data theft: Request for employee records or financial information

BEC attacks cost organizations billions annually and often bypass technical controls entirely because they contain no malware or malicious links.

These attacks aim to steal login credentials through:

  • Fake login pages mimicking real services
  • “Password reset” requests that capture current credentials
  • “Account verification” forms requesting sensitive data

Stolen credentials enable further attacks, from email account takeover to network compromise.

Email delivers malware through:

  • Malicious attachments (documents, archives, executables)
  • Links to drive-by download sites
  • Embedded content that exploits vulnerabilities

Once malware executes, attackers gain foothold for ransomware deployment, data theft, or persistent access.

Train employees to examine emails critically:

Sender verification

  • Check actual email address, not just display name
  • Verify domain spelling (paypa1.com vs paypal.com)
  • Question unexpected emails from known contacts

Content red flags

  • Urgency demanding immediate action
  • Threats of negative consequences
  • Requests for credentials or sensitive data
  • Generic greetings instead of personal address
  • Grammar and spelling errors (though sophisticated attacks avoid these)

Link safety

  • Hover to preview destination before clicking
  • Verify URLs match expected destinations
  • Watch for misleading link text
  • Never enter credentials after clicking email links

Attachment caution

  • Question unexpected attachments
  • Be wary of uncommon file types
  • Enable protected view for Office documents
  • Report suspicious attachments before opening

Help employees understand (at a basic level) how email authentication works:

  • SPF, DKIM, DMARC: Technical standards that let a receiving mail server check whether a message was sent by infrastructure authorized for its sending domain
  • Why spoofing still works: Attackers use lookalike domains that pass authentication
  • What employees should do: Verify through independent channels, not email alone
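As an added example that is not part of the original post, the following Python sketch shows why the second bullet matters and how the domain-monitoring lesson from the case study in the BEC post above could be automated: a direct spoof of your own domain fails DMARC, while a lookalike such as company-corp.com or c0mpanycorp.com can pass SPF, DKIM and DMARC because the attacker owns it, so the sender domain itself has to be compared against your protected domain. The protected domain, the homoglyph table and the sample messages are constructed assumptions, and the Authentication-Results parsing is simplified.

```python
import re
import unicodedata
from dataclasses import dataclass
from typing import Optional

# Assumed for this example: the organization's own domain (constructed, as in the
# case study's companycorp.com); a real deployment loads this from configuration.
PROTECTED_DOMAINS = {"companycorp.com"}
# Characters commonly swapped in for letters when building a lookalike domain.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
                            "@": "a", "$": "s", "|": "l", "!": "i"})
# method=result pairs as they appear in an Authentication-Results header.
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(pass|fail|none|softfail|temperror|permerror)", re.I)

@dataclass
class Verdict:
    domain: str
    category: str  # trusted, spoofed, lookalike or external
    reason: str

def normalize_name(name: str) -> str:
    """Canonical form of a domain name (without TLD): Unicode folded to ASCII,
    homoglyph digits/punctuation mapped back to letters, hyphens dropped, and
    the 'rn' -> 'm' and 'vv' -> 'w' tricks collapsed."""
    folded = unicodedata.normalize("NFKC", name).encode("ascii", "ignore").decode()
    folded = folded.lower().translate(HOMOGLYPHS).replace("-", "")
    return folded.replace("rn", "m").replace("vv", "w")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (standard dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(domain: str) -> str:
    """Last two labels (mail.companycorp.com -> companycorp.com). Fine for the
    .com-style names here; production code should use the public suffix list."""
    return ".".join(domain.lower().strip(".").split(".")[-2:])

def lookalike_of(domain: str) -> Optional[str]:
    """Protected domain this sender domain imitates, or None. A domain is a
    lookalike when it is not ours but its normalized name equals ours, is within
    one edit of ours, or embeds ours (companycorp-secure.com). The distance
    threshold needs tuning for short names."""
    reg = registrable(domain)
    if reg in PROTECTED_DOMAINS:
        return None
    name = normalize_name(reg.rpartition(".")[0] or reg)
    for prot in PROTECTED_DOMAINS:
        prot_name = normalize_name(prot.rpartition(".")[0] or prot)
        if name == prot_name or edit_distance(name, prot_name) <= 1 or prot_name in name:
            return prot
    return None

def triage_sender(from_addr: str, auth_results: str) -> Verdict:
    """Classify a sender as a defender's mail rule would, from the From domain
    plus the receiving server's Authentication-Results header: our domain with
    DMARC pass is trusted (money requests still get a callback), our domain
    without DMARC pass is a direct spoof, and a lookalike domain is flagged
    regardless of authentication, because the attacker registered it and can
    make SPF, DKIM and DMARC all pass for it."""
    domain = from_addr.rsplit("@", 1)[-1].strip("> ").lower()
    results = {m.lower(): r.lower() for m, r in AUTH_RE.findall(auth_results)}
    dmarc = results.get("dmarc", "none")
    if registrable(domain) in PROTECTED_DOMAINS:
        if dmarc == "pass":
            return Verdict(domain, "trusted", "own domain, dmarc=pass")
        return Verdict(domain, "spoofed", f"own domain but dmarc={dmarc}")
    target = lookalike_of(domain)
    if target:
        return Verdict(domain, "lookalike", f"imitates {target} despite dmarc={dmarc}")
    return Verdict(domain, "external", f"unrelated domain, dmarc={dmarc}")

# Constructed sample messages (not real mail): From header value and the
# Authentication-Results header the receiving gateway would have added.
SAMPLES = [
    ("CEO <ceo@companycorp.com>", "mx.companycorp.com; spf=pass; dkim=pass; dmarc=pass"),
    ("CEO <ceo@companycorp.com>", "mx.companycorp.com; spf=fail; dkim=none; dmarc=fail"),
    ("CEO <ceo@company-corp.com>", "mx.companycorp.com; spf=pass; dkim=pass; dmarc=pass"),
    ("CEO <ceo@cornpanycorp.com>", "mx.companycorp.com; spf=pass; dkim=pass; dmarc=pass"),
    ("CEO <ceo@c0mpanycorp.com>", "mx.companycorp.com; spf=pass; dkim=none; dmarc=none"),
    ("Billing <ar@vendor-example.net>", "mx.companycorp.com; spf=pass; dkim=pass; dmarc=none"),
]

def triage_all(samples=SAMPLES):
    """Run every sample through the rule and return the verdicts in order."""
    return [triage_sender(addr, auth) for addr, auth in samples]

if __name__ == "__main__":
    for v in triage_all():
        print(f"{v.category:<9} {v.domain:<20} {v.reason}")
```

The lookalike and spoofed verdicts are the ones to feed into an external-sender banner or quarantine rule; a trusted verdict still does not replace the callback for anything involving money.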

Establish clear guidelines:

Never:

  • Send passwords or credentials via email
  • Click links in unexpected security alerts
  • Open attachments from unknown senders
  • Trust caller ID or sender names alone
  • Bypass verification procedures due to urgency

Always:

  • Verify unexpected requests through separate channels
  • Report suspicious emails even if uncertain
  • Use bookmarks or type URLs directly for sensitive sites
  • Confirm wire transfer or payment changes by phone
  • Check with IT security about questionable emails

Establish specific verification procedures:

Wire transfer requests:

  1. Call requester using known number (not from email)
  2. Verify authorization through documented approval chain
  3. Confirm account details independently
  4. Document verification steps

Vendor payment changes:

  1. Contact vendor using existing relationship contact
  2. Verify through multiple methods before implementing
  3. Implement waiting period for payment changes
  4. Flag and review all payment detail modifications

Credential requests:

  1. Never provide passwords via email regardless of sender
  2. Report all credential requests to IT security
  3. Navigate to sites directly rather than through email links
  4. Contact IT through known channels to verify legitimacy

Regular phishing simulations test employee recognition in realistic scenarios. Effective simulation programs:

  • Use varied attack types (different lures, tactics, sophistication levels)
  • Test all employees, including executives
  • Provide immediate feedback when employees click
  • Track progress over time
  • Focus on education, not punishment

Simulations build practical recognition skills that passive training cannot develop.

Hands-on exercises where employees practice:

  • Identifying phishing versus legitimate emails
  • Analyzing headers and sender information
  • Making decisions under realistic conditions
  • Reporting suspicious messages

Interactive training creates stronger learning than videos or documents alone.

Examine actual attacks to understand:

  • How sophisticated attacks unfold
  • Why victims fell for schemes
  • What warning signs existed
  • How similar attacks can be prevented

Real examples make abstract threats concrete and memorable.

Deliver training at relevant moments:

  • Education immediately after clicking simulation
  • Reminders during high-risk periods
  • Updates when new threats emerge
  • Reinforcement tied to actual email activity

Timely training maximizes relevance and retention.

Building an Email Security Training Program

Establish baseline through:

  • Initial phishing simulation to measure click rates
  • Survey to assess current knowledge
  • Review of past email security incidents
  • Identification of highest-risk roles

Deploy core email security education:

  • Email threat landscape overview
  • Recognition skills for common attacks
  • Reporting procedures and resources
  • Verification process training

All employees complete baseline training before advanced modules.

Launch regular phishing simulations:

  • Monthly simulations for all employees
  • Varied difficulty and attack types
  • Immediate feedback and education
  • Progress tracking and reporting

Simulations should feel like real attacks, not obvious tests.

Provide deeper training for specific needs:

  • Role-specific threat training (finance, executive, IT)
  • Emerging threat updates
  • Scenario-based exercises
  • Refresher training for struggling employees

Embed email security into organizational culture:

  • Recognition for reporting
  • Regular security communications
  • Leadership participation and messaging
  • Continuous improvement based on metrics

Measuring Email Security Training Effectiveness

Metric | Baseline | Target | Excellent
--- | --- | --- | ---
Phishing click rate | 20-35% | Under 10% | Under 5%
Reporting rate | 10-20% | Over 50% | Over 70%
Time to report | Days | Hours | Under 1 hour
Repeat clickers | Common | Rare | Very rare

Additional metrics:

  • Training completion rates
  • Assessment scores
  • Employee confidence levels
  • Incident reduction
  • Near-miss reports

Track improvement over time:

  • Click rate changes across simulations
  • Reporting rate growth
  • Response time improvements
  • Risk reduction across the organization

Finance teams face the highest-value email attacks:

Focus areas:

  • BEC and CEO fraud recognition
  • Invoice fraud detection
  • Payment change verification
  • Wire transfer security procedures

Simulations should include:

  • Fake executive requests
  • Vendor impersonation attempts
  • Urgency-based payment demands
  • Account detail change requests

Executives are prime targets for whaling attacks:

Focus areas:

  • High-value target awareness
  • Sophisticated attack recognition
  • Verification importance (even for “urgent” requests)
  • Leading by example

Simulations should include:

  • Board member impersonation
  • Legal urgency scenarios
  • Confidential matter requests
  • Time-sensitive authorization demands

IT employees face targeted attacks seeking system access:

Focus areas:

  • Credential theft recognition
  • System access request verification
  • Vendor and support impersonation
  • Insider threat awareness

Simulations should include:

  • Fake support requests
  • Credential reset attempts
  • System access demands
  • Technical support impersonation

Universal email security skills everyone needs:

  • Basic phishing recognition
  • Link and attachment safety
  • Reporting procedures
  • Password protection

Training works best alongside technical controls:

  • Email authentication (SPF, DKIM, DMARC)
  • Advanced threat protection
  • Link scanning and sandboxing
  • Attachment filtering
  • Impersonation detection

Process controls:

  • Multi-person approval for significant transactions
  • Out-of-band verification requirements
  • Payment change waiting periods
  • Documented authorization procedures

Reporting infrastructure:

  • Easy reporting mechanisms (button in email client)
  • Clear escalation procedures
  • Feedback loops for reporters
  • Integration with security operations

Problem: Simulations designed to trick employees rather than train them. Impossible-to-detect tests create resentment without building skills.

Solution: Design simulations that challenge but are detectable with proper attention. The goal is education, not embarrassment.

Problem: Employees who click face public shaming, job consequences, or repeated remediation. This drives behavior underground rather than improving it.

Solution: Treat clicks as learning opportunities. Focus on improvement, provide support, and celebrate progress rather than punishing failure.

Problem: Annual training creates brief awareness that fades within weeks. Employees forget lessons before they encounter real attacks.

Solution: Maintain continuous touchpoints through monthly simulations, regular tips, and ongoing reinforcement.

Problem: Training uses examples irrelevant to employees’ actual work. Accountants need different scenarios than engineers.

Solution: Customize simulations and training to reflect real threats facing specific roles and your industry.

Problem: Training emphasizes recognition but neglects reporting. Employees identify threats but don’t escalate them appropriately.

Solution: Make reporting easy, celebrate reporters, and track reporting metrics alongside click rates.

Email remains the primary path attackers use to reach your employees. Technical controls block many threats but cannot stop sophisticated attacks that exploit human judgment. Email security training fills this gap.

Effective programs combine knowledge (understanding threats), practice (realistic simulations), and culture (encouraging reporting). They treat employees as partners in security rather than problems to be managed.

The investment pays returns beyond security metrics. Organizations with strong email security training experience fewer incidents, faster detection when attacks occur, reduced breach impact, and employees who feel empowered rather than victimized.

Your employees will receive malicious emails. With proper training, they’ll recognize and report them instead of clicking.


Build practical email security skills through hands-on practice. Try our free phishing simulation exercises and experience interactive training that develops real threat recognition abilities.

Whaling Attacks: Why Executives Are Prime Targets and How to Protect Them

When attackers want maximum impact, they don’t send mass emails hoping someone clicks. They research a CEO, CFO, or board member for weeks. They craft a perfect message. They wait for the right moment to strike.

This is whaling: spear phishing that targets executives. It accounts for some of the largest individual fraud losses in cybersecurity history.

Executives present unique value to attackers:

Decision-making authority: They can approve wire transfers, access strategic information, and override processes without additional approval.

Public visibility: LinkedIn profiles, press releases, conference appearances, and SEC filings provide detailed information for crafting convincing attacks.

Time pressure: Busy schedules mean executives often process requests quickly without thorough verification.

Communication patterns: Executives regularly send brief, action-oriented emails. “Handle this” from the CEO doesn’t raise suspicion.

Assistants and delegates: Attackers can impersonate executives to their staff, or impersonate vendors to executives.

Attackers gather intelligence from:

  • LinkedIn (reporting relationships, recent role changes)
  • Company website (executive bios, recent announcements)
  • SEC filings (names of lawyers, auditors, M&A activity)
  • Press releases (partnerships, transactions in progress)
  • Social media (travel schedules, personal interests)
  • Conference agendas (speaking engagements, travel timing)

Armed with research, attackers create plausible scenarios:

Vendor impersonation: “We’re updating our banking information ahead of the next quarterly payment…”

Legal urgency: “Regarding the confidential matter we discussed, I need this wire completed today…”

Board communication: “The audit committee has requested immediate access to…”

Executive impersonation: “I’m traveling and can’t call. Process this wire for the acquisition quietly.”

Attacks often coincide with:

  • Executive travel (can’t easily verify in person)
  • Earnings seasons (financial staff under pressure)
  • Major transactions (M&A, fundraising)
  • Holidays and weekends (reduced oversight)

The attack appears legitimate because it:

  • Uses information that seems to require insider knowledge
  • Matches executive communication patterns
  • Creates urgency that discourages verification
  • Exploits authority relationships

Ubiquiti Networks (2015)

Attackers impersonating executives and lawyers instructed finance staff to wire funds to overseas accounts for a “confidential acquisition.” The company recovered only $8.1 million.

FACC (2016)

The Austrian aerospace company lost €50 million when attackers convinced finance staff that the CEO had authorized emergency transfers. Both the CEO and CFO were fired.

Mattel (2015)

Attackers impersonating the CEO convinced a finance executive to wire $3 million to a Chinese bank. Recovery succeeded only because the attack occurred on a Chinese banking holiday, creating a window to reverse the transfer.

What Makes Whaling Different from Standard Phishing

Characteristic | Standard Phishing | Whaling
--- | --- | ---
Target selection | Random or bulk | Specifically researched individuals
Research investment | Minimal | Extensive (weeks or months)
Personalization | Generic templates | Highly customized
Attack volume | Thousands at once | One or few targets
Pretext quality | Often implausible | Carefully constructed
Financial impact | Usually smaller | Often catastrophic

Limit public information exposure: Executives should understand that every public detail enables more convincing attacks.

Verify unexpected requests: Even requests that seem to come from peers should be verified through separate channels for unusual actions.

Use secure communication: Establish out-of-band verification methods for sensitive transactions.

Maintain healthy skepticism: Authority doesn’t exempt executives from verification. They should expect to be questioned.

Dual authorization: Require two-person approval for transfers above threshold, regardless of who requests.

Callback verification: Before acting on wire instructions, call a known number (not one from the email) to confirm.

Executive communication protocols: Establish that legitimate requests for sensitive actions will never ask to bypass verification.

Travel awareness: Heightened verification when executives are traveling or unavailable.

Email authentication: Implement DMARC, DKIM, and SPF to make domain spoofing harder.

External email warnings: Banner alerts for emails from outside the organization.

Domain monitoring: Alert when lookalike domains are registered.

Multi-factor authentication: Even if credentials are compromised, MFA provides a second barrier.

Executives often exempt themselves from security training. This is exactly backwards: they face the most sophisticated attacks.

Attack patterns: Real examples of whaling attacks, especially against similar organizations.

Personal information exposure: Demonstrating what attackers can learn from public sources.

Verification procedures: Clear processes for confirming unusual requests.

Reporting without shame: Creating culture where reporting suspicious contacts is expected, not embarrassing.

Make it personal: Show what attackers can learn about them specifically, not generic threats.

Use relevant examples: Industry-specific case studies with financial impact.

Keep it brief: 30-minute sessions focused on actionable guidance.

Include their teams: Train assistants and direct reports on verification procedures.

Whaling can work both ways. Attackers may compromise executive accounts and use them to attack the organization.

Warning signs of a compromised executive account:

  • Unusual requests to staff for wire transfers or sensitive data
  • Communication patterns that don’t match the executive’s normal style
  • Requests explicitly telling staff not to verify or discuss with others
  • Emails sent at unusual times or from unexpected locations

Protective measures:

  • Aggressive monitoring of executive account activity
  • Alerts for suspicious login locations or times
  • Enhanced authentication requirements
  • Regular review of authorized access

When an attempt is detected and stopped:

  1. Document the attempt thoroughly
  2. Report to security team for analysis
  3. Alert peer organizations who may face similar attacks
  4. Use the example for internal training

When an attack succeeds:

  1. Contact bank immediately to attempt recall
  2. Preserve all evidence (emails, logs, communications)
  3. Report to FBI IC3 for potential recovery assistance
  4. Engage incident response team
  5. Conduct thorough investigation of compromise scope

Whaling attacks succeed because they exploit what makes executives effective: authority, quick decision-making, and access to organizational resources. The characteristics that enable leadership become vulnerabilities when attackers target them.

Protection requires executives to accept that they are targets, participate in training rather than exempting themselves, and follow verification procedures even when requests appear to come from trusted sources.

The CEO who insists on callback verification for wire transfers isn’t paranoid. They’re protecting the organization from the attacks specifically designed to exploit their position.


Prepare your leadership team for sophisticated attacks. Try our free security awareness exercises featuring executive-targeted scenarios based on real whaling attacks.