Business Email Compromise (BEC) is currently one of the fastest growing forms of digital fraud. In BEC, criminals pose as a person who is trusted within an organization—often a director or manager (CEO fraud). In this article, you can read more about how BEC attacks typically unfold, how you can recognize them, and how you can protect your organization against them.

Cyclotron participants are seeing an increase in the number of Business Email Compromise (BEC) incidents. Based on their observations, BEC has become one of the fastest growing forms of digital fraud. The impact is also significant internationally. In its IC3 Internet Crime Report for 2024, the US FBI reported a total loss of $2.77 billion as a result of BEC fraud. BEC focuses on exploiting existing relationships and bonds of trust within and between organizations. This is precisely what makes BEC such a persistent threat: the attacker pretends to be a trusted sender, making fraudulent requests almost indistinguishable from legitimate communications.
“We regularly see organizations only coming to us after significant damage has already been done. In some cases, the losses ranged from €750,000 to more than €4 million.”
— Bas van Wingerden, Fox-IT
This publication was developed within the Cyclotron program. The core of Cyclotron is the public-private collection, interpretation, and sharing of threat information between public and private organizations, so that patterns become visible more quickly and organizations can act more effectively against current cyber threats.
This publication was produced in collaboration with various partners, who contributed their expertise and practical experience to paint a picture of Business Email Compromise cases in the Netherlands.
In Business Email Compromise, criminals pose as a person who is trusted within an organization—often a director or manager (CEO fraud), but also a colleague, supplier (invoice fraud), or customer. The method is often the same: trying to obtain confidential information through deception. The criminals' goals can vary, such as changing account numbers, obtaining login details, stealing sensitive information, or using hacked accounts for new phishing campaigns.
The power of BEC lies not in technical complexity, but in the abuse of social influence principles. BEC fraudsters make clever use of (subtle) social pressure, for example by capitalizing on scarcity to create a sense of urgency ("this must be done today"), exploiting reciprocity by first building trust or asking for small favors, or leaning on an authority figure (the director or manager). The success of the attack goes hand in hand with how well the attacker understands the victim's internal processes and habits.
An employee of a medium-sized company received a seemingly normal email from the director requesting a payment of €45,000. Everything in the message was correct: the tone, the timing, the references to ongoing projects. It was only days later that it became apparent that the director had never sent the message. Attackers had previously gained access to an employee's mailbox and were able to read internal communications. The money had been siphoned off abroad and was irretrievably lost.
“If the past 10 years of incident response have taught us anything, it is that BEC incidents are not going away. Attackers evolve, and organizations must continuously evolve to remain resilient against these ever-changing attack techniques.”
— Korstiaan Stam, Invictus Incident Response
In practice, we see that many BEC attacks do not start out as targeted attacks, but originate from large-scale phishing campaigns. Organizations receive masses of seemingly neutral messages, such as a notification that a document has been shared, which lead to a phishing page. Once an attacker gains access to one or more accounts in this way, the targeted phase of the attack begins. The attacker analyzes mailboxes, communication patterns, and roles within the organization to select the most interesting victims. This is followed by the classic BEC method, in which credible messages are sent using a fake domain or a compromised email account that seamlessly match existing communications, including copied signatures and logos. These messages often contain an urgent request that must be dealt with without consultation and closely resemble normal business communications. As soon as the victim acts, money is immediately siphoned off or data is misused for further fraud.
BEC affects organizations of all sizes, but SMEs appear to be particularly vulnerable. Short lines of communication, informal decision-making, and less strictly separated roles make it easier for criminals to abuse trust. Even when an attacker sees no opportunity for direct financial gain, abuse of a hacked mailbox can lead to considerable reputational damage.
Many BEC attempts display recognizable signs. Messages that emphasize urgency, requests that demand confidentiality, or unexpected changes in payment details are clear warning signs. Sharing documents via platforms such as SharePoint, often accompanied by a link to a fake login page, is also becoming increasingly common. During busy periods or when workloads are high, employees are more likely to miss these signs, which attackers exploit.
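The warning signs listed above, together with the lookalike-domain and compromised-account tactics described earlier, can be turned into a simple triage check that a finance or security team runs over a suspicious message. The script below is an added example and is not code from the article or from the Cyclotron program: it parses an email, flags a sender domain that merely resembles a trusted one, a Reply-To that points elsewhere, a failed DMARC result, and wording that presses for urgency, secrecy, or a change of bank details. The trusted-domain list, the keyword patterns and both sample messages are constructed for the demonstration.

```python
"""Heuristic triage of a message for the BEC warning signs in the article.

Added example, not code from the article or the Cyclotron program.
TRUSTED_DOMAINS, the keyword patterns and the sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List

# Assumption: the organization's own domain and one known supplier domain.
TRUSTED_DOMAINS = {"example-corp.nl", "supplier-example.com"}

URGENCY = re.compile(r"\b(urgent(ly)?|today|immediately|asap|right away)\b", re.I)
SECRECY = re.compile(r"\b(confidential|between us|do not (discuss|mention|tell))\b", re.I)
PAYMENT_CHANGE = re.compile(r"\b(new|changed|updated)\s+(bank\s+)?(account|iban)\b", re.I)

# Visually confusable substitutions commonly seen in lookalike domains.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small distance to a trusted domain suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(domain: str) -> str:
    """Collapse homoglyph substitutions so 'exarnple' compares equal to 'example'."""
    d = domain.lower()
    for glyph, plain in HOMOGLYPHS.items():
        d = d.replace(glyph, plain)
    return d


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike' or 'external' for a sender domain."""
    if domain in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or levenshtein(domain, trusted) <= 2:
            return "lookalike"
    return "external"


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def assess(raw_message: str) -> Dict[str, object]:
    """Score one plain-text RFC 5322 message; every finding is one warning sign."""
    msg = message_from_string(raw_message)
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1]
    from_domain, reply_domain = _domain(from_addr), _domain(reply_addr)
    findings: List[str] = []

    if classify_domain(from_domain) == "lookalike":
        findings.append(f"sender domain {from_domain!r} resembles a trusted domain")
    if reply_addr and reply_domain != from_domain:
        findings.append(f"Reply-To goes to {reply_domain!r}, not the sender's domain")
    dmarc = re.search(r"dmarc=(\w+)", msg.get("Authentication-Results", ""), re.I)
    if dmarc and dmarc.group(1).lower() != "pass":
        findings.append(f"DMARC result is {dmarc.group(1)}")

    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    if URGENCY.search(text):
        findings.append("wording presses for urgency")
    if SECRECY.search(text):
        findings.append("request asks for confidentiality")
    if PAYMENT_CHANGE.search(text):
        findings.append("mentions new or changed bank details")

    score = len(findings)
    verdict = "normal" if score == 0 else "caution" if score < 3 else "verify out of band"
    return {"score": score, "verdict": verdict, "findings": findings}


# Constructed sample: a lookalike domain the attacker controls, so SPF and DMARC pass.
SAMPLE_FRAUD = """\
From: "J. de Vries (CEO)" <j.devries@exarnple-corp.nl>
Reply-To: jdv.private@mail-example.net
To: finance@example-corp.nl
Subject: Urgent payment today - confidential
Authentication-Results: mx.example-corp.nl; spf=pass; dmarc=pass header.from=exarnple-corp.nl

Please transfer EUR 45,000 to the new account below immediately.
Keep this between us until the deal is announced.
"""

# Constructed sample: routine internal mail from the real domain.
SAMPLE_LEGIT = """\
From: "J. de Vries" <j.devries@example-corp.nl>
To: finance@example-corp.nl
Subject: Q3 supplier invoices
Authentication-Results: mx.example-corp.nl; spf=pass; dmarc=pass header.from=example-corp.nl

Attached are the Q3 invoices for the next finance meeting.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FRAUD, SAMPLE_LEGIT):
        print(assess(sample))
```

Note that the fraudulent sample passes SPF and DMARC: a lookalike domain registered by the attacker authenticates perfectly well, which is why authentication results alone never settle the question and the content and domain-similarity checks carry most of the weight. A score in the "verify out of band" range is the cue for the telephone check of bank details mentioned later in the article, not for a reply to the message itself.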
Many SMEs rely on their Managed (Security) Service Provider to manage their IT environment. This makes it important to have targeted discussions with these service providers about their measures against BEC. For example, ask your service provider about the implementation of impersonation protection, the monitoring of suspicious logins, the approach to OAuth apps, and the disabling of legacy authentication. The speed and quality of incident reporting and good protection against spoofing (good email configuration) can also be crucial for effective protection.
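One of the items to raise with a service provider is the "good email configuration" against spoofing, which in practice means the domain's SPF and DMARC records. The checker below is an added example, not code from the article or any provider: it takes the TXT record text as input (so it runs offline, without DNS lookups) and reports the settings that leave a domain easy to spoof, with a constructed weak configuration beside a hardened one. The sample records and domain names are constructed.

```python
"""Evaluate SPF and DMARC record text for settings that permit spoofing.

Added example, not from the article. Records are passed in as strings so no
DNS lookups are needed; the sample records below are constructed.
"""
from typing import Dict, List

# SPF mechanisms and modifiers that each cost one DNS lookup (RFC 7208 limits these to 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> List[str]:
    """Return human-readable weaknesses found in an SPF record."""
    issues: List[str] = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]

    # Strip the qualifier and any argument to get the bare mechanism name.
    names = [t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower() for t in terms[1:]]
    all_terms = [t for t, n in zip(terms[1:], names) if n == "all"]
    if not all_terms:
        issues.append("no 'all' mechanism: unlisted senders are treated as neutral")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("'+all' authorizes any host to send as this domain")
        elif qualifier == "?":
            issues.append("'?all' is neutral: spoofed mail is not rejected")
        elif qualifier == "~":
            issues.append("'~all' is a soft fail: receivers may still deliver spoofed mail")

    lookups = sum(1 for n in names if n in LOOKUP_TERMS)
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups exceed the limit of 10; receivers return permerror")
    return issues


def check_dmarc(record: str) -> List[str]:
    """Return human-readable weaknesses found in a DMARC record."""
    issues: List[str] = []
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]

    policy = tags.get("p", "").lower()
    if policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: move to p=reject once the reports are clean")
    elif policy != "reject":
        issues.append("missing or unknown p= tag")

    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        issues.append(f"pct={pct}: the policy is applied to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so abuse stays invisible")
    subdomain_policy = tags.get("sp", "").lower()
    if subdomain_policy and subdomain_policy != "reject":
        issues.append(f"sp={subdomain_policy}: subdomains remain spoofable")
    return issues


def evaluate(spf: str, dmarc: str) -> Dict[str, object]:
    """Combine both checks; 'hardened' is True only when nothing was flagged."""
    spf_issues, dmarc_issues = check_spf(spf), check_dmarc(dmarc)
    return {"spf": spf_issues, "dmarc": dmarc_issues, "hardened": not (spf_issues or dmarc_issues)}


# Constructed weak configuration: neutral SPF, monitor-only DMARC on half the mail, no reports.
WEAK_SPF = "v=spf1 a mx include:_spf.mail-example.com ?all"
WEAK_DMARC = "v=DMARC1; p=none; pct=50"

# Constructed hardened configuration: hard fail, reject policy, strict alignment, reporting.
HARDENED_SPF = "v=spf1 include:_spf.mail-example.com -all"
HARDENED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example-corp.nl; adkim=s; aspf=s"

if __name__ == "__main__":
    print("weak:    ", evaluate(WEAK_SPF, WEAK_DMARC))
    print("hardened:", evaluate(HARDENED_SPF, HARDENED_DMARC))
```

A provider that reports both records as clean still only protects the organization's own domain from being spoofed; the lookalike and compromised-account variants described earlier are not stopped by SPF or DMARC, so the impersonation protection, login monitoring and legacy-authentication items in the same conversation remain necessary.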
In addition to the necessary technical measures, in the case of BEC it is important to pay attention to your last line of defense: people. Promoting digitally safe behavior goes beyond traditional e-learning courses or generic awareness campaigns. As described in the NCSC publication Beyond e-learning, real behavioral change requires a structural approach that measures risks, offers customized solutions, and is fully embedded in the organizational culture. For organizations that are not yet ready for broad behavioral programs, there are practical steps that can be taken. For example, the four-eyes principle for payments prevents a single employee from making harmful decisions under pressure. Verifying changes to bank account numbers by telephone is another simple but highly effective control. Clear guidelines on how to act in case of doubt help employees to work safely, and a reporting culture – in which suspicious emails are immediately shared with IT or security – also contributes significantly to the resilience of the entire organization.
If an organization falls victim to BEC fraud and mailboxes or personal data have been accessed, reporting the incident to the Autoriteit Persoonsgegevens (the Dutch Data Protection Authority) is mandatory. Such reporting not only helps to comply with legal requirements, but also contributes to the broader picture of digital threats in the Netherlands. The sooner incidents are reported, the more effectively new attacks can be identified and stopped.
