Business Email Compromise (BEC) is a sophisticated kind of spear-phishing attack that has recently been gaining in popularity. Spear-phishing in itself is a targeted and quite effective phishing method that uses trusted senders or well-known companies (for example Apple, Microsoft, PayPal, Netflix).
BEC scams are even more personalized and in most cases are used against companies to steal more money, for example by extracting a wire transfer. According to recent research into this attack method, BEC messages make up a relatively small share of all spear-phishing emails (less than 10%), but they are very effective: they are three times more likely to be opened than their spear-phishing counterparts. Additionally, according to the FBI, BEC scams have been responsible for $26 billion in losses over the last four years.
BEC attacks occur on weekdays (91%), mostly on Monday and Tuesday mornings, impart a sense of urgency and pretend to come from co-workers or executives (using real names from the targeted company). Each attack targets six employees on average, and most of the messages are marked as urgent, request help or inquire about availability. Effective BEC attacks are quite simple and mimic typical, everyday requests from an employee’s executive or supervisor. Popular kinds of BEC scams are wire transfer or payroll attacks, which usually target up to two employees (from finance or HR), and gift card scams (the attacker poses as a supervisor requesting the purchase of a gift card), which target more employees.
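The traits listed above can be turned into a simple mail-triage check. The following is an added example, not part of the original article: the company domain, staff directory, keyword lists and sample messages are all constructed assumptions, and it handles single-part plain-text messages only.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Assumptions, not from the article: the company domain, the staff
# directory and both keyword lists are constructed for illustration.
COMPANY_DOMAIN = "example.com"
STAFF_NAMES = {"robert king", "alice nowak"}
URGENCY = re.compile(r"\b(urgent|asap|are you available|need (your )?help)\b", re.I)
PAYMENT = re.compile(r"\b(wire transfer|payroll|gift cards?)\b", re.I)

def bec_signals(raw):
    """Return the BEC traits described above that one raw message shows."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    signals = []
    # A real employee's display name on an address outside the company.
    if " ".join(name.lower().split()) in STAFF_NAMES and domain != COMPANY_DOMAIN:
        signals.append("staff-name-external-sender")
    if URGENCY.search(text):
        signals.append("urgency-wording")
    if PAYMENT.search(text):
        signals.append("payment-request")
    try:
        sent = parsedate_to_datetime(msg["Date"])
        if sent.weekday() in (0, 1) and sent.hour < 12:
            signals.append("mon-tue-morning")
    except (TypeError, ValueError):
        pass  # missing or malformed Date header: no timing signal
    return signals

def is_suspect(raw):
    """Flag only impersonation combined with an urgent or payment ask."""
    s = bec_signals(raw)
    return "staff-name-external-sender" in s and (
        "urgency-wording" in s or "payment-request" in s)

def sample(sender, subject, date, body):
    # Constructed test message (plain text, single part).
    return f"From: {sender}\nSubject: {subject}\nDate: {date}\n\n{body}\n"

SPOOF = sample("Robert King <robert.king@example.net>", "Urgent - are you available?",
               "Mon, 06 Jan 2025 08:12:00 +0000", "I need a wire transfer processed today.")
LEGIT = sample("Alice Nowak <alice.nowak@example.com>", "Q1 planning notes",
               "Wed, 08 Jan 2025 15:00:00 +0000", "Notes from today's meeting are attached.")
PROMO = sample("Shop Deals <news@example.org>", "Urgent: sale ends tonight",
               "Thu, 09 Jan 2025 18:30:00 +0000", "Everything is 20% off.")
```

The timing signal is recorded for analyst context but does not drive the verdict, since most legitimate mail is also sent on weekday mornings.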