How it works
BEC relies on a convincing identity, not malware. Attackers use a spoofed or lookalike domain, or a compromised mailbox, to send a payment-change request, a fake invoice, or an urgent transfer order that appears to come from someone trusted.
How it relates to brand impersonation
BEC is among the costliest forms of brand and executive impersonation. The lookalike sender domains it depends on are detectable, and removable, before they are used.
How nebty helps
Our BEC guide covers detection and prevention, and nebty monitors for the lookalike domains used in these attacks so you can take them down before the first fraudulent email goes out.
Business Email Compromise guide
The controls that stop BEC
BEC succeeds by exploiting process, not technology, so the defences are mostly procedural. The strongest is a verification step for any change to payment details or any unusual transfer: a callback to a number you already have on file, never one supplied in the request itself. Separate the person who can approve a payment from the person who can change a vendor bank account, so one compromised mailbox cannot do both. Flag external email clearly so a spoofed internal sender stands out. Train finance and HR specifically, since they are the usual targets. On the technical side, enforce DMARC so your exact domain cannot be spoofed, which pushes attackers onto lookalike domains instead, and those are what monitoring catches. Our BEC guide details the full checklist.
Recovering funds after a successful BEC is rare, so the money is best protected before it moves; the verification habit costs seconds and saves the transfer.
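As an added example (not nebty's code or the guide's), the check below classifies an inbound From: header against a hypothetical brand domain, example-corp.com, separating exact-domain mail (which DMARC enforcement protects) from the lookalike domains the paragraph above says monitoring has to catch. The domain, the confusable table and the edit-distance thresholds are assumptions chosen for illustration.

```python
from email.utils import parseaddr

OUR_DOMAIN = "example-corp.com"  # hypothetical brand domain (assumption)

# Single characters attackers swap for look-alikes; illustrative, not exhaustive.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s",
                             "\u0430": "a", "\u0435": "e", "\u043e": "o"})


def normalize(label: str) -> str:
    """Collapse visually confusable spellings (rn->m, vv->w, 1->l ...) to one form."""
    label = label.lower()
    for pair, single in (("rn", "m"), ("vv", "w"), ("cl", "d")):
        label = label.replace(pair, single)
    return label.translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from the brand label is a typosquat."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, our_domain: str = OUR_DOMAIN) -> str:
    """Return 'internal', 'lookalike', 'external' or 'invalid' for a From: value."""
    _, addr = parseaddr(from_header)          # the display name is ignored entirely
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return "invalid"
    if domain == our_domain or domain.endswith("." + our_domain):
        return "internal"                     # exact domain: DMARC p=reject guards this
    brand = normalize(our_domain.split(".")[0])
    max_edits = 2 if len(brand) >= 8 else 1   # short brand labels need a tighter threshold
    for label in domain.split("."):
        cand = normalize(label)
        if cand == brand or edit_distance(cand, brand) <= max_edits:
            return "lookalike"                # homoglyph or typo of the brand label
        if len(brand) >= 6 and brand in cand:
            return "lookalike"                # brand embedded, e.g. example-corp-invoices
    return "external"


if __name__ == "__main__":
    # Constructed sample headers, not real traffic.
    for hdr in ("Finance <ap@example-corp.com>", "ap@exarnple-corp.com",
                "ap@example-corp.com.evil.net", '"cfo@example-corp.com" <x@gmail.com>'):
        print(f"{classify_sender(hdr):9s} {hdr}")
```

A "lookalike" verdict is a signal to route the message into the callback verification step, not proof of fraud; a real deployment would use the public suffix list rather than splitting on dots.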
See who is impersonating your brand
The free nebty report scans the web for lookalike domains and fake profiles targeting your brand, with no obligation.