How BEC attacks work
A BEC attack unfolds in stages:
- Research. The attacker studies the organization — who approves payments, who reports to whom, how invoices flow — using public info, social media, and leaked data.
- Access or impersonation. They either compromise a real mailbox (via phishing or a leaked password) or spoof a look-alike domain that reads correctly at a glance.
- The request. Posing as an executive or vendor, they send a plausible, urgent request — wire a payment, change a supplier’s bank account, or send employee tax forms.
- The pressure. They add secrecy and time pressure (“I’m in a meeting, handle this quietly and quickly”) to short-circuit normal checks.
- The payout. Funds are wired to a mule account and moved quickly, often overseas, making recovery difficult.
Common BEC variants
- CEO fraud. Impersonating a senior executive to order an urgent wire transfer.
- Vendor / invoice fraud. Impersonating a supplier to redirect a legitimate payment to a new (attacker-controlled) bank account.
- Payroll diversion. Posing as an employee to change direct-deposit details.
- Attorney or acquisition fraud. Impersonating legal counsel around a confidential, time-sensitive deal to justify secrecy.
Why BEC is so effective
BEC succeeds because it looks completely normal. There’s no suspicious attachment to flag — just a well-written email invoking authority and urgency, often from a real, compromised account. Attackers frequently start with a leaked executive password or a phishing foothold, then watch email threads for weeks to time their request perfectly. The personal details that make the impersonation believable often come from data brokers and past breaches.