Understanding the Evolution of Modern Business Email Compromise Attacks

Business email compromise (BEC) exploits the main common denominator found across every technology, tool, and process – the humans that interact with it. Taking advantage of human decision making habits and emotions, BEC has remained one of the most lucrative attack methods seen in today’s cyber threat landscape.

This May, the FBI issued a public warning against BEC schemes, which they described as being one of the most financially damaging online crimes, capitalizing on the fact that email communication remains a steadfast tool for modern businesses. In fact, recent reports show that the market for BEC is expected to grow from a value of $1.1 billion in 2022 to an estimated $2.8 billion by 2027.

Like with all methods of cyberattack, threat actors continue to develop the tools of their trade and iterate on their processes to become more cost effective, efficient, and profitable. BEC attacks have also evolved in the last few years to exploit new vulnerabilities and bypass traditional security measures. In this post, learn how these email-based attacks have evolved over the past two decades to adapt to changing security solutions, the latest tactics and techniques threat actors are using in current BEC scams, and ways to protect against them in the long run.

Emails From Nigerian Princes to High-Profile Attacks | How Business Email Compromise Has Evolved

In the early 2000s, the world saw some of the earliest phases of BEC scams take form. While the term “BEC” might not have been coined then, the fundamental elements in these attacks were already in motion. Early examples of social engineering tactics used in emails include:

The Nigerian Prince Scam – One of the earliest and most notorious forms of BEC attacks is the “Nigerian Prince” or “419 scam”. It began as early as the 1980s through postal mail but transitioned to email in the early 2000s. Scammers claimed to be Nigerian princes or government officials seeking assistance to transfer a large sum of money out of their country. They promised to share the fortune with the recipient in return for a small fee to cover legal or administrative costs. This classic scam capitalized on people’s greed and willingness to believe in unlikely windfalls.
Lottery and Inheritance Scams – Similar to the Nigerian Prince scam, these earlier forms of BEC attacks involved emails informing recipients that they had won a lottery or inherited a large sum of money from a distant relative. To claim the prize or inheritance, victims were asked to provide personal information or pay a fee upfront, leading to identity theft and financial loss.
Overpayment Scams – In these attacks, scammers posed as potential customers or clients and contacted businesses regarding purchasing their products or services. They would then send a check or make a payment for an amount higher than the agreed-upon price and request the excess to be refunded. The initial payment would later bounce or be canceled, leaving the business out of pocket.
Executive Impersonation – Early instances of executive impersonation involved scammers pretending to be high-ranking executives or business partners within an organization. They would instruct employees to perform certain tasks, such as transferring funds or sharing sensitive information, under the guise of confidentiality or urgency.

Early BEC scams were relatively simple and didn’t require sophisticated techniques from cyber criminals to launch successful attacks. Seeing how profitable these scams were and how easily they could be tailored to targeted higher profile targets, BEC attacks soon expanded to affect every industry vertical. According to the IC3, BEC fraud now costs global businesses just over $50 billion dollars with reports of scams reported in all 50 states and in 177 countries. The IC3 has also classified the threat of BEC as one of the leading categories of cybercrime by financial losses.

Macro socio-economic trends have also fostered an environment where modern BEC scams thrive. Since the COVID-19 pandemic, more workplaces and individuals conduct their business virtually, creating additional avenues of attack for BEC scammers. Rising use of cryptocurrency now also plays a role in the BEC, specifically in investment scams.

Right now, experts say that the number of emails sent per day is projected to increase to over 370 billion by 2025. Whether used for personal and business communication or to support massive e-commerce and e-marketing industries, emails are clear targets in modern malware campaigns, advanced persistent threats (APTs), phishing attacks, identity theft, and more.

Current Top Trends In Business Email Compromise Attacks

Today’s world is saturated by connection with billions of internet-connected devices linking everyone and everything together at all hours of the day. Considering global collaboration, smart mobile devices, and the accessibility provided by cloud technologies, emails are still the one, simple way to reach many at once making BEC attacks as relevant as ever.

As technology has advanced, BEC scammers have also furthered their craft. Many BEC scams are now much more sophisticated, involving multi-stage attacks and misuse of artificial intelligence (AI) and machine learning (ML) along with targeting more attractive groups such as vendors, big banks, and government entities. This section explores some of the top trends found in recent BEC attacks that enterprises need to stay alert for.

Multi-Stage AiTM & BEC Attacks

Security professionals are seeing multi-stage, adversary-in-the-middle (AiTM) phishing and business email compromise (BEC) attacks against financial institutions and large banks. In these types of campaigns, threat actors seek to exploit trusted relationships between partnered organizations to bypass multi-factor authentication (MFA) measures.

Attacks like these feature a complex combination of both AiTM and BEC tactics to abuse the relationship between vendors, suppliers, and enterprise partners in order to commit financial fraud. After using AiTM phishing to bypass MFA mechanisms, threat actors connect to and take over their victim’s account, resetting authentication methods to devices under their control and creating new email rules to send out malicious emails to the next layer of victims in the attack chain.

The Use of Black Hat AI Tools In BEC Attacks

After a dramatic entrance in late 2022, ChatGPT and other generative AI tools are now being misused by cyber criminals to create improved spoof content for malicious emails and sites. Most recently, a black hat generative AI tool called WormGPT has caught the attention of cyber attackers who are using it to make their fake emails sound more convincing, personalized to the intended victim, and error-free; all to reduce the likelihood of being flagged as suspicious.

Though companies like OpenAI have strict disclaimers against the use of their software for illegal actions, researchers and hackers are now jailbreaking the language models to get around safety rules. In the case of WormGPT, this tool is designed specifically for malicious activities and first seen circulating in darknet forums. Such spin off AI tools are making BEC attacks more accessible by lowering the entry threshold to a wider spectrum of cybercriminals.

“Second Hop” Crypto-Based BEC Attacks

There are two variations of BEC scams involving cryptocurrency: direct transfers to a crypto exchange (CE) that is similar to traditional BEC models, and ‘second hop’ transfers. In the latter, victims are hit with social engineering tactics to give up personal identifiable information (PII). Threat actors then use the stolen information to open new cryptocurrency wallets in the victim’s name and then proceed to reroute the money and cash out. In both variations, victims are unaware that the funds being sent are converted to cryptocurrency.

Avoiding “Impossible Travel” Flags With Local IP Addresses

To increase the chances of a successful email-based intrusion, threat actors are attempting to bypass “impossible travel” flags by purchasing IP addresses that correspond to the locations of their victims. Impossible travel flags are security mechanisms that detect and alert when a user’s account is accessed from two different geographical locations within a short period, which is seen as a key indicator of unauthorized access. Using this tactic, threat actors are able to avoid detection and more easily create backdoors in the compromised system.

Timing BEC Campaigns With Summer Vacations

New research has shed light on the quick rise of BEC attacks across Europe, illustrating that European organizations were seeing a greater volume and frequency of such attacks compared to their U.S. counterparts. Between June 2022 and May 2023, researchers found that European organizations were attacked an average of 10 times per 1000 mailboxes, and especially in the month of August, when most Europeans tend to schedule their annual holiday.

Exploiting this cultural difference in vacation preferences, threat actors were found to be focusing their efforts on European businesses that would be operating with less-than-usual staff. Given the high concentration of employees being away on vacation, attackers could increase their chances of success by taking advantage of people being away from their computers as well as those who were likely more distracted during the ‘slower’ month.

BEC Is Extending Past Traditional Platforms

The FBI have warned about BEC scammers expanding their tactics beyond conventional platforms by taking advantage of the shift to remote work during and post-pandemic. Traditionally, social engineering relied on phone and email exchanges, but now, virtual meeting platforms have become the new grounds for attack.

First, the attacker gains access to a senior leader’s email account, typically a C-suite or member of the Board, and uses it to arrange virtual meetings with employees. During the meeting, the scammer displays a static image of the senior leader or uses deep fake audio to claim technical difficulties. Finally, the scammer instructs employees to transfer funds to fraudulent bank accounts.

How XDR Tackles The Challenge of Email Security Risks

Businesses often deploy individualized security solutions for their email defenses, causing visibility gaps and incomplete risk understanding. In such cases, manual intervention to address suspicious emails becomes not just time-consuming but also advantageous for cybercriminals.

That’s where Extended Detection and Response (XDR) comes in. Unlike isolated solutions, XDR, when coupled with email security, offers comprehensive threat detection and response. It doesn’t merely focus on endpoint activity but delves into the context of malware delivery.

XDR solutions, like vigilant cyber detectives, spot suspicious activities across attack surfaces and provide detailed incident reports. Integration with email security enables better understanding of attack vectors and potential threat actors, and allows for faster, automated responses to compromised user accounts.

SentinelOne has invested to fulfil the potential of XDR solutions, investing in comprehensive platforms like Singularity. The fusion of XDR into our cybersecurity strategies is indeed becoming the new norm for tackling evolving digital threats.


The steady rise of BEC attacks in recent years highlights the evolving sophistication of cybercriminals and the need for businesses to stay vigilant in safeguarding their assets and sensitive information. As these attacks continue to surge, it’s essential for organizations to understand the evolving tactics used by threat actors as well as the potential vulnerabilities within their email platforms.

Given the ever-changing threat landscape, businesses are looking farther ahead than just implementing defensive measures like multi-factor authentication, email authentication protocols, secure email gateways, and strong password policies. This is where XDR capabilities emerge as a critical part of a stronger cyber strategy.

As businesses navigate evolving threat tactics and techniques, adopting a multi-dimensional security strategy that combines robust preventive measures with XDR capabilities becomes a vital one. To learn more about how Singularity XDR is able to provide businesses with an effective strategy against increasingly sophisticated BEC risks, book a demo or contact us today.

SentinelOne Singularity XDR
Supercharge. Fortify. Automate. Extend protection with unfettered visibility, proven protection, and unparalleled response. Discover the power of autonomous with Singularity XDR.

Leave a Comment

Your email address will not be published. Required fields are marked *