Common BEC Attack Vectors: How Criminals Infiltrate Business Communications

⏱️ 2 min read 📚 Chapter 12 of 40
101010 110011 001100

CEO fraud represents the most financially devastating type of BEC attack, exploiting organizational hierarchies and authority relationships that are fundamental to business operations. In these attacks, criminals impersonate senior executives—typically CEOs, CFOs, or other C-level officers—to request urgent wire transfers, confidential information, or other sensitive actions. The psychological impact of receiving requests from apparent senior leadership creates compliance pressure that bypasses normal verification procedures, especially among employees who rarely interact directly with executives and may not be familiar with their communication patterns.

The technical execution of CEO fraud has evolved significantly as security measures have improved. Simple email spoofing—where criminals forge the "From" field to make emails appear to come from executives—is easily detected by modern email security systems. More sophisticated attacks involve compromising actual executive email accounts through credential theft, malware installation, or social engineering against IT support teams. Account compromise attacks are particularly effective because they use legitimate email addresses and can access actual email threads, making fraudulent messages appear as natural continuations of real business discussions.

Domain spoofing represents another common technical approach where criminals register domains that closely resemble legitimate company domains. They might register company-name.net when the real company uses company-name.com, or use character substitution techniques like replacing 'o' with '0' or 'm' with 'rn' to create visually similar domains. These spoofed domains are used to send emails that appear legitimate in quick glances but reveal their deceptive nature under careful examination. Advanced domain spoofing involves registering internationalized domain names using characters from non-Latin alphabets that appear identical but are technically different, allowing registration of seemingly duplicate domains.

Invoice fraud targets accounts payable processes by impersonating suppliers, vendors, or service providers requesting payment redirections or urgent invoice payments. These attacks often begin with criminals compromising supplier email accounts to access actual invoice templates, communication histories, and business relationship information. Armed with this intelligence, they craft convincing fake invoices or payment redirection requests that appear to come from legitimate business partners. The success rate is particularly high because accounts payable departments process numerous invoices daily and may not have direct relationships with all vendors, making verification procedures inconsistent.

Attorney impersonation scams exploit the confidentiality and urgency often associated with legal matters. Criminals pose as lawyers representing the target company or opposing counsel in litigation, requesting immediate wire transfers for settlements, legal fees, or court-ordered payments. These attacks leverage most people's limited familiarity with legal procedures and their natural desire to avoid legal complications. The urgency created by claims of pending court deadlines or settlement negotiations often bypasses normal financial controls, especially when the claimed attorney emphasizes confidentiality requirements that prevent verification through normal channels.

Real estate fraud has become increasingly common as property transactions have moved partially online while still involving large cash transfers between parties who often haven't met in person. Criminals monitor real estate transactions through public records, real estate websites, or compromised email accounts of realtors, mortgage brokers, or title companies. They then send fake wire transfer instructions to home buyers, claiming that closing procedures have changed or that funds should be sent to different accounts for processing. The time pressure inherent in real estate transactions and the large sums involved make these attacks particularly lucrative when successful.

Vendor email account compromise represents a supply chain attack vector where criminals compromise email accounts belonging to legitimate business partners, suppliers, or service providers. Once they control these accounts, they can send convincing requests for payment redirections, emergency payments, or changes to payment terms that appear to come from trusted business relationships. These attacks are particularly effective because they use legitimate email accounts and can reference actual business relationships, ongoing projects, or pending transactions that make the requests seem reasonable and urgent.

Key Topics