Business Email Compromise (BEC): The Signals That Still Matter

An Old Threat That Still Works

BEC isn’t new. It’s been frustrating security teams for more than a decade, yet it still works. Why? Because it doesn’t rely on malware or flashy exploits. It relies on trust. 

The FBI defines BEC as a sophisticated scam where criminals use social engineering and computer intrusion to compromise legitimate email accounts or impersonate trusted entities to trick victims into authorizing fraudulent wire transfers, stealing sensitive personal information, or redirecting funds.

And the consequences of a successful BEC attack can be severe. According to the FBI’s Internet Crime Complaint Center (IC3), BEC has accounted for $8.5 billion in reported losses over the last three years, with the average reported loss at $135,000.

Attackers quietly compromise accounts, insert themselves into workflows, and manipulate people into moving money or sensitive data. Legacy defenses often miss it because there’s no obvious payload to catch. And the result isn’t just the billions lost in wire transfers each year, it’s also the analyst hours burned trying to connect subtle anomalies across noisy tools. For SecOps teams already stretched thin, BEC isn’t just expensive — it’s exhausting.

Let’s review the attack lifecycle and key signals analysts can’t ignore.

The BEC Attack Lifecycle

Most BEC incidents follow a predictable pattern as outlined below: 

  1. Identify targets – Attackers pick the people most likely to succeed: finance, HR, procurement, or executives who can authorize payments or approve vendor changes. This is reconnaissance and social engineering — not random spraying.
  2. Build a backstory – To make the impersonation believable, attackers prepare: create new accounts, register look-alike domains, compromise existing mailboxes, set up forwarding rules, or stage supporting artifacts (invoices, contracts, spoofed vendor profiles). The backstory is the credibility that makes the attack work.
  3. Execute the attack – Using the backstory, attackers send targeted BEC phishing emails that impersonate a trusted person or supplier. Tactics include display-name spoofing, typosquatted domains, urgent payment requests, or messages that hijack vendor/payment workflows.
  4. Cash out – The goal is financial gain or sensitive data: wire transfers, payroll diversion, vendor-payment changes, or exfiltration of PII and contracts. Sometimes the attacker moves quickly; other times they maintain persistence for follow-on fraud.

Key Signals Analysts Can’t Ignore

There are several indicators of a BEC attack to look for. These include:

1. Message-Transfer Indicators (Headers & Domain)

Signals tied to the technical properties of an email message:

  • Mismatched “Reply-To” vs. “From” domains
  • Display-name spoofing of executives (CEO, CFO, HR, etc.)
  • SPF/DKIM/DMARC authentication failures (a pass is not proof of legitimacy: an attacker-registered look-alike domain can authenticate perfectly)
  • Recently registered or typosquatted domains (look-alike spellings, homoglyphs)

2. Message-Content Indicators (Language & Style)

Subtler signals in the message body:

  • Urgency markers like “ASAP,” “Confidential,” or “Payment needed now”
  • Formatting errors, missing disclaimers, or unusual signatures
  • Uncharacteristic file types or attachments inconsistent with past behavior

3. Combined or Correlated Indicators

No single anomaly proves BEC. The real risk emerges when multiple weak signals stack together:

  • Financial request from a free webmail domain
  • Failed authentication headers paired with a legitimate-looking sender name
  • Vendor payment change request following a sudden new forwarding rule
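To make the stacking concrete, here is an added example (not Embed's code or any tool from the original post) that checks one raw message for the header and content signals from sections 1 to 3 and only escalates when at least two distinct signals co-occur. The company domain, executive directory, free-webmail list and both sample messages are constructed for illustration; the Authentication-Results parsing assumes the receiving MTA stamps the RFC 8601 header.

```python
"""Score one raw email for the header- and content-level BEC signals listed above.

Added example for this post, not Embed's code. The company domain, the executive
directory, the free-webmail list and both sample messages are constructed.
"""
import difflib
import re
from email import message_from_string, policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                                  # constructed
EXECUTIVES = {"Jane Doe": "jane.doe@example.com",               # constructed directory:
              "Sam Lee": "sam.lee@example.com"}                 # display name -> real address
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "proton.me"}
URGENCY = re.compile(r"\b(asap|urgent(?:ly)?|immediately|right away|confidential|today)\b", re.I)
FINANCIAL = re.compile(r"\b(wire|transfer|invoice|bank details|routing number|payment)\b", re.I)


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def looks_like(domain, legit):
    """Typosquat/homoglyph test: very close to the real domain, but not equal to it."""
    return domain != legit and difflib.SequenceMatcher(None, domain, legit).ratio() >= 0.8


def score_message(raw):
    """Return the (tag, detail) signals found in one RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom, reply_dom = domain_of(from_addr), domain_of(reply_addr)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    signals = []

    # Replies are steered to a different domain than the one on display.
    if reply_dom and reply_dom != from_dom:
        signals.append(("reply_to_mismatch", f"{from_dom} -> {reply_dom}"))
    # Display name belongs to an executive, but the address is not theirs.
    expected = EXECUTIVES.get(from_name.strip())
    if expected and from_addr.lower() != expected:
        signals.append(("display_name_spoof", f"'{from_name}' via {from_addr}"))
    # A look-alike of the company domain in either address.
    for dom in sorted({from_dom, reply_dom}):
        if looks_like(dom, COMPANY_DOMAIN):
            signals.append(("lookalike_domain", dom))
    # Results stamped by the receiving MTA (RFC 8601); anything but pass, 'none' included.
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            if result.lower() != "pass":
                signals.append(("auth_fail", f"{mech.lower()}={result.lower()}"))
    # Money talk coming from, or replying to, a free webmail domain.
    webmail = {from_dom, reply_dom} & FREE_WEBMAIL
    if webmail and FINANCIAL.search(text):
        signals.append(("free_webmail_financial", ", ".join(sorted(webmail))))
    # Pressure language in subject or body.
    urgent = {m.lower() for m in URGENCY.findall(str(msg.get("Subject", "")) + " " + text)}
    if urgent:
        signals.append(("urgency", ", ".join(sorted(urgent))))
    return signals


def verdict(signals):
    """No single anomaly proves BEC; escalate only when distinct signals stack up."""
    return "suspected BEC" if len({tag for tag, _ in signals}) >= 2 else "no action"


SUSPECT = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: <jdoe.exec@outlook.com>
To: ap@example.com
Subject: Urgent wire transfer - confidential
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none; dmarc=fail header.from=examp1e.com
Content-Type: text/plain; charset="utf-8"

I am in meetings all day. Send a wire of $48,000 to the new vendor ASAP and keep this confidential.
"""

BENIGN = """\
From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Board agenda
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Attached is the agenda for Thursday. Nothing to do before then.
"""

if __name__ == "__main__":
    for label, raw in (("suspect", SUSPECT), ("benign", BENIGN)):
        found = score_message(raw)
        print(f"{label}: {verdict(found)}")
        for tag, detail in found:
            print(f"  {tag}: {detail}")
```

The look-alike test uses a similarity ratio rather than an exact blocklist so that homoglyph and one-character swaps of the company domain are caught without listing them; the threshold of 0.8 is an assumption to tune against your own domain length. Note what the benign message shows just as clearly: a genuine executive address with passing authentication produces no signal at all, which is exactly why a compromised mailbox (section 4) needs a different set of checks.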

4. Indicators of Emails Leveraging Account Takeover (ATO)

Not every BEC involves account compromise, but when it does, the fraud becomes harder to detect: mail sent from a hijacked mailbox passes SPF, DKIM and DMARC and carries the real sender’s name and thread history, so the header checks above return nothing. The signals shift to the identity and mailbox audit logs:

  • Impossible travel logins (e.g., U.S. and Europe within minutes)
  • Logins from Tor exit nodes or low-reputation IP addresses
  • Sudden mailbox forwarding or redirect rules to external domains
  • New MFA enrollments or push-fatigue events
  • OAuth consents to unfamiliar third-party apps
  • Unexpected mailbox permission changes or delegated access
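The following added example (again not Embed's code) runs the ATO checks above over a constructed sign-in and mailbox audit feed: impossible travel measured as great-circle speed between consecutive logins, a Tor exit or low-reputation source, an inbox rule forwarding outside the tenant, consent to an OAuth app that is not on an allow-list, a new MFA method, and delegated mailbox access. The field names, the approved-app list, the 900 km/h threshold and the IP-reputation labels are all assumptions; real tenants expose equivalent fields through their own audit log exports.

```python
"""Pull the account-takeover signals listed above out of a sign-in / mailbox audit feed.

Added example for this post, not Embed's code. The event feed, its field names,
the approved-app list, the speed threshold and the IP-reputation labels are all
constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

INTERNAL_DOMAIN = "example.com"                     # constructed tenant domain
APPROVED_APPS = {"Corporate Calendar Sync"}         # constructed OAuth allow-list
MAX_PLAUSIBLE_KMH = 900                             # faster than a commercial flight
BAD_IP_REPUTATION = {"tor_exit", "low_reputation"}  # labels from a hypothetical IP feed


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (*a, *b))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def ato_signals(events):
    """Return {user: [(ts, tag, detail), ...]} in time order for the ATO indicators above."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    findings = defaultdict(list)
    for user, evs in by_user.items():
        last_signin = None
        for ev in evs:
            kind, ts = ev["type"], ev["ts"]
            if kind == "signin":
                if ev.get("ip_rep") in BAD_IP_REPUTATION:
                    findings[user].append((ts, "bad_ip", f'{ev["ip"]} ({ev["ip_rep"]})'))
                if last_signin:  # compare with the previous login of the same user
                    hours = (parse_ts(ts) - parse_ts(last_signin["ts"])).total_seconds() / 3600
                    km = haversine_km(last_signin["geo"], ev["geo"])
                    if hours > 0 and km / hours > MAX_PLAUSIBLE_KMH:
                        findings[user].append((ts, "impossible_travel",
                            f'{last_signin["country"]}->{ev["country"]} {km:.0f} km in {hours * 60:.0f} min'))
                last_signin = ev
            elif kind == "inbox_rule":
                target = ev.get("forward_to", "")
                if target and target.rpartition("@")[2].lower() != INTERNAL_DOMAIN:
                    findings[user].append((ts, "external_forwarding", target))
            elif kind == "mailbox_permission":
                findings[user].append((ts, "delegated_access", f'{ev["grantee"]}:{ev["rights"]}'))
            elif kind == "oauth_consent" and ev["app"] not in APPROVED_APPS:
                findings[user].append((ts, "unfamiliar_oauth_app", ev["app"]))
            elif kind == "mfa_method_added":
                findings[user].append((ts, "new_mfa_method", ev["method"]))
    return dict(findings)


ACCESS_TAGS = {"impossible_travel", "bad_ip"}
PERSISTENCE_TAGS = {"external_forwarding", "delegated_access", "unfamiliar_oauth_app", "new_mfa_method"}


def ato_verdict(user_findings):
    """A lone odd login is noise; persistence set up after one is account takeover."""
    access = [ts for ts, tag, _ in user_findings if tag in ACCESS_TAGS]
    persist = [ts for ts, tag, _ in user_findings if tag in PERSISTENCE_TAGS]
    # ISO-8601 UTC strings of equal format compare correctly as strings.
    if access and any(ts >= min(access) for ts in persist):
        return "probable ATO"
    return "review" if user_findings else "clean"


EVENTS = [  # constructed audit feed (UTC); geo is (lat, lon) of the source IP
    {"ts": "2024-05-06T08:50:00Z", "user": "ap@example.com", "type": "signin",
     "ip": "203.0.113.20", "geo": (40.71, -74.01), "country": "US", "ip_rep": "clean"},
    {"ts": "2024-05-06T12:15:00Z", "user": "ap@example.com", "type": "signin",
     "ip": "203.0.113.21", "geo": (41.88, -87.63), "country": "US", "ip_rep": "clean"},
    {"ts": "2024-05-06T09:02:00Z", "user": "cfo@example.com", "type": "signin",
     "ip": "203.0.113.10", "geo": (40.71, -74.01), "country": "US", "ip_rep": "clean"},
    {"ts": "2024-05-06T09:31:00Z", "user": "cfo@example.com", "type": "signin",
     "ip": "198.51.100.7", "geo": (52.52, 13.40), "country": "DE", "ip_rep": "tor_exit"},
    {"ts": "2024-05-06T09:34:00Z", "user": "cfo@example.com", "type": "inbox_rule",
     "forward_to": "cfo.archive@gmail.com"},
    {"ts": "2024-05-06T09:38:00Z", "user": "cfo@example.com", "type": "mailbox_permission",
     "grantee": "ext.partner@gmail.com", "rights": "FullAccess"},
    {"ts": "2024-05-06T09:40:00Z", "user": "cfo@example.com", "type": "oauth_consent",
     "app": "Mail Sync Pro"},
    {"ts": "2024-05-06T10:05:00Z", "user": "cfo@example.com", "type": "mfa_method_added",
     "method": "phone"},
]

if __name__ == "__main__":
    for user, found in ato_signals(EVENTS).items():
        print(f"{user}: {ato_verdict(found)}")
        for ts, tag, detail in found:
            print(f"  {ts} {tag}: {detail}")
```

The verdict deliberately requires ordering, not just co-occurrence: a forwarding rule or OAuth grant created after the anomalous login is what turns two medium-confidence anomalies into a high-confidence takeover, while the AP user's two domestic logins a few hours apart stay below the speed threshold and produce nothing.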

5. Financial Workflow Anomalies

Even when technical indicators slip through, business process anomalies can reveal fraud attempts:

  • Vendor payment change requests outside approved channels
  • Wire transfer requests that bypass normal workflows
  • Escalations to executives not usually involved in accounts payable
  • Payroll update requests that redirect deposits to new accounts

How Embed Brings Clarity to BEC Noise

Traditional SOC workflows struggle with BEC because the signals are subtle and often buried in noise. This is where Embed’s agentic security platform provides clarity with features like:

  • Alert Validation – Embed’s AI models baseline normal login, communication, and transaction behavior and surface the deviations that humans or static rules might otherwise miss.
  • Natural language analysis – Embed’s email solution can analyze email tone, style, and structure, flagging urgent calls to action and changes in writing patterns consistent with impersonation.
  • Alert prioritization – Instead of bombarding analysts with low-value alerts, Embed surfaces the alerts that matter most, giving analysts back the time to focus on what truly requires their expertise.
  • Faster triage – Embed’s email solution enriches alerts in real time with context (IP reputation, domain age, user behavior history, etc.), enabling analysts to respond more quickly and decisively.
  • Continuous learning and transparent decisions – As attackers’ tactics, techniques, and procedures evolve, so too does Embed. Each step taken is transparent to the analyst, giving you confidence and control in knowing and managing how conclusions are reached.

Conclusion: BEC Isn’t Going Away, But Your Burnout Can

BEC may be old, but attackers keep evolving, blending MFA fatigue, account takeover, gift-card as well as wire-transfer requests, and AI-driven social engineering to bypass traditional defenses. The burden shouldn’t fall on analysts to catch every subtle signal buried in overwhelming alert noise.

This is where Embed comes in. Our agentic investigations filter out false positives, correlate the anomalies that matter, and surface only the alerts worth acting upon. Instead of spending hours chasing every shadow, analysts can focus on the incidents that truly require their expertise. 

BEC is still here, and it isn’t going away. With Embed, your team doesn’t have to fight it alone.