Please fill in the form below to subscribe to our blog

What Tools and Techniques Are Used in BEC Attacks?

October 20, 2022

See What to Look for to Spot BEC & Learn the Tricks Bad Actors Use

National Cybersecurity Awareness Month is a great time to learn more about the potentially devastating cyberattacks that business face every day. By far, the most financially damaging cyberattack that a business can suffer is Business Email Compromise (BEC). The U.S. Federal Bureau of Investigation (FBI) declared BEC 64x worse for a business than ransomware. It’s also very challenging for employees to spot. BEC is a chameleon that can take many forms and lacks the hallmarks that raise red flags in come other cyberattacks. This list of the most common tools and techniques that cybercriminals use in a BEC operation can help shed some insight on what a BEC attack might look like and how to avoid falling into cybercriminal traps. 

Excerpted in part from The Comprehensive Guide to Avoiding Business Email Compromise DOWNLOAD IT>>  

Why is BEC the worst cyberattack threat that businesses face?

Business email compromise is a cyberattack that cybercriminals use to utilize seemingly legitimate (or freshly stolen) email accounts from one organization to trick employees of another business into giving them credentials, money, personal information, financial details, payments, credit card numbers or other sensitive data. More than 70% of companies experienced a BEC attack in 2021. This year, BEC has been gaining ground as law enforcement scrutiny drives cybercriminals who may typically pursue ransomware attacks toward BEC operations – BEC incidence more than doubled in Q2 2022, surging to 34% from 17% in Q1 2022

BEC does massive financial damage to businesses. It can even drive a company out of business. The growth in the loss amounts that victimized businesses incur in the wake of a BEC disaster tells the tale of just how punishingly expensive a BEC incident can be. In the U.S., BEC schemes were the costliest cybercrimes reported to the FBI’s Internet Crime Complaint Center (IC3) in 2020 and 2021, and that’s not expected to change in 2022. Complainants to IC3 in 2021 suffered $2,395,953,296 in losses, 28% more than 2020’s record total of $1,866,642,107. Severe reputational harm is another potentially damaging consequence of BEC, impacting a company’s current and future relationships.   

How good is your identity and access management? Use this checklist to see if it’s really getting the job done. GET IT>>

Social engineering powers BEC 

Social engineering is a tactic used to compel people to do something even though it may appear to be against their best interests. It’s also the most likely fraud technique that an employee will encounter during a BEC attack. Why? Because it works. Socially engineered cyberattacks are just under 80% effective. One reason for that is that social engineering is a commonly used technique in phishing, the origin point of most BEC attacks and the cyberattack that employees are exposed to most frequently. Bad actors often rely on a few social engineering techniques to sell their con and prop up their schemes.  

Here are some examples of social engineering techniques that may be used in a BEC attack:  

  • Presenting the bad actor as a trusted contact or representative of a legitimate organization by providing context cues that make their communications seem authentic. Spoofing and conversation hijacking are commonly used in this scenario.  
  • Scaring the victim by claiming that they or their company will experience a negative consequence if they don’t act on the demand made in the message immediately. A message from a utility threatening to cut off service is an example of this tactic.  
  • Convincing the victim that the bad actor is an executive or some other powerful person in the victim’s company to create a sense of urgency for the request, like claiming to be an executive who is out of town and needs the employee to send them money in an emergency situation.  
  • Masquerading as representatives of a charity or nonprofit that the target has a relationship with to obtain sensitive information or money. Criminals often harvest data like the target’s alma mater or political affiliation from social media to craft these lures.  
  • Imitating a government agency or legal body to scare victims into sending them money or financial data. A bad actor might pretend to be a representative of the Internal Revenue Service, promising legal repercussions if the target doesn’t pay a fake overdue tax bill immediately. 

Learn how a new integration between BullPhish ID & Graphus saves time & money. SEE THE DETAILS>>

3 Frequently Used BEC tools 

While cybercriminals have a wide array of tools at their disposal when planning cyberattacks, the following tools and techniques are generally their go-to moves in a BEC attack: 

Spear phishing  

Spear phishing is a form of phishing attack that uses very specific information to send sophisticated, malicious emails to individuals or organizations. It is a deliberate attempt by threat actors to steal sensitive information, such as account passwords or financial information, from a specific victim. Actors use social engineering techniques and often leverage social media activity to obtain personal information about the victim, such as their friends, birthplace, employer, frequently visited places and recent internet purchases, to foster authenticity in their lures by pretending to be somebody the target knows and trusts. This is a very common attack scenario that just under 70% of businesses endured in 2021.  


Spoofing is a technique attackers use to imitate people, companies and computers with the intent to trick people into giving up personal information to gain access to something valuable. This technique is a go-to for the bad guys. One-quarter of all branded emails companies receive are spoofed. Spoofing can apply to emails, phone calls and websites, or it can be more technical, such as IP, Address Resolution Protocol (ARP) or Domain Name System (DNS) spoofing. Often, spoofing is used during a cyberattack to disguise the source of attack traffic. Nearly 50% of BEC attacks spawn from the spoofing of someone’s identity in the display name of a bogus email message.  

Conversation hijacking  

Conversation hijacking is a type of phishing attack where threat actors insert themselves into a pre-existing email conversation. Typically, conversation hijacking is preceded by the bad actor gaining access to the victim’s email account. Sometimes, this technique is used by attackers who have gained access to an email account of someone the victim regularly converses with, like a colleague or a representative of another organization. Conversation hijacking relies on the victim’s false sense of security with emails that appear trustworthy because they draw upon a victim’s previous or ongoing correspondence. This type of BEC attack soared by an eye-popping 270% in 2021.

Insider risk is up by 40%. Help your clients stay out of trouble with The Guide to Reducing Insider Risk GET IT>>

Our Security Solutions Help Businesses Stay Safe from BEC

Reduce the chance of a BEC scam doing major damage and mitigate other cyberattack risks affordably with two battle-tested security solutions that you can rely on. 

Security Awareness Training     

 CISA recently recommended that companies step up their security awareness training programs to combat the current flood of ransomware threats.  It’s the right move to make – Venture Beat reports that 84% of businesses in a recent survey said that security awareness training has reduced their phishing failure rates, making their employees better at spotting and stopping phishing, the gateway to most of today’s nastiest cyber threats.       

BullPhish ID is the perfect solution to use to make that happen!      

  • A huge library of security and compliance training videos in 7 languages
  • New lessons and phishing simulation kits are added every month
  • Choose from plug-and-play or customizable phishing training campaign kits     
  • Automation makes training painless for everyone 

Watch Out for Dark Web Danger     

Cybercriminals can do a lot with a compromised credential, like steal data and deploy ransomware. Compromised credentials are easy to obtain on the dark web and they open so many doors. An estimated 60% of data breaches involved the improper use of credentials in 2021.  

Dark Web ID is the answer.    

  • 24/7/365 monitoring using real-time, analyst-validated data     
  • Monitoring of business and personal credentials, including domains, IP addresses and email addresses     
  • Gain priceless peace of mind about dark web dangers 

dark web threats

Read case studies of MSPs and businesses that have conquered challenges using Kaseya’s Security Suite. SEE CASE STUDIES>>

let us help secure you against passwords reuse with contact information and the ID Agent logo on grey.

Our Partners typically realize ROI in 30 days or less. Contact us today to learn why 3,850 MSPs in 30+ countries choose to Partner with ID Agent!


Check out an on-demand video demo of BullPhish ID or Dark Web ID WATCH NOW>>

See Graphus in action in an on-demand video demo WATCH NOW>>

Book your demo of Dark Web ID, BullPhish ID, RocketCyber or Graphus now!