
Business Email Compromise (BEC)

A targeted email fraud attack that impersonates a trusted internal or external party — typically an executive, vendor, or supplier — to trick the recipient into sending money or data.

Definition

Business Email Compromise (BEC) is a category of targeted email fraud where the attacker impersonates a trusted internal or external party — typically a company executive, a vendor, a supplier, or a known external partner — to trick the recipient into transferring money, redirecting payment, releasing sensitive data, or executing an unauthorised business action. Unlike opportunistic phishing, BEC is research-driven: the attacker studies the target organisation, identifies who has authority to approve payments or data releases, and constructs a believable message specifically tailored to that person and that workflow.

How it works

BEC attacks fall into a small number of recurring patterns. CEO fraud (often conflated with whaling, which strictly means phishing aimed at executives rather than impersonating them) impersonates a senior executive, usually the CEO or CFO, and sends an urgent payment request to a finance team member, exploiting authority and time pressure. Vendor email compromise impersonates a known supplier, often after the attacker has compromised the supplier's actual email account, and sends otherwise genuine-looking invoices with redirected bank details. Account compromise takes over a legitimate internal mailbox and sends fraudulent messages from inside the organisation; because the mail is sent by the real mailbox, it passes SPF, DKIM and DMARC and bypasses perimeter defences entirely. Attorney impersonation exploits trust in legal counsel during M&A or legal disputes.

Two technical defences materially reduce BEC risk: publishing a DMARC policy of p=reject for your own domains (so that receivers which enforce DMARC discard mail that uses your exact domain without an aligned SPF or DKIM pass), and having your own inbound gateway evaluate DMARC on mail claiming to be from your domain rather than trusting the visible From header. Both address exact-domain spoofing only: they do nothing against a lookalike domain the attacker registers, a free webmail address carrying an executive's display name, or mail sent from a genuinely compromised mailbox, all of which authenticate correctly. BEC also has a substantial human element. Most successful attacks succeed not because authentication failed, but because the recipient believed the message and acted on it. Process controls (out-of-band verification of any change to payment details, dual approval for unusual transfers) are as important as the email layer.

Example

A common CEO-fraud BEC pattern:

From: "Sarah Chen, CEO" <sarah.chen@target-corp.example>
To: amanda.lee@target-corp.example
Subject: Quick favour — urgent

Amanda — I'm heading into back-to-back board meetings. I need you to wire $48,500 to a vendor today for a confidential project. Account details below. Please do not discuss with anyone — I'll explain in person tomorrow.

Bank: Wells Fargo
Routing: 121000248
Account: ...


The attacker has researched the CEO's name, the recipient's name and role (likely from LinkedIn), the relationship (Amanda reports to Sarah), and the company's typical communication style. The visible From header is spoofed: the message was not sent by target-corp.example's mail infrastructure, so it carries no aligned SPF or DKIM pass. With DMARC at p=reject on target-corp.example, and the inbound gateway enforcing that policy on mail claiming its own domain, the message is rejected before it reaches Amanda's inbox. The same text sent from a lookalike domain, or from a webmail address with the display name "Sarah Chen, CEO", passes DMARC, which is why the process controls above still matter.
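The following Python is an added example, not code from the original page: it runs the inbound DMARC check described in the defences section against the CEO-fraud message above, then applies a separate display-name check for the cases DMARC cannot catch. The DMARC record for target-corp.example, the executive directory, the SPF/DKIM results and the message variants are all constructed for the example; organisational domain is approximated as the last two labels rather than looked up in the Public Suffix List, and a real gateway would take the DMARC record from DNS and the authentication results from its own SPF and DKIM evaluation.

```python
"""Added example: DMARC disposition plus display-name impersonation check
for the CEO-fraud message on this page.  All data below is constructed."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: what a TXT lookup of _dmarc.target-corp.example would return.
DMARC_RECORDS = {
    "target-corp.example": "v=DMARC1; p=reject; adkim=r; aspf=r; "
                           "rua=mailto:dmarc@target-corp.example",
}
# Constructed executive directory: names an attacker would impersonate.
EXECUTIVES = {"sarah chen": "sarah.chen@target-corp.example"}


def build_message(from_header):
    """Constructed CEO-fraud message; only the From header varies per case."""
    return (
        f"From: {from_header}\n"
        "To: amanda.lee@target-corp.example\n"
        "Subject: Quick favour - urgent\n"
        "\n"
        "Amanda - I need you to wire $48,500 to a vendor today for a\n"
        "confidential project. Please do not discuss with anyone.\n"
    )


def parse_dmarc(record):
    """Parse 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain):
    """Organisational domain, approximated as the last two labels
    (assumption: real code consults the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') accepts a match on the organisational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_disposition(from_domain, spf_pass_domain, dkim_pass_domain):
    """Return 'pass' if an aligned SPF or DKIM identifier exists, otherwise
    the published p= policy ('none' when the domain publishes no record).
    spf_pass_domain is the MAIL FROM domain if SPF passed; dkim_pass_domain
    is the d= of a passing DKIM signature; None when that check failed."""
    record = DMARC_RECORDS.get(org_domain(from_domain))
    if record is None:
        return "none"  # no policy published: nothing to enforce
    tags = parse_dmarc(record)
    spf_ok = aligned(spf_pass_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = aligned(dkim_pass_domain, from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags.get("p", "none")


def display_name_impersonation(from_header):
    """Flag a From header whose display name names a known executive but
    whose address is not that executive's.  DMARC never sees this case:
    lookalike and webmail senders authenticate for their own domains."""
    name, addr = parseaddr(from_header)
    name = name.lower()
    for exec_name, exec_addr in EXECUTIVES.items():
        if exec_name in name and addr.lower() != exec_addr:
            return True
    return False


def assess(raw_message, spf_pass_domain=None, dkim_pass_domain=None):
    """Evaluate one inbound message with the supplied SPF/DKIM results."""
    from_header = message_from_string(raw_message)["From"]
    _, addr = parseaddr(from_header)
    from_domain = addr.rsplit("@", 1)[-1]
    return {
        "from_domain": from_domain,
        "dmarc": dmarc_disposition(from_domain, spf_pass_domain, dkim_pass_domain),
        "impersonation": display_name_impersonation(from_header),
    }


if __name__ == "__main__":
    cases = [
        # Exact-domain spoof (the page's example): attacker infrastructure
        # sends as target-corp.example; SPF passes only for its own domain.
        ('"Sarah Chen, CEO" <sarah.chen@target-corp.example>',
         "bulk-sender.example", None),
        # Lookalike domain with no DMARC record of its own.
        ('"Sarah Chen, CEO" <sarah.chen@target-corp-example.example>',
         "target-corp-example.example", None),
        # Free webmail address carrying the executive's display name.
        ('"Sarah Chen, CEO" <sarah.chen.ceo@webmail.example>',
         "webmail.example", "webmail.example"),
    ]
    for header, spf, dkim in cases:
        print(assess(build_message(header), spf, dkim))
```

The first case is rejected by policy, exactly as the text says. The other two return a disposition of none because DMARC has nothing to say about a domain that is not target-corp.example; only the display-name check flags them, which is the gap that out-of-band verification of payment changes has to cover.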