Dark Web Monitoring for Healthcare: Protect Patient Data
Dark Web Monitoring Healthcare Security
Why Is Healthcare a Top Dark Web Target? Healthcare has been the costliest industry for data breaches 14 years in a row. …
Learn how BEC attacks steal money and data, plus what you can do to stop them.
• BEC attacks caused $2.8 billion in US losses in 2024. Since 2013, the global total has topped $55 billion. Wire fraud gets the headlines, but data theft from BEC attacks feeds future breaches
• Attackers don’t hack their way in. They impersonate executives or vendors, then pressure employees into wiring money or handing over data. The emails look real because they often come from real compromised accounts
• The biggest BEC losses came from invoice fraud and CEO impersonation. Facebook and Google lost $121 million to a single attacker who sent fake invoices for five years before anyone noticed
• Stolen credentials are the starting point for most BEC attacks. When employee passwords show up in stealer logs or third-party breaches, attackers use them to take over email accounts. Catching those credentials early cuts off BEC at the source
The FBI logged 21,442 BEC complaints in 2024, making it the second costliest cybercrime category behind investment fraud (IC3 report).
What makes BEC dangerous isn’t the technology. It’s that attackers impersonate people you trust, and their emails look completely legitimate.
The data theft angle gets less attention than the wire fraud, but it’s just as damaging. Attackers use BEC to steal employee records and login credentials that fuel future attacks.
This post covers how BEC attacks work, what data they target, and real examples that show the damage.
Contents
What Is Business Email Compromise?
BEC is one of the most expensive cyber threats, and it doesn’t involve any malware or technical exploits. Someone impersonates your CEO or a vendor, then tricks an employee into wiring money or sharing data.
It’s harder to catch than most attacks because the emails aren’t malicious. There’s no malware attached, no suspicious link. It’s just a convincing request from what looks like a real person.
You’ll see the terms BEC and EAC throughout this post. Here’s the first one.
Business Email Compromise (BEC) is a targeted email attack where criminals impersonate executives or other trusted contacts. The goal is to trick employees into transferring money or handing over data. Unlike mass phishing, BEC emails are personalized and often come from real compromised accounts.
The FBI’s IC3 2024 report logged 21,442 BEC complaints with $2.8 billion in losses. That makes BEC the second costliest cybercrime category, behind only investment fraud. Since 2013, cumulative global BEC losses have topped $55 billion.
Those numbers only count reported incidents. Many companies never file a complaint, especially when the amount is small or they recover the funds. The real total is higher.
What Are the Main Types of BEC Attacks?
BEC attacks follow a few common patterns. The approach depends on who the attacker is impersonating and what they want.
CEO and Executive Impersonation
Someone pretends to be a C-level executive and emails finance with an urgent payment request. The email usually stresses secrecy. “Don’t mention this to anyone, it’s a confidential acquisition.”
In 2015, attackers impersonating Ubiquiti Networks executives tricked staff into wiring $46.7 million to overseas accounts. The company recovered $8.1 million. The rest was gone.
Invoice and Vendor Fraud
Someone poses as a vendor and sends a fake invoice or requests updated payment details. Because the email looks like it comes from a known supplier, the finance team processes it without questioning.
Between 2013 and 2015, a Lithuanian national named Evaldas Rimasauskas sent fake invoices to Facebook and Google impersonating Quanta Computer, a real hardware manufacturer. He stole $121 million before anyone caught on. He was sentenced to five years in prison in 2019.
Payroll Diversion
An attacker impersonates an employee and emails HR to change direct deposit information. The next paycheck goes to the attacker’s account. These attacks are smaller per incident but happen frequently and often go undetected for months.
Attorney Impersonation
Someone poses as outside legal counsel handling a time-sensitive matter. They request payments or confidential documents, using the urgency of legal proceedings as cover.
In 2016, Austrian aerospace manufacturer FACC lost $54 million when an attacker impersonated the CEO in an email about a confidential acquisition. The finance team wired the money before verifying.
Data Theft
This variant targets HR and finance employees who have access to employee records. Instead of requesting a payment, the attacker asks for W-2 tax forms or customer data. The stolen information feeds identity fraud or gets sold on dark web markets.
How Do BEC Attacks Lead to Data Theft?
Wire fraud gets the most attention, but BEC attacks also steal data that causes long-term damage.
When attackers compromise a real email account, they don’t always cash out immediately. They sit inside the mailbox quietly, reading conversations and collecting information. They grab contact lists and internal documents. They look for credentials to other systems.
There’s a related threat that often works alongside BEC.
Email Account Compromise (EAC) is when an attacker breaks into a real email account, usually through stolen credentials or phishing. While BEC can involve impersonation from an external address, EAC gives the attacker access to the actual inbox. They can read past emails and send messages that genuinely come from the victim’s account.
Once inside an email account, attackers commonly steal:
Employee records and tax data. W-2 requests are one of the most common BEC data theft plays. Someone emails HR posing as an executive and asks for employee tax forms. Those records contain Social Security numbers and salary details.
Client and vendor lists. An attacker with mailbox access can export contact lists and transaction histories. That data helps them launch more targeted BEC attacks against your vendors and clients.
Credentials for other systems. People email passwords and API keys more than they should. An attacker reading through months of email history will find credentials for VPNs and cloud services.
Financial records. Invoice histories and bank account details help attackers craft more convincing future attacks. They can reference real transaction amounts and real vendor names.
The data theft component of BEC often goes unnoticed because nothing visibly changes. Nobody locks files or demands ransom. They just copy everything quietly.
How Do BEC Attacks Start?
Most BEC attacks begin with one of two things: stolen credentials or carefully researched impersonation.
Stolen credentials are the most common entry point. The 2025 Verizon DBIR confirms that credentials remain the top initial access method. An attacker buys email login credentials from stealer logs or finds them in a third-party breach dump. If MFA isn’t enabled, they log right into the account.
Once inside, they study the victim’s email patterns. They learn who handles payments and how invoices look. Then they send emails that match those patterns perfectly.
Email spoofing is the other approach. They register a domain that looks almost identical to the target company’s domain. Maybe “cornpany.com” instead of “company.com.” They send emails from that lookalike domain, banking on the recipient not noticing the difference.
AI is making BEC harder to detect. Attackers now use AI tools to write more convincing emails. Some use deepfake audio to mimic executive voices on phone calls. BEC attacks rose 15% in 2025 according to LevelBlue, and AI-generated content is part of why.
The research phase is what separates BEC from regular phishing. Attackers spend days or weeks studying LinkedIn profiles and company websites. They know who reports to whom and which vendors the company uses. That level of detail is why BEC emails are so hard to spot.
How Can You Defend Against BEC?
The most effective defense combines credential monitoring with email security controls.
Monitor for leaked credentials. Most BEC starts with a compromised account. Credential monitoring alerts you when employee email passwords appear in stealer logs or breach dumps. Reset them before attackers can use them.
Enforce MFA on all email accounts. Even if an attacker has a valid password, MFA blocks the login. This single control stops most email account compromises.
Implement DMARC, SPF, and DKIM. These email authentication protocols make it harder for attackers to spoof your domain. DMARC in particular tells receiving servers to reject emails that fail authentication checks.
Require out-of-band verification for payment changes. Any request to change bank details or update direct deposit should require a phone call to a known number. Not a number from the email, but one you already have on file.
Train your team on BEC-specific red flags. Generic security awareness training isn’t enough. Your finance and HR teams need to know what CEO fraud and invoice fraud look like in practice. Run simulated BEC exercises, not just phishing simulations.
For a complete prevention playbook, see our guide on how to prevent business email compromise.
Conclusion
BEC attacks don’t need malware or technical exploits. They rely on impersonation and stolen credentials to trick employees into wiring money or handing over data.
The data theft side of BEC deserves more attention. Attackers who hijack email accounts don’t just redirect payments. They harvest employee records and credentials that fuel more attacks down the line.
Catching stolen credentials early is the best way to cut off BEC before it starts. Start with a free dark web scan to check if your team’s email credentials are already exposed, or book a demo to see how Breachsense monitors for compromised credentials in real time.
Business Email Compromise FAQ
BEC attacks caused $2.8 billion in reported US losses in 2024 according to the FBI’s IC3. Since 2013, global losses have topped $55 billion across 305,000 reported incidents. The actual number is higher because many victims don’t report.
BEC targets specific people with personalized emails that impersonate someone they trust. Regular phishing casts a wider net with generic messages. BEC usually aims for wire transfers or data theft, while phishing typically tries to steal login credentials or install malware.
Finance teams and executives are the most common targets because they can authorize payments. HR staff get targeted for employee data like tax forms and direct deposit details. Attackers also target procurement teams who handle vendor payments.
Most start with stolen credentials from infostealer malware or third-party breaches. If your email password leaked in another breach and you reused it, an attacker can log right in. Phishing is the other common method.
Employee W-2 tax forms and payroll records are common targets. Attackers also go after client lists and login credentials. This data either gets sold on dark web markets or gets used to launch more attacks.
Yes. Most BEC starts with a compromised email account. Dark web monitoring catches stolen employee credentials in stealer logs and breach dumps. You can reset passwords before attackers use them to take over accounts.
Contact your bank immediately to reverse the transfer. Report to the FBI’s IC3 at ic3.gov. Secure the compromised email account and check for forwarding rules the attacker may have set up. See our data breach response guide for a full checklist.
