Definition
Business Email Compromise (BEC) is a type of cybercrime where an attacker compromises legitimate business email accounts or uses spoofing to conduct unauthorized transfers of funds. Unlike ransomware, BEC relies heavily on Social Engineering and deception rather than sophisticated technical exploits.
Purpose and Core Idea
The goal is financial theft. Attackers study the target organization's hierarchy, vendor relationships, and payment schedules. They then impersonate a CEO or a trusted vendor to request an urgent wire transfer to a fraudulent bank account.
Common Types of BEC
- CEO Fraud: Impersonating an executive to pressure a finance employee ("I need this transfer for a secret acquisition immediately").
- Invoice Manipulation: Compromising a vendor's email and intercepting a legitimate invoice. The attacker changes the bank account number (IBAN) on the PDF and sends it to the customer.
- Account Compromise: Gaining access to an employee's email to request changes to direct deposit information (Payroll Diversion).
Mini Case Study: The Toyota Boshoku Incident
- The Attack: Attackers impersonated a business partner of a European subsidiary of Toyota Boshoku.
- The TTP: They compromised an email account and studied the communication style. They waited for a legitimate transaction discussion and inserted themselves into the thread.
- The Result: The finance department, believing they were talking to their partner, wired $37 million to the attacker's account.
- The Lesson: Technical controls (Firewalls, EDR) cannot stop BEC. Defense requires DMARC enforcement and rigorous verification processes (e.g., calling the vendor to confirm account changes).
Usage in Real CTI Workflows
CTI analysts track BEC groups (like the Nigerian "SilverTerrier" actors) by monitoring the mule bank accounts and domains they use for typo-squatting.
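Added example, not code from the original note: a small Python check of the kind a mail gateway or SOC triage script could run to flag the typo-squatted vendor domains mentioned above, plus a Reply-To that points somewhere other than the visible sender. The vendor allow-list, the digit-folding table and the sample headers are all constructed for illustration.

```python
import re
from email.parser import HeaderParser
# Added example; the vendor allow-list, folding table and sample are constructed.
TRUSTED_DOMAINS = ("acme-parts.com", "toyotaboshoku.example")
# Coarse digit-for-letter folding so "acme-part5" compares equal to "acme-parts".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

def normalize(domain: str) -> str:
    """Lower-case, drop a leading 'www.', and fold look-alike digits."""
    domain = domain.lower().strip(".")
    if domain.startswith("www."):
        domain = domain[4:]
    return domain.translate(HOMOGLYPHS)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one- or two-character swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def extract_domain(addr: str) -> str:
    """Pull the domain out of a header value such as 'Name <user@dom>'."""
    m = re.search(r"@([A-Za-z0-9.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def assess(raw_headers: str) -> dict:
    """Return From/Reply-To domains plus a list of BEC indicators for one message."""
    hdr = HeaderParser().parsestr(raw_headers)
    from_dom = extract_domain(hdr.get("From", ""))
    reply_dom = extract_domain(hdr.get("Reply-To", "")) or from_dom
    findings = []
    if from_dom and from_dom not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            # Equal after folding, or within two edits: a look-alike domain.
            if edit_distance(normalize(from_dom), trusted) <= 2:
                findings.append(f"sender domain {from_dom} resembles {trusted}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    return {"from": from_dom, "reply_to": reply_dom, "findings": findings}

# Constructed sample: look-alike vendor sender with replies routed elsewhere.
SAMPLE_HEADERS = """From: Accounts Payable <ap@acme-part5.com>
Reply-To: ap@acme-parts-billing.net
Subject: Re: Invoice 4471 - updated bank details
"""
```

Running assess(SAMPLE_HEADERS) yields two findings (a look-alike of acme-parts.com and a mismatched Reply-To); a message genuinely from acme-parts.com with no Reply-To yields none.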
Relation to Other CTI Frameworks
BEC relies on Phishing for Initial Access but pivots to human manipulation, often bypassing the technical steps of MITRE ATT&CK.