detecting-business-email-compromise

# Detecting Business Email Compromise ## Overview Business Email Compromise (BEC) is a sophisticated fraud scheme where attackers impersonate executives, vendors, or trusted partners to trick employees into transferring funds, sharing sensitive data, or changing payment details. Unlike traditional phishing, BEC often contains no malicious links or attachments, relying purely on social engineering. This skill covers detection techniques using email gateway rules, behavioral analytics, and financial process controls. ## When to Use - When investigating security incidents that require detecting business email compromise - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Email security gateway with BEC detection capabilities - Understanding of organizational financial processes and approval chains - Access to email logs and SIEM platform - Knowledge of social engineering tactics ## Key Concepts ### BEC Attack Types (FBI IC3 Classification) 1. **CEO Fraud**: Attacker impersonates CEO, requests urgent wire transfer 2. **Account Compromise**: Employee email compromised, used to request payments from vendors 3. **False Invoice Scheme**: Fake invoices from "vendor" with changed bank details 4. **Attorney Impersonation**: Impersonates legal counsel for urgent confidential transfers 5. **Data T...