IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

New Business Email Compromise Schemes Add Vendor Deception

Like other forms of cyber crime, business email compromise is growing and evolving. Here’s what you need to know.

Hand selecting good email amid many spam messages.
Shutterstock/Production Perig
A recent FBI alert described business email compromise (BEC) as a $43 billion scam.

Meanwhile, Microsoft released a detailed security blog on the same topic earlier this month with the headline “From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud.”

Here’s an excerpt: “A large-scale phishing campaign that used adversary-in-the-middle (AiTM) phishing sites stole passwords, hijacked a user’s sign-in session, and skipped the authentication process even if the user had enabled multifactor authentication (MFA). The attackers then used the stolen credentials and session cookies to access affected users’ mailboxes and perform follow-on business email compromise (BEC) campaigns against other targets. Based on our threat data, the AiTM phishing campaign attempted to target more than 10,000 organizations since September 2021.”

The Microsoft blog goes on to offer process diagrams and more details on how the cyber attacks are executed.

My UK-based blogging colleague Graham Cluely wrote an excellent piece for Tripwire recently, which focused on the importance of this trend. His headline was “10,000 organisations targeted by phishing attack that bypasses multi-factor authentication.”

Here’s an excerpt from Graham: “The global pandemic, and the resulting increase in staff working from home, has helped fuel a rise in the adoption of multi-factor authentication.

“Cybercriminals, however, haven’t thrown in the towel when faced with MFA-protected accounts. Accounts with MFA are certainly less trivial to break into than accounts which haven’t hardened their security, but that doesn’t mean that it’s impossible.

“Reverse-proxy phishing kits like Modlishka, for instance, impersonate a login page, and ask unsuspecting users to enter their login credentials and MFA code. That collected data is then passed to the genuine website — granting the cybercriminal access to the site.

“As more and more people recognise the benefits of MFA, we can expect a rise in the number of cybercriminals investing efforts into bypassing MFA.”


Business email compromise is a topic that I have covered several times in this blog going back to 2016 when I wrote about “whaling,” or going after big targets like CEOs with phishing. BEC has also been called “CEO fraud” as well as other terms.

For more background on what BEC is, and how it works, consider these three blogs:

This quick video can also help:


And while I was doing some background research for this blog, I came across a new term that is becoming more widely used: “vendor email compromise (VEC).” I like the description of these vendor impersonation cyber attacks offered by Make Use Of: “VEC attacks are a type of BEC attack. Unlike traditional BEC attacks, they specifically target vendors. Vendors typically work with a large number of different businesses. The idea is that if an attacker can successfully impersonate a vendor, they can then steal from all of those firms.

“VEC attacks require more work and take longer to implement. But depending on the size of the vendor, the profits can also be significantly higher.”

For example, Mondaq offers this story of fraud where construction companies are imitated. It is a compelling example to review, and can happen in all industries. Here are a few of their tips to help overcome the challenge:
  • Verify all payment changes and transactions in person or via a known, established telephone number. Continue to ensure contact information is current and updated.
  • Carefully check email addresses for slight changes that can make fraudulent addresses appear legitimate and resemble actual companies’ names.
  • Implement robust approval procedures for vetting account change requests to prevent monetary losses.
  • Enable security features that block malicious emails, such as anti-phishing and anti-spoofing policies.
  • Educate employees on BEC scams, including preventive strategies such as how to identify phishing emails and how to respond to suspected compromises.
  • Notify customers about BEC threats and mitigation methods your company is taking, such as notifying customers of internal processes for changing or updating ACH banking information.


This email and social engineering challenge is not going away and needs to be a top priority for security awareness campaigns and overall cybersecurity efforts.

In the link to the FBI alert that started this blog, these recommendations are offered to help defeat BEC (and new twists like VEC):

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match who it is coming from.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.
Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.