Anatomy of a BEC Hack

A deep dive into invoice redirection mechanisms, domain spoofing headers, and protection strategies against targeted email scams.

Business Email Compromise (BEC) remains one of the most financially devastating attack vectors in the modern threat landscape. Unlike ransomware, which relies on technical exploitation and encryption, BEC attacks are largely psychological. They manipulate human trust, leveraging hijacked communication channels to redirect millions of dollars into threat actor-controlled accounts.

"The sophistication of BEC attacks has evolved from simple spoofing to complex, multi-stage supply chain compromises where the attacker embeds themselves directly into existing email threads."

Phase 1: Reconnaissance and Target Selection

Modern BEC actors do not cast a wide net. They operate like apex predators, patiently studying their targets. Using OSINT (Open Source Intelligence) from LinkedIn, corporate directories, and dark web credential dumps, attackers map out the organizational hierarchy of a company.

They specifically target C-Level executives, Accounts Payable departments, and Real Estate intermediaries. The goal is to understand payment schedules, vendor relationships, and internal reporting chains.

Phase 2: The Infiltration (Lookalike Domains vs. Compromise)

There are two primary methods attackers use to execute the infiltration phase:

  • Account Compromise: Using stolen session cookies or brute-forced credentials (often bypassing MFA via Evilginx2 reverse proxies), the attacker logs directly into the victim's Office 365 or Google Workspace account.
  • Homograph Attacks (Lookalike Domains): The attacker registers a domain that looks visually identical to a trusted vendor.

Consider this subtle domain spoofing example:

Genuine Domain: accounting@trusted-vendor.com
Spoofed Domain: accounting@trusted-vend0r.com
Unicode Spoof: accounting@trusted-vendоr.com (Cyrillic 'о')
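As an added illustration of how a mail-flow check could catch both spoofing styles above (this is not code from the original article), the Python below collapses a sender's domain to an ASCII "skeleton" and compares it with a constructed allow-list of trusted vendor domains; the allow-list, the small confusable tables and the 0.9 similarity threshold are assumptions made for the example.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed allow-list of vendor domains the AP team actually pays (assumption for this example).
TRUSTED_DOMAINS = {"trusted-vendor.com"}

# Cyrillic letters whose glyphs match Latin ones, written as escapes so the lookalikes are
# unambiguous in source. Illustrative subset; real filters use the full Unicode confusables list.
CYRILLIC_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}
# Digits commonly substituted for letters in ASCII typosquats (vend0r, paypa1).
DIGIT_TO_LETTER = {"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"}


def scripts_used(domain: str) -> set[str]:
    """Unicode scripts present among the domain's letters, taken from each character's name."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in domain if ch.isalpha()}


def skeleton(domain: str) -> str:
    """Collapse a domain to an ASCII skeleton so visual lookalikes land on the genuine spelling."""
    chars = []
    for ch in unicodedata.normalize("NFKC", domain.casefold()):
        ch = CYRILLIC_TO_LATIN.get(ch, ch)
        chars.append(DIGIT_TO_LETTER.get(ch, ch))
    return "".join(chars)


def classify_sender(address: str, threshold: float = 0.9) -> tuple[str, str]:
    """Return (verdict, reason) for the domain part of a sender address."""
    domain = address.rsplit("@", 1)[-1].casefold()
    if domain in TRUSTED_DOMAINS:
        return "trusted", "exact match on allow-list"
    scripts = scripts_used(domain)
    if scripts and scripts != {"LATIN"}:
        # Mixed or non-Latin letters in a vendor domain: the Unicode spoof from the article.
        return "suspicious", f"non-Latin script in domain: {sorted(scripts)}"
    skel = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        trusted_skel = skeleton(trusted)
        if skel == trusted_skel:
            return "suspicious", f"lookalike of {trusted} after confusable normalisation"
        if SequenceMatcher(None, skel, trusted_skel).ratio() >= threshold:
            return "suspicious", f"near-match to {trusted} (string similarity {threshold:.2f}+)"
    return "unknown", "not on allow-list and no lookalike detected"


if __name__ == "__main__":
    for sender in ("accounting@trusted-vendor.com", "accounting@trusted-vend0r.com",
                   "accounting@trusted-vend\u043er.com", "billing@other-supplier.org"):
        print(sender, "->", classify_sender(sender))
```

An "unknown" verdict is not a pass: a first-seen domain asking for a banking change still belongs in the out-of-band verification path described later in the article.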

Phase 3: The Man-in-the-Email Attack (Invoice Manipulation)

Once inside a legitimate inbox, the attacker does not immediately send a fraudulent request. Instead, they set up silent inbox rules. They configure filters to forward any email containing words like "invoice," "wire transfer," or "payment" directly to a hidden folder (e.g., RSS Feeds or an archive).

When a legitimate vendor sends an actual invoice, the attacker intercepts it. They modify the PDF invoice, changing the bank routing and account numbers to a money mule account, and then reply to the thread posing as the vendor:

From: Vendor (accounting@trusted-vendor.com)
To: Victim (ap@target-company.com)
Subject: RE: Invoice #4092 - URGENT UPDATE

Hi Team,

Please note that we have recently updated our banking institution. Kindly remit payment for Invoice #4092 to our new routing number attached in the revised PDF below.

Thank you.

Defensive Telemetry and Mitigation

Defending against BEC requires a defense-in-depth approach, combining strict email authentication protocols with behavioral analytics and financial verification policies.

1. Enforcing DMARC, SPF, and DKIM

Domain-based Message Authentication, Reporting, and Conformance (DMARC) is non-negotiable. Organizations must configure their DMARC records with a `p=reject` policy so that any email failing DMARC (no aligned SPF pass and no aligned DKIM pass) is rejected outright by the receiving server.

2. Out-of-Band Verification

The most effective defense against BEC is a human one. Establish a mandatory corporate policy requiring out-of-band verification for any change in payment details. If a vendor emails a new bank account number, the accounts payable team must call the vendor on a known, trusted phone number (not the one in the email signature) to verify the change.

3. Behavioral Analytics (AI)

Modern Email Security Gateways use AI to analyze the telemetry of inbound emails. They build profiles based on typical communication patterns, flagging anomalies such as unusual geolocations, unexpected reply-to headers, or sudden urgency in tone.

As the cyber landscape evolves, so too must our defenses. By understanding the anatomy of a BEC attack, organizations can shift from reactive panic to proactive resilience.