BEC fraud or CEO fraud: How does it work?
Published on October 23, 2025
BEC (Business Email Compromise) fraud, also known as CEO fraud, is a scam in which an attacker impersonates a trusted figure within the company to convince someone, typically in management, finance, or executive leadership, to initiate a transfer, share sensitive information, or modify banking details.
Unlike other attacks, this one usually does not involve a virus, a suspicious file, or an odd link. The primary weapon is deception: an email that appears legitimate, a convincing tone, and an urgent situation that pushes the recipient to act without careful thought.
How Attackers Operate
A BEC attack generally follows this pattern:
1. They study the company and its key personnel: they analyze roles, hierarchies, suppliers, and routines.
2. They impersonate an identity: they may register a domain nearly identical to the real one, or gain access to a legitimate account by stealing its credentials.
3. They craft a credible and urgent message: the email typically requests a transfer, a change of bank account, or another sensitive action that “cannot wait.”
4. They aim to bypass internal procedures: the goal is to have the victim act alone, without verifying the request with anyone else.
5. Once payment is made, the funds disappear: typically, the money is diverted to foreign accounts and moved several times to obscure its trail.
Common Warning Signs
An email that may be part of a BEC fraud often includes elements such as:
- Urgent requests that bypass established processes and controls
- Unexpected changes in bank account details
- Messages that invoke confidentiality or authority
- Subtle errors in the sender's address or domain
- Instructions that are not typically communicated via email
If something seems off, it probably is.
How to Protect Your Company from BEC Fraud
To avoid falling victim to such scams, it is essential to combine advanced technology, robust training, and solid internal procedures:
- Use advanced email security solutions (Microsoft Defender for Office 365, Google Workspace ATP, Proofpoint, Mimecast, or Barracuda).
- Ensure proper configuration of SPF, DKIM, and DMARC.
- Train employees and regularly conduct phishing simulations.
- Monitor and investigate suspicious activities using SIEM and SOAR tools.
- Verify any payment orders or financial changes through an alternative channel.
- Implement dual control for payments to prevent a single person from authorizing a complete transaction.
NEVERHACK: your cyber performance partner
BEC fraud does not rely on breaching systems, but rather on exploiting individuals. This is what makes it both effective and extremely dangerous. The good news is that with the right tools, clear procedures, and a culture of healthy skepticism toward emails, it is possible to drastically reduce this risk.
If you would like more information on how to implement similar solutions in your organization, please do not hesitate to contact us!
Author: Adrián Jimeno Romano, Cybersecurity Consultant at NEVERHACK