Business email compromise

A form of social engineering where an attacker impersonates a trusted person or domain to manipulate payment, change banking details, or extract sensitive information. It often succeeds without malware because the attacker targets process trust and human judgement instead of technical controls.

Expanded Definition

Business email compromise, or BEC, is a trust abuse tactic that sits at the intersection of phishing, fraud, and identity impersonation. It does not require malware in many cases because the attacker only needs to look like the right executive, supplier, payroll contact, or bank representative long enough to change a payment path or obtain sensitive records. In NHI and IAM discussions, BEC matters because the attacker often exploits weak verification of message origin, domain lookalike handling, and process shortcuts rather than technical control failure alone.

Definitions vary across vendors on whether BEC should include invoice fraud, executive impersonation, or broader email account takeover, so NHI Management Group treats it as a process-driven social engineering class with financial impact. For standards context, guidance on email authentication in IETF RFC 7489 helps reduce spoofing, but it does not solve human approval risk by itself. The most common misapplication is treating BEC as a spam problem, which occurs when teams focus on filtering messages instead of verifying payment and account-change workflows.

Examples and Use Cases

Implementing BEC defenses rigorously often introduces friction in finance and operations, requiring organisations to weigh faster payments and less inbox clutter against stronger verification and approval steps.

  • A supplier sends a message requesting a new bank account for future invoices, but the sender domain differs by one character and the payment team fails to call a known contact.
  • A payroll coordinator receives a spoofed executive request to change direct-deposit details, and the attacker uses urgency to bypass normal callback verification.
  • An accounts payable workflow accepts email-only approvals, allowing a fraudster to redirect a wire transfer without touching the corporate network.
  • A compromised mailbox is used to reply inside an existing vendor thread, making the request appear legitimate even when the domain is not spoofed.
  • Attackers combine BEC with AI-generated language to mimic tone and timing, a pattern increasingly discussed in LLMjacking: How Attackers Hijack AI Using Compromised NHIs and in Anthropic — first AI-orchestrated cyber espionage campaign report.
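As an added example that is not part of the original entry, the Python check below turns the first, second and fourth scenarios above into a pre-payment triage step: it flags sender domains within a short edit distance of a verified vendor list, records whether DMARC (RFC 7489) passed, and holds every banking-change request for callback verification even when the domain and DMARC look clean, because a compromised mailbox passes both. The vendor list, header values and message texts are constructed sample data.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample data: vendor domains finance has verified out of band.
KNOWN_VENDOR_DOMAINS = {"acme-supplies.example", "northwind.example"}
BANK_CHANGE_TERMS = ("new bank account", "updated banking details",
                     "direct deposit", "remittance form")

def edit_distance(a, b):
    """Levenshtein distance; catches one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def assess_request(raw_message):
    """Return (verdict, reasons) for an inbound payment-related email."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("plain",))
    body = part.get_content().lower() if part is not None else ""
    auth = str(msg.get("Authentication-Results", "")).lower()
    reasons = []
    if domain not in KNOWN_VENDOR_DOMAINS:
        close = [d for d in KNOWN_VENDOR_DOMAINS if 0 < edit_distance(domain, d) <= 2]
        reasons.append(f"lookalike of known vendor domain {close[0]}" if close
                       else "sender domain not on verified vendor list")
    if "dmarc=pass" not in auth:
        reasons.append("no DMARC pass in Authentication-Results")
    if any(term in body for term in BANK_CHANGE_TERMS):
        # Process control: a legitimate domain is not a substitute for a callback.
        reasons.append("banking-details change requires callback to a known contact")
    verdict = "hold for out-of-band verification" if reasons else "routine"
    return verdict, reasons

# Constructed messages: lookalike domain, hijacked vendor thread, routine invoice.
LOOKALIKE_REQUEST = """From: billing@acme-supp1ies.example
Authentication-Results: mx.corp.example; dmarc=pass header.from=acme-supp1ies.example

Please use our new bank account for all future invoices.
"""
THREAD_HIJACK_REQUEST = """From: ar@northwind.example
Authentication-Results: mx.corp.example; dmarc=pass header.from=northwind.example

Re: Invoice 4471 - we have updated banking details, see the attached remittance form.
"""
ROUTINE_INVOICE = """From: ar@northwind.example
Authentication-Results: mx.corp.example; dmarc=pass header.from=northwind.example

Please find attached invoice 4471 for last month's deliveries.
"""
```

Both fraud samples are held, but for different reasons: the first on domain distance, the second only because the process rule fires despite a genuine domain and a DMARC pass.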

For identity hygiene around these scenarios, organisations should also study Ultimate Guide to NHIs — Why NHI Security Matters Now and compare their workflow controls to the fraud patterns in The 52 NHI Breaches Report.

Why It Matters in NHI Security

BEC is not only a human-targeted fraud issue. It often becomes an NHI problem when attackers pivot from an inbox to service accounts, API keys, or delegated automation that can approve, route, or execute financial changes. Once a message is trusted, downstream systems may act with the authority of an enterprise identity that never intended to authorize the transaction. That is why email trust, delegated access, and approval automation must be reviewed together.

NHI Management Group research shows that organisations maintain an average of 6 distinct secrets manager instances, creating fragmentation that undermines centralised control, while the average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities. Those conditions matter because BEC campaigns increasingly look for the weakest operational path, not just the weakest password. When email impersonation reaches automated payment or ticketing systems, the attack becomes a control-plane problem as much as a fraud problem. The most damaging failures are often exposed only after a transfer has been reversed, at which point BEC becomes an incident-response and identity-governance priority.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST SP 800-63 set the governance and control requirements practitioners need to meet.

Framework                        | Control / Reference | Relevance
---------------------------------|---------------------|----------------------------------------------------------------------------------------
OWASP Non-Human Identity Top 10  | NHI-06              | BEC often exploits weak approval and identity verification around NHI-driven workflows.
NIST CSF 2.0                     | PR.AA-1             | Identity proofing and authentication support controls that reduce impersonation success.
NIST SP 800-63                   |                     | Digital identity assurance principles inform how trusted requests should be validated.

Apply higher assurance checks before accepting requests that change payments or credentials.