Threats and vulnerabilitiesIntermediate27 min read

What Is Business email compromise? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Business email compromise is a type of phishing attack focused on businesses and their employees. The attacker sends an email that looks like it comes from a boss, a vendor, or a partner. The goal is to trick someone into sending money or sharing private data. These attacks often use careful research to make the fake email believable.

Commonly Confused With

Business email compromisevsPhishing

Phishing is a broad category of social engineering attacks that use fraudulent emails to trick recipients into clicking malicious links or opening attachments. Business email compromise is a specific subtype of phishing that focuses on impersonating a trusted party to directly request money or data, often without any malicious links or attachments.

A phishing email might ask you to click a link to reset your password. A BEC email might ask you to wire money to a fake vendor account.

Business email compromisevsWhaling

Whaling is a type of spear phishing that specifically targets senior executives like the CEO or CFO. While BEC often targets executives as well, whaling is defined by the target’s role, whereas BEC is defined by the attack’s goal, which is financial fraud through impersonation. A whaling attack could be designed to steal login credentials, while a BEC attack is almost always about money.

An attacker sends a fake HR email about benefits to the CEO to steal their password, that is whaling. An attacker sends an email pretending to be the CEO to the finance team asking for a wire transfer, that is BEC.

Business email compromisevsSpear phishing

Spear phishing is a targeted phishing attack that uses personalized information to deceive a specific individual or organization. BEC is a type of spear phishing that is focused on impersonating a trusted entity for financial gain. All BEC attacks are spear phishing because they are highly targeted, but not all spear phishing attacks are BEC because they could have different objectives like installing malware.

An attacker sends an email that mentions a recent conference you attended to trick you into opening a malicious attachment, that is spear phishing. An attacker sends an email that appears to be from your boss asking you to pay a fake invoice, that is BEC.

Business email compromisevsPretexting

Pretexting involves creating a fabricated scenario or pretext to trick someone into divulging information. BEC often uses pretexting as part of the attack, such as claiming a supplier changed its bank account. However, pretexting can be used in many contexts beyond email, such as phone calls or in-person visits, while BEC specifically uses email as the attack vector.

An attacker calls pretending to be from IT and says they need your password for a system update, that is pretexting. An attacker sends an email pretending to be from a vendor saying they changed their bank details, that is BEC using pretexting.

Must Know for Exams

Business email compromise is a significant topic for the CompTIA Security+ exam, as it falls under threats and vulnerabilities, specifically social engineering and email-based attacks. The Security+ exam objectives explicitly include phishing and related variants, and BEC is a high-profile example that frequently appears in multiple-choice questions and scenario-based problems. The exam tests candidates on their ability to identify different types of social engineering attacks, understand the techniques used, and recommend appropriate mitigation strategies.

For Security+, candidates should know that BEC is distinct from standard phishing because it targets specific individuals within an organization, often using impersonation of a high-level executive or trusted partner. The attack does not rely on malicious links or attachments, but instead on deception. Exam questions might present a scenario where an employee receives an urgent email from the CEO requesting a wire transfer to a new vendor account.

The candidate must recognize this as a potential BEC attack and recommend the best response, which is to verify the request through an alternate communication channel. The exam also tests knowledge of email security controls that can help prevent BEC, such as SPF, DKIM, and DMARC. A question might ask which of these authentication methods helps prevent domain spoofing, or what to check if an email passes SPF but fails DKIM.

Another important exam concept is the principle of least privilege and separation of duties as a defense against BEC. A candidate may be asked to identify why a policy that requires two people to approve wire transfers is effective. The exam also covers account takeover as a method for BEC, so understanding multi-factor authentication and strong password policies is relevant.

For the Security+ exam, BEC is typically classified under social engineering, and candidates should be prepared to differentiate it from spear phishing, whaling, and vishing. Whaling is a type of phishing targeting senior executives, and BEC can be considered a form of whaling, but BEC has a broader scope that includes impersonating vendors or partners. Exam questions may list several attack types and ask the candidate to select the one that matches the description of an attacker impersonating a CEO requesting an urgent fund transfer.

The correct answer would be business email compromise. Candidates should also be familiar with the concept of pretexting, which is the creation of a fabricated scenario to steal information, and how it relates to BEC. The attacker creates a pretext, such as a new banking relationship, to justify the fraudulent request.

Staying current with BEC trends is beneficial, as exam developers often incorporate real-world threats. Overall, mastering BEC for Security+ requires a solid understanding of social engineering principles, email security technologies, and organizational policies that reduce risk.

Simple Meaning

Imagine you work at a company that pays its suppliers regularly. You receive an email that looks exactly like the one your boss, the CFO, usually sends. The email address looks right, the company logo is there, and the signature line matches.

The message says a supplier changed their bank account and you need to wire the next payment to this new account immediately. Because the email seems so real, you follow the instruction and send the money. Later, you find out your boss never sent that email and the real supplier did not change their bank account.

The money is gone. This is business email compromise, or BEC. It is a type of scam where criminals pretend to be someone you trust inside or outside your company. They spend time studying your company and the people in it.

They learn how your boss talks, what projects are happening, and the names of your vendors. Then they create a fake email that looks genuine. The attacker is not trying to break into your computer system with a virus or a technical hack.

Instead, they exploit human trust and urgency. They create a situation where you feel you must act quickly without stopping to double-check. The email might say the payment is overdue, or that the CEO needs your help immediately with a confidential deal.

Because the request seems to come from an authority figure, employees often bypass normal verification procedures. BEC attacks do not rely on malicious links or attachments. They rely on social engineering, which is the art of manipulating people into doing what the attacker wants.

This makes BEC especially dangerous because traditional security tools like spam filters might not catch the email. The email looks legitimate, uses real names, and does not contain any malware. The attacker simply waits for you to hit reply and follow their instructions, or they might compromise a real email account to send the message from a trusted source.

Understanding BEC helps you protect your company’s money and data by teaching you to question urgent requests and always verify changes through a separate communication channel like a phone call.

Full Technical Definition

Business email compromise (BEC) is a targeted social engineering attack that exploits email communication to fraudulently obtain funds or sensitive data. Unlike generic phishing, BEC attacks are highly personalized. The attacker first conducts reconnaissance on the target organization using open-source intelligence (OSINT).

They gather information about company structure, key personnel, ongoing projects, vendor relationships, and even travel schedules. This research allows the attacker to craft a convincing impersonation. The technical vector varies, but common methods include display name spoofing, domain spoofing, lookalike domains, and account takeover.

In display name spoofing, the attacker sets the email display name to that of a senior executive, while the actual email address is a free service like Gmail or an unrelated domain. Domain spoofing involves forging the email headers to make the message appear to come from a valid internal domain. This is sometimes possible when the organization lacks proper email authentication protocols such as Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

SPF allows the domain owner to specify which servers are authorized to send email for that domain. DKIM adds a digital signature to emails that can be verified by the recipient’s mail server. DMARC tells the receiving server how to handle messages that fail SPF or DKIM checks.

If these protocols are misconfigured or absent, attackers can easily forge the “From” address. Lookalike domains are similar to the real domain but with subtle changes, such as replacing a letter with a similar-looking character, adding an extra word, or using a different top-level domain. For example, “company.

com” might become “company.co” or “company-secure.com”. Attackers register these domains and create email accounts that closely mimic legitimate employees. Account takeover is the most dangerous variant.

The attacker gains access to a real email account, often through credential theft via phishing or credential stuffing. Once inside, they monitor email traffic to understand workflows and identify opportunities. They then send requests directly from the compromised account, making detection extremely difficult.

BEC attacks often involve urgency and secrecy. The attacker may ask the target to process a payment immediately or to handle a confidential transaction without informing other staff. Common attack patterns include the fake invoice scam, where a vendor’s account is impersonated to redirect payments; the CEO fraud, where a high-level executive requests an urgent wire transfer; and the attorney impersonation, where a fake lawyer demands payment for a time-sensitive legal matter.

From a technical defensive standpoint, implementing strict email authentication policies, enforcing multi-factor authentication (MFA) for all email accounts, and using advanced email filtering solutions that analyze behavioral patterns are critical. Employee training on verifying financial requests through out-of-band communication is equally important. BEC is a multi-billion-dollar cybercrime vector, and its success relies on human psychology rather than technical vulnerabilities, making it a persistent threat in enterprise environments.

Real-Life Example

Think about the last time you received a voicemail from someone you thought you knew. Maybe a friend called and left a message asking you to send them a quick favor. Now imagine that voicemail was actually recorded by a stranger using a voice that sounds exactly like your friend.

They ask you to lend them money because of a sudden emergency. You want to help your friend, so you send the money. Later, you realize it was a voice impersonator. BEC works in a similar way, but with email.

Consider a small business owner named Priya who runs a marketing agency. She frequently receives invoices from a printing vendor she has used for years. One day, she gets an email that looks exactly like the vendor’s usual invoices.

The logo is correct, the email format matches, and even the invoice number looks like part of their standard sequence. The only difference is that the email says the vendor has changed its bank and provides new payment details. Priya is busy with client work, so she quickly approves the payment to the new account.

The payment is for several thousand dollars. A week later, the real vendor calls asking why the invoice is unpaid. Priya realizes she was scammed. The attacker had hacked the vendor’s email system or created a lookalike domain to send that fake invoice.

In this analogy, the attacker is like the stranger who did deep research on Priya’s friendship with the vendor. They knew the vendor’s name, the typical invoice amount, and when payments were usually made. They used that knowledge to create a convincing fake message.

Just like you would normally verify a friend’s emergency request by calling them on their known phone number, Priya should have verified the bank account change by calling the vendor using a phone number she already had on file. BEC exploits the trust that exists in business relationships. The attacker does not need to break any sophisticated encryption or install malware.

They simply use their knowledge of the target’s relationships and workflows to craft a believable story that triggers an urgent action.

Why This Term Matters

Business email compromise matters to IT professionals because it is one of the most financially damaging cyber threats facing organizations today. According to the FBI’s Internet Crime Complaint Center (IC3), BEC attacks have resulted in billions of dollars in losses globally. Unlike ransomware or data breaches that may require complex technical defenses, BEC preys on human trust and operational gaps.

This means that even organizations with excellent firewalls, endpoint protection, and intrusion detection systems can be vulnerable. The attack does not have to bypass technical controls because it goes directly to the user through a channel that is considered trusted. IT professionals must understand that security is not just about technology but also about processes and people.

A robust security strategy includes implementing email authentication standards like SPF, DKIM, and DMARC to prevent domain spoofing. It also involves deploying multi-factor authentication to reduce the risk of account takeover. But more importantly, it requires establishing clear verification procedures for any financial or sensitive requests sent via email.

This might include a policy that any request to change bank account details must be confirmed via a phone call to a known number, not the number provided in the email. IT teams must also monitor for anomalies in email traffic, such as unusual sender behavior or requests that bypass normal approval workflows. BEC attacks are becoming more sophisticated with the use of artificial intelligence to craft more convincing messages and even deepfake voice calls to follow up on email requests.

For IT professionals, the stakes are high. If a BEC attack succeeds, the financial loss can be catastrophic for a small or medium business. The organization may also suffer reputational damage, regulatory penalties if customer data is exposed, and a loss of trust among employees.

Understanding BEC helps IT professionals design layered defenses that combine technology, policy, and training to reduce the attack surface. It also highlights the importance of incident response planning so that if an attack does succeed, the organization can act quickly to freeze funds and mitigate damage. Ultimately, BEC reminds us that security is a shared responsibility, and even the most advanced technical controls cannot replace a well-trained, vigilant workforce.

How It Appears in Exam Questions

In the Security+ exam, business email compromise appears in scenario-based multiple-choice questions that test the candidate’s ability to recognize the attack and choose the correct mitigation. A typical question might read: “A company’s finance manager receives an email from someone claiming to be the CEO. The email urges the manager to process an urgent payment to a new vendor.

The email address appears to be the CEO’s correct address. What type of attack is this?” The answer choices include phishing, spear phishing, whaling, and business email compromise.

The correct answer is business email compromise, as it specifically involves impersonation for financial fraud. Another question format involves selecting the best defense. For example: “An organization wants to reduce the risk of business email compromise attacks.

Which of the following should be implemented first?” Options might include advanced endpoint protection, email filtering, multi-factor authentication, and user training. While all contribute to security, the best first step is often user training combined with a verification policy because BEC exploits human behavior.

Questions may also test technical controls. For instance: “An organization is experiencing spoofed emails from its own domain. Which of the following protocols would allow the receiving server to verify the authenticity of the sender?

” The candidate would need to select SPF, DKIM, or DMARC. Some questions describe a scenario where an attacker has compromised a legitimate email account and is sending wire transfer requests from that account. The candidate might be asked: “Which security control would have most effectively prevented this attack?

” The correct answer is multi-factor authentication, as it would prevent the initial account compromise even if the password was stolen. There are also troubleshooting-style questions. For example: “A user reports receiving an email that looks like it came from a colleague, but the reply-to address is different.

What should the security team verify first?” The candidate should suggest checking email headers for spoofing signs and reviewing SPF/DKIM records. Some questions combine BEC with other concepts, such as the principle of least privilege or separation of duties.

A question might ask: “A company’s policy requires two signatures for any wire transfer over $5,000. This policy primarily protects against which type of attack?” The answer would be business email compromise, because it limits the damage from a single compromised user.

Candidates should also expect questions that ask to identify the best next step after detecting a BEC attack. For example: “An employee realizes they have fallen for a BEC scam and wired funds to a fraudulent account. What should the employee do immediately?

” The correct actions include contacting the bank to reverse the transfer and reporting the incident to the security team. Practice with these question patterns helps candidates think critically about real-world scenarios and apply security principles effectively.

Practise Business email compromise Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Jane works as an accounts payable specialist at a medium-sized manufacturing company. She is responsible for processing payments to suppliers. One Tuesday morning, she receives an email that appears to be from her company’s CEO, Mark.

The email subject line reads “URGENT: Supplier Payment for Project Phoenix.” Jane knows that Project Phoenix is a real ongoing project, and the CEO often sends urgent requests. The email says that a key supplier needs payment immediately to avoid a production delay.

It provides new bank account details, claiming the supplier changed their banking information. The email asks Jane to wire $25,000 today and to keep the matter confidential because the CEO is in negotiations with the supplier. Jane feels a sense of urgency.

She wants to help the company and does not want to question the CEO. She opens her company’s accounting software and initiates the wire transfer to the new account. After completing the transaction, she sends a reply to the CEO confirming the payment.

Later that day, Jane sees the real CEO in the hallway and mentions she processed the payment. The CEO looks confused and says he never sent that email. Jane’s heart sinks. She immediately goes to her IT security team and reports the incident.

The IT team traces the email and discovers that the sender’s email address was not the CEO’s actual address. It was a lookalike domain that used “company.co” instead of “company.com.

” The display name was spoofed to say Mark’s full name. The attacker had done research on the company’s projects and organizational hierarchy to make the request believable. The company contacts the bank to try to reverse the wire transfer, but the funds have already been withdrawn.

They also report the incident to law enforcement. In the aftermath, the company implements a new policy: any request to change payment details must be verified through a phone call to the known contact, using a number from the company’s internal directory, not the number in the email. They also deploy DMARC to prevent domain spoofing and require multi-factor authentication for all email accounts.

Jane participates in mandatory security awareness training to learn how to spot BEC attacks in the future. This scenario illustrates how BEC attacks exploit trust, urgency, and lack of verification, and why a simple policy change can prevent significant financial loss.

Common Mistakes

Thinking BEC is just another type of phishing with a link to click

BEC does not typically contain malicious links or attachments. The attack is purely social engineering, tricking the recipient into taking an action like wiring money or sharing sensitive information. Treating it like standard phishing leads to underestimating its danger.

Recognize that BEC is distinct. The threat is the request itself, not a malicious payload. Always verify urgent financial requests through an independent channel.

Believing that if the email passes SPF and DKIM checks, it is safe

An email can pass SPF and DKIM checks and still be a BEC attack if the attacker has compromised a legitimate account or uses a lookalike domain with correct authentication. These protocols verify the server, not the intent of the message.

Do not rely solely on email authentication. Use additional checks like verifying the request via phone, especially for sensitive actions.

Assuming only large companies are targets of BEC

Attackers often target small and medium businesses because they may have weaker security controls and less rigorous verification procedures. Smaller companies are frequently hit because the payoff relative to effort can be high.

All organizations, regardless of size, should implement BEC defenses such as verification policies, employee training, and email authentication protocols.

Thinking that the email is safe because it comes from a known contact with a correct name

Attackers can spoof display names or use compromised accounts to send emails that look fully legitimate. Familiarity with the sender’s name does not guarantee authenticity.

Verify unexpected or urgent requests by contacting the person through a different method, such as calling them on their known phone number or speaking with them in person.

Ignoring the urgency and secrecy cues in an email as normal behavior

BEC attackers deliberately create a sense of urgency and request secrecy to prevent the victim from verifying the request with others. Ignoring these red flags leads to falling for the scam.

Treat any email that pressures you to act quickly and avoid consulting others as suspicious. Always follow your organization’s verification procedures regardless of the perceived urgency.

Exam Trap — Don't Get Fooled

{"trap":"An exam question presents a scenario where a user receives an email that appears to be from the CEO requesting a wire transfer. The email address looks real. The question asks what type of attack this is.

Some learners might confuse it with whaling because the target is the CEO, but the attack specifically involves impersonation for financial fraud.","why_learners_choose_it":"Learners see the word ‘CEO’ and associate it with whaling, which targets high-profile individuals. They may not remember that BEC is a separate category defined by the impersonation of trusted parties to initiate fraudulent financial transactions."

,"how_to_avoid_it":"Memorize the definition of each attack type. Whaling focuses on targeting executives for any malicious purpose, while BEC specifically uses impersonation of a trusted figure (like the CEO) to steal money. If the scenario involves a fake executive requesting fund transfers, it is almost certainly BEC."

Step-by-Step Breakdown

1

Reconnaissance

The attacker researches the target organization to gather intel on key employees, financial workflows, vendors, and ongoing projects. They look at public sources like LinkedIn, company websites, financial reports, and even social media. This step helps the attacker choose the right person to impersonate and the right victim to target.

2

Impersonation Setup

The attacker creates a fake identity that looks legitimate. This could involve registering a lookalike domain (e.g., company-support.com instead of company.com), spoofing the display name in an email, or compromising a real email account through phishing or credential theft. The goal is to make the message appear to come from a trusted source.

3

Crafting the Email

Using the gathered intel, the attacker writes a convincing email. The message often includes specific references to real projects, names, or recent events to build trust. It creates a sense of urgency, such as an overdue payment or a time-sensitive deal, and sometimes requests secrecy to prevent the victim from verifying the request with others.

4

Sending the Email

The attacker sends the email to the target, usually someone in finance, accounts payable, or human resources who has the authority to process payments or share sensitive data. The email may bypass spam filters because it contains no malicious links or attachments, making it harder to detect automatically.

5

Victim Action

The recipient, believing the request is legitimate and urgent, takes the requested action. This could be wiring money to a fraudulent account, purchasing gift cards, or forwarding sensitive data like tax forms or employee records. The attacker relies on the victim’s trust, desire to help, and fear of consequences if they do not act quickly.

6

Monetization and Cover-Up

Once the attacker receives the funds or data, they quickly move the money through multiple accounts to obscure its trail, often using money mules or cryptocurrency. They may also delete sent emails or compromise additional accounts to cover their tracks. The victim may not realize the fraud until the real person or vendor follows up about the payment.

Practical Mini-Lesson

Business email compromise is one of the most insidious threats because it targets the human element rather than technical vulnerabilities. For IT professionals, understanding how to defend against BEC requires a blend of technical controls, policy enforcement, and ongoing user awareness. Let’s explore what this looks like in practice.

First, technical controls. The most effective technical defense against domain spoofing is implementing email authentication protocols. You need to configure SPF to list all servers authorized to send email for your domain.

Then, set up DKIM to sign outgoing emails with a digital signature. Finally, create a DMARC policy that tells receiving servers to quarantine or reject messages that fail SPF or DKIM checks. A DMARC policy of “p=reject” is the strongest.

This prevents attackers from spoofing your domain. However, these protocols do not protect against lookalike domains or account takeover. For those, you need to monitor for similar domains being registered and use multi-factor authentication on all email accounts to prevent compromise.

Second, policy and process. Even with perfect technical controls, a user can still be tricked. So you must establish clear verification procedures. For example, any request to change payment instructions must be confirmed through a phone call to a known number from an internal directory.

Never use the number provided in the email. This simple step can stop most BEC attacks. Implement separation of duties. Require two people to approve wire transfers over a certain amount.

This makes it harder for a single compromised user to cause damage. Also, establish a process for reporting suspicious emails. Users should know how to forward a suspected BEC email to the security team for investigation without feeling embarrassed.

Third, user awareness training. Train employees to recognize red flags. Urgent requests that require bypassing normal procedures, requests for secrecy, unusual wording, or slight discrepancies in email addresses are all warning signs.

Use simulated phishing exercises that include BEC scenarios to test user response. Provide immediate feedback when someone fails the simulation. Finally, incident response. If a BEC attack succeeds, the organization must act fast.

The first step is to contact the financial institution to attempt to reverse the transfer. The faster this is done, the better the chance of recovery. Next, preserve the email as evidence.

Then, report the incident to law enforcement, such as the FBI’s IC3. Internally, the security team should investigate how the attacker gained information or access and close those gaps. After the incident, review and update policies.

Consider conducting a lessons-learned session with the affected department. BEC is a persistent threat that evolves with technology. Attackers now use artificial intelligence to write more convincing emails and even deepfake audio to impersonate executives over the phone as a follow-up.

Therefore, continuous improvement of defenses is necessary. As an IT professional, you must stay informed about new attack patterns and regularly test your organization’s resilience. Remember, technology alone cannot stop BEC.

It requires a culture of security where every employee feels responsible for verifying unusual requests.

Memory Tip

Remember BEC by thinking of the three U’s: Urgency, Unusual request, and Unverified change. If an email has all three, it is likely a BEC attack.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Frequently Asked Questions

What is the main difference between business email compromise and regular phishing?

Regular phishing often uses mass emails with malicious links or attachments to steal login credentials or install malware. Business email compromise is a targeted attack that impersonates a trusted person to directly request money or sensitive information, usually without any malicious payload.

Is business email compromise considered a type of social engineering?

Yes, business email compromise is a form of social engineering because it manipulates people through deception and psychological tactics, such as creating urgency and exploiting trust, rather than relying on technical exploits.

How can SPF, DKIM, and DMARC help prevent business email compromise?

These email authentication protocols help prevent domain spoofing by verifying that an email claiming to be from your domain actually originated from an authorized server. Proper configuration makes it harder for attackers to send spoofed emails that appear to come from your organization.

What should I do if I suspect I received a business email compromise email?

Do not respond to the email or click any links. Report it to your IT security team immediately. If the email includes a financial request, verify it by contacting the supposed sender using a known phone number or official communication channel.

Can multi-factor authentication prevent business email compromise?

Multi-factor authentication can help prevent account takeover, which is one method attackers use in BEC. By requiring a second form of verification, MFA makes it harder for an attacker to gain access to a legitimate email account even if they have the password.

Is business email compromise only about wire transfers?

No, while wire transfer requests are common, BEC can also involve requests for gift card purchases, payroll diversion, or sharing of sensitive data like W-2 forms. The core element is impersonation of a trusted party to achieve financial gain or data theft.

Why do business email compromise attacks often go undetected by security software?

Because BEC emails typically do not contain malicious links or attachments. They are purely text-based requests that look legitimate. Security software designed to block malware or phishing links may not flag a well-crafted, socially engineered message.

Summary

Business email compromise is a sophisticated social engineering attack that targets organizations by impersonating trusted individuals to fraudulently obtain money or sensitive information. Unlike many cyber threats, BEC does not rely on technical vulnerabilities or malware. Instead, it exploits human psychology through urgency, authority, and trust.

The attacker conducts careful research to craft a convincing message, often using spoofed email addresses, lookalike domains, or compromised accounts. For IT professionals and Security+ exam candidates, understanding BEC is crucial because it represents a growing and financially devastating threat that bypasses traditional technical defenses. Defending against BEC requires a multi-layered approach.

Technically, organizations should implement email authentication protocols like SPF, DKIM, and DMARC to prevent domain spoofing, and use multi-factor authentication to reduce the risk of account takeover. Procedurally, clear verification policies for financial requests and separation of duties can stop an attack before money leaves the organization. Crucially, ongoing user awareness training helps employees recognize the red flags of urgency, secrecy, and unusual requests.

In the Security+ exam, BEC appears in scenarios where a candidate must identify the attack type or select the best mitigation. The key exam takeaway is to distinguish BEC from related attacks like whaling and spear phishing by focusing on the attack’s goal of financial fraud through impersonation. Remember the three U’s: Urgency, Unusual request, and Unverified change.

By staying informed and vigilant, IT professionals can help their organizations avoid the costly consequences of business email compromise.