Spear Phishing and BEC Attacks
Spear Phishing and BEC Attacks

Photo by Ann H on Pexels
While mass phishing emails cast a wide net, spear phishing and Business Email Compromise (BEC) attacks are precision strikes. They target specific individuals or organizations using gathered intelligence to create highly convincing messages. These attacks are the most financially damaging form of phishing, with the FBI reporting losses exceeding $2.7 billion annually from BEC alone.
Spear Phishing: Targeted Attacks
Spear phishing differs from mass phishing in the level of research involved. The attacker learns about their target — your role, colleagues, vendors, ongoing projects — using LinkedIn, company websites, and public records. They then craft an email that references real details, making it far more convincing than a generic phishing attempt.
Example: An attacker researches a company's structure on LinkedIn, identifies the CFO and the accounts payable manager, and sends an email to the AP manager appearing to come from the CFO. The email references a real vendor from the company's website, requests an urgent change to the vendor's bank details, and asks for a wire transfer to be processed by end of day. Because the names, roles, and vendor are all real, the email feels legitimate. The urgency prevents the AP manager from verifying through normal channels.
Business Email Compromise (BEC)
BEC attacks are a specialized form of spear phishing that targets financial transactions. The FBI identifies five common BEC scenarios:
1. CEO/CFO Fraud: The attacker impersonates an executive and requests urgent wire transfers or gift card purchases. The email typically says the executive is "in a meeting" or "traveling" and cannot be reached by phone.
2. Attorney Impersonation: The attacker poses as an outside attorney handling a confidential matter, requesting payment of legal fees or settlement funds. These often arrive at the end of the day or week when the target is eager to wrap up before leaving.
3. Account Compromise: An employee's email account is hijacked through a prior phishing attack. The attacker monitors communications and, at the right moment, sends payment instructions to clients or partners from the compromised account. Because the email genuinely comes from the real account, it is extremely hard to detect.
4. Fake Invoice Scam: The attacker poses as a vendor and requests a change to their payment bank account. When the next invoice is paid, the money goes to the attacker's account instead of the vendor's.
5>Payroll Diversion: The attacker poses as an employee and emails HR requesting a change to their direct deposit account. Paychecks are redirected to the attacker.
How Attackers Gather Intelligence
The information that makes spear phishing convincing comes from public sources. Attackers use LinkedIn for employee names and roles, company websites for vendor and partner information, SEC filings for financial details, social media for travel plans and personal connections, and data from previous breaches. Conduct an honest audit of your digital footprint — what information about your organization is publicly available that an attacker could weaponize?
Defense Against Spear Phishing and BEC
- Verify out-of-band: Any financial request received by email must be verified through a phone call to a known number — not the number in the email
- Implement payment verification procedures: Require two-person approval for wire transfers above a threshold; require verbal confirmation for any change to vendor banking details
- Register look-alike domains: If your domain is company.com, register company-secure.com, company-support.com, and common misspellings to prevent attackers from using them
- Use DMARC: Implement DMARC with enforcement (p=reject) to prevent email spoofing of your domain
Key Takeaways
- Spear phishing uses gathered intelligence to create targeted, convincing attacks
- BEC attacks target financial transactions and have caused billions in losses
- Out-of-band verification is the most effective defense against BEC
- Audit your public digital footprint to see what attackers see
Common Questions: Spear Phishing and BEC Attacks
Q: How can I verify a financial request from an executive?
Always use an out-of-band verification method. If you receive an email from a CEO or CFO requesting a wire transfer, do not reply to the email or use the phone number in the email. Instead, call the executive's known, verified phone number from your company directory. Establish a verbal or in-person confirmation for any unusual financial request, especially those involving urgency, secrecy, or changes to payment instructions. Implement a dual-authorization policy for wire transfers above a set threshold.
Q: What free tools can help detect BEC attacks?
DomainTools offers a free WHOIS lookup to check domain registration details for lookalike domains. SpoofCheck can verify if your domain is vulnerable to spoofing. EmailRep.io provides reputation scoring for email addresses. Additionally, enabling DMARC reports (free with most email providers) gives visibility into spoofing attempts using your domain. Set up email rules that flag external emails mentioning "wire transfer," "urgent payment," or "invoice attached" for additional scrutiny.
Q: What happens if we don't train employees on BEC specifically?
BEC attacks are the most financially damaging phishing variant, with average losses exceeding $125,000 per incident. Without specific BEC training, employees in finance, HR, and executive assistant roles may not recognize the subtle signs of a BEC attack, since these emails often don't contain traditional phishing indicators like suspicious links or attachments. A single successful BEC attack can wipe out months of revenue for a small business.
Q: How do attackers know which employees handle finances?
Attackers research publicly available information: LinkedIn profiles, company "About Us" pages, press releases, conference attendee lists, and even social media posts. Job titles like "Accounts Payable," "Controller," or "CFO" are prime targets. Limit the amount of financial role information publicly available on your website and social media. Consider using generic titles in public-facing materials while keeping precise role descriptions internal.
Spear Phishing and BEC Attacks

Photo by Ann H on Pexels
While mass phishing emails cast a wide net, spear phishing and Business Email Compromise (BEC) attacks are precision strikes. They target specific individuals or organizations using gathered intelligence to create highly convincing messages. These attacks are the most financially damaging form of phishing, with the FBI reporting losses exceeding $2.7 billion annually from BEC alone.
Spear Phishing: Targeted Attacks
Spear phishing differs from mass phishing in the level of research involved. The attacker learns about their target — your role, colleagues, vendors, ongoing projects — using LinkedIn, company websites, and public records. They then craft an email that references real details, making it far more convincing than a generic phishing attempt.
Example: An attacker researches a company's structure on LinkedIn, identifies the CFO and the accounts payable manager, and sends an email to the AP manager appearing to come from the CFO. The email references a real vendor from the company's website, requests an urgent change to the vendor's bank details, and asks for a wire transfer to be processed by end of day. Because the names, roles, and vendor are all real, the email feels legitimate. The urgency prevents the AP manager from verifying through normal channels.
Business Email Compromise (BEC)
BEC attacks are a specialized form of spear phishing that targets financial transactions. The FBI identifies five common BEC scenarios:
1. CEO/CFO Fraud: The attacker impersonates an executive and requests urgent wire transfers or gift card purchases. The email typically says the executive is "in a meeting" or "traveling" and cannot be reached by phone.
2. Attorney Impersonation: The attacker poses as an outside attorney handling a confidential matter, requesting payment of legal fees or settlement funds. These often arrive at the end of the day or week when the target is eager to wrap up before leaving.
3. Account Compromise: An employee's email account is hijacked through a prior phishing attack. The attacker monitors communications and, at the right moment, sends payment instructions to clients or partners from the compromised account. Because the email genuinely comes from the real account, it is extremely hard to detect.
4. Fake Invoice Scam: The attacker poses as a vendor and requests a change to their payment bank account. When the next invoice is paid, the money goes to the attacker's account instead of the vendor's.
5>Payroll Diversion: The attacker poses as an employee and emails HR requesting a change to their direct deposit account. Paychecks are redirected to the attacker.
How Attackers Gather Intelligence
The information that makes spear phishing convincing comes from public sources. Attackers use LinkedIn for employee names and roles, company websites for vendor and partner information, SEC filings for financial details, social media for travel plans and personal connections, and data from previous breaches. Conduct an honest audit of your digital footprint — what information about your organization is publicly available that an attacker could weaponize?
Defense Against Spear Phishing and BEC
- Verify out-of-band: Any financial request received by email must be verified through a phone call to a known number — not the number in the email
- Implement payment verification procedures: Require two-person approval for wire transfers above a threshold; require verbal confirmation for any change to vendor banking details
- Register look-alike domains: If your domain is company.com, register company-secure.com, company-support.com, and common misspellings to prevent attackers from using them
- Use DMARC: Implement DMARC with enforcement (p=reject) to prevent email spoofing of your domain
Key Takeaways
- Spear phishing uses gathered intelligence to create targeted, convincing attacks
- BEC attacks target financial transactions and have caused billions in losses
- Out-of-band verification is the most effective defense against BEC
- Audit your public digital footprint to see what attackers see
There are no comments for now.