Email Fraud and CEO Fraud (BEC): How to Detect, Prevent and Prove It

Quick answer: Business Email Compromise (BEC) is when an attacker impersonates an executive or a supplier, usually with pressure for urgency and secrecy, and tricks the company into paying money or an invoice into a fraudulent account. The attacker either compromises the real mailbox or spoofs the sender name. The FBI reported that global exposed BEC losses exceeded 55.5 billion dollars across more than 305,000 incidents from October 2013 to December 2023. The most effective defenses are to always verify changes to payment instructions through a second channel (for example a phone call to a known number), to deploy SPF, DKIM and DMARC, and to analyze the email header forensically when in doubt.

BEC is not a noisy attack; it often causes millions in losses with a single email and well-crafted social engineering. The FBI Internet Crime Complaint Center defines BEC as "a sophisticated scam carried out when a subject compromises legitimate business email accounts through social engineering or computer intrusion techniques resulting in an unauthorized transfer of funds." The target is anyone with payment authority, in finance, procurement or executive support.

How BEC works

  1. Executive impersonation (CEO fraud). The attacker emails as the CEO and asks a finance employee for an urgent, confidential transfer. "I am in a meeting, get this done today, do not talk to anyone" is the classic pattern.
  2. Invoice redirection. The attacker impersonates a real supplier and says "our bank account changed, pay the new IBAN." The company pays a regular invoice into a fraudulent account.
  3. Mailbox compromise. The attacker phishes into an employee's account, watches the real correspondence and inserts themselves at the exact moment of payment.
  4. Display name spoofing and lookalike domains. Two methods: making the visible name correct but the address fake, or registering a domain very similar to the real one (one letter changed). M3AAWG notes that DMARC prevents spoofing of the domain in the "From" line but does not stop "lookalike" or "cousin" domains.

Defense 1: Email authentication (SPF, DKIM, DMARC)

In the UK NCSC's definition, SPF lets you publish the IP addresses to be trusted for your domain; DKIM lets you cryptographically sign the email you send; and DMARC lets you set a policy for how to handle email that fails SPF or DKIM. Together they largely prevent your domain from being spoofed as the sender. For setup, see our guide on corporate email security: SPF, DKIM, DMARC. But DMARC does not stop lookalike domains, so process defense is essential.

Defense 2: Process and verification

  1. Out-of-band verification. Never verify a payment or IBAN change by replying to the email; verify it by phone on a known, pre-registered number. The FBI recommends verifying account information changes through a secondary channel or two-factor authentication.
  2. Dual approval. Require two people to approve transfers above a threshold and limit the number of people with payment authority.
  3. Urgency and secrecy flag. Language of "urgent, confidential, tell no one" is a warning sign; slow such requests down and verify.
  4. Staff awareness. Train the team against the CEO fraud scenario and test regularly with a phishing simulation.

Defense 3: Forensic email header analysis

The technical way to prove an email is fake is to analyze its header. As Microsoft documents, SPF, DKIM and DMARC results are stamped in the "Authentication-Results" header of an inbound message. Forensic review looks at three things: a mismatch between the "From" address the recipient sees and the envelope sender (Return-Path, smtp.mailfrom), whether the "Reply-To" points to a different address than the real sender, and whether the "Received" chain shows the message actually passing through the expected servers. These mismatches are evidence of fraud. Header records preserved with chain of custody can be used in court; see our guide on the digital forensics process, KVKK and chain of custody.
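The header triage described above, as an added example in Python that is not code from the original article: it reads the Authentication-Results verdicts, compares Return-Path and Reply-To with the visible From, and also flags a cousin domain that authentication alone will not catch. The sample message is constructed; example-corp.com is assumed to be the company's own domain and examp1e-corp.com is the invented lookalike.

```python
import email
import re
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com"}  # assumption: the company's own domain(s)

def _levenshtein(a, b):
    # Edit distance; distance 1 is the "one letter changed" cousin domain.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def analyze_headers(raw, trusted=TRUSTED_DOMAINS):
    """Return red-flag strings for one raw message; an empty list means no anomaly."""
    msg = email.message_from_string(raw)
    findings = []
    from_addr = parseaddr(msg.get("From", ""))[1]
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    from_dom = from_addr.rpartition("@")[2].lower()
    rp_dom = return_path.rpartition("@")[2].lower()
    # 1. SPF/DKIM/DMARC verdicts the receiving server stamped into the message.
    auth = " ".join(msg.get_all("Authentication-Results", []))
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        verdict = m.group(1) if m else "missing"
        if verdict != "pass":
            findings.append(f"{mech}={verdict}")
    # 2. Envelope sender (Return-Path) vs the From address the recipient sees.
    if rp_dom and rp_dom != from_dom:
        findings.append(f"return-path domain {rp_dom} != from domain {from_dom}")
    # 3. Replies silently diverted to another mailbox.
    if reply_to and reply_to.lower() != from_addr.lower():
        findings.append(f"reply-to {reply_to} differs from {from_addr}")
    # 4. Cousin domain: not ours, but within two edits of a trusted one (DMARC passes).
    if from_dom not in trusted and any(_levenshtein(from_dom, t) <= 2 for t in trusted):
        findings.append(f"lookalike domain {from_dom}")
    return findings

# Constructed sample: correct display name, cousin domain (l -> 1), diverted Reply-To.
SAMPLE = """Return-Path: <ceo@examp1e-corp.com>
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=examp1e-corp.com; dkim=pass header.d=examp1e-corp.com; dmarc=pass header.from=examp1e-corp.com
From: "Jane Doe" <ceo@examp1e-corp.com>
Reply-To: <jane.doe.ceo@webmail.example>
"""
```

On the sample, every authentication check passes and the only red flags are the diverted Reply-To and the cousin domain, which is exactly the gap the process controls above must cover.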

What to do if you are defrauded

The first hours are critical. Call your bank to try to recall the transfer, report the incident to USOM and the Public Prosecutor, sign out of all sessions and change the password of the compromised account, and preserve email headers and correspondence forensically without deleting them. If there is also a personal data breach, KVKK requires notification within 72 hours of becoming aware; see our guide on KVKK data breach notification.

Frequently Asked Questions

How is BEC different from classic phishing? Phishing is a wide net cast at the masses; BEC is personalized, usually link free and persuasion based, targeting a specific company and its payment process.

Do SPF, DKIM and DMARC stop every fake? No. They largely stop spoofing of your own domain but not lookalike domains or compromised real accounts; process verification is essential.

How do I prove the fake? The authentication results in the email header and mismatches in From, Reply-To, Return-Path and Received are technical evidence.

To audit your company's email security and BEC resilience, contact DSET.