Business Email Compromise (BEC): Fake Transfers, CEO Fraud and Forensic Follow Up
Business Email Compromise (BEC) is when an attacker impersonates an executive or supplier to trick a company into a fake transfer. CEO fraud, fake invoices and IBAN swaps, the first 24 hours after money is sent, forensic analysis, the 72 hour breach angle and prevention with DMARC. Ankara DSET, incident response and forensics under one roof.
Quick answer: Business Email Compromise (BEC) is a targeted fraud where an attacker impersonates an executive, a supplier or accounting to trick a company into a fake money transfer. If money was sent, hours matter. Call your bank first and open a recall request, ask the receiving bank for a return and a freeze, then file a criminal complaint and report the incident to the national cyber authority. If a mailbox was accessed, this may also be a personal data breach that requires notification within 72 hours. Do not delete any logs, preserve email headers and login records. DSET runs incident response and digital forensics under one roof. Hotline: +90 536 662 38 09.
What Business Email Compromise (BEC) is
Business Email Compromise is not a technical break in, it is an abuse of trust. Without malware, the attacker simply convinces the right person at the right moment to redirect the company's money. Unlike ransomware there is no warning on screen and no encrypted files. Most victims discover it weeks later, when a supplier says the payment never arrived.
BEC is one of the highest loss cyber crime categories in the world. A single successful fake transfer instruction can move a very large sum instantly, and the money is usually scattered across other accounts within minutes.
Types of BEC
- CEO fraud: the attacker poses as the managing director and sends accounting an urgent, confidential transfer instruction.
- Fake supplier invoice: a real supplier thread is hijacked and the IBAN on the invoice is swapped.
- Legal pressure: a supposed lawyer demands an urgent payment for a confidential matter under time pressure.
- Payroll diversion: someone posing as an employee asks HR to change the salary account.
- Data request: instead of money, payroll or customer data is requested for later attacks.
How a BEC attack works
A successful BEC rests on patient preparation. First comes reconnaissance from the website, social profiles and leaked databases. Then comes access, either a real takeover of the mailbox through phishing or a leaked password, or impersonation through a look alike domain. Finally comes insertion, where the attacker joins a real thread, changes the reply address and swaps in the fake IBAN exactly at payment time.
Why AI made BEC more dangerous
Broken language used to give fake emails away. Today generative AI writes flawless text in the company's own tone, and voice cloning backs the email with a phone call that imitates the executive. When both the text and the voice feel familiar, the human defense weakens. Intuition alone is no longer enough.
Warning signs of a fake transfer instruction
| Warning sign | What it means |
|---|---|
| Sudden urgency and secrecy | An attempt to stop you from thinking and verifying |
| IBAN or bank change | A supplier account never changes silently by email |
| One letter off in the sender | Impersonation through a look alike domain |
| A different reply address | The attacker may have redirected replies |
| Unusual hours and odd language | Traces of a foreign time zone or generated text |
| Refusal of a phone confirmation | A real executive welcomes verification, a fraudster does not |
The first 24 hours after money is sent
- Call your bank now and open a recall request, start the return and freeze process. The fresher the transfer, the higher the chance of recovery.
- File a criminal complaint with the prosecutor, supported by receipts, correspondence and IBAN details.
- Report to the national cyber authority to help block the attacker infrastructure.
- Cut access and change passwords, close sessions on possibly compromised accounts and enforce multi factor authentication.
- Freeze the evidence: preserve email headers, server logs and login records. Delete nothing.
Digital forensics: what really happened
The key question is whether the attacker actually entered the mailbox or only wrote from a look alike domain. That distinction drives both legal liability and breach notification duty. The core of the review is the email header, which reveals server hops, authentication results and the true origin. Server login records complete the picture. A successful login from a foreign country proves takeover. The team builds a timeline, a kill chain that serves as court evidence and prevents reuse of the same weakness, with a strict chain of custody throughout.
The data protection angle
A mailbox is a personal data store holding employee, customer and supplier data. If an attacker accessed it, a personal data breach may have occurred, which can require notification to the authority within 72 hours. Skipping this adds a regulatory fine risk on top of the money loss. The right approach is to scope the breach with forensic findings and base the notification on them.
Prevention: stopping BEC at the source
BEC feeds on a process gap more than a technical flaw, so the strongest defense combines technical controls with human process. On the technical side, configure SPF, DKIM and DMARC correctly and set DMARC to reject so spoofed mail never reaches the recipient. Enforce multi factor authentication everywhere. On the process side, require callback verification for payment instructions through a second known channel, define a separate approval procedure for supplier IBAN changes, and keep awareness training alive.
Frequently asked questions
How is BEC different from ordinary phishing? Phishing is usually a mass attack chasing passwords or clicks. BEC targets one company, aims directly at a money transfer through impersonation and often contains no malicious link, so it can slip past classic filters.
Will I get my money back? Your odds track your speed. If the bank starts a recall and freeze within the first hours, the chance of return rises sharply. As hours pass the money is scattered and the chance drops. The first call must be to the bank.
How do I know if the attacker entered my email? Email headers and server login records show it. A successful login from a foreign location, created forwarding rules or a changed reply address point to takeover. A forensic expert should perform this analysis.
Do I need to file a data protection notification? If a mailbox was accessed, a breach may exist because the mailbox holds personal data, which can trigger a 72 hour notification duty. Scoping it with forensic findings is the right approach.
Which records should I keep for the investigation? Keep email headers, mail server login and audit logs, firewall and VPN logs, bank receipts and all related correspondence. Delete nothing and consult an expert before resetting the account.
Sources
- FBI Internet Crime Complaint Center (IC3), Business Email Compromise reports: https://www.ic3.gov
- USOM, national cyber incident response center of Türkiye: https://www.usom.gov.tr
- Turkish data protection authority, breach notification: https://www.kvkk.gov.tr
- MITRE ATT&CK, phishing and impersonation techniques: https://attack.mitre.org
- CISA, Business Email Compromise guidance: https://www.cisa.gov
If you suspect BEC or have suffered a fake transfer, do not delay incident response and forensics. Contact DSET for 24/7 support from our Ankara Hacettepe Teknokent laboratory.
Kimliğinizi doğrulayın
Yetkilendirilmiş erişim alanı. Tüm giriş denemeleri kayıt altına alınır.