BEC is a social engineering attack that exploits trust rather than technology. Attackers impersonate executives or vendors to redirect wire transfers or trick employees into revealing sensitive information. The average BEC loss is $125,000 per incident.
BEC succeeds because it targets the processes organizations rely on, not weaknesses in their security controls. Most wire transfer processes assume that an email from the CEO is legitimate simply because it appears to come from the CEO. Verifying the request through a different channel -- a phone call to a known number -- breaks the attack, but questioning a CEO's request feels presumptuous to most employees.
BEC attacks consistently pull three levers: authority (the request comes from a senior executive), urgency (this must be done before end of business today; the CEO is in a meeting and cannot be reached), and secrecy (do not discuss this with others; it is confidential). Together these create pressure to act without verification.
Homoglyph domains and look-alike sender addresses are the technical component -- but the attack would fail if the organization had a verified callback procedure for all wire transfers above a threshold amount.
- CEO fraud / wire transfer: Attacker impersonates the CEO or CFO and instructs finance to wire funds urgently. Target: accounts payable, finance team. This is BEC-001 in the Ficsit scenario.
- Vendor/invoice fraud: Attacker impersonates a known vendor and claims banking details have changed for invoice payment. Target: accounts payable. This is VF-001 in the Ficsit scenario (acme-industr1al.com homoglyph targeting l.park).
- Account takeover BEC: Attacker compromises a real employee email account and uses it to send internal BEC requests. Far more convincing because it comes from a legitimate account. This requires detecting the initial compromise (AiTM, credential phishing) before it leads to BEC.
- Payroll redirect: Attacker impersonates an employee and requests that direct deposit banking details be changed. Target: HR. Losses are per-paycheck until detected.
| Where to look | What you will find |
|---|---|
| BEC-001 scenario | CEO wire fraud: j.whitfield bank account, $47,500 transfer, email header analysis |
| VF-001 scenario | Vendor fraud: acme-industr1al.com homoglyph domain, l.park targeted, $23,847 |
| MailGuard | BEC-001 email in quarantine -- header analysis, domain age check, DMARC failure |
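The look-alike domain check from the paragraph on homoglyph domains and the header checks listed in the MailGuard row (From/Reply-To mismatch, DMARC result) can be demonstrated together. The following Python is an added example written for this page; it is not MailGuard's code or the lab's own tooling. The organization domain `ficsit.example`, the vendor's real domain `acme-industrial.com`, the callback threshold, and both sample messages are assumptions constructed for the example, modelled on the BEC-001 and VF-001 descriptions above. The domain age check is omitted because it needs a live WHOIS lookup.

```python
import email
import re
import unicodedata
from email import policy
from email.utils import parseaddr

# Domains this organization legitimately exchanges mail with. Both values are
# assumptions for this example (the page does not state either domain).
KNOWN_DOMAINS = {"ficsit.example", "acme-industrial.com"}

# Fold characters that look alike into one representative so that
# "acme-industr1al" and "acme-industrial" compare equal after folding.
CONFUSABLE_CHARS = str.maketrans({"1": "l", "i": "l", "|": "l", "0": "o",
                                  "3": "e", "5": "s", "4": "a", "8": "b"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))


def fold_domain(domain: str) -> str:
    """Canonical form of a domain used only for look-alike comparison."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))  # drop accents
    d = d.translate(CONFUSABLE_CHARS)
    for pair, single in CONFUSABLE_PAIRS:
        d = d.replace(pair, single)
    return d


def lookalike_of(domain: str):
    """Return the known domain that `domain` imitates; None if it is known or unrelated."""
    domain = domain.lower()
    if domain in KNOWN_DOMAINS:
        return None
    folded = fold_domain(domain)
    for known in KNOWN_DOMAINS:
        if fold_domain(known) == folded:
            return known
    return None


def domain_of(header_value) -> str:
    """Domain part of an address header such as 'Name <user@host>'."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def triage(raw: bytes) -> dict:
    """Header checks a gateway or analyst would run on a suspected BEC message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    auth = str(msg.get("Authentication-Results", ""))
    m = re.search(r"\bdmarc=(\w+)", auth)
    dmarc = m.group(1).lower() if m else "none"

    findings = []
    imitated = lookalike_of(from_dom)
    if imitated:
        findings.append(f"look-alike sender domain {from_dom} imitates {imitated}")
    if reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if dmarc != "pass":
        findings.append(f"DMARC {dmarc} for {from_dom}")
    return {"from_domain": from_dom, "reply_domain": reply_dom,
            "dmarc": dmarc, "findings": findings}


CALLBACK_THRESHOLD_USD = 10_000  # assumed policy threshold, not from the page


def callback_required(amount_usd: float, bank_details_changed: bool) -> bool:
    """The out-of-band control the text describes: confirm by phone to a known
    number for any transfer above the threshold or any change of bank details."""
    return amount_usd > CALLBACK_THRESHOLD_USD or bank_details_changed


# Constructed sample messages modelled on the two scenarios (not the lab's captures).
SPOOFED_CEO = b"""\
From: CEO <ceo@ficsit.example>
Reply-To: ceo.ficsit@webmail.example
To: accounts.payable@ficsit.example
Subject: Urgent wire - confidential
Authentication-Results: mx.ficsit.example; spf=fail smtp.mailfrom=ficsit.example;
 dkim=none; dmarc=fail (p=reject) header.from=ficsit.example

Please wire $47,500 today; I am in a meeting and cannot take calls.
"""

VENDOR_LOOKALIKE = b"""\
From: Billing <billing@acme-industr1al.com>
To: l.park@ficsit.example
Subject: Updated remittance details
Authentication-Results: mx.ficsit.example; spf=pass smtp.mailfrom=acme-industr1al.com;
 dkim=pass header.d=acme-industr1al.com; dmarc=pass header.from=acme-industr1al.com

Our bank account has changed; please pay the open invoice of $23,847 to the new account.
"""

if __name__ == "__main__":
    for name, raw in (("BEC-001 style", SPOOFED_CEO), ("VF-001 style", VENDOR_LOOKALIKE)):
        print(name, triage(raw)["findings"])
    print("callback for $23,847 with changed bank details:", callback_required(23_847, True))
```

The two samples make the point the text makes: the spoofed CEO message fails DMARC and carries an external Reply-To, so header checks alone catch it, while the vendor look-alike passes SPF, DKIM and DMARC because the attacker controls that domain, and only the look-alike comparison against known vendor domains flags it. In both cases the callback rule is what actually stops the transfer.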