Lessons from the Underground: How to Combat Business Email Compromise

Business Email Compromise Attacks Exposed: What’s Behind the Rise in Sophisticated Scams

A closer look at underground forums reveals that Business Email Compromise (BEC) attacks are more complex and organized than previously thought. The typical notion of BEC as a simple email scam doesn’t do justice to the intricate operation behind it. Threat actors don’t just send phishing emails; they invest time and effort in understanding an organization’s procurement process, building a reliable communication channel, and orchestrating a multi-step attack.

Researchers at Flare have been monitoring underground posts related to BEC and have uncovered some disturbing trends. One notable finding is the increasing use of AI-powered tools to streamline the scamming process, making it more efficient and effective. This shift towards automation has reduced the learning time for attackers, allowing them to adapt quickly to new targets.

The most desirable targets appear to be employees in corporate leadership and financial roles, who often have access to sensitive information and are responsible for making financial decisions. Threat actors are particularly interested in obtaining SaaS accounts, such as Microsoft Office 365, which provide a gateway to an organization’s email and communication systems.

Once inside, attackers analyze the account, mapping the organizational structure and identifying key employees with financial privileges. They study procurement processes, internal conversations, and communication with vendors to build a convincing narrative for their scam. This is where BEC becomes difficult to detect – a suspicious email from an unknown sender can be easily flagged, but a message sent from a compromised mailbox, using real names and familiar wording, is much harder to identify as malicious.

A recent case study on underground forums reveals the level of sophistication involved in BEC attacks. A threat actor named Bigjack shared his experience with compromising company mailboxes and using them to send invoices. His questions focused on the practical aspects of the scam, including creating urgency, asking for large amounts without raising suspicion, and providing proof if questioned.
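The traits described above (a message from a genuine internal mailbox that nevertheless pushes urgency, a payment request, changed bank details and a large sum) can be turned into a simple triage heuristic. The following is an added illustration, not code from the article or from Flare; the regexes, weights, threshold and sample messages are constructed assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Message:
    sender: str    # From: header
    reply_to: str  # Reply-To: header (may differ from the sender)
    subject: str
    body: str

# Illustrative indicator patterns (assumptions, not a calibrated model).
URGENCY = re.compile(r"\b(urgent|immediately|today|asap|before (?:close of business|cob|eod))\b", re.I)
PAYMENT = re.compile(r"\b(invoice|wire|transfer|payment|remit)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed) (?:bank|account|banking|payment) (?:details|information|account)\b", re.I)
AMOUNT = re.compile(r"[$€£]\s?(\d{1,3}(?:,\d{3})+|\d{5,})")

# Weight per indicator; a changed bank account and a reply-to that leaves the
# organisation are the strongest BEC signals, so they carry the most weight.
WEIGHTS = {
    "reply-to leaves internal domain": 3,
    "urgency language": 1,
    "payment request": 1,
    "bank detail change": 3,
    "large amount": 2,
}

def score_message(msg: Message, internal_domain: str, large_amount: int = 50_000) -> tuple[int, list[str]]:
    """Return (risk score, indicators that fired) for one message."""
    hits: list[str] = []
    sender_dom = msg.sender.rsplit("@", 1)[-1].lower()
    reply_dom = msg.reply_to.rsplit("@", 1)[-1].lower()
    text = f"{msg.subject}\n{msg.body}"
    # Compromised internal mailbox with replies silently redirected elsewhere.
    if sender_dom == internal_domain and reply_dom != internal_domain:
        hits.append("reply-to leaves internal domain")
    if URGENCY.search(text):
        hits.append("urgency language")
    if PAYMENT.search(text):
        hits.append("payment request")
    if BANK_CHANGE.search(text):
        hits.append("bank detail change")
    if any(int(m.group(1).replace(",", "")) >= large_amount for m in AMOUNT.finditer(text)):
        hits.append("large amount")
    return sum(WEIGHTS[h] for h in hits), hits

def triage(messages: list[Message], internal_domain: str, threshold: int = 5) -> list[Message]:
    """Messages at or above the threshold are escalated for out-of-band verification."""
    return [m for m in messages if score_message(m, internal_domain)[0] >= threshold]
```

A real deployment would feed the escalated messages to a human verification step (a phone call to the known vendor number), since the whole point of BEC is that the sending mailbox itself is legitimate.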

These discussions illustrate that threat actors learn from their experiences and adapt their tactics accordingly. They understand the importance of cash-out, which is often the biggest bottleneck in BEC operations. Finding reliable business bank accounts or cash-out partners is a challenging task, but it’s essential for monetizing the scam.

Flare’s monitoring of underground forums provides valuable insights into the planning and execution of BEC attacks. By tracking these discussions, organizations can uncover signs of an impending attack before it’s too late. Understanding the mindset and tactics of threat actors is crucial in developing effective defense strategies against BEC.

In light of these findings, it’s essential for organizations to prioritize email security, educate employees on the warning signs of BEC attacks, and develop robust communication channels that can withstand internal and external threats. By staying informed about the latest trends and techniques used by threat actors, we can better protect ourselves against these sophisticated scams.


Source: Bleeping Computer — 2026-06-30