Lessons from the Underground: How to Combat Business Email Compromise

Business Email Compromise (BEC) attacks have long been a thorn in the side of organizations worldwide, with hackers using sophisticated tactics to infiltrate and manipulate email systems. But BEC is more than just an email scam – it’s a multi-faceted operation that requires patience, planning, and a deep understanding of the target organization.

A recent analysis by security researchers at Flare has shed light on the inner workings of BEC attacks, revealing the complexity and scope of these operations. According to the research, BEC often involves gaining access to a targeted business’s email system or SaaS account, gathering raw data on the company’s procurement process, analyzing the mailbox context, building a reliable communication channel with the target organization, accessing payment infrastructure, and orchestrating the entire attack with precise timing.

What’s striking is that this analysis comes from examining underground posts related to BEC from the past year. The findings show that AI-powered BEC is becoming increasingly popular, allowing hackers to reduce their learning time and increase the “quality” of their scams. Moreover, threat actors are specifically targeting corporate leadership and financial employees, using call centers designed to apply pressure on a targeted business to finalize fraudulent payments.

But here’s the thing: cash-out is often the biggest bottleneck in BEC operations. Hackers need to find relevant business bank accounts or cash-out partners, which can be a difficult task. This is where Flare’s monitoring of underground discussions comes into play – by tracking these open forums, security teams can get a glimpse into the planning and preparation that goes into these attacks.

BEC attacks don’t start with a suspicious email from an unknown sender; they begin with access to an organizational mailbox or SaaS account. Once inside, threat actors analyze the account, studying organizational structure, financial privileges, procurement processes, internal conversations, communication with vendors, and invoices. This level of detail makes it challenging for employees to detect these attacks, as the messages are often sent from compromised mailboxes using real names, invoice references, and familiar wording.

The research also highlights the importance of email accounts held by finance department employees – they provide a treasure trove of information on financial operations. Threat actors use this data to craft targeted attacks that play on the company’s own internal processes.

To illustrate how these attacks work, Flare analyzed a thread on underground forums where hackers discussed their experiences with BEC. In this thread, threat actors shared tips and advice on everything from using remote access malware for initial access, to compromising company mailboxes, to sending invoices. They also debated the finer points of creating urgency, asking for large amounts without raising suspicion, and providing proof if questioned.

The takeaway is clear: BEC attacks are not just about email scams – they require a deep understanding of an organization’s internal workings. By tracking underground discussions and analyzing these threads, security teams can get a glimpse into the mindset of threat actors and prepare their defenses accordingly. As Flare’s research shows, uncovering these signals can be a game-changer in preventing BEC attacks before they happen.

So what can you do to protect your organization from these sophisticated attacks? First and foremost, ensure that your employees are aware of the signs of BEC – including requests for large payments, urgent deadlines, or suspicious communication with vendors. Implement robust security measures, such as multi-factor authentication and regular software updates. And above all, stay vigilant: by monitoring underground forums and staying informed about emerging threats, you can uncover signals of impending attacks before it’s too late.
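The warning signs listed above can also be checked mechanically as a triage aid. The following Python example is added here and is not code from Flare or the original article; the keyword patterns, the 10,000 threshold, the function names and the sample messages are all assumptions constructed for illustration.

```python
import re

# Assumed keyword patterns and threshold; tune them to your own mail flow.
PAYMENT = re.compile(r"\b(invoice|wire|payment|transfer|remit)\b", re.I)
URGENCY = re.compile(r"\b(urgent|immediately|asap|today|overdue)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new|updated|changed)\s+(bank|banking|account)\b", re.I)
AMOUNT = re.compile(r"(?:\$|€|USD\s?|EUR\s?)\s?(\d[\d,]*(?:\.\d+)?)")
LARGE_AMOUNT = 10_000

def bec_signals(subject, body):
    """Return the BEC warning signs found in one message.

    The sender is deliberately not an input: these messages often come
    from a compromised, legitimate mailbox, so sender trust proves nothing.
    """
    text = f"{subject}\n{body}"
    if not PAYMENT.search(text):
        return []  # not a payment conversation, nothing to score
    signals = ["payment_request"]
    amounts = [float(a.replace(",", "")) for a in AMOUNT.findall(text)]
    if any(a >= LARGE_AMOUNT for a in amounts):
        signals.append("large_amount")
    if URGENCY.search(text):
        signals.append("urgent_deadline")
    if BANK_CHANGE.search(text):
        signals.append("bank_detail_change")
    return signals

def needs_review(subject, body):
    """True when a payment request carries at least one extra warning sign."""
    return len(bec_signals(subject, body)) >= 2

# Constructed sample messages (not real mail).
SAMPLES = [
    ("Invoice INV-2291 - updated bank details",
     "Hi Dana, please remit $48,250.00 today to our new bank account. This is urgent."),
    ("Lunch on Friday?", "Urgent question: pizza or tacos?"),
    ("Invoice INV-1050",
     "Attached is the monthly invoice for $320.00, due in 30 days as usual."),
]

if __name__ == "__main__":
    for subject, body in SAMPLES:
        print(needs_review(subject, body), bec_signals(subject, body), subject)
```

Only the first sample is flagged: urgency with no payment context, or a routine small invoice, does not trip the check on its own.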


Source: Bleeping Computer — 2026-06-30