What is Business E-mail Compromise?

If you’ve done any reading on the subject of cybersecurity, you’ve probably been told to be careful about opening strange emails. This is generic advice, but we are about to explain why it is given so often. Email is one of the most common attack vectors for serious hacking attacks and may well be the most common. In corporate hacking incidents, email is definitely the most common method of attack. So, how can your business email be compromised, and (more importantly) what can you do about it?

What Is Business E-Mail Compromise?

This is a hacking method that involves the impersonation of legitimate network users. To do this, the hacker must gain control of another person’s email account. Because most people and organizations still use unsecured (i.e., non-encrypted) email, there is a glaring flaw in their security net that anyone could exploit. All the attacker has to do is find a single unwary employee. These attacks are similar to “man-in-the-middle” attacks, except that the target is an individual rather than a domain name server.

How Do These Kinds Of Attacks Work?

There are a couple of key ways in which cyber-attackers can gain control of someone else’s email account. The first and most common method is phishing. We have discussed this method many times, but that’s because it is such a persistent problem. Phishing works by tricking an unwary user into giving up their login credentials. Once those are obtained, the criminal can impersonate a legitimate employee to deceive your organization or its business associates.

Brute-force hacking is another method that is often used. A short or uncomplicated password can be cracked very quickly, and it takes little skill on the part of the hacker; the cracking program does pretty much all the work. The good news, however, is that these attacks only work on weak passwords. Some people use weak passwords out of laziness or negligence, and that is ridiculously unwise.

One of the most common forms of business email compromise is the fake invoice scam. This one requires a little more research on the part of the attacker, as they have to take control of the right account. Once your business partners receive an invoice for payment from what appears to be a trusted source, they will probably pay the invoice as normal. Unfortunately, they will not be aware that they have just sent money to a criminal. Some attackers might also pretend to be your boss and demand that you send money to a particular account.
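As an added example (not code from the original article or from PCH Technologies), the following Python check is the kind of thing a mail-filtering or security operations team can run over incoming messages to flag the warning signs of the fake-invoice and fake-boss messages just described: a known executive’s display name on an address that is not theirs, a sender domain that is a typo or homoglyph away from your own, a Reply-To that steers the thread to a different domain, and payment or bank-detail language. The internal domain, the executive list, the homoglyph swap table and the two sample messages are all constructed values for this example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed values for this example: the organization's own mail domain and
# the executives whose names a fake-invoice or "boss" message would borrow.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}
PAYMENT_WORDS = ("invoice", "wire", "bank details", "payment", "transfer")

# Character swaps commonly used to make a lookalike domain read like the real one.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"))


def normalize_domain(domain: str) -> str:
    """Undo the usual homoglyph tricks so a lookalike compares against the real domain."""
    domain = domain.lower()
    for fake, real in HOMOGLYPHS:
        domain = domain.replace(fake, real)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 means a single typo separates the two domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one RFC 822 message (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    sender_domain = domain_of(addr)
    findings = []

    # 1. A known executive's display name on an address that is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        findings.append(f"display-name impersonation: '{name}' sent from {addr}")

    # 2. Sender domain is not ours but is one edit (or a homoglyph swap) away from it.
    if sender_domain != INTERNAL_DOMAIN and \
            edit_distance(normalize_domain(sender_domain), INTERNAL_DOMAIN) <= 1:
        findings.append(f"lookalike sender domain: {sender_domain}")

    # 3. Reply-To steers the conversation to a different domain than the sender's.
    if reply_to and domain_of(reply_to) != sender_domain:
        findings.append(f"reply-to mismatch: replies go to {reply_to}")

    # 4. The message asks for money or for changed bank details.
    body = msg.get_content() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')} {body}".lower()
    if any(word in text for word in PAYMENT_WORDS):
        findings.append("payment or bank-detail request in message text")
    return findings


# Constructed sample messages (not real mail).
SCAM_MESSAGE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe@mail-example.net
To: accounts@example.com
Subject: Urgent invoice payment

Please wire the attached invoice to our new bank details before noon.
"""

NORMAL_MESSAGE = """From: Jane Doe <jane.doe@example.com>
To: accounts@example.com
Subject: Lunch on Friday

Are we still on for lunch?
"""

if __name__ == "__main__":
    for label, raw in (("scam", SCAM_MESSAGE), ("normal", NORMAL_MESSAGE)):
        print(label, bec_indicators(raw))
```

Run on its own, the script lists four findings for the scam message and none for the normal one. In practice the findings would feed a quarantine rule or a banner on the message, and any request to change bank details would still be confirmed by phone with the known contact before payment.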

How To Prevent Business E-Mail Compromise

Thankfully, there are many ways to prevent these sorts of incidents. Business email compromise is an example of what some people call “social engineering hacking.” That means it works by compromising the human element; more specifically, by tricking the user. Realizing this tells us how best to prevent such things.

Brute-force compromise can easily be avoided with a strong password policy. IT teams can use brute-force cracking tools to audit all passwords currently in use. You should encourage people to use 18-20 characters and a mixture of letters, numbers, and symbols. As a general rule, weird and random are the hardest things to crack.
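As an added example (not from the original article or PCH Technologies’ own tooling), this Python script shows why the short-password attack above is cheap and the 18-20 character, mixed-class policy defeats it: it works out how many candidates a brute-force search must cover for a given password, converts that into time at an assumed guess rate, and checks the password against the policy. The guess rate, the short common-password list and the sample passwords are constructed assumptions for the example; a real audit would load a large breached-password list.

```python
import math
import string

# Constructed assumption: guesses per second an offline cracking rig might try
# against a fast, unsalted hash. Real figures vary widely with hardware and hash.
GUESSES_PER_SECOND = 10_000_000_000

# Constructed stand-in for a breached-password list used during an audit.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}

CHARACTER_CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "symbols": set(string.punctuation),
}


def classes_used(password: str) -> list[str]:
    """Names of the character classes that appear in the password."""
    chars = set(password)
    return [name for name, members in CHARACTER_CLASSES.items() if chars & members]


def keyspace(password: str) -> int:
    """Candidates a brute-force search must cover for this length drawn from the
    classes the password actually uses (the attacker's best case)."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_used(password))
    return alphabet ** len(password) if alphabet else 0


def worst_case_seconds(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Time to exhaust the whole keyspace at the assumed guess rate."""
    return keyspace(password) / rate


def meets_policy(password: str, min_length: int = 18, min_classes: int = 3) -> tuple[bool, list[str]]:
    """Check the policy described above: long, mixed classes, not a known-bad password."""
    problems = []
    if len(password) < min_length:
        problems.append(f"only {len(password)} characters; policy wants {min_length}+")
    n_classes = len(classes_used(password))
    if n_classes < min_classes:
        problems.append(f"uses {n_classes} character classes; policy wants {min_classes}+")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password list")
    return (not problems, problems)


def audit(password: str) -> dict:
    """Summary an IT team could record per account (never record the password itself)."""
    ok, problems = meets_policy(password)
    space = keyspace(password)
    return {
        "length": len(password),
        "classes": classes_used(password),
        "keyspace_bits": round(math.log2(space), 1) if space else 0,
        "worst_case_days": worst_case_seconds(password) / 86_400,
        "meets_policy": ok,
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed sample passwords: a weak one, a short-but-mixed one, a policy-compliant one.
    for pw in ("password1", "Tr0ub4dor&3", "wobbly-Giraffe!ate-42-pianos"):
        print(audit(pw))
```

The weak sample falls in a few hours at the assumed rate, while the 28-character mixed sample would take longer than any realistic attacker can wait; the policy check also rejects a short password even when it mixes all four classes, which is the point of insisting on length as well as variety.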

To prevent email phishing, you need to make sure that everyone knows to be careful about email attachments and links within emails. In fact, you might even want to disallow the use of such things (if possible). You can also equip your end-user devices with a “sandbox,” giving you a safe testing ground for suspicious links or attachments. A sandbox is a virtual replica of your system, installed temporarily on a section of a hard drive. If something goes wrong, you can just delete that section along with the email in question. Any good IT computer services company should be able to help you set up a sandboxing solution.

Encrypted email is another valid option that should be considered. These types of email accounts are protected by encryption in much the same way as a VPN. Although encryption will not protect you from social engineering hacks, it can protect you from virtually all other methods. In fact, strong encryption in capable hands can keep out even the best hackers. We recommend making the use of encrypted email mandatory for anyone who is able to authorize transfers of money.


If we wanted this article to go on for pages and pages, we would start listing all the known incidents in which business email compromise led to serious problems. However, these incidents are far too numerous to list here, as they happen all the time. Large business organizations use email for just about everything, which is (probably) why it makes such an appealing target. Still, it is certainly possible to prevent these dangers with a little bit of knowledge and basic precaution. If you need managed IT support services, or if you just need a little advice on this matter, you can call PCH Technologies at (856) 754-7500.