
Business email compromise (BEC) is an attack strategy in which a malicious actor uses phishing, spear phishing, social engineering, and related techniques to convince employees to send funds to the attacker, divulge sensitive company information, or enable the next steps in a larger cyberattack. BEC attacks can be especially dangerous because they often originate from compromised accounts that appear legitimate, or rely on social engineering that builds employee trust over a long period of time. These attacks depend on employees being too trusting and undertrained, so training employees to notice and properly respond to BEC attempts is critical to a small business's cybersecurity posture.

Consequences of BEC Attacks

A successful business email compromise attack can result in sensitive data being stolen from the company, funds being sent to attackers and lost to the business, a full account takeover, and more. Some BEC attacks also infect the company's network with malware that siphons further information from company systems or locks down the network with ransomware that demands a high price. Businesses can also lose customers' personally identifiable information (PII) or other important data, which damages the company's reputation and erodes client trust. Overall, the consequences of a BEC attack can be wide ranging and disastrous, and some small businesses close their doors shortly after an attack.

Common Attack Strategies

Many BEC attacks are wide-net attacks that are part of a phishing campaign targeting a large number of businesses, hoping someone clicks a malicious link before realizing what they have done. The most damaging business email compromise attacks, however, are targeted and take advantage of services and websites that company employees are familiar with. Attackers sometimes craft extremely convincing landing pages to link from their emails, so that neither the link nor the page raises suspicion for the end user. They impersonate senior members of the company, spoof trusted domains or register lookalike ones, and deploy a wide range of social engineering tactics to build a relationship with employees before completing the attack.

SMB Mitigation Strategies

Business email compromise attacks can be mitigated with a number of common cybersecurity controls, and our team recommends implementing multiple layers of protection so that attackers cannot get around a single control. The first layer SMBs should prioritize is proper cybersecurity training, so that employees are less likely to act on a BEC email in the first place. Multifactor authentication (MFA), DNS-layer security, and email protection solutions are also effective at either preventing a BEC email from reaching an employee's inbox or stopping a successful attack early, so that your IT team or IT consultant can remediate the threat quickly. Note that MFA protects against account takeover but does nothing against a pure impersonation email that simply asks an employee to wire money, so training and out-of-band verification of payment requests remain essential.
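As an added illustration of what an email protection layer actually checks for, the following Python script inspects raw message headers for three signs of the impersonation and spoofed-domain tactics described under Common Attack Strategies: a display name that matches a known executive but not that executive's real address, a Reply-To that silently redirects replies to another domain, and a sender domain that is a near-copy of the company's own. This is example code written for this article, not a Robinett Consulting tool; the company domain example.com, the executive roster, the similarity threshold and the sample messages are all constructed assumptions.

```python
"""Added example: flag common BEC header tricks (impersonated display name,
mismatched Reply-To, lookalike sender domain) in raw email text.

Not code from the original article; the company domain, executive roster,
threshold and sample messages below are constructed assumptions."""
import email
from email import policy
from email.utils import parseaddr
from difflib import SequenceMatcher

COMPANY_DOMAIN = "example.com"                      # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed roster, lower-cased names
LOOKALIKE_THRESHOLD = 0.85                          # assumed tuning value


def domain_of(address):
    """Return the lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def is_lookalike(domain, legit=COMPANY_DOMAIN, threshold=LOOKALIKE_THRESHOLD):
    """True when domain is near-identical to the legitimate one (e.g. examp1e.com)."""
    domain = domain.lower()
    if not domain or domain == legit:
        return False
    return SequenceMatcher(None, domain, legit).ratio() >= threshold


def analyze_headers(raw_message):
    """Return a list of finding labels derived from the From/Reply-To headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    findings = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_dom = domain_of(from_addr)

    # 1. Display name of a known executive, but not that executive's real address.
    #    This also catches free-mail impersonation that no domain check would flag.
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append("display-name impersonation")

    # 2. Replies routed to a different domain than the one the mail claims to come from.
    if reply_addr and domain_of(reply_addr) != from_dom:
        findings.append("reply-to mismatch")

    # 3. Sender domain that is a near-copy of the company domain.
    if is_lookalike(from_dom):
        findings.append("lookalike domain")

    return findings


# Constructed sample messages (not real mail).
SAMPLE_TARGETED = """From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <payments.desk@mail-relay.invalid>
To: ap@example.com
Subject: Urgent wire before 5pm

Please process the attached invoice today and confirm by reply.
"""

SAMPLE_FREEMAIL = """From: "Jane Doe" <jane.doe.ceo@gmail.com>
To: ap@example.com
Subject: Quick favor

Are you at your desk? I need gift cards for a client.
"""

SAMPLE_LEGIT = """From: "Jane Doe" <jane.doe@example.com>
To: ap@example.com
Subject: Q3 budget

Draft attached, comments welcome.
"""

if __name__ == "__main__":
    for label, sample in (("targeted", SAMPLE_TARGETED),
                          ("freemail", SAMPLE_FREEMAIL),
                          ("legit", SAMPLE_LEGIT)):
        print(f"{label}: {analyze_headers(sample) or ['no findings']}")
```

The roster check is deliberately separate from the domain check: the free-mail sample trips only the display-name rule, because gmail.com is nothing like example.com, while the targeted sample trips all three. Expect false positives from genuine namesakes and from legitimate external services that set their own Reply-To, so in practice findings like these should raise a warning banner or route the message for review rather than block it outright.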


Business email compromise attacks are a common attack strategy used by malicious actors, and it is only a matter of time before a malicious email lands in one of your employees' inboxes. Our security specialists here at Robinett Consulting recommend taking early action to protect your business by implementing engaging, hands-on cybersecurity awareness training and reliable cybersecurity solutions that can help quickly remediate BEC attacks. If your business needs help building a strong cybersecurity training program or assessing your network to determine which security solutions would be best for you, our team members are ready to help today with a complimentary consultation for your business!

Author Robinett Consulting

At Robinett Consulting, we are your consultative partner who strives to grow your business and have technology truly enabling you. We aim to understand you and your business so that you do what you do best unhindered by your IT.