Business Email Compromise: Stopping Wire-Transfer Fraud at the Inbox

BEC attacks cost US businesses an estimated $2.9 billion in 2023 (FBI IC3). They work because they're indistinguishable from legitimate requests — same writing style, plausible context, clean authentication. Phishaver scores the semantic content of every request, not just the sender's domain reputation.

How BEC attacks are constructed

The attack pattern

A BEC attacker studies a target organization's executive team and finance or operations staff — identifying who has authority to initiate payments and who processes them. They register a lookalike domain (e.g., company-finance.com vs. companyfinance.com) or compromise an actual email account. They send a request that matches the executive's known communication style, references a real project or vendor, creates urgency ("board meeting in 2 hours"), and asks for a wire transfer, gift card purchase, or change to banking details. The email is targeted, contextually accurate, and passes all authentication checks — because the attacker controls the sending domain or compromised account.

What makes it hard to detect

BEC emails often have no malicious links, no malicious attachments, and no known-bad sending domain. They're pure social engineering — a convincing text request. Rule-based email filters have no mechanism to evaluate the semantic content of a wire-transfer request the way an experienced analyst would. LLM-based analysis does.

How Phishaver detects BEC attempts

Lookalike domain proximity

Phishaver scores the edit distance between the From: domain and your tenant's known-good sender list. This catches visual lookalikes (rn substituted for m, transposed characters, inserted hyphens) even when authentication records are valid for the attacker's domain, since the attacker legitimately controls that domain.

Financial request pattern scoring

LLM semantic analysis scores emails containing wire-transfer framing, invoice change requests, payment authorization language, and gift card purchase requests — especially when combined with urgency signals.

Domain age and registration

Domains registered within 30 days impersonating known vendors or counterparties receive elevated risk scores. BEC attackers frequently register fresh domains to avoid reputation-based blocking.

Reply-to mismatch detection

BEC emails often display a legitimate From: address but route replies to an attacker-controlled address. Phishaver flags Reply-to mismatches against the From: domain, especially when combined with financial framing.

Observable BEC indicators in Phishaver's triage queue

  • From: domain has edit-distance ≤3 from a known counterparty or executive domain
  • Email body contains wire-transfer, payment, invoice change, or gift card language
  • Urgency phrasing: "before end of day," "board approval," "confidential," "do not forward"
  • Reply-to address differs from From: address domain
  • Sending domain registered within the last 30 days
  • Email arrives outside normal business hours for the claimed sender's timezone
  • No prior email relationship exists between this sender domain and your tenant
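The lookalike-domain, reply-to and financial/urgency indicators above can be checked mechanically before any LLM scoring runs. The following is an added example, not Phishaver code: it parses a raw message with Python's standard email library, computes a plain Levenshtein edit distance against a constructed known-good domain list (the ≤3 threshold is the one stated above), compares the Reply-To and From: domains, scans the subject and body for constructed keyword lists, and counts how many indicators fire. Domain age cannot be determined offline, so the caller supplies it as an optional number of days (an assumption of this example); the known-good list doubles as the "prior relationship" history, and the out-of-hours indicator is not modelled. Both sample messages are constructed.

```python
"""Added example: score a raw email against the BEC indicators listed above.
Not Phishaver code. Known-good domains, keyword lists and sample messages
are constructed; domain age is supplied by the caller (assumption)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed tenant allow-list: known counterparty / executive domains.
# Also used here as the "prior email relationship" history (assumption).
KNOWN_DOMAINS = {"companyfinance.com", "acme-supplies.example"}
LOOKALIKE_MAX_DISTANCE = 3   # threshold from the indicator list above
YOUNG_DOMAIN_DAYS = 30       # threshold from the indicator list above

# Constructed phrase lists; a production system would tune these per tenant.
FINANCIAL_TERMS = ("wire transfer", "invoice", "payment", "gift card", "banking details")
URGENCY_TERMS = ("before end of day", "board", "confidential", "do not forward")


def levenshtein(a: str, b: str) -> int:
    """Classic dynamic-programming edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def header_domain(header_value) -> str:
    """Extract the lower-cased domain from a From:/Reply-To: header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def nearest_known_domain(domain: str):
    """Return (known_domain, distance) for the closest tenant domain."""
    if not KNOWN_DOMAINS:
        return None, None
    return min(((k, levenshtein(domain, k)) for k in KNOWN_DOMAINS), key=lambda kv: kv[1])


def message_text(msg) -> str:
    """Subject plus all text/plain bodies, lower-cased for keyword scanning."""
    parts = [msg.get("Subject", "")]
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                raw = part.get_payload(decode=True) or b""
                parts.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    else:
        parts.append(msg.get_payload())
    return "\n".join(parts).lower()


def bec_indicators(raw_message: str, domain_age_days=None) -> dict:
    """Evaluate the observable indicators and return them with a simple count."""
    msg = message_from_string(raw_message)
    from_dom = header_domain(msg.get("From"))
    reply_dom = header_domain(msg.get("Reply-To"))
    text = message_text(msg)
    nearest, dist = nearest_known_domain(from_dom)

    result = {
        "from_domain": from_dom,
        "nearest_known_domain": nearest,
        "edit_distance": dist,
        # Close to a trusted domain but not identical to one.
        "lookalike_domain": dist is not None and 0 < dist <= LOOKALIKE_MAX_DISTANCE,
        "financial_language": any(t in text for t in FINANCIAL_TERMS),
        "urgency_language": any(t in text for t in URGENCY_TERMS),
        # Replies silently diverted to another domain.
        "reply_to_mismatch": bool(reply_dom) and reply_dom != from_dom,
        "new_sender": from_dom not in KNOWN_DOMAINS,
        "young_domain": domain_age_days is not None and domain_age_days < YOUNG_DOMAIN_DAYS,
    }
    result["score"] = sum(1 for k, v in result.items()
                          if isinstance(v, bool) and v)
    return result


# Constructed sample: lookalike From:, diverted Reply-To, financial + urgency framing.
SUSPECT = """\
From: "Dana Reyes" <dana@company-finance.com>
Reply-To: dana.reyes@cfo-mailbox.example
To: payments@companyfinance.com
Subject: Wire transfer needed before board meeting
Date: Tue, 05 Mar 2024 22:41:00 +0000

Hi,
I need you to process a wire transfer of $48,200 to the new vendor account
today, before end of day. This is confidential, do not forward.
Dana
"""

# Constructed sample: legitimate internal message with no financial framing.
BENIGN = """\
From: "Dana Reyes" <dana@companyfinance.com>
To: payments@companyfinance.com
Subject: Q3 slides
Date: Tue, 05 Mar 2024 14:05:00 +0000

Attached are the Q3 slides for Thursday's review. Thanks, Dana
"""

if __name__ == "__main__":
    for label, raw, age in (("suspect", SUSPECT, 4), ("benign", BENIGN, None)):
        r = bec_indicators(raw, domain_age_days=age)
        print(f"{label}: score={r['score']} lookalike={r['lookalike_domain']} "
              f"nearest={r['nearest_known_domain']} (distance {r['edit_distance']})")
```

The suspect message fires every modelled indicator (one inserted hyphen puts it at edit distance 1 from companyfinance.com), while the benign internal message scores zero. In practice this kind of deterministic pre-scoring is useful as structured input to the semantic analysis rather than as a verdict on its own: a score of two or three indicators is a triage signal, not proof of fraud.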

Stop BEC fraud

Catch wire-transfer requests before they're approved.

Phishaver connects to M365 or Google Workspace in under 5 minutes. BEC detection is active immediately.