Attack Type: BEC/Fraud

Business Email Compromise (BEC) and fraud attacks rely on deception and social engineering. Instead of using links or attachments, attackers impersonate trusted figures like coworkers, executives, or vendors to trick you into sharing sensitive information or transferring funds. These attacks can bypass traditional security tools because the emails often seem harmless.
Expect fake invoices, urgent wire transfer requests, or a vendor asking you to update payment details. The first email is usually brief—just enough to start a conversation. The attacker might spoof a display name, reply to an old thread, or ask you to continue the conversation via personal email or phone. That is often the giveaway.
Even though these attacks may appear low-effort, the impact can be significant. They can lead to wire fraud, compliance violations, and damage to the organization's reputation. Organizations lose billions to BEC attacks each year.
Blog Posts
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Hiding a $50,000 BEC financial fraud in a fake email thread · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
Callback phishing via invoice abuse and distribution list relays · Blog · Sublime Security
B2B freight-forwarding scams on the rise to evade financial fraud crackdowns · Blog · Sublime Security
B2B freight-forwarding scams on the rise to evade financial fraud crackdowns · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Detecting malicious AnonymousFox email messages sent from compromised sites · Blog · Sublime Security
Combating GenAI Email Attacks with BERT LLM · Blog · Sublime Security
Combating GenAI Email Attacks with BERT LLM · Blog · Sublime Security
Payroll Fraud via LLM-Generated Emails · Blog · Sublime Security
Payroll Fraud via LLM-Generated Emails · Blog · Sublime Security
Fake invoice used to conduct $16,800 BEC attempt · Blog · Sublime Security
Fake invoice used to conduct $16,800 BEC attempt · Blog · Sublime Security
Unmasking BEC attacks using Natural Language Understanding + MQL · Blog · Sublime Security
Unmasking BEC attacks using Natural Language Understanding + MQL · Blog · Sublime Security
Tactics & Techniques (19):
Social engineering
Free email provider
Impersonation: Brand
Lookalike domain
PDF
Evasion
Free subdomain host
Impersonation: Employee
Spoofing
Impersonation: VIP
Free file host
Out of band pivot
HTML injection
OneNote
Open redirect
Scripting
Encryption
Macros
QR code
Detection Methods (16):
Content analysis
Header analysis
Sender analysis
File analysis
Optical Character Recognition
Exif analysis
URL analysis
Natural Language Understanding
Whois
HTML analysis
Computer Vision
URL screenshot
Javascript analysis
Archive analysis
QR code analysis
YARA
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Service abuse: Adobe legitimate domain with document approval language
15h ago
Jan 23rd, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/service-abuse-adobe-legitimate-domain-with-document-approval-language-237f4da4
BEC/Fraud: Romance scam
23h ago
Jan 22nd, 2026
Sublime Security
BEC/Fraud
Free email provider
Social engineering
Content analysis
Header analysis
/feeds/core/detection-rules/becfraud-romance-scam-0243cdaa
Brand impersonation: AuthentiSign
2d ago
Jan 21st, 2026
Sublime Security
Credential Phishing
BEC/Fraud
Impersonation: Brand
Lookalike domain
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/brand-impersonation-authentisign-445a8c8b
Attachment: Invoice and W-9 PDFs with suspicious creators
2d ago
Jan 21st, 2026
Sublime Security
BEC/Fraud
PDF
Social engineering
Impersonation: Brand
File analysis
Optical Character Recognition
Exif analysis
Content analysis
/feeds/core/detection-rules/attachment-invoice-and-w-9-pdfs-with-suspicious-creators-305d6e32
Link: Self-sent message with quarterly document review request
2d ago
Jan 21st, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Social engineering
Evasion
Content analysis
Header analysis
Sender analysis
URL analysis
/feeds/core/detection-rules/link-self-sent-message-with-quarterly-document-review-request-3c42cec6
Job scam with specific salary pattern
2d ago
Jan 21st, 2026
Sublime Security
BEC/Fraud
Social engineering
Content analysis
Natural Language Understanding
Header analysis
Sender analysis
/feeds/core/detection-rules/job-scam-with-specific-salary-pattern-af7f9e21
Link: Breely link masquerading as PDF
7d ago
Jan 16th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Free subdomain host
Social engineering
Content analysis
URL analysis
/feeds/core/detection-rules/link-breely-link-masquerading-as-pdf-4a498c21
BEC: Employee impersonation with subject manipulation
7d ago
Jan 16th, 2026
Sublime Security
BEC/Fraud
Impersonation: Employee
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/bec-employee-impersonation-with-subject-manipulation-9adfc77b
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
8d ago
Jan 15th, 2026
Sublime Security
BEC/Fraud
Evasion
Free email provider
Content analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-suspicious-sender-or-recipient-pattern-2ac0d329
Brand impersonation: SendGrid
11d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Spam
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/brand-impersonation-sendgrid-d800124f
Vendor impersonation: Thread hijacking with typosquat domain
11d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Lookalike domain
Social engineering
Spoofing
Content analysis
Natural Language Understanding
Sender analysis
Whois
/feeds/core/detection-rules/vendor-impersonation-thread-hijacking-with-typosquat-domain-9c2f38ed
Callback phishing via Zelle Service Abuse
11d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Callback Phishing
Evasion
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/callback-phishing-via-zelle-service-abuse-08727484
Russia return-path TLD (untrusted sender)
11d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Malware/Ransomware
Header analysis
Sender analysis
/feeds/core/detection-rules/russia-return-path-tld-untrusted-sender-588b3954
Business Email Compromise (BEC) with request for mobile number
11d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/business-email-compromise-bec-with-request-for-mobile-number-514ffd68
VIP impersonation: Fake thread with display name match, email mismatch
11d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Evasion
Impersonation: VIP
Social engineering
Spoofing
Content analysis
Header analysis
Sender analysis
Whois
/feeds/core/detection-rules/vip-impersonation-fake-thread-with-display-name-match-email-mismatch-11cc3e28
Business Email Compromise (BEC) attempt from untrusted sender
11d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/business-email-compromise-bec-attempt-from-untrusted-sender-96d4c35a
Service abuse: DocSend share from newly registered domain
11d ago
Jan 12th, 2026
Sublime Security
BEC/Fraud
Credential Phishing
Evasion
Free file host
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/service-abuse-docsend-share-from-newly-registered-domain-3bc152f2
Service abuse: Dropbox share with suspicious sender or document name
11d ago
Jan 12th, 2026
Sublime Security
Callback Phishing
BEC/Fraud
Evasion
Social engineering
Sender analysis
Header analysis
Content analysis
/feeds/core/detection-rules/service-abuse-dropbox-share-with-suspicious-sender-or-document-name-27007c9f
Service Abuse: HelloSign share with suspicious sender or document name
11d ago
Jan 12th, 2026
Sublime Security
Callback Phishing
BEC/Fraud
Evasion
Social engineering
Sender analysis
Header analysis
Content analysis
/feeds/core/detection-rules/service-abuse-hellosign-share-with-suspicious-sender-or-document-name-464d98f3
Brand impersonation: QuickBooks notification from Intuit themed company name
11d ago
Jan 12th, 2026
Sublime Security
Callback Phishing
Credential Phishing
BEC/Fraud
Evasion
Social engineering
Content analysis
Sender analysis
Header analysis
/feeds/core/detection-rules/brand-impersonation-quickbooks-notification-from-intuit-themed-company-name-42058fc4
Page 1 of 8