Attack Type: BEC/Fraud

Business Email Compromise (BEC) and fraud attacks rely on deception and social engineering. Instead of using links or attachments, attackers impersonate trusted figures like coworkers, executives, or vendors to trick you into sharing sensitive information or transferring funds. These attacks can bypass traditional security tools because the emails often seem harmless.
Expect fake invoices, urgent wire transfer requests, or a vendor asking you to update payment details. The first email is usually brief, just enough to start a conversation. The attacker might spoof a display name, reply to an old thread, or ask you to continue the conversation via personal email or phone. That is often the giveaway.
Even though these attacks may appear low-effort, the impact can be significant. They can lead to wire fraud, compliance violations, and damage to the organization's reputation. Organizations lose billions to BEC attacks each year.
Tactics & Techniques (11):
Free email provider
Impersonation: Brand
Social engineering
Encryption
Evasion
Lookalike domain
Impersonation: VIP
PDF
Macros
Out of band pivot
Impersonation: Employee
Detection Methods (9):
Content analysis
Natural Language Understanding
Sender analysis
Header analysis
Optical Character Recognition
File analysis
YARA
URL analysis
Whois
Rule Name & Severity
Last Updated
Author
Types, Tactics & Capabilities
Scam: Piano Giveaway
7d ago
Jun 11th, 2025 UTC
Sublime Security
BEC/Fraud
Free email provider
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/scam-piano-giveaway-1a91a203
Brand Impersonation: SendGrid
9d ago
Jun 9th, 2025 UTC
Sublime Security
BEC/Fraud
Credential Phishing
Spam
Impersonation: Brand
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/brand-impersonation-sendgrid-d800124f
Brand Impersonation: Mailgun
12d ago
Jun 6th, 2025 UTC
Sublime Security
Credential Phishing
BEC/Fraud
Impersonation: Brand
Sender analysis
/feeds/core/detection-rules/brand-impersonation-mailgun-59cc84e6
Encrypted Microsoft Office Files From Untrusted Senders
14d ago
Jun 4th, 2025 UTC
Sublime Security
BEC/Fraud
Callback Phishing
Credential Phishing
Extortion
Malware/Ransomware
Spam
Encryption
Evasion
File analysis
YARA
Sender analysis
/feeds/core/detection-rules/encrypted-microsoft-office-files-from-untrusted-senders-eb7b26e7
Lookalike sender domain (untrusted sender)
19d ago
May 30th, 2025 UTC
Sublime Security
BEC/Fraud
Credential Phishing
Malware/Ransomware
Lookalike domain
Social engineering
Sender analysis
/feeds/core/detection-rules/lookalike-sender-domain-untrusted-sender-67721993
VIP impersonation with BEC language (near match, untrusted sender)
20d ago
May 29th, 2025 UTC
Sublime Security
BEC/Fraud
Impersonation: VIP
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/vip-impersonation-with-bec-language-near-match-untrusted-sender-303081da
VIP / Executive impersonation (strict match, untrusted)
20d ago
May 29th, 2025 UTC
Sublime Security
BEC/Fraud
Impersonation: VIP
Header analysis
Sender analysis
/feeds/core/detection-rules/vip-executive-impersonation-strict-match-untrusted-e42c84b7
VIP impersonation with urgent request (strict match, untrusted sender)
20d ago
May 29th, 2025 UTC
Sublime Security
BEC/Fraud
Impersonation: VIP
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/vip-impersonation-with-urgent-request-strict-match-untrusted-sender-0dd1fa60
Fake request for tax preparation
21d ago
May 28th, 2025 UTC
Sublime Security
BEC/Fraud
Malware/Ransomware
Social engineering
Content analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/fake-request-for-tax-preparation-e36b85b3
Free Email Provider Sender with Mismatched Provider Reply-To
26d ago
May 23rd, 2025 UTC
Sublime Security
BEC/Fraud
Credential Phishing
Free email provider
Social engineering
Header analysis
Sender analysis
/feeds/core/detection-rules/free-email-provider-sender-with-mismatched-provider-reply-to-fcd831d0
Service Abuse: HelloSign Share with Suspicious Sender or Document Name
26d ago
May 23rd, 2025 UTC
Sublime Security
Callback Phishing
BEC/Fraud
Evasion
Social engineering
Sender analysis
Header analysis
Content analysis
/feeds/core/detection-rules/service-abuse-hellosign-share-with-suspicious-sender-or-document-name-464d98f3
Attachment: USDA Bid Invitation Impersonation
26d ago
May 23rd, 2025 UTC
Sublime Security
BEC/Fraud
Impersonation: Brand
PDF
Macros
Social engineering
Content analysis
File analysis
Header analysis
Natural Language Understanding
Optical Character Recognition
Sender analysis
/feeds/core/detection-rules/attachment-usda-bid-invitation-impersonation-34eb9493
PayPal Invoice Abuse
26d ago
May 23rd, 2025 UTC
Sublime Security
BEC/Fraud
Callback Phishing
Evasion
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/paypal-invoice-abuse-0ff7a0d4
Request for Quote or Purchase (RFQ|RFP) with suspicious sender or recipient pattern
1mo ago
May 14th, 2025 UTC
Sublime Security
BEC/Fraud
Evasion
Free email provider
Content analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/request-for-quote-or-purchase-rfqorrfp-with-suspicious-sender-or-recipient-pattern-2ac0d329
Link: Display Text Matches Subject Line
1mo ago
May 9th, 2025 UTC
Sublime Security
BEC/Fraud
Credential Phishing
Social engineering
Evasion
Header analysis
Content analysis
Natural Language Understanding
URL analysis
/feeds/core/detection-rules/link-display-text-matches-subject-line-ba722cf0
HR Impersonation via E-sign Agreement Comment
1mo ago
May 5th, 2025 UTC
Sublime Security
BEC/Fraud
Credential Phishing
Evasion
Impersonation: Brand
Out of band pivot
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/hr-impersonation-via-e-sign-agreement-comment-796c6f0f
Service Abuse: Adobe Sign Notification From an Unsolicited Reply-To Address
1mo ago
Apr 30th, 2025 UTC
Sublime Security
BEC/Fraud
Callback Phishing
Spam
Social engineering
Impersonation: Brand
Header analysis
Sender analysis
/feeds/core/detection-rules/service-abuse-adobe-sign-notification-from-an-unsolicited-reply-to-address-d00893ba
Callback Phishing: SumUp Infrastructure Abuse
2mo ago
Apr 18th, 2025 UTC
Sublime Security
BEC/Fraud
Callback Phishing
Evasion
Social engineering
Content analysis
Header analysis
Sender analysis
/feeds/core/detection-rules/callback-phishing-sumup-infrastructure-abuse-1c41649e
Generic Service Abuse From Newly Registered Domain
2mo ago
Apr 15th, 2025 UTC
Sublime Security
BEC/Fraud
Callback Phishing
Credential Phishing
Evasion
Social engineering
Header analysis
Sender analysis
Whois
/feeds/core/detection-rules/generic-service-abuse-from-newly-registered-domain-0937b4c5
Impersonation: Human Resources with link or attachment and engaging language
2mo ago
Apr 14th, 2025 UTC
Sublime Security
BEC/Fraud
Credential Phishing
Impersonation: Employee
Social engineering
Content analysis
Header analysis
Natural Language Understanding
Sender analysis
/feeds/core/detection-rules/impersonation-human-resources-with-link-or-attachment-and-engaging-language-8c95a6a8