Guest Post: Colleague or cybercriminal? How blind employee trust in email requests can cost businesses millions of dollars
Business email compromise is the second most expensive cybercrime — expert explains how hackers impersonate bosses and what companies can do to protect themselves
Cybercriminals are constantly searching for more effective attack methods. While cyber-aware employees can spot the red flags in basic, prize-promising email scams, most won’t think twice about clicking on a link sent by their boss. Vakaris Noreika, a cybersecurity expert at NordStellar, a threat management platform, explains how hackers exploit employee trust in their colleagues to infiltrate business networks and inflict multi-million dollar damage.
Business email compromise is a sophisticated social engineering attack meant to deceive victims by impersonating trusted individuals — their colleagues. Unlike traditional phishing scams, these attacks are highly targeted and personalized, relying on broader research about the company, its employees, and even conversations within the organization.
According to the FBI Internet Crime Report, business email compromise was the second most expensive cybercrime by losses reported by victims, amounting to over $2.7 billion. It’s held this title for three consecutive years, and the reported losses haven’t dropped below the $2.7 billion mark.
Noreika explains that business email compromise attacks are financially devastating because they provide a direct entry point to infiltrate a company’s network by targeting employees.
“From a technical standpoint, business email compromise is a very effective attack because it doesn’t require the use of malware, which makes these attacks easier to deploy and lets them go undetected by standard cybersecurity tools,” says Noreika. “They’re a more sophisticated version of common phishing scams. However, the reason for their efficiency lies in the target — a single compromised account is enough for cybercriminals to access internal networks or gather more information and prepare to strike when the opportunity arises.”
How do they work?
According to Noreika, cybercriminals typically carry out business email compromise attacks using data available online: they research the company, its departments, and its employees using platforms like LinkedIn. Afterward, they create look-alike domains to impersonate authority figures in the company, such as managers, and craft convincing emails asking for credentials, sensitive data, or wire transfers.
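The look-alike-domain and impersonated-name pattern described above is something a mail gateway or SOC rule can flag before the message reaches an inbox. The following is an added example for illustration, not NordStellar's code and not part of the original article. The organisation domain `example-corp.com`, the staff directory, the From: headers and the small homoglyph table are all constructed; a real deployment would load the directory from the identity provider and allowlist known partner domains.

```python
"""Flag inbound mail whose sender looks like one of our own people.

Added example for illustration; it is not NordStellar's code. The
organisation domain, the staff directory, the sample headers and the
homoglyph table below are all constructed.
"""
import re
import unicodedata

# Constructed: the organisation's real mail domain.
OUR_DOMAIN = "example-corp.com"

# Constructed: display names attackers typically impersonate, mapped to the
# only address each person is allowed to send from.
STAFF_DIRECTORY = {
    "jane doe": "jane.doe@example-corp.com",    # CEO
    "omar khan": "omar.khan@example-corp.com",  # CFO
}

# Constructed sample of substitutions used to build visually similar domains.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "vv": "w", "rn": "m"}


def fold(domain: str) -> str:
    """Lower-case, drop non-ASCII confusables (e.g. a Cyrillic 'a') and fold homoglyphs."""
    d = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for src, dst in HOMOGLYPHS.items():
        d = d.replace(src, dst)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a single edit is the usual typosquat budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_from(header: str) -> tuple:
    """Split a From: value into (display name, address), both lower-cased."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", header.strip().lower()


def domain_verdict(domain: str, our_domain: str = OUR_DOMAIN) -> str:
    """Return 'internal', 'lookalike' or 'external' for a bare sender domain."""
    if domain == our_domain or domain.endswith("." + our_domain):
        return "internal"
    ours, theirs = fold(our_domain), fold(domain)
    ours_label, theirs_label = ours.rsplit(".", 1)[0], theirs.rsplit(".", 1)[0]
    if theirs == ours or edit_distance(theirs, ours) <= 1:
        return "lookalike"  # homoglyph swap or one-character typosquat
    if ours_label in theirs_label:
        return "lookalike"  # our name under another TLD or with a bolted-on suffix
    return "external"


def check_from(header: str) -> list:
    """Return the reasons a From: header deserves a warning banner (empty list = none)."""
    name, addr = parse_from(header)
    domain = addr.rsplit("@", 1)[-1]
    reasons = []
    if domain_verdict(domain) == "lookalike":
        reasons.append(f"sender domain {domain!r} resembles {OUR_DOMAIN!r}")
    expected = STAFF_DIRECTORY.get(name)
    if expected and addr != expected:
        reasons.append(f"display name {name!r} belongs to {expected!r}, not {addr!r}")
    return reasons


if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@example-corp.com>",
                "Jane Doe <jane.doe@examp1e-c0rp.com>",
                "Omar Khan <omar.khan@webmail.test>"):
        print(hdr, "->", check_from(hdr) or "ok")
```

Two signals are combined on purpose: a domain that folds to, or sits one edit from, the real one catches the look-alike domains the article describes, while the display-name check catches the cheaper variant where a manager's name is put on a free webmail address with no domain trickery at all.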
“Attacks that utilize data available online are more standard, resembling basic social engineering scams. However, since they’re targeting companies — not individuals — they usually carry the potential of more significant monetary gain for cybercriminals. Even without gaining access to the network, hackers can trick employees into transferring company funds to their controlled accounts, get their hands on confidential data that they can sell to competitors or publish on the dark web, or gather sensitive personal information on employees or clients, resulting in a data leak,” says Noreika.
He explains that in more advanced cases, cybercriminals utilize the dark web to search for previously leaked employee credentials and use them to access business accounts. Once they have access, they monitor daily conversations, gather more context, and wait for the right time to strike — once the stakes are high or the target is more likely to fall for their scam.
“If they manage to infiltrate an account to collect intelligence, hackers could be waiting for the perfect opportunity to request a wire transfer by impersonating a vendor or redirect employee salary payments. However, business email compromises are often a gateway to deploy more damaging attacks,” explains Noreika. “Once inside the network, cybercriminals can facilitate a ransomware attack, spread malware to employees, clients, and partners, and deploy supply chain attacks.”
Prevention and defense
Noreika emphasizes that the first step companies should take to safeguard against business email compromise attacks is to build a comprehensive security strategy and raise employee cybersecurity awareness.
“Even the most cyber-aware user can fall victim to business email compromise attacks because they exploit the added layer of trust that comes with impersonating a person of authority in the organization. As a result, businesses should educate their employees on this specific type of attack — what constitutes suspicious activity and how to adopt a better-safe-than-sorry approach,” says Noreika. “Reinforcing policy and procedures requiring written documentation and dual approvals where sensitive data or wire transfers are involved also helps to reduce the possibility of employees falling victim to scams.”
Noreika advises companies to monitor the dark web for potential employee data leaks to prevent cybercriminals from infiltrating the network using leaked or stolen credentials. He explains that adopting a proactive approach enables companies to receive an early warning and deploy swifter mitigation measures.
“The quicker security teams can spot a cybersecurity incident, the less damage it can cause. Once the organization is aware of any leaked credentials associated with its employees, it can take appropriate actions, such as preparing for a potential data breach and informing the affected users to stay on high alert,” says Noreika.
If employee credentials have been compromised and published on the dark web, Noreika advises companies to monitor the affected users for suspicious activity, such as unusual login attempts. Enforcing multi-factor authentication and resetting the passwords of compromised users can also prevent hackers from infiltrating the network.
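The monitoring step above, watching accounts that appeared in a leak for unusual sign-ins and deciding which ones to reset, can be expressed as a few rules over the authentication log. The following is an added example for illustration, not NordStellar's code and not part of the original article. The watchlist, the per-user baseline countries, the log format and lines, and the thresholds (three failures in ten minutes, two countries within an hour) are all constructed.

```python
"""Score sign-ins of users whose credentials were seen in a leak.

Added example for illustration; it is not NordStellar's code. The
watchlist, baseline countries, log lines and thresholds are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: accounts reported in a credential leak.
WATCHLIST = {"j.doe", "a.smith"}

# Constructed: countries each account normally signs in from.
BASELINE_COUNTRIES = {"j.doe": {"DE"}, "a.smith": {"DE"}}

# Constructed auth log, one event per line:
# "<timestamp> <user> <result> <source ip> <country>"
LOG_LINES = [
    "2025-07-01T08:02:11Z j.doe success 203.0.113.10 DE",
    "2025-07-01T08:40:00Z a.smith success 198.51.100.7 DE",
    "2025-07-01T09:15:00Z a.smith success 198.51.100.99 US",
    "2025-07-01T21:10:02Z j.doe failure 192.0.2.44 NG",
    "2025-07-01T21:10:30Z j.doe failure 192.0.2.44 NG",
    "2025-07-01T21:11:05Z j.doe failure 192.0.2.44 NG",
    "2025-07-01T21:12:50Z j.doe success 192.0.2.44 NG",
    "2025-07-01T21:30:00Z b.lee failure 192.0.2.44 NG",
]


def parse(line: str) -> dict:
    """Turn one constructed log line into an event dict."""
    ts, user, result, ip, country = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "result": result, "ip": ip, "country": country}


def analyse(lines, watchlist=WATCHLIST, baseline=BASELINE_COUNTRIES,
            burst=3, burst_window=timedelta(minutes=10),
            travel_window=timedelta(hours=1)) -> list:
    """Return (user, rule, timestamp) alerts for watchlisted users, in time order.

    Rules (all fire on a successful sign-in only):
      success-after-failure-burst : >= `burst` failures within `burst_window`, then success
      new-country                 : success from a country outside the user's baseline
      impossible-travel           : two successes from different countries within `travel_window`
    """
    events = sorted((parse(l) for l in lines), key=lambda e: e["ts"])
    alerts = []
    failures = defaultdict(list)   # user -> timestamps of recent failures
    last_success = {}              # user -> most recent successful event
    for e in events:
        u = e["user"]
        if u not in watchlist:     # a real deployment scores everyone; the watchlist is prioritised
            continue
        if e["result"] == "failure":
            failures[u].append(e["ts"])
            continue
        when = e["ts"].isoformat()
        recent = [t for t in failures[u] if e["ts"] - t <= burst_window]
        if len(recent) >= burst:
            alerts.append((u, "success-after-failure-burst", when))
        failures[u].clear()
        if e["country"] not in baseline.get(u, set()):
            alerts.append((u, "new-country", when))
        prev = last_success.get(u)
        if prev and prev["country"] != e["country"] and e["ts"] - prev["ts"] <= travel_window:
            alerts.append((u, "impossible-travel", when))
        last_success[u] = e
    return alerts


def users_to_reset(alerts) -> list:
    """Accounts that tripped any rule: candidates for a forced password reset and MFA enforcement."""
    return sorted({u for u, _, _ in alerts})


if __name__ == "__main__":
    found = analyse(LOG_LINES)
    for user, rule, when in found:
        print(f"{when} {user}: {rule}")
    print("reset and enforce MFA:", users_to_reset(found))
```

On the constructed log, `j.doe` trips the failure-burst and new-country rules at 21:12:50 and `a.smith` trips new-country and impossible-travel at 09:15:00, while `b.lee`, who is not on the watchlist, is ignored. The output of `users_to_reset` is the list that feeds the password-reset and MFA step the article recommends.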
ABOUT NORDSTELLAR
NordStellar is a next-generation threat exposure management platform that enables companies to detect and respond to cyber threats before they escalate. NordStellar offers visibility into how threat actors work and what they do with compromised data. NordStellar was created by Nord Security, a globally recognized company behind one of the world’s most popular digital privacy tools, NordVPN. For more information, visit nordstellar.com.
This entry was posted on July 2, 2025 at 8:54 am and is filed under Commentary with tags NordStellar. You can follow any responses to this entry through the RSS 2.0 feed.