BEC Attack Investigation

How our BEC Attack Investigators can Help

You detected a Business Email Compromise (BEC) attack within your company, and now want to remediate. Detecting a breach often hinges on specific indicators, such as unidentified payments, inquiries from vendors about missing payments, or phishing emails to colleagues and external contacts. When an attacker takes precautions to minimize disruptions, it’s probable that the breach will go unnoticed until significant harm has already occurred. At this stage, conducting an investigation may give limited results, as vital investigative traces tend to vanish with time, primarily due to log files being deleted after some time.

Rexxfield can provide valuable assistance with Business Email Compromise (BEC) investigations through its expertise in digital forensics and online investigations. We offer a comprehensive suite of services to assist individuals and organizations in BEC investigations, from initial analysis and evidence collection to scammers’ identification and recovery efforts. Our expertise can be invaluable in mitigating the damage caused by BEC scams and holding cybercriminals accountable.

Here’s how Rexxfield can help with a BEC attack investigation:

Collecting Evidence

Our digital forensics investigators gather and preserve digital evidence that can be crucial for law enforcement or legal proceedings. This evidence can include, but is not limited to, email trails, email permissions, forwarding, IMAP settings, financial records, and communication logs.

Our investigators also analyze email communications involved in the BEC incident. This includes tracing the origin of suspicious emails, identifying patterns, and uncovering any forged or spoofed email addresses. We track the digital footprints of cybercriminals involved in BEC scams. This involves identifying IP addresses, domain registrations, and other online traces to pinpoint the culprits.

Identifying The BEC Attackers

Our social engineering investigators can identify the individuals or groups behind BEC scams. This can involve tracing money flows, undercover social engineering tactics, and profiling cybercriminals.

In most cases, individuals engaged in malicious online activities take meticulous precautions to obscure their tracks, often relying on VPNs and proxies to shield their identities. Nevertheless, thanks to our proprietary tools, we have the means to effectively bypass VPNs and other concealment methods.

Legal Support

We assist in preparing evidence packages and reports that can be presented to law enforcement agencies or used in legal actions against the perpetrators of BEC scams. If you decide to take this to court, our experts provide expert testimony in legal proceedings related to BEC cases.

Recover your BEC losses

Depending on the BEC scam, recovery may be possible. We can provide guidance on recovery efforts, such as the possibility of recouping lost funds or assets through legal channels.

Consider reaching out to law enforcement authorities, such as your local United States Secret Service or FBI office, at your earliest convenience. These agencies may offer valuable assistance in recovering stolen funds for financial institutions.

Contacting law enforcement can be crucial in an investigation. Both the Secret Service and the FBI have additional tools and legal avenues to assist financial institutions in halting illicit money transfers when notified promptly. Federal law enforcement agencies have the capacity to collaborate across state borders and have established strong working relationships with banks to combat this type of criminal activity.

Our evidence report will give law enforcement all the evidence they need to investigate this case to give you the best chance at recovering your losses.

Contact us for a free consultation

Preserving Perishable Evidence After a BEC Attack

In any digital forensics investigation, the initial crucial step is to preserve the evidence intact. This entails taking measures to ensure that the data relevant to the case remains unaltered and immune to destruction. Vital investigative traces such as log files may perish with time, so depending on how soon you detected a BEC attack, preserving evidence may be urgent.

Another significant challenge in this process arises from the fact that Internet Service Providers (ISPs) often delete IP address log files within six months of their creation. This deletion can result in the loss of vital evidence that should ideally have been secured or obtained at the early stages of the investigation.

It’s worth noting that identifying the owners of these log files typically occurs after the initial round of subpoenas has been issued to front-facing ISPs. However, we have developed strategies to potentially circumvent these delays. By identifying the responsible individuals or entities outside of the courtroom, we can potentially save valuable time, reducing delays caused by non-compliance with subpoenas from front-facing websites and ISPs, which can amount to a significant 60 to 120 days.

How a BEC Attack Takes Place

Business Email Compromise (BEC) scams encompass various deceptive tactics, all sharing a common modus operandi. These are the typical methods employed within BEC scams:

Email Impersonation or Spoofing:

Scammers manipulate email addresses to create slight variations on legitimate ones. For instance, they might alter “[email protected]” to “[email protected].” These subtle changes are designed to deceive victims into believing that fake accounts are genuine.
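For defenders reviewing a suspect message, the address variations described above can be checked mechanically. The following is an added example, not Rexxfield's tooling: it compares the From and Reply-To domains of a message against a list of trusted domains. The trusted list, the confusable-character pairs, the distance threshold of 2 and the sample message are all assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: domains the organisation really corresponds with (constructed).
TRUSTED = ("example-corp.com", "example-supplier.com")
# Character sequences commonly swapped in to make a domain look familiar.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))

def domain_of(header_value):
    """Lower-cased domain of an address header, or '' when the header is absent."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def skeleton(domain):
    """Collapse confusable sequences so visually similar domains compare equal."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None."""
    if not domain or domain in TRUSTED:
        return None
    for good in TRUSTED:
        if skeleton(domain) == skeleton(good) or edit_distance(domain, good) <= 2:
            return good
    return None

def triage(raw_message):
    """List lookalike-domain and Reply-To redirection findings for one message."""
    msg = message_from_string(raw_message)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    findings = [f"{label} domain {dom} imitates {lookalike_of(dom)}"
                for label, dom in (("From", sender), ("Reply-To", reply))
                if lookalike_of(dom)]
    if reply and reply != sender:
        findings.append(f"Reply-To domain {reply} differs from From domain {sender}")
    return findings

# Constructed sample, not from a real case: "rn" stands in for "m" in the From domain.
SAMPLE = ("From: CFO <cfo@exarnple-corp.com>\nReply-To: <cfo.office@freemail.test>\n"
          "Subject: Updated bank details\n\nPlease use the new account for this invoice.\n")

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE)))
```

A small edit distance can also match unrelated short domains, so treat a hit as a prompt for manual review rather than proof of impersonation.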

Phishing Emails:

Phishing emails are crafted to mimic messages from trusted senders, aiming to dupe recipients into divulging sensitive information. These fraudulent emails seek access to company accounts, calendars, and data, enabling scammers to gather the details necessary for executing BEC schemes.


Malware:

Many BEC scam emails contain malicious software intended to infiltrate company networks and gain access to authentic emails related to billing and invoices. This access is exploited to dispatch invoices and payment reminders precisely when they are least likely to arouse suspicion among accountants or financial officers. Malware also provides cybercriminals with covert access to a victim’s data, including passwords and financial account details.

These practices are employed within the realm of BEC scams, highlighting the elaborate and multifaceted nature of these cyber threats. Regardless of whether your email was spoofed, or if scammers gained access through phishing emails, malware, or a combination of these methods, we are here to provide assistance.

Contact our cyber crime investigators to learn if and how we can help. 
