Email Spoofing vs BEC Infrastructure Forecasting
This article examines the current state of, and the challenges posed by, email spoofing and Business Email Compromise (BEC). By analysing attack techniques, the use of social engineering, and the limitations of traditional detection methods, it proposes infrastructure forecasting as a way to achieve proactive defence. 2025-7-17 13:32:34 Author: bfore.ai (view original)

Email spoofing vs BEC infrastructure forecasting

Imagine this scenario: You receive an email from your boss requesting immediate and confidential funds. You, convinced of the message’s legitimacy, proceed to pay from your wallet or the company’s funds, only to realise you’ve been the victim of a sophisticated BEC (Business Email Compromise) attack. While your training and security awareness programs may have prepared you to combat basic phishing and spoofing, the sheer volume of attacks is simply too great to avoid entirely. According to IC3, in 2024 alone, reported threats from spoofing, phishing, and BEC totaled over 214,850. As with most crimes, a much larger number likely went unreported.

Before we delve into the advanced nature of these threats and the critical role of preemptive mitigation, let’s first explore the basics and how they evolved over time. This will inform our understanding of why a comprehensive “big picture” perspective is now essential, moving beyond a narrow, ineffective focus on email spoofing alone.

In email spoofing, cyber attackers forge the sender’s address, making it appear to come from a legitimate source. Imagine an employee in the finance department receiving an email, seemingly from the IT system administrator, instructing them to download a “new task attachment.” However, the sender’s domain is a typical typosquat, which can fool unsuspecting employees and lead them into the next phase of the planned attack, such as malware infection, system compromise, or access to sensitive files and data.

Email spoofing is mostly used for spamming and phishing purposes and is still one of the most commonly occurring cyber threats that organizations are vulnerable to. Over 90% of the world’s top email domains are vulnerable to spoofing, as cited by Infosecurity Magazine.

However, Business Email Compromise (BEC) is different, though they live in the same general category of cyber threats. BEC is a more sophisticated and targeted attack that leverages social engineering, often involving spoofing. It has that human element, but with a more ambitious financial or data exfiltration motive. Based on IC3’s statistics, BEC scams are a widespread global threat, impacting all 50 U.S. states and 177 countries, with fraudulent transfers reaching 140 nations. In 2022, the primary international destinations for these illicit funds were banks in Hong Kong and China, followed by the United Kingdom (often an intermediary), Mexico, and Singapore.

The same report suggests that from October 2013 to December 2022, there were 277,918 reported BEC incidents globally, resulting in a staggering $50.87 billion in publicly disclosed losses. This indicates that, with the consistent rise of BEC threats and conventional solutions focused only on detecting spoofing attempts, there is a need for robust, autonomous solutions able to assess the risk before the threat has a chance to be activated.

How about instead of just relying on solutions that offer us a shallow and reactive approach to one of the most financially-damaging types of cyberattack, we push further and move towards “infrastructure forecasting” for BEC?

What is infrastructure forecasting?

With infrastructure forecasting, we have a comprehensive lookout for “all” the tools and techniques deployed by an attacker or a group to execute a BEC attack. Leveraging these, as discussed in depth below, organizations can stay a step ahead by predicting attacks before they even launch and focus their efforts on mitigating them preemptively.

To be brief, our focus shifts from solely addressing emails landing in the inbox to an overall infrastructure where IPs, domains, histories of abuse, past campaign connections, registration dates, registrant details, emails associated, and other similar indicators are mapped to bring forward a rich, contextual analysis.

Coalition, a popular cyber insurance company, claims in its 2025 Cyber Claims Report that nearly 30% of BEC claims involved funds transfer fraud (FTF). Therefore, along with the typical phishing detections, organizations need to watch for, and preempt, the temporary accounts used for funds transfer, and develop capabilities to track the money laundering. This, in turn, may link to a larger cybercrime network. By leveraging research and threat intelligence, the ultimate goal should be to reach the phishing kits and the source bank account providers that are associated with the criminal accounts.

Email spoofing: The traditional battleground (reactive detection)

What is traditional email spoofing?

In email spoofing, as we have seen in the example above, most of the attacks occur when attackers forge the “From” address. The methods can range from a simple typosquat of an email domain to cleverly curated combinations of parked domains with IDN homographs. The majority of these attacks occur with the express purpose of collecting financial information, distributing malware, and/or impersonating a critical, high-impact target.

Email spoofing can be done by typosquatting or by exploiting weak SPF and DKIM policies. SPF (Sender Policy Framework) policies authorize mail servers to send emails on behalf of a domain, and DKIM (DomainKeys Identified Mail) policies digitally sign outgoing emails to verify integrity and sender. However, detection based on these policies has limits: improper or lax implementations let a spoofed email land in the inbox, and they can be bypassed.
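To make the point about lax policies concrete, here is an added example (not code from the original post or from bfore.ai) that parses constructed SPF and DMARC TXT records and reports whether receivers would actually act on a forged From: address; the domain names and records are made up, and the caller is assumed to have fetched the strings from DNS already.

```python
import re

# Constructed sample TXT records (not fetched from DNS, not real domains);
# assumption: a caller supplies the spf/dmarc strings, e.g. from a resolver.
SAMPLE_RECORDS = {
    "example-bank.test": {"spf": "v=spf1 include:_spf.mailhost.test ~all",
                          "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example-bank.test"},
    "example-corp.test": {"spf": "v=spf1 ip4:203.0.113.0/24 -all",
                          "dmarc": "v=DMARC1; p=reject; adkim=s; aspf=s"},
    "example-shop.test": {"spf": None, "dmarc": None},
}

def spf_all_qualifier(spf):
    """Return the qualifier on SPF's 'all' mechanism ('-', '~', '?', '+') or None."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return None
    m = re.search(r"(?:^|\s)([-~?+]?)all(?:\s|$)", spf, re.IGNORECASE)
    return (m.group(1) or "+") if m else None

def dmarc_policy(dmarc):
    """Return the DMARC p= tag (none, quarantine or reject) or None."""
    if not dmarc or not dmarc.lower().startswith("v=dmarc1"):
        return None
    m = re.search(r"(?:^|;)\s*p\s*=\s*(none|quarantine|reject)", dmarc, re.IGNORECASE)
    return m.group(1).lower() if m else None

def assess(domain, records):
    """Report whether receivers will act on mail forging this domain in From:."""
    qualifier = spf_all_qualifier(records.get("spf"))
    policy = dmarc_policy(records.get("dmarc"))
    findings = []
    if qualifier is None:
        findings.append("no SPF record, or no 'all' mechanism")
    elif qualifier != "-":
        findings.append(f"SPF ends in '{qualifier}all' (softfail/neutral/pass)")
    if policy is None:
        findings.append("no DMARC record")
    elif policy == "none":
        findings.append("DMARC p=none: monitor only, forged mail still delivered")
    # DMARC quarantine/reject is what makes receivers act on a forged From:;
    # a forged message from a stranger's server fails both SPF and DKIM alignment.
    enforced = policy in ("quarantine", "reject")
    return {"domain": domain, "enforced": enforced, "findings": findings}
```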

Other filters deployed by traditional solutions involve identifying the most commonly occurring typosquats, keyword scanning (looking for words similar to the organization’s name), analyzing the sender reputation, and checking whether that specific email domain has been flagged or blacklisted before. All of these checks can backfire, as they are prone to false positives or negatives, in turn needing human validation.

Why traditional methods fall short against BEC

Given the existing flaws and false positives in the conventional systems, detecting BEC would be even more difficult, highlighting the need for better solutions.

BEC often uses legitimate-looking domains (typosquats or newly registered domains). In addition, however, BEC also relies on “social engineering as a technique” to bypass traditional email-based scam detectors. These traditional systems are designed for spoofs that have already landed in the inbox and do nothing to predict attacker infrastructure.

As seen in this example by Insurance Journal, in January 2023, a Dorchester, MA workers’ union reportedly lost $6.4 million after a spoofed email, seemingly from their investment manager, tricked them into transferring funds to a fraudulent third-party account. This incident points to a targeted and planned attack, rather than a random set of mails sent to a bunch of people to see what succeeds.

BEC infrastructure forecasting

BEC detection solutions that focus on infrastructure forecasting represent the new frontier in terms of preemptive defense by addressing the early indicators of an attack.

A. The Sophistication of BEC Attacks:

BEC attacks are used to target highly specific individuals and roles, leveraging a specific theme through which quick financial gains can be acquired. For example, attacks based on themes such as CEO fraud, invoice fraud, payroll diversion, or gift card scams.

While this can be done through typical email spoofing, BEC has evolved in terms of use of compromised accounts, impersonated social media, look-alike domains, and multi-stage attack methods. BEC attempts are highly human-reliant, where psychological aspects like urgency or fear frequently come into play. Even though organizations heavily invest and are ready to combat the threats, if employees remain vulnerable to taking the bait, all these investments might go to waste. CEO impersonations, much like requests from a super admin, are particularly effective because they create a strong sense of urgency. Under this psychological pressure to look good and perform well, employees may act without stopping to consider if they are being scammed.

B. The Imperative for Infrastructure Forecasting

Malicious infrastructure has seen a lot of advancements in recent years, so solutions to the problem should match the level of sophistication of the attackers. Why wait for an attack until it’s too late? When it comes to these kinds of attacks, a preemptive approach may greatly outshine the traditional reactive measures usually taken. But for that, let us break down the common phases of a spoofing attack, identifying the key indicators that can be caught during each stage.

In terms of infrastructure setup, the typical cycle begins with attackers having to make multiple domain registrations, ranging from free hosting providers to a paid domain for long-term operations. Next, they need to set up a C2 server with the help of a phishing kit that either delivers malware or harvests personal information. Eventually, the attacker spreads this kit through emails via typical email spoofing attacks.

Here, our goal should lie in disrupting the campaigns before they launch or achieve impact, and this newly needed approach suggests we leverage advanced threat monitoring solutions.

Advanced threat monitoring solutions

Solutions that provide continuous monitoring and dig beyond the typical blacklists are what are truly required to detect BEC attacks. The focus of detections needs to be pivoted to tracking the attacker groups, their TTPs (Tactics, Techniques, and Procedures), and emerging infrastructure associated with them.

For example, this includes common indicators of maliciousness such as detecting anomalies in email communication patterns (e.g., unusual senders, times, or recipients). With the help of predictive artificial intelligence (AI) technology, security teams can analyze email content for subtle linguistic cues, urgency, financial keywords, and deviations from normal communication styles, which further get flagged unless removed by the organization. By leveraging threat intelligence feeds and contextual analysis, solutions should be able to identify newly registered domains, suspicious IP addresses, and unusual email metadata.

The malicious indicators we’ve discussed are just the beginning. By leveraging this data for predictive analysis, we can map past relationships between domains, IP addresses, email addresses, and known threats. For attackers operating within a certain time zone or region or during particular events, any related accounts can be flagged if they’re using old or newly set-up infrastructure during those specific times. This helps in discovering indicators of future attack and the triggers causing it.
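The indicator mapping described here and in the infrastructure forecasting overview above (registration dates, registrant details, IPs, abuse history, look-alike domains) can be turned into a scoring step; the following is an added example, not code from the original post or from bfore.ai. The feed records, the protected brand "acme-corp", TODAY, the confusable-character table, and the 30-day "newly registered" threshold are all assumptions; it handles both digit-substitution typosquats and punycode IDN homographs.

```python
from datetime import date
import unicodedata

# Constructed sample feed (no real domains, IPs or people); the protected brand
# "acme-corp", TODAY and the 30-day "new domain" threshold are assumptions.
PROTECTED = "acme-corp"
TODAY = date(2025, 7, 17)
KNOWN_BAD_IPS = {"198.51.100.7"}              # IP tied to a past campaign
KNOWN_BAD_REGISTRANTS = {"reg@mailbox.test"}  # registrant seen in prior abuse
FEED = [
    {"domain": "acme-c0rps.com", "registered": date(2025, 7, 10),
     "ip": "198.51.100.7", "registrant": "reg@mailbox.test"},
    # IDN homograph: Cyrillic U+0435 for Latin "e", stored as its punycode A-label
    {"domain": "acm\u0435-corp.com".encode("idna").decode("ascii"),
     "registered": date(2025, 6, 30), "ip": "203.0.113.55",
     "registrant": "owner@provider.test"},
]
CONFUSABLES = str.maketrans({"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0441": "c", "0": "o", "1": "l"})

def skeleton(domain):
    """Registrable label with punycode decoded, accents stripped, confusables mapped."""
    label = domain.split(".")[0]
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")
    label = "".join(c for c in unicodedata.normalize("NFKD", label) if not unicodedata.combining(c))
    return label.lower().translate(CONFUSABLES).replace("rn", "m")

def levenshtein(a, b):
    """Edit distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def score(rec):
    """Combine lookalike, age and shared-infrastructure indicators into one score."""
    label, sk = rec["domain"].split(".")[0], skeleton(rec["domain"])
    age = (TODAY - rec["registered"]).days
    checks = [
        (sk == PROTECTED and label != PROTECTED, "homograph/confusable of protected brand"),
        (sk != PROTECTED and levenshtein(sk, PROTECTED) <= 2, "typosquat of protected brand"),
        (age < 30, f"registered {age} days ago"),
        (rec["ip"] in KNOWN_BAD_IPS, "hosted on IP linked to a past campaign"),
        (rec["registrant"] in KNOWN_BAD_REGISTRANTS, "registrant seen in prior abuse"),
    ]
    reasons = [why for hit, why in checks if hit]
    return {"domain": rec["domain"], "risk": len(reasons), "reasons": reasons}
```

Sorting the `score()` output by `risk` gives an analyst a triage queue of infrastructure that resembles the brand before any email from it has been sent.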

Additionally, emphasis on brand protection solutions that actively scan the internet for impersonation attacks, typosquatting domains, and fraudulent social media profiles should be leveraged. Once identified as a confirmed threat, these solutions can initiate rapid takedown requests for identified malicious infrastructure.

Bridging the gap between traditional detection measures and today’s needs

The problem of spoofing shows no signs of stopping and there’s a gap to bridge with the modern detection methods discussed above. For those to work successfully, we need the solutions (both traditional and preemptive) to be complementary to each other. For example, mail sending policies are a foundational part of traditional security mitigation measures, but our approach will need to evolve with more proactive additions.

Continuous security awareness training for employees is essential to recognize social engineering attempts, especially when it comes to BEC. This includes simulations of spoofing that move beyond typical attempts and are inclusive of social media impersonations across different themes, and having them identified at different stages. Ultimately, the goal is for employees to instantly recognize suspicious messages, raise alerts, and make others aware of the new malicious infrastructure.

From an employee perspective (again psychological), when a phishing email is spotted and marked as spam, some employees tend to quietly avoid the matter altogether. This element of fear of being phished or targeted could likely make them vulnerable and wonder whether speaking up is the right thing to do. Organizations must encourage and value these voices, making it clear that speaking up is both welcome and crucial. This shift in culture directly addresses the human element—often the initial attack vector—in combating BEC.

Additionally, BEC always involves interdependence with third-party solution providers and vendors, so their security posture must be assessed too: they might be targeted in BEC attacks that then impact the organization as well.

Organizations and their vendors are often actively engaged in transactional services, giving rise to more opportunities for cybercriminals. This includes campaigns built around fake invoices, notifications of changed bank details, vendor account impersonation, and vendor account takeover attempts. Such attacks lead to significant financial losses, damaged reputation, and lost business opportunities, as many vendors may refuse to continue working with the organization.

For vendors, the same scenario applies, can be even more devastating, and can lead to operational sabotage. Additionally, for both parties, exposure of personal data can attract legal and compliance penalties.

While continuous threat monitoring helps detect and predict plausible BEC attempts, managing inter-vendor dependencies should go beyond this, including clear contractual agreements, vendor vetting, security posture checks, incident response policies and post-incident analysis, and in some cases “right to audit” clauses as well.

The future of email security is preemptive

While there’s no denying that advanced technology has been giving rise to sophisticated cyberattacks, the solutions needed to meet these challenges should represent a shift from a reactive stance to a preemptive, intelligence-driven approach for attacks, especially when the human element is involved. These solutions, while being resistant to simple spoofing, must also cover additional indicators of future attack and provide contextual analysis to be able to better map the event.

While employee awareness is crucial, particularly for non-technical teams, even experienced technical staff can miss sophisticated BEC threats that deploy advanced technologies and processes. For such adversaries, the battle against email-based fraud is won not just by blocking attacks, but by predicting and disrupting them at the source.


Article source: https://bfore.ai/blog/email-spoofing-vs-bec-infrastructure-forecasting/