
Phishing and Business Email Compromise: How Attackers Target Companies

The Email That Costs Millions

In 2023, business email compromise (BEC) attacks accounted for $2.9 billion in reported losses in the United States alone, according to the FBI's Internet Crime Complaint Center. Globally, the number is much higher. And Switzerland, with its concentration of financial services, international trade companies, and high-value targets, is not immune.

Phishing and BEC are not the same thing, though they are related. Phishing casts a wide net, sending the same lure to thousands of email addresses hoping some will bite. BEC is targeted, researched, and patient. An attacker spends days or weeks studying a company's structure, communication patterns, and business relationships before striking. The payoff for a successful BEC attack is often six or seven figures.

This article breaks down how these attacks work, what they look like in practice, and what businesses in Switzerland and beyond can do to defend against them.

How Phishing Has Evolved

The phishing emails of ten years ago were laughably bad. Poor grammar, generic greetings ("Dear Customer"), obviously fake logos, and links to domains like paypa1-secure-login.tk. Some of those still circulate, and some still work. But the phishing landscape has changed dramatically.

Modern Phishing Characteristics

  • Perfect language. Attackers use native speakers or high-quality translation. Grammar errors are no longer a reliable indicator.
  • Accurate branding. Logos, colors, footer text, and email signatures are cloned from legitimate emails. Some phishing emails are pixel-perfect replicas.
  • Contextually relevant. Attackers reference real events (tax season, regulatory changes, industry news) to create urgency and credibility.
  • Legitimate-looking URLs. Attackers use subdomains (microsoft.com.attacker-domain.com), URL shorteners, or legitimate services (Google Docs, Dropbox sharing links) to hide the real destination.
  • Multi-stage attacks. The initial email might not contain anything malicious. It establishes a conversation. The payload comes in a follow-up.

Spear Phishing: The Targeted Attack

Spear phishing targets specific individuals within an organization. The attacker researches the target using LinkedIn, company websites, social media, and public records. They know the target's name, job title, colleagues, current projects, and communication style.

Information Gathering

Before sending a single email, an attacker typically gathers:

  • Organizational structure - Who reports to whom. Who has signing authority. Who handles finance.
  • Business relationships - Key suppliers, law firms, auditors, banking contacts.
  • Communication patterns - How formal are internal emails? Do executives use first names? What email signature format does the company use?
  • Current activities - Is the company in the middle of an acquisition? Preparing for an audit? Launching a new product? These create natural pretexts for urgent requests.
  • Out-of-office schedules - Auto-reply messages reveal when key people are traveling, making it harder for targets to verify requests in person.

Most of this information is publicly available. LinkedIn alone provides enough data for a convincing spear phishing campaign against most companies.

CEO Fraud: The Classic BEC Scenario

CEO fraud (also called "executive impersonation") is the most common BEC attack pattern. Here is how a typical scenario unfolds:

The Setup

  1. The attacker identifies the CEO and the CFO (or finance controller) of a target company.
  2. The attacker registers a domain that looks similar to the company's domain. For example, if the company is envestis.ch, the attacker might register envestis-ch.com, envestls.ch (l instead of i), or envesti5.ch (5 instead of s).
  3. The attacker creates an email address that mimics the CEO's email: ceo@envestis-ch.com.
  4. The attacker waits for the right moment. Perhaps the CEO is traveling (learned from a LinkedIn post or out-of-office auto-reply).

The Attack

  1. The CFO receives an email that appears to be from the CEO. The display name shows the CEO's real name. The email address is close but not identical to the real one.
  2. The email references something plausible: "We're finalizing the acquisition we discussed. I need you to wire CHF 340,000 to the escrow account of our legal counsel. This is time-sensitive and confidential. Please don't discuss with others until the deal closes."
  3. The email creates urgency (time-sensitive), authority (from the CEO), and secrecy (don't discuss with others). These are the three pillars of social engineering.
  4. If the CFO complies, the money goes to the attacker's account and is moved through multiple intermediary accounts within hours, making recovery nearly impossible.

We have seen cases in Switzerland where companies lost between CHF 50,000 and CHF 1.2 million to CEO fraud attacks. In one case, the attacker had been monitoring the company's email for three weeks before striking, timing the attack to coincide with the CEO's vacation.

Invoice Manipulation

Invoice manipulation is another common BEC variant, and it can be harder to detect because it exploits existing business relationships.

How It Works

  1. The attacker compromises the email account of a supplier (or creates a convincing lookalike domain).
  2. The attacker intercepts a legitimate invoice being sent from the supplier to the target company.
  3. The attacker modifies the bank account details on the invoice (same amount, same reference number, different IBAN).
  4. The modified invoice is sent to the target company, either from the compromised supplier account or from a lookalike domain.
  5. The target company pays the invoice to the attacker's account, believing they are paying their legitimate supplier.

Why It Works

The invoice looks real because it is real, except for the bank details. The amount matches expectations. The timing is correct. The formatting is identical. The only change is the IBAN, and most people don't memorize their suppliers' bank account numbers.

Swiss-Specific Risk

Switzerland's position as a hub for international trade and financial services makes invoice manipulation particularly attractive to attackers. Cross-border payments are routine, invoices in multiple currencies are normal, and payment processes may involve multiple parties across different countries. This complexity creates opportunities for interception and manipulation.

Domain Lookalike Attacks

Lookalike domains (also called "cousin domains" or "typosquatting") are a key tool in BEC attacks. They exploit the fact that people rarely inspect email addresses character by character.

Common Techniques

Technique                Real domain    Lookalike
Character substitution   envestis.ch    envestls.ch (l for i)
Added character          envestis.ch    envestiss.ch
Removed character        envestis.ch    envetis.ch
Transposition            envestis.ch    envesits.ch
TLD change               envestis.ch    envestis.com
Hyphen addition          envestis.ch    en-vestis.ch
Homoglyph (IDN)          envestis.ch    envestis.ch (visually identical, using Cyrillic 'е' in place of Latin 'e')

Defense

Monitor for registration of domains similar to yours. Services like DNSTwist, PhishTank, and commercial brand monitoring tools can alert you when someone registers a lookalike domain. Then you can take action (domain takedown, alerting your team) before the domain is used in an attack.
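The same techniques can be checked on the sender side of every incoming message. The following Python check is an added example (not code from this article): it takes the domain of a From: address and reports which row of the table above it matches, the kind of test a gateway rule or a phishing-report workflow can run. It assumes envestis.ch, the article's example domain, is our own, and every address used with it is constructed.

```python
# Added example (not the page's code): assumes envestis.ch, the page's example
# domain, is ours; every sample address used with it is constructed.
import unicodedata
from email.utils import parseaddr
OUR_DOMAINS = {"envestis.ch"}
# Digits and Cyrillic letters (by code point) routinely swapped for Latin letters.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0456": "i",
})
def normalize(domain):
    """Lower-case, NFKC-fold, map confusables to ASCII and drop hyphens."""
    folded = unicodedata.normalize("NFKC", domain.lower())
    return folded.translate(CONFUSABLES).replace("-", "")

def one_edit_apart(a, b):
    """True for exactly one substitution, insertion, deletion or adjacent swap."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        d = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
        return len(d) == 1 or (len(d) == 2 and d[1] == d[0] + 1
                               and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def lookalike_reason(sender_domain):
    """Name the technique matched, or None for our own or unrelated domains."""
    sd = sender_domain.lower()
    if any(sd == o or sd.endswith("." + o) for o in OUR_DOMAINS):
        return None  # genuine sender, or a subdomain we operate ourselves
    for ours in OUR_DOMAINS:
        label, _, tld = ours.rpartition(".")
        s_label, _, s_tld = sd.rpartition(".")
        if normalize(sd) == normalize(ours):
            return "confusable character or hyphen"
        if normalize(s_label) == normalize(label) and s_tld != tld:
            return "TLD change"
        if one_edit_apart(normalize(s_label), normalize(label)):
            return "one-character edit (substitute, add, drop or swap)"
        if normalize(ours).replace(".", "") in normalize(sd).replace(".", ""):
            return "our domain embedded in a longer name"
    return None

def check_from_header(from_header):
    name, addr = parseaddr(from_header)  # display name vs. the real address
    domain = addr.rpartition("@")[2].lower()
    return {"display_name": name, "domain": domain, "lookalike": lookalike_reason(domain)}
```

Legitimate subdomains of the protected domain are deliberately not flagged, so the check can run on internal mail without false alarms.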

How to Recognize Phishing

While modern phishing is sophisticated, there are still indicators that can help identify attacks:

Red Flags in Emails

  • Urgency and pressure. "This must be done within 2 hours." "Your account will be suspended." Legitimate organizations rarely impose artificial urgency via email.
  • Secrecy requests. "Don't share this with anyone." "Handle this personally." This is designed to prevent the target from checking with a colleague who might spot the fraud.
  • Unusual requests. Changes to payment details, requests for gift cards, requests to bypass normal approval processes.
  • Sender address mismatch. The display name says "John Smith, CEO" but the actual email address is from a different domain. Always check the full email address, not just the display name.
  • Link inspection. Hover over links (don't click) to see the actual URL. Does it go where you'd expect? Is the domain correct?
  • Attachment types. Be especially cautious with .exe, .scr, .js and .vbs files, and with Office documents that ask you to "enable macros" or "enable content."

Verification Procedures

For any request involving money transfers, credential changes, or sensitive data:

  1. Verify via a different channel. If you get an email asking for a wire transfer, call the person who supposedly sent it. Use a phone number you already have on file, not one from the suspicious email.
  2. Don't reply to the email. If the email account is compromised, your reply goes to the attacker. Start a new email thread using the known email address from your contacts.
  3. Check with a colleague. The secrecy request is a red flag specifically because it prevents this. Override it.

Employee Training

Technical controls are essential, but employees are the last line of defense. Training should be practical, regular, and non-punitive.

What Effective Training Looks Like

  • Simulated phishing exercises. Send realistic test phishing emails to employees. Track who clicks and provide targeted follow-up training. Do this quarterly, not annually.
  • Role-specific training. Finance teams need training on invoice fraud and BEC. IT teams need training on credential phishing. Executives need training on CEO fraud impersonation.
  • Positive reinforcement. Reward employees who report suspicious emails. If someone catches a real phishing attempt, acknowledge it publicly. If someone falls for a simulation, train them without shaming.
  • Practical exercises, not just slides. Show real examples. Let employees analyze actual phishing emails (sanitized). Practice the verification procedures.
  • Clear reporting procedures. Every employee should know exactly what to do when they receive a suspicious email: who to forward it to, what not to click, and that reporting is always the right choice even if the email turns out to be legitimate.

Technical Defenses

Employee awareness is critical, but it is not sufficient on its own. Technical controls should catch as many phishing attempts as possible before they reach inboxes.

Email Authentication: SPF, DKIM, DMARC

These three protocols work together to prevent email spoofing:

  • SPF (Sender Policy Framework) specifies which mail servers are authorized to send email on behalf of your domain.
  • DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails, allowing recipients to verify the email hasn't been tampered with.
  • DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with a policy that tells receiving mail servers what to do with emails that fail authentication: nothing (none), quarantine, or reject.

For a detailed guide on implementing these protocols, read our article on SPF, DKIM, and DMARC email protection.
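As an added example (not code from this article), the following Python functions grade an SPF and a DMARC TXT record against the policy levels described above, reporting a monitor-only p=none, a missing reporting address, or an SPF record whose final term lets anyone pass. The record strings are constructed, with envestis.ch as the article's example domain and an .invalid hostname standing in for a real mail provider's include.

```python
# Added example (not the page's code): grade SPF and DMARC TXT records against
# the p=none -> quarantine -> reject progression. Records below are constructed;
# envestis.ch is the page's example domain, the include host is a placeholder.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.invalid ?all"
STRICT_SPF = "v=spf1 include:_spf.example-mailer.invalid -all"
MONITOR_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@envestis.ch"
ENFORCED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; "
                  "rua=mailto:dmarc@envestis.ch; adkim=s; aspf=s")

def parse_tags(record):
    """Split a 'tag=value; tag=value' DMARC record into a dict, keys lower-cased."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def grade_spf(record):
    """Findings for an SPF record; the trailing 'all' term decides unlisted senders."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    alls = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not alls:
        return ["no 'all' term: servers not listed get a neutral result"]
    qualifier = alls[-1][0] if alls[-1][0] in "+-~?" else "+"
    if qualifier in "+?":
        return [f"'{alls[-1]}' lets any server pass SPF for this domain"]
    return []  # '-all' (fail) and '~all' (softfail) are both non-pass for DMARC

def grade_dmarc(record):
    """Findings for a DMARC record; an empty list means enforced with reporting."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    p = tags.get("p")
    if p == "none":
        findings.append("p=none: monitor only, failing mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine: failing mail is spam-foldered, not rejected")
    elif p != "reject":
        findings.append("missing or invalid p= tag")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility")
    pct = int(tags.get("pct", "100"))
    if p != "none" and pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if p != "none" and tags.get("sp", p) == "none":
        findings.append("sp=none: subdomains stay in monitor mode")
    return findings
```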

Email Security Gateway

A dedicated email security gateway (Microsoft Defender for Office 365, Proofpoint, Mimecast, Barracuda) provides:

  • Advanced threat detection (sandboxing suspicious attachments, analyzing URLs)
  • Impersonation protection (detecting emails that claim to be from internal executives)
  • Banner warnings for external emails (a visual indicator that an email came from outside the organization)
  • Link rewriting (replacing URLs in emails with safe links that are checked at click time)

Multi-Factor Authentication (MFA)

If an attacker steals email credentials through phishing, MFA prevents them from accessing the account. Use hardware security keys (YubiKey, FIDO2) or authenticator apps. SMS-based MFA is better than nothing but vulnerable to SIM swapping attacks.

Conditional Access Policies

Configure your email system to:

  • Block login attempts from unusual locations or devices
  • Require MFA for access from outside the corporate network
  • Block legacy authentication protocols (IMAP, POP3) that don't support MFA
  • Alert security teams on impossible travel (login from Zurich, then login from Singapore 30 minutes later)
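The last bullet is easy to implement once sign-in events carry geo-IP coordinates. As an added example (not code from this article), the Python below sorts constructed sign-in records per user, computes the great-circle distance between consecutive logins and flags any pair whose implied speed exceeds a limit; the 1000 km/h limit is an assumption to tune (a direct long-haul flight averages below it), and the users, timestamps and coordinates are constructed.

```python
# Added example (not the page's code): "impossible travel" over sign-in events.
# Sign-in lines, users and coordinates are constructed; MAX_KMH is an assumption
# to tune for your environment.
import math
from datetime import datetime, timezone

MAX_KMH = 1000.0  # faster than this between two sign-ins is not physically possible
# Constructed sign-in log: timestamp, user, resolved geo-IP city and coordinates.
SIGNIN_LOG = """\
2024-03-12T08:00:00Z user=cfo@envestis.ch city=Zurich lat=47.3769 lon=8.5417
2024-03-12T08:30:00Z user=cfo@envestis.ch city=Singapore lat=1.3521 lon=103.8198
2024-03-12T09:00:00Z user=ceo@envestis.ch city=Zurich lat=47.3769 lon=8.5417
2024-03-12T10:30:00Z user=ceo@envestis.ch city=Geneva lat=46.2044 lon=6.1432
2024-03-13T06:00:00Z user=ceo@envestis.ch city=Singapore lat=1.3521 lon=103.8198
"""

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points (mean Earth radius)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def parse_log(text):
    """Parse the key=value sign-in lines into dicts sorted by user, then time."""
    events = []
    for line in text.splitlines():
        ts, *kv = line.split()
        e = dict(p.split("=", 1) for p in kv)
        e["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        e["lat"], e["lon"] = float(e["lat"]), float(e["lon"])
        events.append(e)
    return sorted(events, key=lambda e: (e["user"], e["time"]))

def impossible_travel(text, max_kmh=MAX_KMH):
    """(user, from_city, to_city, km, kmh) for consecutive sign-ins faster than max_kmh."""
    alerts = []
    events = parse_log(text)
    for prev, cur in zip(events, events[1:]):
        if prev["user"] != cur["user"]:
            continue  # only compare a user with their own previous sign-in
        km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
        hours = (cur["time"] - prev["time"]).total_seconds() / 3600
        kmh = km / hours if hours > 0 else math.inf
        if kmh > max_kmh:
            alerts.append((cur["user"], prev["city"], cur["city"], round(km), round(kmh)))
    return alerts
```

The CEO's Zurich to Geneva hop and the overnight Geneva to Singapore flight both stay under the limit, while the CFO's two sign-ins 30 minutes apart produce a single alert.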

Real Cases and Financial Losses

These are not theoretical scenarios. Here are some documented cases that illustrate the scale of the problem:

The Belgian Crelan Bank - EUR 70 Million

In 2016, Belgian bank Crelan lost approximately EUR 70 million to a BEC attack. Attackers impersonated the CEO and instructed staff to transfer funds to accounts controlled by the criminals.

Toyota Boshoku - USD 37 Million

In 2019, a European subsidiary of Toyota was tricked into transferring approximately USD 37 million to an attacker's account through a BEC invoice manipulation scheme.

Ubiquiti Networks - USD 46.7 Million

In 2015, Ubiquiti Networks reported a USD 46.7 million loss from a BEC attack targeting its finance department. The company recovered some of the funds, but the majority was lost.

Swiss Context

Switzerland's National Centre for Cybersecurity (NCSC, formerly MELANI) regularly reports on BEC attacks targeting Swiss companies. The financial sector, commodities trading firms, and SMEs handling international payments are frequent targets. The NCSC recommends treating any request for changes to payment details with extreme caution and always verifying through a separate communication channel.

What to Do If You've Been Attacked

If you discover a BEC attack has succeeded:

  1. Contact your bank immediately. Time is critical. If the transfer was initiated within the last few hours, the bank may be able to recall or freeze the funds.
  2. Report to law enforcement. In Switzerland, file a report with the cantonal police and the NCSC. For international cases, you may also need to involve the FBI's IC3 or Europol.
  3. Preserve evidence. Do not delete emails, logs, or any communication related to the attack. These are needed for investigation and potential legal proceedings.
  4. Identify the breach point. How did the attacker get in? Was an email account compromised? Was it a lookalike domain? Was it an intercepted email? Understanding the method is essential for preventing repeat attacks.
  5. Notify affected parties. If supplier or client data was exposed, notify them promptly.
  6. Review and strengthen procedures. Use the incident to justify stronger controls: mandatory verification procedures for payment changes, additional approval layers for large transfers, improved email authentication.

Practical Recommendations

Based on our experience working with businesses in Lugano and across Switzerland on email security:

  1. Implement SPF, DKIM, and DMARC with enforcement. Start with DMARC in monitor mode (p=none), then move to quarantine, then reject. This prevents attackers from spoofing your domain.
  2. Require dual authorization for payments above a threshold. No single person should be able to authorize a large transfer alone.
  3. Establish a verification procedure for payment detail changes. Any request to change bank details must be verified via phone call to a known number.
  4. Enable MFA on all email accounts. No exceptions. Especially for executives and finance staff.
  5. Add external email banners. A simple "[EXTERNAL]" tag or warning banner on emails from outside the organization helps employees recognize when an email claiming to be from a colleague is actually from an external address.
  6. Conduct regular phishing simulations. Quarterly at minimum. Adjust difficulty based on results.
  7. Monitor for lookalike domains. Set up alerts for new domain registrations similar to yours.
  8. Review auto-reply messages. Out-of-office messages should not include detailed travel information, reporting structures, or alternative contacts.

Conclusion

Phishing and BEC attacks are not going away. They are getting more sophisticated, more targeted, and more expensive for victims. The combination of technical controls (email authentication, security gateways, MFA) and human controls (training, verification procedures, reporting culture) provides the best defense.

No single measure is sufficient. An attacker only needs to succeed once. Your defense needs to work every time. That requires layers: technology catches most attempts, training catches what technology misses, and verification procedures catch what training misses.

If you want to assess your company's exposure to phishing and BEC risks, or if you need help implementing email security controls, contact our team in Lugano. We help businesses across Switzerland build robust defenses against email-based attacks.
