Weekly Security Report #1 — BEC didn't go away, it got quieter
Welcome to the first WhiteMail weekly security report. Each week we share what stood out across the email we analyzed — patterns, a technique worth understanding, and something you can act on.
This week
The new year reliably brings a wave of business email compromise (BEC). Budgets reset, invoices pile up, and finance teams are moving fast — exactly the conditions attackers want.
What stood out in this week's samples: the highest-risk messages carried no link, no attachment, and no malware. Just a few sentences of text. A short note that appears to come from a senior leader or a known supplier, asking to update banking details before a payment, or to push a transfer through quietly because "I am in meetings all day."
These are invisible to anything that scans for a malicious payload, because there is no payload. The attack is entirely in the language and the relationship it borrows.
Technique in focus: the trusted-sender pivot
The most effective BEC does not spoof a stranger. It rides on an identity the recipient already trusts:
- A display-name match with no matching domain — the name reads "CFO Jane Park" while the actual address is a free webmail account.
- A Reply-To that diverges from the From — you read the familiar name, but your reply quietly routes to the attacker.
- A plausible reason to break routine — urgency, secrecy, travel, a closing deadline.
None of these is malicious on its own. Together, in the right thread at the right moment, they are the whole attack.
What you can do
- Treat any banking-detail or payment change as a verification trigger, every time, through a second channel you already trust — never by replying to the email.
- Watch the gap between the display name and the actual address, and between From and Reply-To.
- Be most careful exactly when the message tells you to hurry. Urgency is not evidence of legitimacy; in BEC it is the method.
This is precisely the reconciliation WhiteHat runs on every message — SA-01 on identity, SA-04 on intent — so the trusted-sender pivot surfaces before a human has to notice it.
Paste a suspicious message into the Analyze console to see the per-agent breakdown for yourself.