Stop business email compromise before the money moves

BEC is the costliest attack in email, and the emptiest: no malware, no link, just a credible instruction from the wrong person. Sentaro detects the impersonation itself, in Microsoft 365 and Google Workspace.

Last updated 2026-07-09

Why BEC beats traditional email security

Business email compromise costs organizations billions annually according to the FBI Internet Crime Complaint Center, yet a typical BEC message would pass any payload scanner ever built, because there is no payload. The attack is pure social engineering delivered as routine correspondence: the "CFO" needing an urgent transfer, the supplier with new bank details in a genuine invoice thread. Filters ask "does this contain something malicious?" and the honest answer is no. The right question is "does this instruction fit this sender, this relationship, this thread?", and answering it requires knowing what normal looks like.

How Sentaro decides

Sentaro's Behavioral Intelligence builds a live model of each organization's communication graph: who instructs whom, how payments are actually discussed, which addresses, devices and tones belong to which relationships. Message Intelligence reads intent, recognizing the urgent-confidential-payment pattern and its variants in any language. Domain Intelligence catches the infrastructure side: lookalike domains, newly registered senders, spoofing that slips past authentication. The verdict weighs all three, so fraud is caught by its deviation, not its content.

What it stops, by fraud type

CEO fraud and executive impersonation

The classic whaling play: an instruction "from" leadership to finance staff, timed for quarter close or the executive's travel. Sentaro knows the executive's real sending patterns and flags the impostor, whether the address is spoofed, lookalike or a display name trick.

Vendor and invoice fraud

The hardest BEC to spot: a real supplier thread, real invoice history, and new bank details injected by an attacker inside the vendor's compromised mailbox. Every technical signal passes. Sentaro flags the behavioral break: payment details changing in a relationship whose pattern never included such changes, and tone or timing shifts mid-thread.

Payroll diversion and internal impersonation

"Update my direct deposit before payday", sent as an employee to HR. Sentaro evaluates whether the request fits the claimed sender's history and infrastructure, not just whether the name matches. The same logic covers spear phishing pretexts against finance staff.

The pretexting build-up

BEC rarely starts with the payment ask. It starts with clean smalltalk ("Are you at your desk?") that builds trust while showing filters nothing. Sentaro's intent analysis recognizes the pretexting pattern early, including the channel-switch attempts ("text me") that move fraud off monitored ground.

The deepfake-reinforced attack

When fraudulent email is "confirmed" by a cloned executive voice, the call is out of any email tool's reach, but the setup email is not. Sentaro stops the chain at its detectable link, so the deepfake has nothing to confirm. The same behavioral layer flanks OAuth abuse via consent phishing.

Coverage compared

Native filtering (EOP/Gmail)Secure email gatewaySentaro
Payload-free payment fraudLimitedNoCore strength
Lookalike domain detectionPartialPartialYes, at first contact
Compromised vendor threadsNoNoYes, behavioral break detection
Display name and reply-to tricksPartialPartialYes, with relationship context
Internal mail after account takeoverLimitedNoYes
Learns your payment communication patternsNoNoYes

From detection to evidence

Every flagged BEC attempt comes with its reasoning: what deviated, from which baseline, with what confidence. That serves the immediate decision, and it doubles as the incident documentation your reporting duties may require, whether that is an internal post-mortem or a regulatory clock under NIS2 or DORA (see our compliance page).

FAQ

What makes BEC different from phishing?
Phishing usually carries something malicious to click. BEC carries only trust: an impersonated sender and a fraudulent instruction. That is why payload-based defenses miss it and behavioral detection is required.
Can Sentaro detect fraud coming from a real, compromised vendor account?
Yes. When the mailbox is genuine but the behavior breaks pattern (new bank details, changed tone, unusual urgency in a relationship with an established history), the deviation itself is the signal.
Does this replace our payment verification procedures?
No, and it should not. Callback verification and dual approval remain essential controls. Sentaro reduces how often they are your last line, and catches the attempts that never reach a human decision.
Do we need DMARC if we have Sentaro?
Yes. DMARC prevents exact forgery of your own domain and protects your brand toward others. Sentaro covers what DMARC cannot: lookalike domains, display name tricks and compromised real accounts. They are complements.
How fast is deployment?
Minutes, via API connection to Google Workspace or Microsoft 365. Relationship-aware detection uses existing mailbox history to establish baselines quickly rather than requiring a long learning period.
What happens when a BEC attempt is detected?
The message is removed or flagged according to policy, finance/HR-facing lookalikes can be blocked domain-wide, and the full reasoning and evidence trail is available for follow-up and reporting.

The next fake invoice should never reach finance

Connect Sentaro to Google Workspace or Microsoft 365 and behavioral BEC protection starts the same day.