Cybercriminals Exploit B2B Lead Generation Tools for Business Email Compromise Attacks
Business email compromise (BEC) represents one of the most insidious and costly cyber threats facing organizations today—with losses reaching $2.7 billion last year alone. Unlike many attacks involving malware or technical exploits, BEC is a fundamentally human-centered form of fraud perpetrated through careful social engineering and deception.
At a high level, BEC attacks typically involve a threat actor impersonating an executive, vendor, or other trusted entity to trick an employee into wiring funds, paying a fake invoice, or divulging sensitive data. While simple on the surface, these attacks often involve sophisticated levels of planning and preparation by criminal actors.
There are numerous different BEC "scenarios" or lures attackers may attempt. Some of the most common include:
An employee receives an urgent email appearing to be from the CEO requesting they purchase $5,000 in gift cards for client gifts and send the card numbers and PINs back discreetly.
Finance staff receive an email from a company vendor they regularly pay, with instructions to wire a $25,000 payment for services to a fraudulent bank account provided.
A homebuyer receives instructions appearing to be from the title company to wire closing costs of $80,000 to an account controlled by the attacker.
An HR employee receives a request appearing to be from a manager asking for the employee’s latest PII data, which is then used for identity theft by the attacker.
An employee receives an email pretending to be from the payroll department requesting they update their direct deposit information to redirect their paycheck to the attacker's account.
While the lures vary, a common thread across BEC campaigns is attackers' heavy use of corporate data and business intelligence to make their phishing attempts as convincing and targeted as possible.
There are multiple online data broker services like ZoomInfo, Apollo, and others that sell comprehensive dossiers on companies, employees, organizational charts, relevant contact details, and other vital business information. These vendors market their products as sales intelligence and lead generation tools for legitimate businesses—which is indeed how most clients use the data.
However, a shady sub-economy exists where cybercriminals purchase credentials providing access to these same troves of corporate data. Rather than sign up for paid subscription plans that could expose their real identities, attackers instead buy stolen logins for paid subscription accounts, or data credits from those accounts, on cybercrime forums and marketplaces.
With access to a data broker platform, BEC attackers can pinpoint prime targets by filtering datasets based on criteria like:
Industry and Company Size
Specific Roles/Job Titles
Geographic Location
Revenue and Financial Metrics
Organizational Charts and Reporting Structure
They can then cross-reference this valuable corporate data against open sources like company websites, LinkedIn, press releases, and more.
Cybercriminals use business-to-business (B2B) lead generation platforms for BEC attacks in two main ways:
1. Mass Business Email Compromise
One approach is to use the filtered contact data from these broker platforms to build lists of potential victims matching certain criteria like roles, industries, locations, etc. The attackers then launch widespread email blasts spoofing real executives or vendors. These bulk emails sometimes use mail-merge tactics to insert personal details like first names pulled from the data broker's intelligence.
While they reach a large number of inboxes, these mass campaigns tend to lack the tailored, contextual elements that make individualized lures seem highly credible. However, they allow attackers to maximize their potential victim pool, and the small amount of personalization can still be enough to make the target respond as the attacker intends.
2. Personalized Business Email Compromise
The other common tactic is for cybercriminals to carefully research and profile specific high-value targets in order to construct extremely personalized social engineering lures. They mine the data broker platforms for insights into an organization's hierarchies, reporting structures, key personnel details, and any other available context.
With this level of organizational knowledge, BEC actors can then impersonate a company's real executives with a high degree of accuracy. They can spoof an executive's genuine email address with a request that references precise details like job titles, working relationships, and more—making the lure seem legitimately urgent.
As an example, an attacker may identify a promising target company, use data broker intelligence to map out the executive team and reporting lines, then spoof the CEO's email with an urgent wire transfer request referring to the victim's role, manager, and other particulars that make it convincing. The added personalization here makes it much more likely that the target will respond as the attacker intends, ultimately wiring the requested money to a bank account owned by the threat actor.
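A defender-side triage check for the executive-impersonation lures described above, as an added example that is not from the original article or from Abnormal Security. The domain, executive directory, lure keywords and sample messages are all constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"  # assumption: the defended mail domain
EXECUTIVES = {"dana reyes": "dana.reyes@example.com"}  # constructed directory
LURE_TERMS = re.compile(r"wire|gift card|direct deposit|invoice|bank account", re.I)

def bec_signals(raw):
    """Return the BEC indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    # Only trust an Authentication-Results header stamped by your own gateway.
    auth = msg.get("Authentication-Results", "").lower()
    signals, known = [], EXECUTIVES.get(name.strip().lower())
    # An executive's display name paired with an address that is not theirs.
    if known and addr.lower() != known:
        signals.append("display-name-impersonation")
    # Exact-address spoof: From claims our domain but DMARC did not pass.
    if domain == ORG_DOMAIN and "dmarc=pass" not in auth:
        signals.append("unauthenticated-internal-sender")
    # Replies are steered to a different domain than the visible sender.
    if reply_to and reply_to.rpartition("@")[2].lower() != domain:
        signals.append("reply-to-domain-mismatch")
    body = msg.get_payload()
    if isinstance(body, str) and LURE_TERMS.search(msg.get("Subject", "") + " " + body):
        signals.append("payment-lure-language")
    return signals

# Constructed sample messages (not real traffic).
SPOOFED = ("From: Dana Reyes <dana.reyes@example.com>\n"
           "Reply-To: dana.reyes@examp1e-mail.test\n"
           "Authentication-Results: mx.example.com; spf=fail; dmarc=fail\n"
           "Subject: Urgent wire today\n\n"
           "Please wire $25,000 to the new bank account before noon.\n")
LOOKALIKE = ('From: "Dana Reyes" <dana.reyes@exarnple-corp.test>\n'
             "Authentication-Results: mx.example.com; dmarc=pass\n"
             "Subject: Quick favor\n\n"
             "Buy $5,000 in gift cards and send me the PINs discreetly.\n")
BENIGN = ("From: Dana Reyes <dana.reyes@example.com>\n"
          "Authentication-Results: mx.example.com; dmarc=pass\n"
          "Subject: Q3 planning\n\nAgenda attached for Thursday.\n")

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("benign", BENIGN)):
        print(label, bec_signals(raw))
```

Each signal on its own is weak; the combination of an impersonated or unauthenticated executive sender with payment language is what warrants holding the message for out-of-band verification.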
Shut Down Personalized BEC Threats With Abnormal Security
BEC attacks have drained more than $43 billion from organizations in the last decade, partially fueled by cybercriminals gaining illicit access to corporate data broker platforms. Abnormal Security stops these attacks, detecting BEC lures no matter how personalized they are—even if they use comprehensive company intelligence from brokers like ZoomInfo and Apollo.
By understanding known behavior across all identities in an organization, Abnormal can detect subtle anomalies in email content and tone associated with invoice fraud, executive impersonation, and other BEC tactics. The AI-native platform utilizes behavioral data to understand known behavior, communications, and processes for every identity and then uses computer vision and natural language processing to identify anomalous activity—before it reaches employee inboxes.
Take action against BEC attacks enabled by data brokers by scheduling a demo with Abnormal today.