*Review* **Business Email Compromise Phishing Detection Based on Machine Learning: A Systematic Literature Review**

**Hany F. Atlam <sup>1,2,</sup>\* and Olayonu Oluwatimilehin <sup>1</sup>**


**Abstract:** The risk of cyberattacks against businesses has risen considerably, with Business Email Compromise (BEC) schemes taking the lead as one of the most common phishing attack methods. The daily evolution of the methods used in these attacks has made them highly effective against organisations. Since the majority of BEC emails lack a payload, they have become challenging for organisations to identify or detect using typical spam filtering and static feature extraction techniques. Hence, an efficient and effective BEC phishing detection approach is required to help organisations protect themselves against such attacks. This paper provides a systematic review and examination of the state of the art of BEC phishing detection techniques to give researchers a detailed understanding of the topic, allowing them to identify the main principles of BEC phishing detection, the common Machine Learning (ML) algorithms used, the features used to detect BEC phishing, and the common datasets used. Based on the selected search strategy, 38 articles (of 950 articles) were chosen for closer examination. The contributions of the selected articles were discussed and summarised to highlight their contributions as well as their limitations. In addition, the features of BEC phishing used for detection were provided, and the ML algorithms and datasets used in BEC phishing detection models were discussed. In the end, open issues and future research directions of BEC phishing detection based on ML were discussed.

**Keywords:** business email compromise (BEC); email phishing; phishing detection; machine learning (ML); systematic literature review

#### **1. Introduction**

The popularity of Internet-based public resources, such as cloud computing, social networks and online money processing, has significantly raised the danger of cyberattacks against enterprises. Since email has become one of the effective worldwide standards for commercial communication, cybercriminals attack email networks to undertake cyberattacks against companies for financial gain [1]. A Business Email Compromise (BEC) attack, often known as a CEO attack, is one of the most significant spear phishing attacks. BEC attacks are defined as sophisticated email phishing schemes that target businesses doing mundane tasks, such as money transfers [1]. Social engineering has proven to be a highly effective component of BEC attacks, which are designed to deceive corporations and their employees throughout the world. According to the Federal Bureau of Investigation (FBI) [2], victims worldwide lost more than USD 26 billion to BEC attacks between June 2016 and July 2019. In 2018, almost AUD 60 million was reported lost in Australia using this strategy. In addition, the United States (39%), the United Kingdom (26%), Australia (11%), Belgium and Germany (3%), Canada, the Netherlands, Hong Kong, Singapore, and Japan (2%), were the top 10 victim nations for BEC attacks in 2018–2019.

The reason why cyberattacks are becoming increasingly prevalent is that launching a cyberattack is simpler, cheaper, and less dangerous than launching a physical attack. The only requirements for committing a cybercrime are an Internet connection and a computer. In addition, the anonymity given by the Internet makes it difficult to trace and find attackers and bring them to justice [3].

**Citation:** Atlam, H.F.; Oluwatimilehin, O. Business Email Compromise Phishing Detection Based on Machine Learning: A Systematic Literature Review. *Electronics* **2023**, *12*, 42. https://doi.org/10.3390/electronics12010042

Academic Editor: Suleiman Yerima

Received: 20 November 2022; Revised: 15 December 2022; Accepted: 19 December 2022; Published: 22 December 2022

**Copyright:** © 2022 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).

BEC attacks are prevalent and have not been detected by conventional defence strategies, such as spam filters. Without a harmful payload, BEC attacks are difficult to detect with conventional screening equipment. BEC attacks are gaining popularity due to their effectiveness and the difficulty of monitoring or detecting them [1]. Unlike other attacks using banking trojans or other forms of criminal ransomware, which may require a higher level of technical skill, BEC attacks do not require an exceptionally high level of technical skill to execute; other than having the first name, last name, and email address of whoever they wish to address the email to, attackers do not need much analysis [2]. Hence, more investigation on BEC attacks is required to identify possible solutions for them.

BEC is a relatively new and fast-evolving attack in the phishing domain, with less than ten years since its first identification in 2013 by the FBI. The novelty of this type of attack has led to several challenges regarding how much of its attack pattern and structure has been fully understood by experts to build an effective phishing detection model. In addition, it is important to ensure that the resources needed to identify a BEC attack and the measures used to detect it do not become outdated due to the fast-changing pattern of this type of attack. These challenges make detecting BEC attacks using conventional defence strategies a very difficult task to achieve. To overcome these challenges, Machine Learning (ML) has been proposed by various researchers as an effective way to detect BEC attacks in a timely manner. Instead of using conventional phishing detection techniques that detect and block emails based on their origin, as well as applying common blocklisted locations, which require significant time and effort to maintain, ML-based phishing detection techniques can identify and even predict advanced attacks by analysing large datasets to spot similarities, correlations, and trends. For instance, ML can be used to build a profile-based phishing detection model, in which a profile is built by analysing emails using features such as date, time, the geo-location from which a person is accessing emails, a relation graph which captures with whom the person interacts, etc. Then, the ML-based model will scan every incoming email against the profile and raise an alert for BEC in case of any deviation. ML-based techniques leveraged by modern email security platforms have become more effective, in which most techniques can detect around 98% of advanced phishing attacks [4].
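The profile-and-deviation idea described above can be sketched as follows. This is an added example, not code from the paper or from any reviewed study: it replaces a trained model with simple frequency counts, and the field names (`hour`, `country`, `recipients`), the thresholds, and the sample emails are all assumptions constructed for illustration.

```python
from collections import Counter

def build_profile(history):
    """Summarise a sender's past emails: time-of-day bucket, sending country, contacts."""
    profile = {"n": len(history), "hour": Counter(),
               "country": Counter(), "contact": Counter()}
    for mail in history:
        profile["hour"][mail["hour"] // 6] += 1      # four six-hour buckets
        profile["country"][mail["country"]] += 1
        for rcpt in mail["recipients"]:
            profile["contact"][rcpt] += 1             # edges of the relation graph
    return profile

def deviations(profile, mail, min_share=0.05):
    """Return the profile features that the incoming email deviates from."""
    n = profile["n"]
    if n == 0:
        return ["no_profile"]                         # nothing to compare against
    found = []
    if profile["hour"][mail["hour"] // 6] / n < min_share:
        found.append("hour")
    if profile["country"][mail["country"]] / n < min_share:
        found.append("country")
    if any(profile["contact"][r] == 0 for r in mail["recipients"]):
        found.append("contact")
    return found

def is_alert(profile, mail, threshold=2):
    """Alert only when several features deviate, to limit false positives."""
    return len(deviations(profile, mail)) >= threshold

# Constructed history: 40 emails sent during office hours from one country.
HISTORY = [
    {"hour": 9 + (i % 8), "country": "GB",
     "recipients": ["ap@example.com"] if i % 2 else ["finance@example.com"]}
    for i in range(40)
]
PROFILE = build_profile(HISTORY)

# Constructed incoming emails claiming to come from the same sender.
ROUTINE = {"hour": 10, "country": "GB", "recipients": ["ap@example.com"]}
TRAVEL = {"hour": 10, "country": "ZZ", "recipients": ["ap@example.com"]}
SUSPECT = {"hour": 3, "country": "ZZ", "recipients": ["payroll@example.com"]}

if __name__ == "__main__":
    for name, mail in (("routine", ROUTINE), ("travel", TRAVEL), ("suspect", SUSPECT)):
        print(name, deviations(PROFILE, mail), is_alert(PROFILE, mail))
```

A single deviation, such as the sender travelling, is recorded but does not raise an alert on its own; requiring two or more deviating features is one simple way to trade recall for fewer false positives.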

This paper aims to provide a comprehensive systematic literature review that investigates and evaluates the state of the art of BEC phishing attacks, one of the primary attack domains that has a significant impact on organisations and has resulted in the loss of billions every year. Based on the selected search strategy, 38 articles out of 950 were chosen for further analysis. Out of the collected and analysed articles, articles were selected based on the manner of detection using ML algorithms, and additional assessment was obtained from the articles to comprehend what feature criteria were used for detection. In addition, a summary of the selected papers' contributions was provided. Compared to other surveys, to the best of the authors' knowledge, this is the first work to provide a systematic literature review of BEC phishing attacks. Most existing surveys focus on providing a general investigation and discussion of phishing attacks without focusing on BEC attacks and how creating effective BEC phishing detection models is now a necessity for various organisations around the world. This paper also provides a detailed discussion of BEC phishing attacks to allow researchers to have a complete overview of this type of attack, its detection methods, features, and challenges, which can allow them to develop optimised and sustainable techniques for detecting it effectively.

The contribution of this paper can be summarised as follows:


The rest of the paper is organised as follows. Section 2 presents an overview of BEC attacks; Section 3 describes the research methodology used to produce the systematic literature review; Section 4 describes the analysis of data; Section 5 describes how this systematic review answers suggested research questions; Section 6 presents challenges and future research directions; and Section 7 is the conclusion.

#### **2. An Overview of BEC Attack**

Phishing is a type of email-based fraud and attack. Phishing happens when an attacker sends a bogus email that seems to originate from a reputable and approved source. The objective of the message is to deceive users into downloading malware on their devices and divulging sensitive information. Spear phishing is a targeted kind of phishing. Phishing and spear phishing both utilise email to target victims, but spear phishing delivers a personalised message to a particular individual. Before sending the email, the criminal researches the interests of the intended victim. It is important to understand that phishing emails nowadays are mostly used to acquire credentials [3].

BEC is one of the most significant spear-phishing attacks. This section provides an overview of this type of attack to highlight the BEC lifecycle, types, and techniques that are used for detecting it.

#### *2.1. BEC Attack*

BEC is a form of attack that has evolved over the years from a simply compromised vendor email to requests for sensitive information, such as by targeting the real estate sector, and fraudulent requests for large amounts of gift cards. For a BEC attack to be successful, hackers first need to gain access to legitimate vendor email accounts. The most common method for accomplishing this is via phishing emails sent to the company's staff. The credentials of a worker who unknowingly lets themselves be compromised are a springboard for an attack [3].

The FBI created the term "business email compromise", or in short BEC, in 2013 when it first began tracking this issue. However, the strategy might be regarded as the natural progression of huge spamming campaigns that came before it. These promotions originated with what is now commonly referred to as Nigerian prince or lottery schemes. These email frauds were noticeable for their lack of professionalism—misspellings, grammatical errors, and implausible tales—and were easy to recognise and disregard. However, the offenders swiftly acquired technological expertise and today deploy some extremely sophisticated approaches [4].

#### *2.2. BEC Lifecycle*

BEC attacks are usually harder to spot than other phishing attacks, as they can play out in various ways. Figure 1 shows common steps for performing a successful BEC attack [4].

**Figure 1.** Common steps of performing a BEC attack.

The description of each step is as follows:


#### *2.3. Types of BEC Attacks*

According to the FBI [4], there are five types of BEC attacks which include the following:

1. Email Account Compromise: This attack is targeted at small firms that use email to organise their financial transactions. The specifics of a recent transaction can be gleaned by breaking into an employee's email account and stealing the invoice. Attackers call a vendor and explain the situation, persuading the vendor that the final payment could not be processed. A new account, which the scammers would have set up to steal the money, is gently requested by them [4].


#### *2.4. Phishing and BEC Techniques*

This section highlights techniques of phishing attacks generally and BEC attacks specifically.

#### 2.4.1. Phishing-Related Techniques

Typically, a phishing attack includes sending an email that contains a spoof URL link that leads to a web page. The following are common phishing techniques:


#### 2.4.2. BEC Techniques

• **Spoofed BEC Messages:** The email domain may be manipulated to make the email appear to be legitimate in this method. Email header spoofing is used by attackers to produce fraudulent emails that appear to originate from a legitimate source. In the "From" address area, they use the true domain of the target company [4].


#### 2.4.3. Feature Selection Techniques

When developing an ML-based phishing detection model in the real world, it is rarely the case that all variables in the dataset are significant. Adding duplicate variables diminishes the model's capacity for generalisation and affects the overall accuracy of the detection model. Additionally, when more variables are added to the model, its total complexity grows. According to the law of parsimony, or 'Occam's razor', the optimal answer for a problem is the one that requires the fewest assumptions. Thus, feature selection becomes an essential component in ML-based model development [9].

Feature selection is the method of reducing the input variables of an ML-based model by using only relevant data and getting rid of noise in the data. Its main goal is to clean up a model by getting rid of irrelevant or unnecessary data. Due to the complexity of some predictive modelling issues, considerable memory is often needed during model creation and training. In addition, certain models' functionality can deteriorate if the input variables are not pertinent to the target variable. In ML, the strategies for feature selection are categorised into two main categories: supervised and unsupervised. The supervised feature selection methods are applied to labelled data to discover the most important variables for improving the performance of supervised models. In other words, they use the target variables to identify the variables which can increase the efficiency of the model. Unsupervised feature selection methods are applied to unlabelled data in which the outcome is not considered while making the feature selection [10]. Figure 2 shows the categories of feature selection methods.

**Figure 2.** Feature selection methods.

The supervised methods are further divided into three methods, including filter, wrapper, and intrinsic methods [10,11].


#### 2.4.4. Evaluation Metrics for BEC Detection

Determining the effectiveness of BEC phishing detection models is important in order to compare different models and identify the most effective model for each context. Based on numerous studies reviewed in the literature [5,9,10], the effectiveness of BEC phishing detection models is computed based on four main evaluation metrics, including accuracy, precision, recall, and F-measure. How these evaluation metrics are computed is described below:

• **True Positive (TP):** This represents the percentage of phishing emails in the training dataset that are correctly classified by a phishing detection model. Formally, if the number of phishing emails in the dataset is denoted by *P* and the number of correctly classified phishing emails by the phishing detection model is denoted by *NP*, the formula of *TP* is as follows:

$$TP = \frac{NP}{P} \tag{1}$$

• **True Negative (TN):** This represents the percentage of legitimate emails that are correctly classified as legitimate by a phishing detection model. If we denote the number of legitimate emails that are correctly classified as legitimate as *NL* and the total number of legitimate emails as *L*, the formula of *TN* is as follows:

$$TN = \frac{NL}{L} \tag{2}$$

• **False Positive (FP):** This is the percentage of legitimate emails that are incorrectly classified by a phishing detection model as phishing emails. If we denote the number of legitimate emails that are incorrectly classified as phishing as *Nf* and the total number of legitimate emails as *L*, the formula of *FP* is as follows:

$$FP = \frac{Nf}{L} \tag{3}$$

• **False Negative (FN):** This represents the percentage of the number of phishing emails that are incorrectly classified as legitimate by a phishing detection model. If we denote the number of phishing emails that are classified as legitimate by the algorithm as *Npl* and the total number of phishing emails in the dataset is denoted as *P*, the formula of *FN* is as follows:

$$FN = \frac{Npl}{P} \tag{4}$$

Using TP, TN, FP, and FN, the four evaluation metrics, including accuracy, precision, recall, and F-measure, can be computed as follows:

• **Accuracy**: It represents the average number of successfully categorised emails throughout the entire dataset using the following formula:

$$Accuracy = \frac{TP + TN}{TP + FP + FN + TN} \tag{5}$$

• **Precision**: It measures the exactness of a classifier, i.e., what percentage of emails that the classifier has labelled as BEC phishing are actually BEC phishing emails, and it is represented by this formula:

$$Precision = \frac{TP}{TP + FP} \tag{6}$$

• **Recall:** It measures the completeness of a classifier's results, i.e., what percentage of phishing emails the classifier has labelled as phishing, and it is represented by this formula:

$$Recall = \frac{TP}{TP + FN} \tag{7}$$

• **F-measure:** This is also known as *F*1 score and is defined as the harmonic mean of Precision and Recall, and it is calculated based on this formula:

$$\text{F1-Score} = \frac{2TP}{2TP + FP + FN} \tag{8}$$
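The following added example (not code from the paper) carries Equations (1)–(8) through on a constructed mailbox in which BEC emails are rare. It evaluates Equations (5)–(8) twice, once with raw counts and once with the per-class rates of Equations (1)–(4), to show how far the two readings diverge under class imbalance; the function names and the sample data are assumptions.

```python
from fractions import Fraction

def confusion_counts(y_true, y_pred):
    """Raw counts (tp, tn, fp, fn); label 1 = BEC phishing, 0 = legitimate."""
    pairs = list(zip(y_true, y_pred))
    tp = sum(1 for t, p in pairs if t == 1 and p == 1)
    tn = sum(1 for t, p in pairs if t == 0 and p == 0)
    fp = sum(1 for t, p in pairs if t == 0 and p == 1)
    fn = sum(1 for t, p in pairs if t == 1 and p == 0)
    return tp, tn, fp, fn

def class_rates(tp, tn, fp, fn):
    """Equations (1)-(4): each count divided by the size of its true class."""
    P = tp + fn          # all phishing emails in the dataset
    L = tn + fp          # all legitimate emails in the dataset
    if P == 0 or L == 0:
        raise ValueError("need at least one phishing and one legitimate email")
    return Fraction(tp, P), Fraction(tn, L), Fraction(fp, L), Fraction(fn, P)

def metrics(tp, tn, fp, fn):
    """Equations (5)-(8), applied to whatever TP/TN/FP/FN values are passed in."""
    tp, tn, fp, fn = (Fraction(v) for v in (tp, tn, fp, fn))

    def ratio(num, den):
        return float(num / den) if den else 0.0

    return {
        "accuracy": ratio(tp + tn, tp + fp + fn + tn),
        "precision": ratio(tp, tp + fp),
        "recall": ratio(tp, tp + fn),
        "f1": ratio(2 * tp, 2 * tp + fp + fn),
    }

def evaluate_sample():
    """Constructed data: 1000 emails, 10 BEC; 8 BEC caught, 20 legitimate flagged."""
    y_true = [1] * 10 + [0] * 990
    y_pred = [1] * 8 + [0] * 2 + [1] * 20 + [0] * 970
    counts = confusion_counts(y_true, y_pred)
    from_counts = metrics(*counts)                 # what an analyst experiences
    from_rates = metrics(*class_rates(*counts))    # class sizes normalised away
    return from_counts, from_rates

if __name__ == "__main__":
    by_counts, by_rates = evaluate_sample()
    for name in ("accuracy", "precision", "recall", "f1"):
        print(f"{name:9s} counts={by_counts[name]:.4f} rates={by_rates[name]:.4f}")
```

With counts, precision is 8/28, so most alerts are false; with rates, the same classifier appears to have precision above 0.97 because the 990 legitimate emails are normalised to the same weight as the 10 BEC emails. Recall is identical under both readings.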

#### **3. Research Methodology**

The purpose of a systematic literature review is to define, analyse, and interpret all available research relevant to a research topic, a specific subject, or a set of interesting occurrences. While several experts have offered solutions to detecting BEC attacks, the threat environment is expanding and becoming more dangerous despite their efforts. This systematic literature review investigates existing BEC attack techniques and detection methods, as well as various studies presented by researchers using different ML algorithms employed in the detection process and these studies' conclusions.

Conducting a systematic literature review consists of five stages, as shown in Figure 3. The objective of the first stage is to formulate the research questions that the current review will answer. This is followed by determining the inclusion and exclusion criteria to ensure that the selected articles are the best and most pertinent concerning the research objectives. The third stage is to specify which research databases will be searched to find relevant articles. In the fourth stage, the findings are analysed, and, in the fifth stage, the outcomes of each study topic are discussed.

**Figure 3.** Stages of conducting a systematic literature review.

This methodology was utilised to allow readers to understand the stages used to complete this literature review systematically. Before beginning to evaluate many sources, we defined our research questions so that the review would be more focused. Next, the selection criteria were used to narrow down the retrieved publications to those relevant to the study's objectives. The digital libraries that were used to compile these articles are also offered as data sources. Article selection based on relevance was also covered. The presented methodology offers various benefits to show the steps taken by researchers to reach their study's intended results.

Although this methodology has been used in several systematic literature studies, there are some limitations, including the fact that it narrows the focus of the review/study and, hence, may not provide readers with all the facts they need to fully understand the subject matter at hand. In addition, data collection was limited to only six sources for collecting relevant publications in our study, which could limit the number of publications reviewed. Although these sources are the most reliable sources identified in various systematic literature studies, this could be considered a limitation as not all sources were investigated to identify relevant articles related to the study objectives. In addition, this study reviewed only articles published between 2012 and 2022. Although this study provides readers a review of state-of-the-art articles published in the last ten years, the search methodology limits the number of publications that can be reviewed in the study.

#### *3.1. Research Questions*

This paper seeks to address the following research questions:


• **RQ4**: What are the conventional features used in developing an effective BEC detection model?

#### *3.2. Inclusion and Exclusion Criteria*

Inclusion and exclusion criteria were used to choose the applicable research. The primary purpose of these criteria was to answer the research questions and assure the creation of an effective literature review. The inclusion criteria were as follows:


The exclusion criteria were as follows:


#### *3.3. Data Sources*

Digital libraries were used to conduct the searches. The electronic databases used in this systematic literature review included the following:


The papers pertinent to the subject and study questions were gathered using keyword searches. The search terms used included the following:


#### *3.4. Selection of Relevant Articles*

This step involved choosing relevant and recent studies on BEC phishing attacks among the 950 articles gathered from various online digital libraries. The process of selecting relevant publications was divided into three phases:


#### **4. Analysis of Results**

The inclusion and exclusion criteria were applied to the collected publications in three phases, as indicated earlier. A total of 887 articles were removed based on the evaluation by simply reading the titles and abstracts and their relevance to the research questions. Furthermore, duplication across various online digital databases (25 publications) was removed, as shown in Figure 4.

**Figure 4.** Flow diagram of the search.

The search that was executed in six different well-known online databases enabled us to collect most of the publications that are relevant to BEC phishing attacks. The results of the collected publications from each online database and the resultant number of publications after applying the three selection phases are shown in Table 1. The results show that Google Scholar and IEEE are the richest data sources of publications related to BEC phishing attacks.


**Table 1.** The number of search results per database after applying the three selection phases.

Additionally, the number of publications related to BEC phishing attacks per year is shown in Figure 5. The evidence suggests an upsurge in the study of BEC phishing attacks since 2017. However, many scientists still consider this to be a frontier. Research on BEC attacks has received consistent attention since 2017, as shown by the number of publications in 2017, 2018, 2019, 2020, 2021, and 2022.

**Figure 5.** Number of selected articles published per year from 2012 to 2022.

Furthermore, the papers on BEC phishing attacks that were retrieved are separated by year and type (either as a journal or conference publication), as shown in Figure 6. Conference and journal articles both yield similar numbers of outcomes that meet our study objectives. In addition, Table 2 lists the ID, citation, publication category, and publication year for each of the examined articles. All of the papers that were read and retrieved were originally presented at academic conferences or published in scholarly publications.

**Figure 6.** Number of journal and conference publications per year from 2012 to 2022.

**Table 2.** Retrieved publications that are related to the research questions.



#### **5. Discussion**

Many researchers are still investigating BEC phishing attacks to identify better and more effective ways to counteract this growing threat. This paper serves as an excellent place for such researchers to begin understanding this paradigm by reviewing prior research that may be relevant to their study questions. To demonstrate how the reviewed papers have addressed our research questions, a discussion of the retrieved/analysed publications is provided in this section.

#### **RQ1: What is the most recent and peer-reviewed literature regarding BEC phishing attacks?**

To answer this research question, the retrieved/analysed publications that are related to BEC phishing attacks will be discussed. Table 3 summarises the contributions of each publication.

**Table 3.** Summary of recent studies in the literature regarding BEC phishing attacks.






Table 3 provides a summary of the contributions of the retrieved publications that are related to BEC phishing attacks. Looking at the various reviewed studies illustrates that there are some similarities and differences among various researchers. Some researchers presented a comparative study of various supervised and unsupervised ML techniques to provide an effective BEC phishing detection model that provides the highest accuracy, precision, recall, and F-measure to detect phishing emails. For example, Butt et al. [8], Ripa, Islam, and Arifuzzaman [41], and Chakraborty and Mondal [11] created a comparative study using various ML algorithms, including DT, SVM, LSTM, RF, LR, ANN, NB, KR, and DT, to identify an ML algorithm that provides the highest accuracy on a specific dataset. Other researchers provided hybrid ML-based techniques that combine two or more algorithms with changes in variables to provide better accuracy for the BEC phishing detection model. For instance, Dewis and Viana [10] proposed a hybrid ML-based approach combining NLP and deep learning to detect BEC phishing emails. Their LSTM model has achieved an average accuracy of 99% for text-based datasets. In addition, Qasem, Shamsuddin, and Zain [12] proposed a new hybrid multi-objective learning algorithm combining MPPSON, MEP-GAN, and MEPDEN to achieve a compact RBFN model with good prediction accuracy and prominent structure while detecting BEC attacks.

Furthermore, some researchers focused more on the detection algorithm by investigating the best ML algorithm to implement their BEC phishing detection model, while other researchers focused more on the feature selection techniques to identify the best features that ensure the creation of a high-accuracy BEC phishing detection model. For example, Rendall, Nisioti, and Mylonas [37] used a multi-layered detection system where a potential phishing domain is classified multiple times by models using different feature sets, while the studies by Salahdine, El Mrabet, and Kaabouch [40] and Ripa, Islam, and Arifuzzaman [41] focused more on identifying the best ML algorithm for the detection model by comparing their effectiveness against various datasets.

Evaluating the proposed BEC phishing detection models by various researchers also revealed another difference among the retrieved publications: some researchers utilised publicly available datasets, while other researchers utilised real-world and dynamic datasets that they created in specific circumstances to evaluate the effectiveness of their detection models. For example, Garces and Cazres [36], Ripa et al. [41], Alam et al. [38], Dewis and Viana [10], Mridha et al. [44], and Nidhin et al. [31] evaluated the effectiveness of their phishing detection model using the Kaggle dataset, one of the most common datasets in the phishing detection domain, while other researchers created their own datasets, such as Baykara and Gurel [26], Rawal et al. [21], etc.

#### **RQ2: What are the common ML algorithms for developing ML-based BEC detection models?**

The technique used to identify a BEC attack is important to the process of identifying such an attack. It is possible to utilise a wide variety of algorithms to guarantee accuracy, although their detection effectiveness differs. This section lists various techniques that have been used by various researchers to build a BEC phishing detection model, as shown in Table 4. The most common techniques include the following:


From Table 5, we can see that DT, SVM, ANN, NB, and Logistic algorithms have all been utilised in at least 10 of the 38 studies, indicating that researchers have found their results to be consistent enough to justify reusing these algorithms. In addition, it is important to highlight that certain algorithms, such as DT, SVM, NB, ANN, and Logistic algorithms, have a broad user base and are widely utilised by researchers and data scientists. As a result, they have well-updated libraries, and further enhancements are available to make them more compatible with several datasets due to their continuous use [53,54].


**Table 4.** List of algorithms used in the literature and their abbreviations.

These algorithms have been used extensively by various researchers due to their effectiveness and accuracy in detecting BEC phishing attacks with various networks and datasets. Identifying the effective algorithm within each communication network should be the right course of action for an effective and successful BEC detection model. In addition, creating a hybrid technique that integrates two or more of these algorithms can yield an effective technique that can provide a better BEC phishing detection model.

In addition, if we look at supervised and unsupervised ML algorithms that have been utilised by researchers to build BEC phishing detection models, we find that most researchers prefer using supervised ML algorithms. For example, supervised ML algorithms, including DT, SVM, NB, and Logistic algorithms, were used in at least 10 of the 38 reviewed articles, while unsupervised algorithms, such as PCA, were utilised in only two of the 38 reviewed articles. Researchers prefer utilising supervised ML algorithms in BEC phishing detection models since unsupervised learning typically uses clustering algorithms to group email categories, such as BEC emails. However, a clustering algorithm would typically categorise many common categories (e.g., social emails and marketing emails), but since BEC emails are so rare, it results in low precision and many false positives. Therefore, supervised learning algorithms are more suitable for detecting BEC attacks at high precision.

It is also important to note that certain algorithms, such as GMDH, PNN, GP, MP, PCA, and GK, were used less than other algorithms; these algorithms were used in only one or two articles out of the 38 selected articles, making them less well known than the first group of algorithms. These algorithms may not yet be familiar enough for researchers to have tried them and assessed their effectiveness in various communication networks, but they can be the basis for creating an effective hybrid BEC phishing detection model in the near future.



**Table 5.** ML algorithms utilised by various researchers to build BEC phishing detection models.

#### **RQ3: What are the common datasets used in creating BEC detection models?**

Building an ML-based technique requires having a dataset for training and testing the suggested model to identify its effectiveness and accuracy. There are many common datasets that have been used by various researchers to build BEC phishing detection models. Table 6 summarises the datasets used by various researchers to build BEC phishing detection models. This paper highlights the fact that many datasets were created previously and get regular updates from their creators. For example, the Nazario dataset gets regular updates with fresh sample data, with the latest being in 2021. Other examples are the Spam email dataset, which was compiled in 2010, the Phishing corpus in 2005, the Enron spam in 2006, and the Spamassassin dataset in 2002, all of which get regular updates. The titles of the datasets used by the 38 publications are further categorised in Table 6.

In addition, out of the 38 studies, more than half used customised datasets in their study. In light of the ever-shifting nature of BEC attacks, most of the researchers acquired email samples from actively running servers and organisations' email systems. To keep up with the latest trends and conduct an in-depth study of emerging BEC attack routes and methodologies, a dynamic and continuously updated dataset that captures a wide range of emails is required. This further supports the argument that new customised datasets from working contexts are more widely utilised in research than the standard datasets provided.

#### **RQ4: What are the conventional features used in developing an effective BEC detection model?**

There are three primary locations from which features used to detect BEC phishing attacks are often extracted: header, body, and URLs. The URL is a subset of both the header and the body; thus, it is not surprising that it is a frequently utilised detection feature.




**Table 6.** Datasets utilised by various researchers to build BEC phishing detection models.


**Table 7.** Common features used by various researchers to build BEC detection models.

From Table 7, there is a large number of researchers utilising the body and header features, with a total of 28 researchers utilising the body and a total of 23 researchers utilising the header feature for BEC phishing detection. Furthermore, a total of 14 researchers used a combination of header and body features.

Moreover, the body feature is widely used because BEC attacks depend mainly on a well-crafted email body to deceive corporations and their employees: the content adopts a polished, official tone of writing to achieve the required level of deception. In addition, the header is a good source for determining the authenticity of an email, since information such as the sender's email address, SCL, and other vital components, which can serve as good indicators of a malicious BEC email, is easily spotted in the header.
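The following added example, which is not code from the review or from any of the surveyed articles, extracts features from the three locations discussed above (header, body, and URLs) and returns them as one feature vector for a classifier. The keyword lists, the feature names, the sample message, and the reading of "SCL" as the Exchange header `X-MS-Exchange-Organization-SCL` are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message; all domains and addresses are made up.
SAMPLE = """\
From: Jane Doe <jane.doe@examp1e-corp.test>
Reply-To: jane.doe.ceo@freemail.test
Subject: Urgent wire transfer today
X-MS-Exchange-Organization-SCL: 1

Hi, I need you to process an urgent wire transfer before 3pm.
Keep this confidential. Invoice details: http://192.0.2.10/invoice
Portal: https://example-corp.test/pay
"""

# Assumed keyword lists, chosen for illustration only.
URGENCY = {"urgent", "immediately", "confidential", "today", "asap"}
PAYMENT = {"wire", "transfer", "invoice", "payment", "bank"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")

def domain(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def extract_features(raw, org_domain):
    """Header, body and URL features of one raw message, as a flat dict."""
    msg = message_from_string(raw)
    from_dom = domain(parseaddr(msg.get("From", ""))[1])
    reply_dom = domain(parseaddr(msg.get("Reply-To", ""))[1])
    scl = msg.get("X-MS-Exchange-Organization-SCL", "").strip()
    # Plain-text parts only; transfer-encoded bodies are not decoded here.
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    words = set(re.findall(r"[a-z]+", (msg.get("Subject", "") + " " + body).lower()))
    hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(body)]
    return {
        "from_external": int(from_dom != org_domain),                        # header
        "reply_to_mismatch": int(bool(reply_dom) and reply_dom != from_dom), # header
        "scl": int(scl) if scl.lstrip("-").isdigit() else None,              # header
        "urgency_terms": len(words & URGENCY),                               # body
        "payment_terms": len(words & PAYMENT),                               # body
        "url_count": len(hosts),                                             # URL
        "ip_host_urls": sum(bool(IPV4_RE.fullmatch(h)) for h in hosts),      # URL
        "offdomain_urls": sum(h != org_domain and not h.endswith("." + org_domain)
                              for h in hosts),                               # URL
    }
```

Calling `extract_features(SAMPLE, "example-corp.test")` flags the look-alike sender domain and the Reply-To mismatch even though the SCL value is low, which is the case where header and body features together carry more signal than a spam score alone.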

#### **6. Challenges and Future Directions**

BEC phishing attacks are particularly dangerous because they do not contain malicious links or dangerous email attachments. They are used to impersonate or compromise corporate or publicly accessible email accounts of executives or high-level employees, who are involved in finance or who wire transfer payments, to conduct fraudulent transfers, costing billions of dollars in damages. Detecting BEC phishing attacks is getting harder since hackers change their tactics regularly to deceive email recipients and BEC detection tools. There are several open issues and future research directions that still need to be investigated to provide an effective BEC phishing detection model, including the following:


tion of NLP with deep learning can develop better accuracy in BEC phishing detection models [59]. More studies are required to investigate the integration of NLP with deep learning that allows us to combine the best of both approaches to create a better BEC phishing detection system.


#### **7. Conclusions**

Research efforts have mostly focused on finding ways to stop basic phishing emails that use text as their medium. In recent years, attackers have come up with new and creative tactics to utilise BEC phishing emails to attack organisations and businesses. A BEC phishing email is a legitimate-looking email meant to trick the receiver. These emails may download harmful software if the receiver clicks on dangerous links in the body. Tricking a user involves telling them their business email user information has changed and asking them to check in to evaluate the changes. Once users click on an obfuscated link, they are led to a rogue site, which steals their information and redirects them to the corporate site. Although there are some efforts made to create effective methods to detect BEC phishing emails, there is still a need for more work to investigate this topic further and to provide better and more effective solutions. This paper presents a systematic literature review and analysis of the state of the art of BEC phishing attacks. This paper systematically analyses journal articles and conference proceedings published between 2012 and 2022. Based on the selected search strategy, 38 articles (out of 950 articles) were chosen for a closer examination in terms of recent BEC phishing detection models, ML-based algorithms used to build these models, common datasets used to develop these models, and common features utilised to detect BEC phishing emails. The results provide a summarised version of selected articles to give readers a basic view of the state of the art of BEC phishing attacks. The results indicate that several researchers are interested in utilising ML-based techniques for detecting BEC attacks, as the number of BEC attacks is increasing daily and the attacks' measures are changing and evolving daily, with DT, SVM, ANN, NB, and Logistic algorithms being the most common techniques used by various researchers. In addition, there is a large number of researchers who have utilised the body and header features to detect BEC phishing attacks, with 28 articles utilising the body features, 23 articles utilising the header features, and 14 articles using a combination of both header and body features. The paper also presents challenges and future research directions related to BEC phishing detection based on ML. There is a need for more research studies on dynamic feature selection, creating real-life datasets, integrating NLP with deep learning, and combining ML with XAI to develop an effective and optimised BEC phishing detection system.

**Author Contributions:** Conceptualization, H.F.A. and O.O.; methodology, H.F.A.; Implementation, H.F.A. and O.O.; validation, H.F.A.; investigation, H.F.A. and O.O.; resources, O.O.; writing—original draft preparation, H.F.A. and O.O.; writing—review and editing, H.F.A.; visualization, H.F.A. and O.O.; supervision, H.F.A.; project administration, H.F.A. All authors have read and agreed to the published version of the manuscript.

**Funding:** This research received no external funding.

**Data Availability Statement:** No new data were created or analyzed in this study. Data sharing is not applicable to this article.

**Conflicts of Interest:** The authors declare no conflict of interest.

#### **References**


