Abnormal Security Research Team finds that of all the attacks our customers are facing, only 5 percent are BEC scams. BEC attacks are different because they do not have attachments carrying malware, nor do they contain URLs leading to malicious websites. The content of the email is generally simple, and the attacks are customized for each individual target. As such, they disproportionately represent the greatest financial risk, the payload-less nature of these attacks evades detection from traditional email security solutions. In order to protect against social engineering attacks, security teams need to analyze a broader set of identity data.
Source: https://threatpost.com/understanding-payload-less-email-attacks/156299/