Business Email Compromise (BEC) is one of the costliest forms of online fraud facing organizations today, yet it rarely relies on the malware or technical exploits people expect. Instead, BEC weaponizes trust. A criminal impersonates a CEO, a vendor, an attorney, or a colleague, and uses a believable message to convince an employee to send money or sensitive data to the wrong place. Because the email often looks legitimate and arrives inside a normal business conversation, it can slip past both spam filters and careful employees.
According to the FBI and its Internet Crime Complaint Center (IC3), BEC has caused tens of billions of dollars in reported losses worldwide, making it one of the most damaging scam categories tracked by law enforcement. What makes it so dangerous is that it targets your process — how payments get approved and how account changes are handled — rather than your firewall.
This guide explains how BEC scams actually work, the most common scenarios to recognize, the warning signs hidden in emails and invoices, and the practical verification, technical, and response controls that can stop fraud before money or data is lost.
What Business Email Compromise Means
Business Email Compromise is a targeted form of email fraud in which an attacker impersonates a trusted person or organization to trick a victim into transferring funds, redirecting payments, or handing over confidential information. The FBI describes BEC as a scam that exploits the fact that so much business now depends on email, where a single convincing message can authorize a large wire transfer.
A closely related term is Email Account Compromise (EAC). In a pure BEC attack, the criminal often spoofs or imitates a legitimate address. In EAC, the criminal actually gains control of a real mailbox — through phishing or stolen credentials — and sends fraudulent messages from inside a genuine account. That stolen access makes the fraud even harder to detect, because the email is truly coming from the person it claims to be.

The defining feature of BEC is social engineering rather than technical intrusion. There is frequently no malicious attachment to scan and no obvious link to block. The attacker simply supplies the right context, the right name, and the right amount of urgency to make a fraudulent request feel routine.
How BEC Scams Usually Work
Most BEC attacks follow a recognizable chain. Understanding each stage helps teams interrupt the fraud before the final payment.
- Research and targeting. Criminals study a company using its website, social media, press releases, and leaked data. They identify finance staff, executives, vendors, and the language used internally.
- Access or impersonation. The attacker either compromises a real mailbox (often via a phishing page that steals a password) or creates a lookalike domain and display name that closely resembles a trusted sender.
- Building believable context. They watch ongoing email threads, learn about pending invoices or deals, and time their request to match real business activity.
- The request with urgency. A message asks for a wire transfer, a change to banking details, gift cards, payroll redirection, or sensitive records — usually with pressure to act quickly and quietly.
- Fraud completion and laundering. Funds are sent to an account the criminal controls, then quickly moved or withdrawn, making recovery difficult once time passes.
Because each step looks ordinary in isolation, the scam succeeds by blending into legitimate workflows rather than breaking them.
Common BEC Scenarios to Recognize
BEC is not a single trick but a family of related schemes. The FinCEN advisory and FBI guidance highlight several recurring patterns.
CEO or Executive Fraud
An employee receives an email that appears to come from a senior leader requesting an urgent, confidential transfer. The message often discourages phone calls and stresses that the executive is traveling or in a meeting.
Vendor or Invoice Change Fraud
A supplier you genuinely work with seems to email new banking details for an upcoming payment. In reality, the attacker has hijacked or spoofed the vendor’s communications to redirect a legitimate invoice.
Payroll Diversion
A criminal impersonates an employee and asks HR or payroll to update direct-deposit information, quietly rerouting that worker’s salary to a fraudulent account.
Real Estate Wire Fraud
During property closings, scammers impersonate agents, title companies, or attorneys to send fake wiring instructions to buyers — a pattern IC3 specifically warns about because the sums are large and time-sensitive.
Compromised Employee Accounts
Once an attacker controls a real internal mailbox, they can request data, reset access, or message customers and partners with full credibility, expanding the damage well beyond a single payment.
Red Flags in Emails, Invoices, and Payment Requests
BEC messages share recurring warning signs. Training staff to pause when they see these cues is one of the most effective defenses.
- Last-minute changes to bank details on an invoice or payment instruction.
- Pressure to bypass normal process — secrecy, urgency, or “do this before end of day.”
- Requests to switch channels, such as moving the conversation to a personal or unfamiliar email address.
- Slightly altered domains (for example, an extra letter or a swapped character) that mimic a trusted sender.
- Unusual tone or phrasing from a known contact, or odd grammar in an otherwise official message.
- Reply-chain manipulation, where attackers insert themselves into a real thread to appear authentic.
- Requests for gift cards, cryptocurrency, or unusual payment forms outside normal procedure.
No single red flag is proof of fraud, but a combination — especially a payment change plus urgency — should trigger independent verification every time.
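The "slightly altered domain" red flag above is one that a mail gateway or a triage script can score automatically. The following is an added example, not code from the original article: it folds common homoglyph substitutions, measures edit distance (including adjacent-character swaps) against a trusted-domain list, and also catches a trusted brand name used in the display name of an unrelated address. The trusted domains, homoglyph pairs and threshold are constructed placeholders to be replaced with your own.

```python
import unicodedata
from typing import Optional, Tuple

# Constructed sample allow-list: the organisation's own domain plus known vendors and banks.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com", "northbank.com"}
# Substitutions that make a lookalike domain read like the real one at a glance.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
MAX_EDITS = 2  # tuning knob: how close a domain must be to count as a lookalike

def normalise(domain: str) -> str:
    """Lower-case, strip non-ASCII confusables (accented letters etc.), fold homoglyph pairs."""
    folded = unicodedata.normalize("NFKD", domain.lower()).encode("ascii", "ignore").decode()
    for fake, real in HOMOGLYPHS:
        folded = folded.replace(fake, real)
    return folded

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, or swap adjacent characters."""
    d = [[max(i, j) if min(i, j) == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. "bnak" for "bank"
    return d[len(a)][len(b)]

def assess_sender(address: str, display_name: str = "") -> Tuple[str, Optional[str], int]:
    """Return (reason, closest trusted domain, edit distance) for a From: address and display name."""
    domain = address.rsplit("@", 1)[-1].strip().lower()
    if domain in TRUSTED_DOMAINS:
        return ("trusted", domain, 0)
    folded = normalise(domain)
    closest, best = None, len(folded) + 1
    for trusted in TRUSTED_DOMAINS:
        dist = edit_distance(folded, normalise(trusted))
        if dist < best:
            closest, best = trusted, dist
    if best == 0:
        return ("homoglyph lookalike", closest, 0)  # identical once confusables are folded
    if best <= MAX_EDITS:
        return ("lookalike domain", closest, best)  # extra, missing, or swapped character
    # An unrelated domain whose display name borrows a trusted brand is impersonation too.
    brands = {t.split(".")[0].replace("-", " ") for t in TRUSTED_DOMAINS}
    hit = next((b for b in brands if b in display_name.lower()), None)
    if hit:
        return (f"display name impersonates '{hit}'", closest, best)
    return ("unknown sender", None, best)
```

Any verdict other than "trusted" should route the message to the callback verification step rather than block it outright, since a genuine new vendor will also land in "unknown sender".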
Controls That Stop BEC Before Money Moves
Because BEC targets process, the strongest defenses are procedural. These controls work even when an email looks completely genuine.
Out-of-Band Callback Verification
Before sending funds or changing banking details, confirm the request by calling the requester at a known, previously verified phone number — never a number supplied in the suspicious email. This single habit stops a large share of BEC losses.
Approval Workflows and Separation of Duties
Require dual approval for wire transfers above a set threshold, and ensure the person who initiates a payment is not the only one who authorizes it. This makes it far harder for one deceived employee to complete a fraud alone.
Formal Payment-Change Procedures
Treat any change to vendor or payroll bank details as a high-risk event requiring documented verification through an established contact, not a reply to the request email.
Staff Training and a Reporting Culture
Regular, realistic training helps employees recognize social engineering, and a blame-free reporting culture encourages people to flag suspicious messages early. The UK’s National Cyber Security Centre emphasizes that easy reporting and layered defenses matter more than expecting staff to spot every fake.
Technical Defenses That Reduce BEC Risk
While process controls are central, technical safeguards shrink the attack surface and limit account takeover.
- Multi-factor authentication (MFA): Protect email accounts so a stolen password alone cannot unlock a mailbox. Phishing-resistant methods, such as security keys, offer the strongest protection where available.
- Email authentication (SPF, DKIM, DMARC): Properly configured records help block spoofed domains and reduce the odds that lookalike mail reaches inboxes.
- Secure email gateways: Filtering tools can flag impersonation attempts, suspicious display names, and newly registered lookalike domains.
- Mailbox rule and account monitoring: Attackers often create hidden inbox rules that auto-forward or delete messages to conceal their activity. Regular audits of forwarding rules and unusual logins help catch EAC early.
- Least-privilege access: Limit who can approve payments or change financial records, reducing the number of accounts worth compromising.
These measures complement, rather than replace, human verification — together they form the layered defense that security agencies recommend.
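"Properly configured" DMARC is where many domains fall short: a record exists, but it only monitors. The check below is an added example (not from the article or any vendor tool) that parses a DMARC TXT record and lists the settings that still let spoofed mail through, with a constructed weak record beside its hardened version. The example.com reporting address is a placeholder.

```python
from typing import Dict, List

# Constructed sample records: a monitor-only policy and the hardened version of it.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
STRONG_RECORD = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com"
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}

def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tags are lower-cased and values trimmed."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(record: str) -> List[str]:
    """Return the spoofing-relevant weaknesses of a DMARC record; an empty list means hardened."""
    t = parse_dmarc(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record: receivers will ignore it entirely"]
    policy = t.get("p", "")
    if policy not in STRENGTH:
        return ["missing or invalid p= tag; receivers fall back to p=none at best"]
    findings = []
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail from your domain is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine sends spoofed mail to spam; p=reject blocks it outright")
    sub = t.get("sp", policy)  # subdomain policy defaults to p= when absent
    if STRENGTH.get(sub, 0) < STRENGTH[policy]:
        findings.append(f"sp={sub} leaves subdomains weaker than the organisational domain")
    pct = t.get("pct", "100")  # percentage of failing mail the policy applies to; default 100
    if not pct.isdigit() or int(pct) < 100:
        findings.append(f"pct={pct} applies the policy to only part of the failing mail")
    if "rua" not in t:
        findings.append("no rua= address: you receive no aggregate reports of who is spoofing you")
    return findings
```

Run it against the TXT record at _dmarc.<yourdomain> for each domain you send from; moving from p=none to p=reject should be staged, using the rua reports to confirm legitimate senders pass first.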

What to Do After a Suspected BEC Incident
If you believe a fraudulent transfer has occurred, speed matters enormously. The first hours offer the best chance of recovery.
- Pause and contain. Stop any further payments and freeze related approvals immediately.
- Contact your bank. Ask your financial institution to issue a recall or reversal request as quickly as possible; some funds can be frozen if reported fast.
- Preserve evidence. Keep the fraudulent emails, headers, invoices, and transaction details intact for investigators.
- Secure accounts. Reset passwords, revoke suspicious sessions, enable MFA, and remove any unauthorized mailbox forwarding rules.
- Report to authorities. File a complaint with the FBI’s IC3 at ic3.gov (or your country’s equivalent), which can engage recovery mechanisms for cross-border wire fraud.
- Review the gap. Identify which control failed and strengthen your verification, approval, and training processes to prevent a repeat.
Prompt reporting also helps law enforcement track criminal networks and, in some cases, recover transferred funds before they are fully laundered.
A Practical BEC Prevention Checklist
The table below summarizes the key habits and controls business owners, finance teams, and IT staff can put in place quickly.
| Control | Who Owns It | Why It Helps |
|---|---|---|
| Callback verification for payments and bank-detail changes | Finance / Accounts Payable | Confirms requests through a trusted channel the attacker cannot control |
| Dual approval for wire transfers above a threshold | Finance / Management | Prevents a single deceived employee from completing fraud |
| MFA on all email accounts | IT / Security | Blocks account takeover even if a password is stolen |
| SPF, DKIM, and DMARC configured | IT / Security | Reduces domain spoofing and lookalike email delivery |
| Mailbox rule and login audits | IT / Security | Detects hidden forwarding rules and compromised accounts early |
| Regular phishing and BEC awareness training | HR / Security | Helps staff spot social engineering and report it safely |
| Documented payment-change procedure | Finance / Operations | Forces verification before money is redirected |
Frequently Asked Questions
Is Business Email Compromise the same as phishing?
Not exactly. Phishing is a broad technique that casts a wide net to steal credentials or deliver malware. BEC is more targeted and usually relies on impersonation and social engineering to authorize a specific payment or data transfer. Phishing is often the first step attackers use to gain the access that enables a BEC scam.
Can small businesses be targeted by BEC scams?
Yes. Criminals target organizations of every size, and small businesses are often more vulnerable because they may lack dual-approval processes or dedicated security staff. Any business that sends payments or handles vendor invoices is a potential target.
What should I do first if a fraudulent wire transfer was sent?
Contact your bank immediately to request a recall or freeze, then report the incident to the FBI’s IC3 (or your local authority) as quickly as possible. Preserve all related emails and transaction records, and secure any affected accounts. Rapid action gives you the best chance of recovering the funds.
Conclusion
Business Email Compromise succeeds not because it is technically sophisticated, but because it exploits the everyday trust and urgency built into how organizations communicate and pay. The good news is that the same predictability that makes BEC effective also makes it preventable. By combining strong verification habits — especially out-of-band callbacks and dual approvals — with technical safeguards like MFA, DMARC, and account monitoring, you can stop most attacks before any money moves.
Treat BEC as a process-protection challenge, not just an IT problem. Train your team, document your payment-change procedures, and rehearse your response plan so everyone knows what to do if a suspicious request appears. With layered defenses and a culture that rewards careful verification, your organization can dramatically reduce the risk of becoming the next costly BEC statistic.
References
- FBI – Business Email Compromise – Official FBI overview explaining how BEC scams work, common examples, protection steps, and where to report incidents.
- FBI Internet Crime Complaint Center – Business Email Compromise: The $50 Billion Scam – Primary IC3 public service announcement defining BEC/EAC, showing major loss data, real estate BEC trends, and specific protection and recovery steps.
- FBI Internet Crime Complaint Center – 2025 IC3 Annual Report – Official annual cybercrime data source for current BEC complaint counts, loss figures, crime-type definitions, and IC3 recovery efforts.
- FinCEN – Updated Advisory on Email Compromise Fraud Schemes – Authoritative financial-crime advisory covering BEC typologies, red flags, vulnerable business processes, and reporting considerations for financial institutions.
- National Cyber Security Centre – Phishing attacks: defending your organisation – Practical official guidance on layered defenses against phishing and spear-phishing, including DMARC/SPF/DKIM, MFA, reporting culture, and incident response.
