
How to Spot a BEC Attack: 5 Patterns That Fool Smart People in 2026

By SO Email Security · 9 min read

Business Email Compromise cost organizations $2.77 billion in 2024 according to FBI IC3. The attacks succeed because they exploit trust, urgency, and routine. Here are the 5 patterns BEC attackers use to fool smart people, and how to spot each one before money moves.




What Is Business Email Compromise and Why Is It So Hard to Spot?

Business Email Compromise is a category of email fraud where attackers impersonate a trusted party, usually an executive, vendor, or known business contact, to convince the recipient to transfer money, change payment details, or share sensitive data. According to the FBI Internet Crime Complaint Center's 2024 report, BEC accounted for $2.77 billion in reported losses, with an average loss of $137,132 per incident. The attacks succeed not because the emails look clever but because the requests fit routines the recipient already follows.

Most BEC emails are short, plain, and contextually appropriate. There are no spelling errors, no obvious red flags, no suspicious attachments. The attacker has done their reconnaissance, often after a prior credential compromise, and they know exactly when to send the request and what to ask for. This post breaks down the five patterns that make BEC work, and what to look for in each one before money moves.


How Do BEC Attackers Get the Information They Need?

Most successful BEC attacks begin weeks before the target email is sent. The attacker either compromises an account through phishing, purchases credentials from a breach marketplace, or simply observes public information from LinkedIn, company websites, and press releases. They map the financial relationships, identify the people who can authorize payments, and learn the communication patterns of the parties they will impersonate.

Verizon's 2024 Data Breach Investigations Report found that the median time between initial compromise and the first BEC email is 18 days. That window is reconnaissance time. The attacker is reading the inbox, learning vocabulary, identifying invoice cycles, and waiting for the right moment to act.

When the email finally arrives, it does not look like an attack. It looks like an ordinary request from a person you have reason to trust. That is the entire point.


Pattern 1: The Vendor Payment Change

What it looks like: An email from a known vendor saying their banking details have changed. The new account is at a different bank. The email may attach an updated W-9 or invoice with the new routing and account numbers. The request is timed to land before a scheduled payment cycle.

Why it works: Payment changes are routine. Vendors switch banks, get acquired, change accounting providers. The recipient has no reason to suspect a familiar vendor relationship. The attacker may have compromised the vendor's email account weeks earlier, which means the email is sent from the actual vendor address with no spoofing required.

What to look for:

  • The change request comes by email rather than through a phone conversation or your accounts payable portal
  • The email includes urgency about an upcoming payment that needs to be redirected
  • The reply-to address is slightly different from the from address
  • The new bank is in a different jurisdiction than previous payments
  • The request comes from a person you have not previously corresponded with at the vendor

How to verify: Call the vendor at a phone number you already have on file, not a number provided in the email. Ask for the person who normally handles your account, not the person named in the email. Confirm the change in person or via your AP portal before any payment is made.


Pattern 2: The CEO Wire Transfer

What it looks like: An email appearing to come from your CEO, CFO, or another executive, asking you to wire funds for a confidential transaction. The email mentions a deal in progress, an acquisition, a tax matter, or a similar reason that explains why the request bypasses normal channels. The amount is significant but not so large it would be obviously suspicious.

Why it works: The recipient is usually someone with payment authority who reports up to the impersonated executive. The email leverages organizational hierarchy, social pressure, and the natural reluctance to question a senior leader. Confidentiality framing reduces the recipient's instinct to verify with colleagues.

What to look for:

  • The sender address is a lookalike domain (the real CEO's address with one letter changed, or a different top-level domain)
  • The email asks you to keep the request confidential or to bypass standard processes
  • The request comes outside normal business hours or while the executive is known to be traveling
  • Reply-to address differs from the from address
  • The signature block is slightly different from the executive's normal signature
  • The email asks for a wire transfer rather than a check or ACH

How to verify: Walk to the executive's office. If they are remote, call them on a phone number you already have. Do not reply to the email and do not use any phone number provided in the email. If the executive cannot be reached, the request waits. No legitimate confidential transaction requires bypassing identity verification.


Pattern 3: The Invoice Manipulation

What it looks like: An email forwarding what appears to be a legitimate invoice from a known vendor. The email may come from a colleague's compromised account or from the vendor directly. The invoice details look correct except for the payment information, which has been modified. Sometimes the modification is small enough to escape casual review, such as a transposed digit in an account number or a slightly different routing number.

Why it works: Accounts payable teams process hundreds of invoices per month. Each invoice gets a quick review for amount, vendor name, and approval, then moves to payment. The attacker exploits the volume by inserting one altered invoice into the normal flow.

What to look for:

  • The invoice arrives slightly outside the usual cycle for that vendor
  • The amount is similar but not identical to typical invoices from this vendor
  • The bank details differ from the bank details on prior invoices from the same vendor
  • The invoice is forwarded by a colleague rather than coming directly from the vendor system
  • The email language asks for expedited processing or apologizes for a delay

How to verify: Compare the invoice line by line against the vendor's previous invoice in your records. If your AP system supports vendor verification, run the new bank details against historical payments. For any change in payment routing, require phone verification with the vendor before processing.

Trust Aside: Ṣọ Mail's document comparison feature checks new invoices against historical patterns from your own inbox. When a known vendor's bank details change, the extension flags the discrepancy before the invoice gets approved. Analysis runs on our secure servers with zero retention — your invoice data is never stored or shared.


Pattern 4: The Reply-Chain Hijack

What it looks like: An email that appears to be a continuation of an existing conversation. The thread shows a real exchange between you and a vendor, colleague, or partner, and the latest reply includes a request for payment, credentials, or a document. The reply is sent from what looks like the original participant's address but is actually a lookalike or compromised account.

Why it works: The conversation is real. The attacker compromised one of the participants' accounts and inserted themselves into a thread that was already underway. The recipient sees the full email history, recognizes the participants, and trusts the context. The request feels like the natural next step in a conversation that was already happening.

What to look for:

  • The latest reply comes from a slightly different domain than the earlier messages in the thread (one letter changed, different TLD)
  • The latest reply addresses you in a way that does not match the prior tone of the conversation
  • The request escalates the conversation in an unexpected direction (asking for payment when the discussion was about scope)
  • The latest reply forwards a link or attachment that was not part of the original conversation
  • The reply timestamp is unusual (very late at night, weekends, or while the impersonated party is known to be unavailable)

How to verify: Look at the actual sender address in the latest reply, not the display name. Hover over the address to see the full domain. If anything looks different from the rest of the thread, contact the person through a separate channel before responding.


Pattern 5: The Account Takeover Followup

What it looks like: An email from a colleague asking you to review a document, complete a payment, or share login credentials. The email comes from your colleague's actual address. There is no spoofing, no lookalike domain, no obvious red flag. The request is reasonable but slightly outside the normal pattern of your interactions with that colleague.

Why it works: The attacker has already compromised your colleague's email account, often weeks earlier. They have read enough of the inbox to understand the relationship, the vocabulary, and the typical request patterns. The email comes from a real address because the attacker has full access to send from that address.

What to look for:

  • The request asks you to do something time-sensitive that bypasses normal verification
  • The colleague's writing style is slightly off (different sentence rhythms, different word choices, different signoff)
  • The reply-to address is different from the from address (a tactic to avoid the real colleague seeing the response)
  • The email includes a link to a document on a service the colleague does not normally use
  • The request involves information the colleague would normally already have

How to verify: Call or message the colleague through a different channel: Slack, phone, in person, anything that is not the email thread itself. If the colleague's email account has been compromised, replying by email reaches the attacker, not the colleague.
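The header signals listed under Patterns 2, 4 and 5 (a Reply-To domain that differs from the From domain, and a sender domain one character or one TLD away from a domain you already correspond with) can be checked mechanically before anyone reads the body. The script below is an added example written for this post; it is not code from the post's author or from the Ṣọ Mail product. The known-domain list and the sample message are constructed, and the lookalike heuristics (edit distance of one, same name with a different TLD, a few common character swaps) are a deliberately small set a practitioner would extend with their own contact list.

```python
"""Header checks for BEC triage (added example, not SO Mail code).

Flags two signals the post calls out: a Reply-To domain that differs from
the From domain, and a From domain that imitates a domain the recipient
already corresponds with (one character changed, or a different TLD).
"""
from __future__ import annotations

from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr
from typing import Iterable

# Constructed data: domains this recipient has an established relationship with.
KNOWN_DOMAINS = {"acme-corp.com", "example-nonprofit.org"}

# Constructed sample message (not a real capture): a reply inserted into an
# existing thread from a TLD-swapped domain, with Reply-To pointed elsewhere.
SAMPLE_REPLY_CHAIN = """\
From: Dana Reyes <dana.reyes@acme-corp.co>
Reply-To: dana.reyes@mail-acmecorp.net
To: ap@example-nonprofit.org
Subject: RE: Q3 scope confirmation

Thanks for confirming the scope. Before we proceed, please send the
deposit to the updated account below.
"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; 1 means one insert/delete/substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value: str | None) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def split_domain(domain: str) -> tuple[str, str]:
    """'acme-corp.com' -> ('acme-corp', 'com'). Naive split, no public-suffix list."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def lookalike_of(domain: str, known_domains: Iterable[str]) -> str | None:
    """Return the known domain that `domain` imitates, or None if exact or unrelated."""
    known = set(known_domains)
    if domain in known:
        return None
    label, tld = split_domain(domain)
    # Normalise common visual swaps: 'rn' for 'm', '1' for 'l', '0' for 'o'.
    normalised = label.replace("rn", "m").replace("1", "l").replace("0", "o")
    for candidate in known:
        k_label, k_tld = split_domain(candidate)
        if label == k_label and tld != k_tld:      # same name, different TLD
            return candidate
        if levenshtein(label, k_label) == 1:         # one character off
            return candidate
        if normalised == k_label:                    # homoglyph-style swap
            return candidate
    return None


def check_headers(raw_message: str, known_domains: Iterable[str]) -> list[str]:
    """Run both checks on one RFC 5322 message and return readable findings."""
    msg = message_from_string(raw_message, policy=default_policy)
    from_domain = domain_of(msg["From"])
    reply_domain = domain_of(msg["Reply-To"])
    findings = []
    if reply_domain and reply_domain != from_domain:
        findings.append(
            f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    imitated = lookalike_of(from_domain, known_domains)
    if imitated:
        findings.append(f"From domain {from_domain} resembles known domain {imitated}")
    return findings


if __name__ == "__main__":
    for line in check_headers(SAMPLE_REPLY_CHAIN, KNOWN_DOMAINS):
        print("FLAG:", line)
```

On the constructed sample both checks fire: the Reply-To goes to `mail-acmecorp.net` while the From is `acme-corp.co`, and `acme-corp.co` is the real `acme-corp.com` with the TLD swapped. A finding here is a reason to verify out of band, not a verdict; legitimate mail from a new domain will also trip the lookalike check until that domain is added to the known list.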


What Do All Five Patterns Have in Common?

Every BEC pattern exploits one of three things: trust in a known relationship, urgency that prevents verification, or a routine workflow that processes requests automatically. The technical sophistication of the attack matters less than the social engineering. An attacker who knows your invoice cycle does not need to write a clever email. They need to send a plausible one at the right moment.

This is why most legacy email security tools struggle with BEC. The emails do not contain malicious links or suspicious attachments. They do not trigger keyword-based filters. They look like normal business correspondence because that is exactly what they are designed to look like.

Detection requires comparing the new email against the recipient's historical patterns. Have this vendor's bank details changed before? Does the CEO normally request wires by email? Is the colleague's writing style consistent with their previous messages? These checks are pattern matching against the recipient's own history, not against a generic threat database.


How Does Local Pattern Matching Catch BEC?

Most BEC detection happens at the moment a known relationship deviates from its established pattern. A vendor whose bank details have always been at one institution suddenly requests payment to a different institution. An executive who never sends wire requests by email sends one. A colleague whose writing style is consistently formal sends a casual urgent request. Each of these is a deviation that matters in context but is invisible without context.

Local-processing email security tools have an advantage here. The pattern data lives on the recipient's device, in their own email history. The detection does not require uploading historical email content to a vendor for comparison. The pattern check runs locally, against the recipient's own data, without that data ever leaving their environment.

Server-side tools can do the same comparison, but they require routing your email content through their infrastructure, which is the architectural tradeoff that defines most legacy email security.
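The per-relationship baseline described above, applied to the vendor payment case from Patterns 1 and 3, looks like the following. This is an added example written for this post, not code from the post's author or from the Ṣọ Mail product. The vendor, payment history, routing and account identifiers are all constructed placeholders; the thresholds (amount within 50 percent of the historical median, arrival within 7 days of the expected cycle) are assumptions a practitioner would tune to their own AP data. The same structure extends to the other baselines the post mentions, such as which senders have ever asked for a wire by email.

```python
"""Baseline-deviation checks for a vendor payment request (added example,
not SO Mail code). Builds a per-vendor baseline from the recipient's own
payment history and flags the deviations the post describes: new bank
details, a change requested by email, an unusual amount, an off-cycle date.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from statistics import median


@dataclass
class PastPayment:
    vendor: str
    paid_on: date
    amount: float
    routing: str   # bank routing identifier as recorded in AP (placeholder values below)
    account: str   # account identifier as recorded in AP (placeholder values below)


@dataclass
class PaymentRequest:
    vendor: str
    received_on: date
    amount: float
    routing: str
    account: str
    channel: str                      # "email" or "ap_portal"
    requests_bank_change: bool = False


@dataclass
class VendorBaseline:
    """What our own history says is normal for one vendor."""
    bank_accounts: set[tuple[str, str]] = field(default_factory=set)
    amounts: list[float] = field(default_factory=list)
    paid_dates: list[date] = field(default_factory=list)

    def typical_interval_days(self) -> float | None:
        """Median gap between payments, or None with fewer than two payments."""
        if len(self.paid_dates) < 2:
            return None
        ds = sorted(self.paid_dates)
        return median((later - earlier).days for earlier, later in zip(ds, ds[1:]))


def build_baselines(history: list[PastPayment]) -> dict[str, VendorBaseline]:
    """Fold the payment history into one baseline per vendor."""
    baselines: dict[str, VendorBaseline] = {}
    for p in history:
        b = baselines.setdefault(p.vendor, VendorBaseline())
        b.bank_accounts.add((p.routing, p.account))
        b.amounts.append(p.amount)
        b.paid_dates.append(p.paid_on)
    return baselines


def check_request(req: PaymentRequest, baselines: dict[str, VendorBaseline],
                  amount_tolerance: float = 0.5, cycle_tolerance_days: int = 7) -> list[str]:
    """Return findings that should trigger out-of-band verification; empty if none."""
    b = baselines.get(req.vendor)
    if b is None:
        return ["No payment history for this vendor: verify before the first payment"]
    findings = []
    if (req.routing, req.account) not in b.bank_accounts:
        findings.append("Bank details do not match any prior payment to this vendor")
    if req.requests_bank_change and req.channel == "email":
        findings.append("Bank change requested by email rather than via the AP portal")
    typical = median(b.amounts)
    if abs(req.amount - typical) / typical > amount_tolerance:
        findings.append(f"Amount {req.amount:,.2f} is far from the typical {typical:,.2f}")
    interval = b.typical_interval_days()
    if interval is not None:
        expected = max(b.paid_dates) + timedelta(days=interval)
        if abs((req.received_on - expected).days) > cycle_tolerance_days:
            findings.append(f"Received {req.received_on}, outside the usual cycle "
                            f"(expected near {expected})")
    return findings


# Constructed history for a made-up vendor; routing/account values are placeholders.
HISTORY = [
    PastPayment("Northwind Supplies", date(2025, 10, 15), 4200.00, "RTG-PLACEHOLDER-A", "ACCT-PLACEHOLDER-1"),
    PastPayment("Northwind Supplies", date(2025, 11, 14), 4350.00, "RTG-PLACEHOLDER-A", "ACCT-PLACEHOLDER-1"),
    PastPayment("Northwind Supplies", date(2025, 12, 15), 4200.00, "RTG-PLACEHOLDER-A", "ACCT-PLACEHOLDER-1"),
    PastPayment("Northwind Supplies", date(2026, 1, 15), 4400.00, "RTG-PLACEHOLDER-A", "ACCT-PLACEHOLDER-1"),
]
BASELINES = build_baselines(HISTORY)

# Constructed: on-cycle, usual amount, but new bank details requested by email.
BANK_CHANGE_REQUEST = PaymentRequest("Northwind Supplies", date(2026, 2, 14), 4300.00,
                                     "RTG-PLACEHOLDER-B", "ACCT-PLACEHOLDER-9",
                                     channel="email", requests_bank_change=True)
# Constructed: same bank, on-cycle, usual amount, submitted through the portal.
ROUTINE_REQUEST = PaymentRequest("Northwind Supplies", date(2026, 2, 16), 4250.00,
                                 "RTG-PLACEHOLDER-A", "ACCT-PLACEHOLDER-1", channel="ap_portal")

if __name__ == "__main__":
    for req in (BANK_CHANGE_REQUEST, ROUTINE_REQUEST):
        print(req.received_on, check_request(req, BASELINES) or ["no deviations"])
```

The point of the design is that the routine request passes with no findings and the bank-change request is caught even though its amount and timing are perfectly normal: the only thing that changed is the account, which is exactly what Pattern 1 relies on nobody noticing. All of the data the check needs is the recipient's own payment history, so it can run wherever that history already lives.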


Frequently Asked Questions About BEC Detection

What is the average BEC loss per incident?

According to the FBI Internet Crime Complaint Center 2024 report, the average BEC loss per incident is $137,132, with total reported losses of $2.77 billion in 2024 alone. These figures reflect only reported incidents. The actual number is almost certainly higher because many incidents go unreported by smaller organizations.

Can spam filters catch BEC attacks?

Generally not. BEC emails are designed to look like normal business correspondence. They do not contain malicious links, attachments, or keywords that traditional spam filters detect. Effective BEC detection requires pattern matching against the recipient's historical correspondence, which is outside the scope of most spam filters.

What is the most effective single defense against BEC?

Out-of-band verification for any payment change, wire transfer, or sensitive request. Phone calls to numbers you already have on file, in-person confirmation, or verified portal communication. The single most reliable signal that an email is fraudulent is that the request asks you to bypass the verification step that would catch it.

Should I rely on DMARC alone to prevent BEC?

DMARC at p=reject prevents attackers from sending email that appears to come from your domain, which addresses one specific BEC vector. It does not address attackers using lookalike domains, compromised vendor accounts, or compromised colleague accounts. DMARC is necessary but not sufficient for BEC defense.

How quickly can BEC funds be recovered?

The FBI Recovery Asset Team reported a 66 percent recovery rate on BEC fraud reported within 72 hours. After 72 hours, recovery rates drop sharply. Speed of detection is the single most important factor in actually getting funds back. This is why pattern detection that flags suspicious requests in real time matters more than after-the-fact analysis.


Executive Summary: TL;DR

Business Email Compromise cost organizations $2.77 billion in 2024 according to FBI IC3, with an average loss of $137,132 per incident. The attacks succeed because they exploit trust, urgency, and routine, not because they look obviously suspicious. Five patterns account for the majority of successful BEC attacks: vendor payment changes, CEO wire transfers, invoice manipulation, reply-chain hijacks, and account takeover followups.

The defense in every pattern is the same: out-of-band verification before money moves or credentials are shared. Phone calls to numbers you already have, in-person confirmation, or verified portal communication. The single most reliable signal that an email is fraudulent is that the request asks you to bypass the verification step that would catch it.

Detection at the technical layer requires pattern matching against the recipient's own historical correspondence. Local-processing email security tools can do this without uploading email content to external servers. Server-side tools can do it too, with the architectural tradeoff of routing your content through their infrastructure.

If your organization handles vendor payments, executive wire authorizations, or sensitive account changes by email, the practical step is to write down a verification protocol that requires out-of-band confirmation for any of those requests, regardless of how the email looks.


Sources: FBI Internet Crime Complaint Center 2024 Annual Report; Verizon 2024 Data Breach Investigations Report; Proofpoint Q1 2026 Threat Landscape Review; CISA Account Compromise Advisory 2026; NIST Special Publication 800-63B.
