WHAT IS BUSINESS EMAIL COMPROMISE (BEC)? THE COMPLETE GUIDE TO DETECTION, PREVENTION, AND RESPONSE

By Ṣọ Email Security. 10 min read

Business email compromise (BEC) is a social engineering attack where criminals impersonate trusted parties via email to steal funds or data. Learn how BEC works, how to detect it, and how to prevent it with this comprehensive, source-backed guide.

Tags: business email compromise, BEC, email security, phishing, social engineering, wire fraud, CEO fraud, invoice fraud, email authentication, cybersecurity, DMARC, SPF, DKIM

What is Business Email Compromise (BEC)?

Business email compromise is a targeted email scam in which attackers impersonate a trusted party, such as a CEO, vendor, or attorney, to trick employees into transferring funds or sharing sensitive data. BEC rarely relies on malware or malicious links; it exploits human trust and gaps in payment procedures. According to the FBI's 2024 Internet Crime Report, BEC caused $2.77 billion in reported losses across 21,442 complaints in a single year, making it the second most financially damaging cybercrime category.

What is the definition of Business Email Compromise?

Business email compromise (BEC) is a form of social engineering fraud conducted through email. The FBI defines BEC as a scam targeting businesses or individuals that regularly perform wire transfer payments, where criminals compromise email accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.

BEC is also referred to as email account compromise (EAC), "man-in-the-email" fraud, or CEO fraud. Unlike traditional phishing, BEC messages rarely contain malicious attachments or links. Instead, attackers rely on impersonation, urgency, and the appearance of legitimacy to manipulate recipients into acting without verification.

Five primary variants of BEC are commonly distinguished:

CEO fraud. The attacker impersonates a senior executive and emails an employee in finance or accounting with an urgent wire transfer request. The message typically stresses confidentiality and time pressure.

Invoice manipulation. The attacker impersonates a vendor or supplier and sends a fraudulent invoice with updated payment details. The recipient, expecting a legitimate bill, processes the payment to an account controlled by the attacker.

Account compromise. A real employee's email account is taken over and used to send payment requests to vendors or contacts found in the mailbox. Because the messages genuinely originate from the legitimate account and domain, they pass SPF, DKIM, and DMARC and bypass most technical filters; only the content of the request is anomalous.

Attorney impersonation. The attacker poses as a lawyer or legal representative handling a confidential or time-sensitive matter. This variant typically targets junior employees who may be less likely to question authority.

Payroll diversion. The attacker impersonates an employee and contacts HR or payroll to request a change in direct deposit information. Salary payments are then redirected to the attacker's account.

Each variant exploits a different relationship within or around an organization, but all share the same fundamental mechanism: trust-based deception delivered through email.

Why does Business Email Compromise matter?

BEC is among the most financially destructive cybercrimes in the world. The numbers from the FBI's 2024 Internet Crime Complaint Center (IC3) Annual Report make the scale clear.

BEC accounted for $2.77 billion in reported losses in 2024, making it the second highest loss category behind investment fraud. The IC3 received 21,442 BEC complaints in 2024, roughly consistent with prior years, indicating that BEC volume remains persistent even as individual attacks grow more targeted. Cumulatively, nearly $8.5 billion in BEC losses were reported to the IC3 between 2022 and 2024. The Association for Financial Professionals (AFP) reported in its 2025 Fraud and Control Survey that 63% of organizations experienced at least one BEC attack in 2024.

Total cybercrime losses reported to the IC3 reached $16.6 billion in 2024, a 33% increase from the prior year. BEC alone accounted for roughly 17% of that total.

BEC is not limited to large enterprises. Freelancers, nonprofits, municipalities, small businesses, and independent professionals are frequent targets. Smaller organizations are particularly vulnerable because they often lack dedicated security teams, formal payment verification workflows, and email authentication infrastructure. Some industry estimates put the share of organizations that have been targeted by at least one BEC attempt at around 70%.

What makes BEC uniquely dangerous is that it slips past payload-focused defenses. There is no malware signature to detect and no malicious URL to block; the weapon is a convincing email from what appears to be a trusted source, and when that source is a genuinely compromised account, even email authentication passes. The IRS placed email phishing, including BEC-related scams, at the top of its 2025 Dirty Dozen list of tax scams.

How does a Business Email Compromise attack work?

A typical BEC attack follows a structured sequence that unfolds over days, weeks, or even months. Understanding each phase is critical for detection and prevention.

Step 1: Target research. Attackers study the target organization through publicly available sources: LinkedIn profiles, corporate websites, press releases, SEC filings, social media, and industry publications. They identify key personnel in finance, accounting, HR, and executive leadership. They map reporting structures, vendor relationships, and communication patterns. In some cases, attackers monitor job postings to identify new hires who may not yet know internal processes.

Step 2: Email compromise or spoofing. The attacker gains a channel into the target in one of a few ways. They may compromise a legitimate email account through credential phishing, password spraying or brute force, or session and token theft. They may register a lookalike domain designed to closely mimic the target's or a vendor's domain: "company-inc.com" might be registered to mimic "companyinc.com," or "cornpany.com" to mimic "company.com" using character substitution (here, replacing the letter "m" with "rn"). Or they may simply put an executive's name in the display name of a free webmail account, or spoof the exact domain outright where it publishes no enforcing DMARC policy.

Step 3: Trust establishment. Using the compromised or spoofed account, the attacker initiates communication that mirrors the tone, format, and cadence of legitimate business correspondence. In account compromise scenarios, the attacker may monitor the victim's inbox for weeks, reading email threads, studying invoice formats, and identifying upcoming payment deadlines. Some attackers set up email forwarding rules to maintain persistent access without the victim's knowledge.

Step 4: The fraudulent request. The attacker sends a request designed to trigger a financial action. Common requests include changing wire transfer details for an existing vendor, processing an urgent invoice, updating direct deposit information for payroll, or sharing sensitive documents. These requests typically invoke urgency, confidentiality, or authority: "Please process this before end of day. Do not discuss with others until finalized." The request is crafted to feel routine rather than extraordinary.

Step 5: Funds extraction and laundering. Once the wire transfer is completed, the attacker moves the money rapidly through a series of accounts, often crossing international borders. Funds may be routed through banks in the United Kingdom, Hong Kong, China, Mexico, or the UAE before reaching the attacker's final account. Recovery is difficult and time-sensitive. The FBI's IC3 Recovery Asset Team reported a 66% success rate in freezing fraudulent BEC transfers in 2024, but this success depends entirely on victims acting within hours.

What does a real BEC attack look like?

BEC attacks have struck organizations of every size and sector. Two cases illustrate how devastating these attacks can be.

Orion S.A. (2024): $60 Million

In August 2024, Orion S.A., a Luxembourg-based chemical manufacturer, disclosed in an SEC filing that a non-executive employee had been targeted by a BEC scheme. The employee was manipulated into executing multiple wire transfers to accounts controlled by unknown third parties. The total loss reached $60 million. No technical infrastructure was breached. The attack exploited a single employee's trust in what appeared to be a legitimate request.

Google and Facebook (2013 to 2015): $121 Million

Between 2013 and 2015, a Lithuanian national named Evaldas Rimasauskas impersonated Quanta Computer, a legitimate hardware supplier used by both Google and Facebook. He sent fraudulent invoices to both companies over a two-year period, supported by counterfeit contracts and forged legal documents. The scheme extracted approximately $121 million before it was discovered. The case demonstrates that even the most technologically sophisticated organizations are vulnerable to BEC when payment verification processes have gaps.

These cases share a common pattern. The largest BEC losses typically stem not from technical failure but from procedural gaps in payment verification.

How do you detect a Business Email Compromise attempt?

BEC emails are designed to look legitimate. Detection requires a combination of technical controls and human vigilance. Use this checklist to evaluate suspicious messages before acting on any financial or data request.

Sender domain analysis. The sender's domain contains subtle misspellings, character substitutions, or added/removed characters. Compare the domain letter by letter against known contacts.

Reply-to mismatch. The reply-to address differs from the sender's display name or the expected domain. This is a common indicator of spoofing.

Payment change requests. The email requests a change to existing payment instructions, bank account details, or direct deposit information. Any such change warrants independent verification.

Urgency and secrecy cues. The message creates unusual urgency ("handle this personally," "time-sensitive," "do not share with others") or invokes authority to bypass standard procedures.

Workflow bypass. The request circumvents standard approval processes. Legitimate transactions should follow established internal controls regardless of who initiates them.

Timing anomalies. The email arrives outside of normal business hours or departs from the sender's typical communication patterns, including tone, formatting, and signature.

Email authentication failures. SPF, DKIM, or DMARC checks fail on the incoming message, which indicates it may not originate from the claimed domain. The converse does not hold: a message that passes all three is not therefore legitimate, since a lookalike domain the attacker owns and a compromised account both authenticate correctly.

Forwarding rule changes. Unexpected email forwarding rules have been created on an account, which may indicate that an attacker has compromised the account and is monitoring communications.

Any single indicator warrants verification through a separate communication channel. Multiple indicators together should halt the transaction entirely until the request is confirmed by a known, trusted contact through a different medium.
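The checklist above can be run mechanically before a human ever reads the request. The following Python script is an added example written for this guide, not code from the original page or from Ṣọ Email Security. It parses a raw message, checks the From and Reply-To domains against each other, compares the sender domain with a constructed list of known contacts (folding the "rn" for "m" and hyphen tricks described in Step 2 above, then allowing two edits for typosquats), reads the Authentication-Results header, and scans the body for payment-change and urgency phrasing. KNOWN_DOMAINS, the homoglyph table beyond the text's own "rn" example, the phrase patterns and both sample messages are constructed for illustration.

```python
"""Mechanical pass over the BEC indicator checklist for one inbound message.
Added example for this guide, not code from Ṣọ Email Security. KNOWN_DOMAINS,
HOMOGLYPHS, the phrase patterns and the sample messages are all constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

KNOWN_DOMAINS = {"company.com", "companyinc.com"}  # constructed: our domain and a vendor
# Lookalike substitutions, impostor form -> canonical. 'rn' for 'm' is the text's
# example; the rest are assumptions. Keep the list short to limit false positives.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", ""))
PAYMENT_CHANGE = re.compile(
    r"\b(new|updated?|changed?)\b.{0,40}\b(bank|account|routing|wire|direct deposit|payment details)\b",
    re.I | re.S)
URGENCY_SECRECY = re.compile(
    r"\b(urgent|before end of day|asap|time[- ]sensitive|do not (?:discuss|share)|"
    r"keep this confidential|handle this personally)\b", re.I)


def normalize(domain):
    """Fold lookalike characters so 'cornpany.com' compares equal to 'company.com'."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, known=KNOWN_DOMAINS):
    """Known domain that `domain` imitates (after folding, within 2 edits), else None."""
    if domain in known:
        return None
    n = normalize(domain)
    for k in sorted(known):
        if n == normalize(k) or edit_distance(n, normalize(k)) <= 2:
            return k
    return None


def auth_failures(msg):
    """spf/dkim/dmarc results in Authentication-Results that are not 'pass'."""
    failed = []
    for hdr in msg.get_all("Authentication-Results", []):
        for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", str(hdr), re.I):
            if result.lower() != "pass":
                failed.append(f"{mech.lower()}={result.lower()}")
    return failed


def assess(raw_message):
    """Collect checklist indicators and map their count to the prescribed action."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    indicators = []
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    from_domain = from_addr.rpartition("@")[2]
    reply_to = parseaddr(str(msg.get("Reply-To", "")))[1].lower()
    if reply_to and reply_to.rpartition("@")[2] != from_domain:
        indicators.append(f"reply-to mismatch: {reply_to} vs {from_addr}")
    target = lookalike_of(from_domain)
    if target:
        indicators.append(f"lookalike domain: {from_domain} resembles {target}")
    indicators += [f"authentication failure: {f}" for f in auth_failures(msg)]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if PAYMENT_CHANGE.search(text):
        indicators.append("payment instruction change requested")
    if URGENCY_SECRECY.search(text):
        indicators.append("urgency or secrecy cue")
    if len(indicators) >= 2:
        action = "HALT: confirm with a known contact through a different channel"
    elif indicators:
        action = "VERIFY: confirm out of band before acting"
    else:
        action = "no indicators (which does not prove legitimacy)"
    return {"from": from_addr, "indicators": indicators, "action": action}


# Constructed sample 1: lookalike domain; every authentication check passes because
# the attacker controls cornpany.com and publishes valid SPF/DKIM/DMARC for it.
SAMPLE_LOOKALIKE = """\
From: "Jane Doe, CFO" <jane.doe@cornpany.com>
Reply-To: jane.doe.cfo@mail-relay.example
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=cornpany.com; dkim=pass header.d=cornpany.com; dmarc=pass header.from=cornpany.com

Our vendor has updated their bank account for the open invoice. Please process the
wire before end of day and do not discuss with others until finalized.
"""
# Constructed sample 2: exact-domain spoof of the CEO; here authentication does fail.
SAMPLE_SPOOF = """\
From: ceo@company.com
Authentication-Results: mx.company.com; spf=fail smtp.mailfrom=company.com; dkim=none; dmarc=fail header.from=company.com

Are you at your desk? I need a payment handled today, keep this confidential for now.
"""
```

Note the first sample: SPF, DKIM and DMARC all pass, because the attacker owns cornpany.com and can publish valid records for it. Authentication confirms only that the mail came from the domain it claims, not that the domain is the one you think it is, which is why the script treats authentication failures as one indicator among several, and why any indicator at all sends the request to out-of-band verification, as the text above recommends. Run assess() on each sample and print the indicators to see the two very different paths to the same HALT verdict.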

How can organizations prevent Business Email Compromise?

Prevention requires a layered approach combining technical controls, process safeguards, and ongoing human training. No single control is sufficient. The most resilient organizations implement all of these together.

Enforce email authentication protocols. Implement SPF, DKIM, and DMARC at enforcement level (p=reject) for your domain, and have your inbound mail gateway honour the DMARC policies of the domains that write to you. This prevents attackers from spoofing your organization's exact domain, both against your own staff and against your customers and vendors. NIST Special Publication 800-177 Rev. 1 (Trustworthy Email) recommends these protocols as baseline email security controls, and CISA's Binding Operational Directive 18-01 has required federal civilian agencies to publish DMARC at p=reject since 2018. Be clear about what authentication does not cover: lookalike domains, display-name impersonation from webmail accounts, and genuinely compromised accounts all pass, so it closes one attack path rather than BEC as a whole.
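The following Python script, added here as an example and not taken from the page, NIST, or CISA, shows what "enforcement level" means concretely by grading a domain's SPF and DMARC TXT records: a weak pair (p=none, pct=50, +all) beside a hardened pair. The record strings are constructed; in practice you resolve the TXT records for yourdomain and _dmarc.yourdomain and pass them in. The finding texts and the choice of which settings count as weak are the author's assumptions, grounded in RFC 7208 (SPF) and RFC 7489 (DMARC).

```python
"""Grade a domain's SPF and DMARC TXT records for settings that leave it spoofable.
Added example for this guide, not code from the page, NIST or CISA. The record
strings are constructed; resolve your own TXT records and pass them in."""
import re

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
LOOKUP_MECH = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(?:[:=/]|$)", re.I)


def parse_dmarc(record):
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Weaknesses in a DMARC record; an empty list means enforcement-grade."""
    t = parse_dmarc(record)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    p = t.get("p", "").lower()
    if p != "reject":
        findings.append(f"p={p or 'missing'}: below reject, spoofed mail can still reach "
                        "users (none = monitor only, quarantine = spam folder)")
    sp = t.get("sp", p).lower()  # subdomain policy inherits p when absent
    if sp != "reject":
        findings.append(f"sp={sp or 'missing'}: subdomains can still be spoofed")
    try:
        pct = int(t.get("pct", "100"))
    except ValueError:
        pct = -1
    if pct != 100:
        findings.append(f"pct={t.get('pct')}: policy applied to only part of the failing mail")
    if "rua" not in t:
        findings.append("rua missing: no aggregate reports, so abuse of the domain goes unseen")
    return findings


def assess_spf(record):
    """Weaknesses in an SPF record; an empty list means a tight record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    mechanisms = terms[1:]
    all_terms = [m for m in mechanisms if m.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' term: unlisted senders evaluate to neutral, never fail")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every host on the internet passes SPF for this domain")
        elif qualifier == "?":
            findings.append("?all: neutral; unlisted senders neither pass nor fail")
        elif qualifier == "~":
            findings.append("~all: softfail; enough for DMARC, but alone it rarely blocks delivery")
    if any(m.lower().lstrip("+-~?").startswith("ptr") for m in mechanisms):
        findings.append("ptr: deprecated by RFC 7208, slow and unreliable")
    lookups = sum(1 for m in mechanisms if LOOKUP_MECH.match(m))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms: over the RFC 7208 limit of 10, record is a permerror")
    return findings


# Constructed records: the weak setting beside the corrected one.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
HARDENED_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@company.example; "
                  "ruf=mailto:dmarc-forensic@company.example; fo=1")
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example a mx ptr +all"
HARDENED_SPF = "v=spf1 include:_spf.mailprovider.example ip4:203.0.113.10 -all"

if __name__ == "__main__":
    for label, record, check in (("weak DMARC", WEAK_DMARC, assess_dmarc),
                                 ("hardened DMARC", HARDENED_DMARC, assess_dmarc),
                                 ("weak SPF", WEAK_SPF, assess_spf),
                                 ("hardened SPF", HARDENED_SPF, assess_spf)):
        print(label, "->", check(record) or ["ok"])
```

p=none is the right starting point for a rollout, since it only reports, but a domain that never moves past it gets no protection. The script grades sp as well because a missing sp inherits p, so p=none also leaves every subdomain spoofable, and it grades pct because a partial percentage is a rollout aid that should not be left in place.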

Require multi-factor authentication. Every email account should be protected with MFA. Account compromise is the most direct path to a successful BEC attack, and MFA significantly raises the barrier. CISA recommends phishing-resistant MFA, such as FIDO2 security keys, as the strongest option for high-value accounts.

Establish out-of-band verification. Any request to change payment details, redirect funds, or share sensitive data must be confirmed through a separate communication channel: a phone call to a number already on file for that contact, never a number supplied in the suspicious email itself. Because this control does not depend on detecting anything in the email, it works against every variant above, including a request sent from a genuinely compromised account.

Implement dual authorization for financial transactions. No single employee should be able to initiate and approve a wire transfer independently. Dual control is the separation of duties that financial audit frameworks expect, and it gives a second person the chance to question a request the first one believed.

Conduct regular security awareness training. Employees in finance, HR, executive support, and procurement roles are primary targets. Training should focus on recognizing social engineering tactics specific to BEC rather than generic phishing awareness. Simulated BEC exercises help build pattern recognition for real-world scenarios.

Deploy AI-powered email security. Modern email protection tools analyze behavioral patterns, sender reputation, and communication anomalies to flag BEC attempts that bypass traditional filters. Ṣọ Email Security detects these threats by analyzing sender behavior directly in your browser, so your email content never touches an external server. Protection without the privacy trade-off.

Monitor mailbox forwarding rules. Attackers who gain account access frequently create auto-forwarding or redirect rules to keep reading the victim's mail, and rules that delete or file away messages so the owner never sees the replies. Regular audits of mailbox rules can reveal compromise early. Where the mail platform supports it, block automatic forwarding to external domains tenant-wide, and alert on any new inbox rule created on an account with financial authority.
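Here is what such an audit of exported inbox rules can look like. This Python script is an added example, not code from the page or from Ṣọ Email Security. It reads a JSON array in the shape of Exchange Online's Get-InboxRule | ConvertTo-Json output (the property names are an assumption to check against your own export; Google Workspace and other platforms need a different loader) and flags the patterns described above: forwarding or redirecting to an external address, deleting matched mail, filing it into folders the owner does not read, keying on payment or security-alert terms, and the one- or two-character rule names attackers favour. The three rules, ORG_DOMAINS, HIDING_FOLDERS and WATCH_WORDS are constructed.

```python
"""Audit exported inbox rules for the interception and hiding patterns BEC actors
create after compromising an account.
Added example for this guide, not code from the page or from Ṣọ Email Security.
Input: a JSON array in the shape of Exchange Online's
`Get-InboxRule -Mailbox <user> | ConvertTo-Json`. Property names are an
assumption to verify against your export; the rules below are constructed."""
import json
import re

ORG_DOMAINS = {"company.com"}  # constructed: anything outside these is external
# Folders attackers use to park mail the owner will not look at (assumption).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "archive", "junk email", "deleted items"}
# Terms attackers watch to intercept payment threads or hide security alerts (assumption).
WATCH_WORDS = ("invoice", "payment", "wire", "bank", "remit", "ach", "swift",
               "password", "sign-in", "security")
SMTP_IN_BRACKETS = re.compile(r"SMTP:([^\]\s]+)", re.I)


def recipient_addresses(values):
    """Extract addresses from strings like '"Name" [SMTP:user@example.com]'."""
    out = []
    for v in values or []:
        m = SMTP_IN_BRACKETS.search(v)
        out.append((m.group(1) if m else v).strip().lower())
    return out


def audit_rule(rule):
    """Return why this rule deserves attention; an empty list means nothing notable."""
    if rule.get("Enabled") is False:
        return []  # disabled rules move no mail, but keep them as evidence
    findings = []
    forwards = (recipient_addresses(rule.get("ForwardTo"))
                + recipient_addresses(rule.get("RedirectTo"))
                + recipient_addresses(rule.get("ForwardAsAttachmentTo")))
    for addr in forwards:
        if addr.rpartition("@")[2] not in ORG_DOMAINS:
            findings.append(f"forwards to external address {addr}")
    if rule.get("DeleteMessage"):
        findings.append("deletes matching mail")
    # MoveToFolder looks like 'user:\Inbox\Vendors'; compare the leaf folder name.
    folder = (rule.get("MoveToFolder") or "").rsplit("\\", 1)[-1].lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves matching mail to '{folder}'")
    name = (rule.get("Name") or "").strip()
    if len(name) <= 2 or not any(c.isalnum() for c in name):
        findings.append(f"suspicious rule name {name!r}")
    if findings:  # keywords alone are normal; with exfiltration or hiding they show targeting
        watched = [w.lower() for w in (rule.get("SubjectContainsWords") or [])
                   + (rule.get("BodyContainsWords") or [])]
        hits = sorted({w for w in watched if any(term in w for term in WATCH_WORDS)})
        if hits:
            findings.append(f"targets threads matching {hits}")
    return findings


def audit_export(json_text):
    """Map rule name -> findings for every rule an analyst should look at."""
    report = {}
    for rule in json.loads(json_text):
        findings = audit_rule(rule)
        if findings:
            report[rule.get("Name", "<unnamed>")] = findings
    return report


# Constructed export: one legitimate rule, two that match the post-compromise pattern.
SAMPLE_EXPORT = json.dumps([
    {"Name": "Vendor invoices", "Enabled": True, "ForwardTo": None, "RedirectTo": None,
     "ForwardAsAttachmentTo": None, "DeleteMessage": False,
     "MoveToFolder": "user:\\Inbox\\Vendors", "SubjectContainsWords": ["invoice"],
     "BodyContainsWords": None},
    {"Name": ".", "Enabled": True,
     "ForwardTo": ["\"ap review\" [SMTP:ap.review@outlook-mail.example]"],
     "RedirectTo": None, "ForwardAsAttachmentTo": None, "DeleteMessage": True,
     "MoveToFolder": None, "SubjectContainsWords": ["wire", "payment", "invoice"],
     "BodyContainsWords": None},
    {"Name": "Hide IT alerts", "Enabled": True, "ForwardTo": None, "RedirectTo": None,
     "ForwardAsAttachmentTo": None, "DeleteMessage": False,
     "MoveToFolder": "user:\\RSS Feeds", "SubjectContainsWords": ["password", "new sign-in"],
     "BodyContainsWords": None},
])

if __name__ == "__main__":
    for name, findings in audit_export(SAMPLE_EXPORT).items():
        print(f"{name!r}: {'; '.join(findings)}")
```

The legitimate "Vendor invoices" rule also keys on a finance word, which is why the script reports keyword matches only alongside a forwarding, deletion or hiding action; on its own, a filing rule for invoices is exactly what an accounts-payable mailbox should have. Run this against every mailbox with payment authority on a schedule, and diff against the previous run so that a newly created rule stands out.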

Register lookalike domains. Proactively register common misspellings and variations of your primary domain so attackers cannot use them in spoofing campaigns, and monitor domain registration data and certificate transparency logs for new domains that closely resemble your brand. Defensive registration is never exhaustive, since the space of plausible variants is large, so treat it as a supplement to verification procedures rather than a substitute.

What should you do if a BEC attack succeeds?

Speed is critical. The first 24 hours after a BEC incident determine whether funds can be recovered and whether the compromise can be contained. Follow these steps in order, based on NIST SP 800-61r3 incident handling guidelines and FBI IC3 recommendations.

Immediate response (first 1 to 2 hours)

Contact your financial institution immediately and request a recall or freeze of the fraudulent transfer. Provide all transaction details, including the destination account, amount, and timestamp. Isolate the compromised email account: reset the password, revoke active sessions and refresh tokens, remove any MFA methods or devices the attacker may have registered, and enable MFA if it was not already active. Report the incident to the FBI's IC3 at ic3.gov. The IC3's Recovery Asset Team can initiate the Financial Fraud Kill Chain (FFKC) process to freeze funds at the receiving institution.

Short-term containment (hours 2 to 24)

Review the compromised account for unauthorized forwarding rules, delegated access, third-party application consents, and mailbox rules that redirect or delete incoming messages. Audit sign-in activity for access from unfamiliar IPs, locations, or devices. Search other accounts in the organization for the same indicators to determine whether the compromise spread. Preserve all evidence, including email headers, sign-in logs, the rules themselves, and the original fraudulent message.

Investigation and eradication (days 1 to 7)

Conduct a thorough review of all email accounts with financial authority. Notify vendors, clients, or partners who may have been targeted through the compromised account. Engage legal counsel to assess disclosure obligations, particularly if sensitive data was exposed. Coordinate with your cybersecurity insurance provider if applicable.

Recovery and improvement

Update payment verification procedures based on lessons learned. Conduct a blameless post-incident retrospective with all stakeholders. Implement additional technical controls identified during the investigation. Provide targeted training for affected employees and their teams.

The FBI's IC3 Recovery Asset Team froze over $561 million in fraudulent transfers in 2024, with a 66% success rate. Recovery is possible, but only when organizations act within hours.

Frequently Asked Questions about Business Email Compromise

What is the difference between BEC and phishing?

Phishing is a broad category of email-based attacks that typically use malicious links or attachments to steal credentials or deliver malware at scale. BEC is a targeted subset that relies on impersonation and social engineering rather than technical payloads. BEC emails usually contain no links or attachments, making them harder for traditional security filters to detect. The FBI tracks them as separate categories: phishing generated 193,407 complaints in 2024, while BEC generated 21,442, but BEC losses ($2.77 billion) far exceeded phishing losses ($70 million).

Who is most at risk for BEC attacks?

Employees with financial authority are the primary targets: finance teams, accounts payable, HR and payroll administrators, and executive assistants. Organizations of all sizes are targeted, but small businesses, nonprofits, and freelancers face disproportionate risk because they often lack formal verification procedures and dedicated security resources. The AFP's 2025 survey found that 63% of organizations experienced BEC in 2024.

Can email filters stop BEC attacks?

Traditional spam filters and secure email gateways struggle to detect BEC because these attacks contain no malicious payloads. There is no malware, suspicious link, or dangerous attachment to flag. Advanced email security tools that use behavioral analysis, sender reputation modeling, and AI-powered anomaly detection are significantly more effective at identifying BEC. These tools analyze communication patterns rather than content signatures.

What should I do if I suspect a BEC email?

Do not respond to the email or take any financial action. Verify the request through a separate communication channel by contacting the purported sender at a previously known phone number. Report the suspicious email to your IT security team. If a payment has already been made, contact your financial institution immediately and report to the FBI's IC3 at ic3.gov.

How does BEC relate to wire fraud?

BEC is the most common method used to initiate wire fraud. The FBI has noted that real estate transactions, vendor payments, and payroll are the most frequent contexts for BEC-driven wire fraud. Once a fraudulent wire transfer is executed, funds are typically moved through multiple international accounts within hours, making recovery time-sensitive and often difficult. The IC3 classifies BEC as a standalone crime category due to its scale and financial impact.

Executive summary: what you need to know about BEC

Business email compromise is a targeted email scam that cost organizations $2.77 billion in 2024 according to the FBI. Attackers impersonate executives, vendors, or attorneys to trick employees into making unauthorized wire transfers or sharing sensitive data. BEC uses no malware and no malicious links, making it invisible to traditional email filters.

BEC works through a five-step process: target research, email compromise or spoofing, trust establishment, the fraudulent request, and funds extraction. The attack exploits human trust and procedural gaps rather than technical vulnerabilities.

Prevention requires three fundamental controls: email authentication (SPF, DKIM, DMARC at enforcement), out-of-band verification for all payment changes, and dual authorization for financial transactions. If a BEC attack succeeds, contact your bank and the FBI's IC3 immediately. Recovery is possible but only within a narrow time window.

The organizations most vulnerable to BEC are those that rely on email for financial transactions without independent verification procedures. The organizations most resilient against BEC are those that enforce verification as a non-negotiable step in every payment workflow, regardless of who initiates the request.


Sources

FBI Internet Crime Complaint Center, 2024 Annual Report (ic3.gov)
FBI, "Business Email Compromise" (fbi.gov)
FBI IC3 Public Service Announcement, "Business Email Compromise: The $55 Billion Scam" (ic3.gov, September 2024)
NIST Special Publication 800-177 Rev. 1, Trustworthy Email (nist.gov)
NIST SP 800-61 Rev. 3, Incident Response Recommendations and Considerations for Cybersecurity Risk Management (nist.gov)
IRS, Dirty Dozen Tax Scams for 2025 (irs.gov)
CISA, "Business Email Compromise Continues to Swindle and Defraud U.S. Businesses" (cisa.gov)
Association for Financial Professionals, 2025 Fraud and Control Survey Report
Orion S.A., SEC Filing, August 12, 2024
CIS, "Security Primer: Business Email Compromise" (cisecurity.org)


AI-powered protection, zero data collection. That's the Ṣọ promise. soemailsecurity.com