BEC is the highest-dollar cybercrime category in the world — and most business owners have never heard of it.
Ransomware gets the press coverage. It’s dramatic: files encrypted, countdown timers, ransom demands in cryptocurrency. Business email compromise is quieter, harder to detect, and by the FBI’s own accounting, has caused significantly more financial damage globally than ransomware every year for the past several years. The difference is that BEC losses often don’t make the news — they make the bank reconciliation.
Business email compromise is an attack where criminals impersonate a trusted party — an executive, a vendor, a client, a law firm, a bank — to manipulate someone into sending money or sensitive information to the wrong place. No encryption. No malware (usually). Just a convincing email and a moment of rushed decision-making.
The FBI’s Internet Crime Complaint Center reported over $2.9 billion in BEC losses in a single recent year in the United States alone. The real number is higher, because most BEC losses go unreported. A wire transfer sent to the wrong account is often unrecoverable. Banks have limited obligation to reverse transactions that the account holder authorized — even if that authorization was obtained through fraud.
CEO fraud / executive impersonation. An email appears to come from the CEO, CFO, or another senior executive — often with a spoofed address that looks nearly identical to the real one — asking an employee to wire funds urgently, purchase gift cards, or change payment account details. The urgency is deliberate: it bypasses the mental process that would otherwise trigger a verification call.
Vendor invoice fraud. An attacker compromises or impersonates a vendor’s email account and sends an invoice with updated banking details. The business pays what looks like a legitimate invoice to an account controlled by the attacker. This one often goes undetected for weeks — until the real vendor calls asking why their payment is overdue.
Payroll diversion. An employee — or someone impersonating one — submits a request to HR or payroll to update direct deposit information. The next payroll cycle sends the employee’s wages to the attacker’s account. The employee often doesn’t notice until payday.
Attorney / legal impersonation. An email impersonating a law firm or legal representative requests wire transfers related to a transaction, acquisition, or settlement. The legal framing creates urgency and discourages verification.
Account compromise BEC. Unlike the above patterns, which often use spoofed emails, this variant involves actually compromising a legitimate email account and using it to conduct the fraud. The emails come from the real account, pass all authentication checks, and are nearly impossible to detect without behavioral monitoring. This is why MFA on email accounts is so critical — it’s the primary control that prevents account compromise.
BEC exploits human psychology more than technical vulnerabilities. The attacks are designed around:
Modern BEC emails are increasingly written with AI assistance — which means the grammatical errors and awkward phrasing that used to signal fraud are disappearing. A BEC email today can be indistinguishable from a legitimate one without technical controls to verify it.
Email authentication (SPF, DKIM, DMARC). These standards verify that an email actually came from the domain it claims to be from. Properly configured, they block the spoofed-domain attacks that make up the majority of CEO fraud and vendor impersonation. Many businesses, and even more of their vendors, still don't have these configured correctly. We audit and configure them as part of our Microsoft 365 security hardening.
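As an added example (not from the original post), a small Python check that reads a published DMARC TXT record and flags the settings that still let spoofed mail be delivered; the two records and the mailto address are constructed, and "properly configured" here means p=reject applied to 100% of mail with reporting turned on:

```python
"""Rate how much protection a published DMARC record actually gives.
Added example, not from the original article; the records are constructed."""
from dataclasses import dataclass, field

# Constructed records: a monitor-only record beside a hardened one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc@example.invalid")

@dataclass
class DmarcAssessment:
    policy: str
    subdomain_policy: str
    pct: int
    findings: list = field(default_factory=list)  # empty means no weakening setting

    @property
    def blocks_spoofing(self) -> bool:
        return not self.findings

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict; reject non-DMARC1 records."""
    tags = {}
    for part in record.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    return tags

def assess_dmarc(record: str) -> DmarcAssessment:
    """Flag settings that leave spoofed mail deliverable despite a DMARC record."""
    tags = parse_dmarc(record)
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to the p value
    pct = int(tags.get("pct", "100"))
    result = DmarcAssessment(policy, sub_policy, pct)
    if policy == "none":
        result.findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        result.findings.append("p=quarantine junks spoofs instead of rejecting them")
    if sub_policy == "none":
        result.findings.append("sp=none leaves subdomains spoofable")
    if pct < 100:
        result.findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        result.findings.append("no rua address: no reports on who is spoofing the domain")
    return result
```

The same check can be run against a live domain by feeding it the TXT record returned for `_dmarc.<domain>`; a record that publishes p=none is the common "we have DMARC" misconception this section is about.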
Multi-factor authentication on all email accounts. Account compromise BEC requires access to a legitimate email account. MFA is the primary barrier. Microsoft’s own data shows MFA blocks over 99% of automated credential-based account takeover attacks. An account protected by MFA is not impossible to compromise, but it’s dramatically harder.
Email filtering with impersonation detection. Modern email security platforms can detect near-domain spoofs (nerds-quad.net vs nerdsquad.net), display name spoofs (an email from "Jeff Martin" that actually originates from a Gmail account), and behavioral anomalies like an executive’s account suddenly emailing finance about a wire transfer at 11 PM.
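The three detections just described, as an added Python example that is not from the original post: a lookalike-domain check, an executive display name arriving from an external domain, and a payment request outside business hours. The executive name, the sample messages and the business-hours window are constructed; nerdsquad.net is the domain the article itself uses.

```python
"""Flag the impersonation patterns described above in parsed email headers.
Added example, not from the original article; names and messages are constructed,
nerdsquad.net is the article's own lookalike example."""
from datetime import datetime
from difflib import SequenceMatcher
from email.utils import parseaddr

PROTECTED_DOMAIN = "nerdsquad.net"
EXECUTIVES = {"jeff martin"}            # constructed display names to protect
PAYMENT_WORDS = ("wire", "transfer", "payment", "bank", "invoice")
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 local time

SAMPLE_MESSAGES = [  # constructed: legitimate, lookalike-domain, display-name spoof
    {"from": "Jeff Martin <jeff.martin@nerdsquad.net>", "subject": "Q3 planning",
     "body": "Agenda attached.", "date": "2024-05-06T10:15:00"},
    {"from": "Jeff Martin <jeff.martin@nerds-quad.net>", "subject": "Urgent wire",
     "body": "Need a wire transfer sent before noon.", "date": "2024-05-06T23:05:00"},
    {"from": "Jeff Martin <jeffmartin1234@gmail.com>", "subject": "Quick favor",
     "body": "Are you at your desk?", "date": "2024-05-06T14:00:00"},
]

def lookalike(domain: str, protected: str = PROTECTED_DOMAIN) -> bool:
    """True when the domain is not the protected one but is a near miss of it."""
    if domain == protected:
        return False
    # nerds-quad.net collapses to nerdsquadnet, the same as the real domain;
    # the similarity ratio then catches single-character typo squats.
    if domain.replace("-", "").replace(".", "") == protected.replace(".", ""):
        return True
    return SequenceMatcher(None, domain, protected).ratio() >= 0.9

def flag_message(msg: dict) -> list:
    """Return the reasons a message looks like BEC; an empty list means clean."""
    name, addr = parseaddr(msg["from"])
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    if lookalike(domain):
        reasons.append(f"lookalike sender domain {domain}")
    if name.lower() in EXECUTIVES and domain != PROTECTED_DOMAIN:
        reasons.append(f"executive display name '{name}' from external domain {domain}")
    text = (msg["subject"] + " " + msg["body"]).lower()
    if any(word in text for word in PAYMENT_WORDS):
        sent = datetime.fromisoformat(msg["date"])
        if sent.hour not in BUSINESS_HOURS:
            reasons.append(f"payment request at {sent:%H:%M}, outside business hours")
    return reasons
```

Commercial filters weight these signals against a sender's history rather than treating each hit as a verdict; the point here is that none of the three checks needs the message body to be badly written, which is why they still work against AI-polished lures.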
Endpoint detection. When account compromise is the attack vector, EDR on the compromised device and behavioral monitoring on the account can catch the attacker’s activity — unusual login locations, abnormal email access patterns, mail forwarding rules created during the compromise — before the fraud is executed.
Security awareness training. The human layer matters enormously for BEC specifically. Training employees to verify wire transfer requests by phone (not by replying to the email), to recognize display name spoofs, and to be suspicious of any urgent payment request that bypasses normal process reduces the success rate of attacks that get past technical controls. See Security Awareness Training: The Compliance Requirement That Actually Works.
Speed is everything. If funds have been wired to a fraudulent account, contact your bank immediately — within hours, not days. Many banks can initiate a recall process if contacted quickly enough. The FBI’s Internet Crime Complaint Center (IC3) has a financial fraud kill chain process for BEC incidents that has recovered funds in some cases when reported fast enough. After 72 hours, recovery probability drops sharply.
Report the incident to law enforcement, notify your cyber insurance carrier, and preserve all emails related to the fraud for the investigation. Do not delete anything.
BEC protection is part of the email security and Zero Trust Cybersecurity stack we deploy for managed IT clients. Email authentication configuration, MFA enforcement, impersonation detection, and security awareness training are standard. For financial services clients with elevated wire transfer exposure, we work with firms to implement additional verification procedures for payment instructions that fall outside normal patterns.
For regulated industries, BEC incidents that compromise client financial data or account credentials may trigger notification requirements under GLBA, SEC/FINRA, or state breach notification laws. Our incident response process covers this documentation automatically.