What Is Business Email Compromise (BEC) and How to Stop It
The Scam That Costs Small Businesses More Than Any Other Cyberattack
Business Email Compromise — BEC — is the highest-loss cybercrime category tracked by the FBI. In 2024, BEC attacks caused over $2.9 billion in verified losses in the United States alone, and the actual figure is believed to be significantly higher due to underreporting. Unlike ransomware or data breaches, BEC attacks often leave no malware trace, require no technical sophistication to execute, and target human judgment rather than technical vulnerabilities.
The mechanics are straightforward: an attacker impersonates a trusted party — the CEO, a vendor, an attorney, a bank — via email and convinces someone in your organization to wire money, change payment details, or share sensitive information. By the time the fraud is discovered, the money is gone. Wire transfers to overseas accounts are rarely recoverable.
Small businesses are disproportionately targeted because they lack the financial controls, verification procedures, and security awareness training of larger organizations. A two-person accounting team processing payments without a secondary approval step is exactly the target profile attackers seek.
The Four Most Common BEC Attack Types
1. CEO Fraud (Executive Impersonation)
An attacker impersonates the CEO or another senior executive via email, targeting someone in finance or accounting. The email typically creates urgency — a time-sensitive acquisition, a confidential vendor payment, a board matter that cannot wait for normal procedures. The target is pressured to wire funds quickly without following standard approval processes.
Red flags: email from CEO with urgency to bypass normal procedures, request for secrecy (“do not discuss this with anyone”), wire to an unfamiliar account, email sent from a slightly different domain than the real executive’s address.
2. Vendor Invoice Fraud
An attacker compromises a vendor’s email account — or creates a convincing fake — and sends modified invoices directing payment to a different bank account. The invoice looks legitimate because the vendor relationship is real and the invoice details match previous transactions. Only the payment routing information is changed.
This attack is particularly effective because it exploits an established trust relationship and does not require social engineering to create urgency — paying invoices is a normal business activity.
3. Account Compromise
An attacker gains access to a real employee’s email account — through phishing, credential theft, or password reuse — and uses it to send fraudulent requests to colleagues, vendors, or customers. Because the emails come from a legitimate account, traditional email security filters do not flag them.
4. Attorney or Legal Impersonation
An attacker impersonates an attorney or legal representative, typically during a merger, acquisition, or legal settlement. The target is told the payment is confidential and time-sensitive for legal reasons. The perceived authority and urgency of a legal matter bypass normal skepticism.
Why BEC Attacks Succeed: The Psychology
BEC attacks succeed because they exploit psychological principles that override careful thinking:
- Authority: Requests from the CEO or an attorney carry implied authority that discourages questioning.
- Urgency: Time pressure prevents careful verification — if payment must happen in the next two hours, there is no time to confirm through normal channels.
- Secrecy: Instructions not to discuss the transaction with others prevent the informal verification that catches many scams.
- Familiarity: A modified vendor invoice or an executive’s familiar name on the email creates a false sense of legitimacy.
How to Protect Your Business From BEC Attacks
Establish a Voice Verification Requirement for Wire Transfers
The single most effective BEC prevention measure is a policy requiring voice verification for any wire transfer request, any change to vendor banking information, and any payment above a defined threshold. Call the requestor back using a phone number on file — not the number provided in the email. A two-minute phone call eliminates virtually all BEC attempts because an attacker cannot impersonate the real requestor's voice on a call you place to a number already on file.
This policy must be enforced without exceptions — including when the “CEO” insists the call is unnecessary due to time pressure. Urgency is a manipulation tactic. Legitimate urgent transactions can wait for a two-minute verification call.
Implement Dual Authorization for Payments
Require two separate employees to authorize any wire transfer or ACH payment above a minimum threshold. This removes the single point of failure that BEC attacks exploit — one person cannot be manipulated into completing a fraudulent transaction alone.
Enable Email Authentication Protocols
Configure SPF, DKIM, and DMARC on your email domain. These protocols prevent attackers from sending emails that appear to come from your domain — significantly reducing the success rate of attacks that impersonate your executives to external parties. Your email provider or IT support can configure these — they are not complex to implement and most business email platforms support them natively.
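The practical check behind this advice is whether the published records actually enforce anything. A DMARC record of `p=none` only asks for reports, and an SPF record ending in `?all` or `+all` tells receivers nothing useful. The script below is an added example, not part of the original article: it parses constructed SPF and DMARC TXT records offline (no DNS lookup is performed; `companyname.com`, `spf.mailhost.example` and the two record sets are assumptions made for the example) and lists the settings that would still let spoofed mail through. Real records for your own domain can be fetched with `dig +short TXT _dmarc.yourdomain` and `dig +short TXT yourdomain` and fed to the same functions.

```python
"""Assess SPF and DMARC TXT records for settings that still allow spoofed mail."""
import re

# Constructed records for the hypothetical domain companyname.com:
# the weak configuration beside the hardened one.
WEAK_RECORDS = {
    "spf": "v=spf1 include:spf.mailhost.example ?all",   # '?all' is neutral: no verdict
    "dmarc": "v=DMARC1; p=none",                          # monitoring only, nothing blocked
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:spf.mailhost.example -all",   # '-all' hard-fails unlisted senders
    "dmarc": ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
              "rua=mailto:dmarc-reports@companyname.com"),
}


def parse_dmarc(txt):
    """Split a DMARC record into its tag=value pairs (tag names are case-insensitive)."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_all_qualifier(txt):
    """Return the qualifier on the terminal 'all' mechanism ('+', '-', '~', '?') or None if absent."""
    match = re.search(r"(?:^|\s)([+\-~?]?)all(?:\s|$)", txt)
    if not match:
        return None
    return match.group(1) or "+"      # a bare 'all' means '+all'


def assess_records(spf, dmarc):
    """Return finding labels for a domain's SPF and DMARC records; empty means enforcing."""
    findings = []
    if not spf or not spf.lower().startswith("v=spf1"):
        findings.append("spf_missing")
    else:
        qualifier = spf_all_qualifier(spf)
        if qualifier is None or qualifier == "+":
            findings.append("spf_all_permissive")
        elif qualifier == "?":
            findings.append("spf_all_neutral")

    if not dmarc or not dmarc.upper().startswith("V=DMARC1"):
        findings.append("dmarc_missing")
        return findings
    tags = parse_dmarc(dmarc)
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("dmarc_policy_none")
    elif policy == "quarantine":
        findings.append("dmarc_policy_quarantine")
    elif policy != "reject":
        findings.append("dmarc_policy_invalid")
    if "rua" not in tags:
        findings.append("dmarc_no_aggregate_reports")   # you cannot see who is spoofing you
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        findings.append("dmarc_partial_enforcement")
    # Subdomain policy defaults to the domain policy when 'sp' is absent.
    if tags.get("sp", policy).lower() != "reject":
        findings.append("dmarc_subdomain_policy_weak")
    return findings


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, assess_records(records["spf"], records["dmarc"]))
```

Moving from `p=none` to `p=reject` should only happen after the aggregate reports (`rua`) show that every legitimate sending service, including invoicing and marketing platforms, passes SPF or DKIM alignment; otherwise your own mail gets rejected.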
Train Employees to Recognize the Red Flags
BEC awareness training should specifically cover:
- Checking the actual sender email address — not just the display name
- Recognizing domain lookalikes — “companynamee.com” vs “companyname.com”
- Treating urgency and secrecy in payment requests as red flags, not reasons to comply faster
- Never changing vendor payment information based on an email alone — always verify by phone
- Understanding that it is always acceptable to slow down and verify, regardless of how senior the requestor appears to be
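The first two items in that list can be automated on the mail gateway or in a SOC triage script. The following is an added example, not code from the original article: it takes a raw `From:` header, separates the display name from the real address, and reports the red flags described above. `companyname.com`, the executive directory entry for "Jane Doe", and the four sample headers are constructed for the example; the lookalike test uses edit distance and a non-ASCII check, so it catches both `companynamee.com` and a domain with a substituted Unicode character.

```python
"""Check the real sender address behind a From: header for common BEC red flags."""
from email.utils import parseaddr

# Constructed values: your own domains and an executive directory keyed by lowercase name.
TRUSTED_DOMAINS = {"companyname.com"}
KNOWN_EXECUTIVES = {"jane doe": "jane.doe@companyname.com"}
# A few well-known free webmail domains; extend as needed.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Constructed sample headers: one legitimate, three using the tricks listed above.
SAMPLE_FROM_HEADERS = [
    '"Jane Doe (CEO)" <jane.doe@companyname.com>',
    '"Jane Doe (CEO)" <jane.doe@companynamee.com>',
    '"Jane Doe (CEO)" <ceo.companyname@gmail.com>',
    '"jane.doe@companyname.com" <urgent.request@mail-relay.example>',
]


def levenshtein(a, b):
    """Edit distance, used to catch domains that differ by a character or two."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_red_flags(from_header):
    """Return a list of red-flag labels for one From: header (empty means none found)."""
    display, addr = parseaddr(from_header)
    addr = addr.lower()
    local, _, domain = addr.rpartition("@")
    flags = []
    if domain in TRUSTED_DOMAINS:
        # Genuinely our domain; SPF/DKIM/DMARC results decide whether to trust it.
        return flags
    if any(ord(ch) > 127 for ch in domain):
        flags.append("non_ascii_domain")
    ascii_domain = "".join(ch for ch in domain if ord(ch) < 128)
    for trusted in TRUSTED_DOMAINS:
        # We only get here when the domain is not trusted, so distance 0 means
        # a non-ASCII character was substituted into an otherwise identical name.
        if levenshtein(ascii_domain, trusted) <= 2:
            flags.append("lookalike_domain")
        label = trusted.split(".")[0]
        if domain in FREE_WEBMAIL and (label in local or label in display.lower()):
            flags.append("company_name_on_free_webmail")
    for name, real_address in KNOWN_EXECUTIVES.items():
        if name in display.lower() and addr != real_address:
            flags.append("executive_name_with_foreign_address")
    if "@" in display:
        # Display name is itself an address, hoping the reader never sees the real one.
        flags.append("address_in_display_name")
    return flags


def triage_headers(headers):
    """Map each header to its flags; a quick batch check for a gateway or SOC script."""
    return {header: sender_red_flags(header) for header in headers}


if __name__ == "__main__":
    for header, flags in triage_headers(SAMPLE_FROM_HEADERS).items():
        print(f"{'OK ' if not flags else 'BAD'} {header}  {flags}")
```

A clean result from this check is not proof of legitimacy: a compromised real account (attack type 3 above) passes every test here, which is why the voice-verification and dual-authorization controls remain the primary defense.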
Monitor for Email Account Compromise
Because account compromise BEC uses legitimate email accounts, detecting it requires monitoring for unusual behavior — emails sent from unusual locations or devices, forwarding rules set up to copy emails to external addresses, login attempts from unknown locations. Microsoft 365 and Google Workspace both include alerts for these behaviors in their security dashboards.
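The dashboard alerts mentioned above can be reproduced against an exported audit log. The script below is an added example, not code from the original article or from either vendor: it runs over a handful of constructed audit events (the event shape is simplified and loosely modeled on a mailbox audit export; real Microsoft 365 and Google Workspace exports have their own schemas, and `companyname.com`, the users and the IP addresses are assumptions) and raises an alert for inbox rules that forward or redirect mail outside the organization, rules that also delete the message, and activity from a country not previously seen for that user.

```python
"""Flag mailbox audit events that commonly indicate a compromised email account."""

INTERNAL_DOMAINS = {"companyname.com"}          # constructed: your own domains
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
FORWARDING_KEYS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

# Constructed audit events in a simplified shape; not a vendor's exact export format.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T08:02:11Z", "user": "ap.clerk@companyname.com",
     "op": "MailboxLogin", "ip": "203.0.113.7", "country": "US"},
    {"ts": "2024-05-01T08:05:40Z", "user": "ap.clerk@companyname.com",
     "op": "New-InboxRule", "ip": "198.51.100.23", "country": "NG",
     "params": {"Name": ".", "ForwardTo": "invoices.backup@webmail.example",
                "DeleteMessage": "True"}},
    {"ts": "2024-05-01T09:15:02Z", "user": "cfo@companyname.com",
     "op": "Set-InboxRule", "ip": "203.0.113.7", "country": "US",
     "params": {"Name": "Travel", "MoveToFolder": "Travel"}},
    {"ts": "2024-05-01T09:40:55Z", "user": "cfo@companyname.com",
     "op": "New-InboxRule", "ip": "203.0.113.7", "country": "US",
     "params": {"Name": "Archive", "RedirectTo": "cfo@companyname.com"}},
]


def is_external(address):
    """True when the address's domain is not one of ours."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def rule_findings(params):
    """Reasons an inbox-rule change looks like mail exfiltration; empty if benign."""
    reasons = []
    for key in FORWARDING_KEYS:
        target = params.get(key)
        if target and is_external(target):
            reasons.append(f"{key} to external address {target}")
    if reasons and params.get("DeleteMessage") == "True":
        reasons.append("rule also deletes the message, hiding replies from the owner")
    if params.get("Name", "").strip() in {"", ".", ","}:
        reasons.append("rule has an empty or single-character name")
    return reasons


def triage(events):
    """Return one alert per event that shows at least one suspicious signal."""
    alerts = []
    countries_seen = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        reasons = []
        if event["op"] in RULE_OPERATIONS:
            reasons.extend(rule_findings(event.get("params", {})))
        user, country = event["user"], event.get("country")
        known = countries_seen.setdefault(user, set())
        if country and known and country not in known:
            reasons.append(f"activity from new country {country}, previously {sorted(known)}")
        if country:
            known.add(country)
        if reasons:
            alerts.append({"ts": event["ts"], "user": user, "op": event["op"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert["ts"], alert["user"], alert["op"])
        for reason in alert["reasons"]:
            print("   -", reason)
```

The internal redirect for `cfo@companyname.com` and the move-to-folder rule produce no alert, which keeps the output focused on the pattern that matters for BEC: a rule that silently copies the victim's inbound mail to an outside mailbox, created shortly after a sign-in from somewhere new.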
What to Do If You Suspect a BEC Attack
- Contact your bank immediately if a fraudulent wire has been initiated — they can sometimes recall or freeze the transfer before it is processed.
- File a complaint with the FBI’s Internet Crime Complaint Center (IC3) at ic3.gov — BEC losses are tracked and some recoveries have been made through FBI coordination with financial institutions.
- Notify your cyber insurer — BEC losses are covered under many cyber insurance policies under social engineering or funds transfer fraud coverage.
- Preserve all email records — do not delete anything, even if the emails are embarrassing. They are evidence.
Bottom Line
Business Email Compromise is the most financially damaging cyberattack category targeting small businesses — and it requires no technical sophistication to execute or prevent. A mandatory voice verification policy for wire transfers and payment changes, dual authorization requirements, and focused employee training on BEC red flags eliminate the vast majority of BEC risk at effectively zero cost. Implement these controls before the next invoice email arrives.