
Business email compromise (BEC) is a targeted cyberattack where criminals impersonate executives, vendors, or employees to steal money or data. The FBI’s 2024 Internet Crime Report shows BEC caused over $2.7 billion in losses last year.
We’ve prepped this guide exploring:
- How BEC differs from mass phishing
- Response steps when you suspect an attack
- Why BEC scams bypass email authentication
- Five attack variants targeting finance and HR teams
- Protection strategies across training, process, and technology
The financial damage extends beyond stolen funds — companies face investigation costs, regulatory penalties, and customer trust erosion. Let’s explore this in more detail.
TLDR: Business email compromise
Here is a quick rundown of our article:
| Concept | Key details |
| --- | --- |
| What is BEC? | Targeted email attacks impersonating trusted contacts to manipulate wire transfers or steal sensitive data |
| How it works | Criminals research your organization, spoof domains or compromise accounts, then send urgent requests exploiting authority |
| Primary targets | Finance staff, HR departments, executives, and new hires in manufacturing, healthcare, real estate, and retail |
| Detection difficulty | Plain text emails with no links or attachments, passing authentication checks with perfect grammar |
| Financial impact | Average data breach costs hit $4.88M (IBM); BEC-specific losses typically range $100K–$300K per incident |
| Best protection | Multi-factor authentication, out-of-band verification for financial requests, regular BEC training, DMARC enforcement |
What is business email compromise (BEC)?
Business email compromise is social engineering targeting organizations through impersonation of trusted contacts. Unlike mass phishing blasting thousands of generic emails, BEC attackers invest weeks researching company structure, payment processes, and key personnel.
The goal is money. Attackers manipulate wire transfers, redirect payroll deposits, or trick finance teams into paying fraudulent invoices.
Gen Digital’s Q1 2025 Threat Report documented a 466% surge in phishing scams (many involving AI-generated content), making these attacks linguistically flawless.
BEC exploits basic psychology. When your CFO — or someone impersonating them — sends an urgent request marked confidential, most employees comply without questioning. IBM’s 2024 Cost of a Data Breach Report pegs the average breach at $4.88 million when factoring in investigation expenses and legal fees.
How does BEC differ from traditional phishing?
Three factors distinguish BEC from mass phishing: targeting precision, sophistication level, and financial impact.
| Factor | Business Email Compromise | Traditional Phishing |
| --- | --- | --- |
| Target selection | Specific finance, HR, or executive roles | Mass distribution to random addresses |
| Research investment | Weeks studying organizational structure | Minimal or none |
| Email volume | One to five crafted messages | Thousands to millions sent simultaneously |
| Detection rate | Extremely low (no malicious links/attachments) | Higher due to bulk patterns |
| Average financial loss | Typically $100K–$300K per incident | $500 to $5,000 per victim |
| Success mechanism | Authority exploitation and urgency | Fear, curiosity, or technical vulnerabilities |
BEC attackers study LinkedIn profiles to understand reporting structures, monitor out-of-office replies to time their attacks, and analyze public financial filings to understand payment cycles.
What are the most common BEC attack types?
BEC manifests in distinct variants, each targeting different vulnerabilities.
CEO fraud and executive impersonation
Attackers impersonate your CEO, CFO, or C-level executive, sending urgent requests to finance staff or executive assistants. Studies show executive impersonation appears in roughly 40% of BEC attempts within certain datasets.
The psychology is straightforward — employees rarely question direct leadership requests, especially when marked urgent or confidential.
FACC, an Austrian aerospace manufacturer, lost approximately €42 million in 2016 when attackers impersonated their CEO. Ubiquiti Networks lost $46.7 million the same year to a nearly identical scheme.
Invoice scams and vendor fraud
Attackers pose as suppliers your company regularly pays and send invoices with “updated” banking details. Finance departments process these routinely because the vendor name, invoice format, and amounts match historical patterns.
Facebook and Google both fell victim between 2013 and 2015, losing over $100 million combined to a Lithuanian scammer who sent fake invoices mimicking legitimate vendors.
Account compromise (email account takeover)
Attackers compromise real email accounts through stolen credentials or malware.
Once inside, they monitor email threads for weeks, learning communication patterns and waiting to inject fraudulent requests into ongoing conversations.
This is particularly dangerous because emails come from legitimate addresses that pass all authentication checks.
Attorney and legal impersonation
Scammers impersonate lawyers or legal advisors, pressuring employees into urgent payments related to settlements, acquisitions, or regulatory matters. The legal jargon and implied consequences create fear, overriding normal verification procedures.
Payroll diversion and data theft
Some attacks target HR departments to redirect employee paychecks or steal W-2 forms and personal information. Snapchat lost payroll data for 700 employees in 2016 when a phishing email impersonating the CEO tricked an HR employee.
How do BEC attacks work?
BEC attacks follow a predictable lifecycle. Understanding this progression helps you spot attacks early.
Attackers begin with reconnaissance — studying your company website, employee LinkedIn profiles, and publicly available financial information. They’re hunting for organizational structure, payment processes, and personal details that make their impersonation believable.
Next comes the technical setup. Attackers either:
- Spoof email headers to forge sender addresses
- Deploy malware to compromise legitimate accounts
- Register lookalike domains (replacing one letter, or using “rn” to mimic “m”)
Domain registration costs under $20, making this accessible worldwide.
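A defender-side check for the lookalike-domain trick described above, as an added example that is not part of the original article: it folds visually confusable sequences such as “rn” for “m”, catches a swapped TLD, and catches a one-character typo. TRUSTED_DOMAINS is a constructed sample list; the registrable-domain helper is deliberately crude and does not use the Public Suffix List.

```python
# Added example (not from the original article): flag inbound sender domains
# that imitate a trusted domain, including the "rn" -> "m" swap named above.
# TRUSTED_DOMAINS is a constructed sample; a real deployment would load the
# organization's own domains plus its vendors' and partners' domains.
from difflib import SequenceMatcher

TRUSTED_DOMAINS = ["example.com", "examplevendor.com"]  # constructed sample

# Character sequences attackers commonly swap for a visually similar one.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

def fold_confusables(domain: str) -> str:
    """Collapse look-alike sequences so 'exarnple.com' becomes 'example.com'."""
    folded = domain.lower()
    for fake, real in CONFUSABLES.items():
        folded = folded.replace(fake, real)
    return folded

def registrable(domain: str) -> str:
    """Crude registrable-domain extraction: keep the last two labels.
    (A production check would consult the Public Suffix List instead.)"""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])

def lookalike_of(sender_domain: str, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain a sender domain imitates, or None when the
    sender is either genuinely trusted or simply unrelated."""
    cand = registrable(sender_domain)
    if cand in trusted:
        return None                                   # legitimate domain
    for good in trusted:
        # Same name once confusable characters are folded (exarnple vs example)
        if fold_confusables(cand) == fold_confusables(good):
            return good
        # Same second-level label on a different TLD (example.co vs example.com)
        if cand.split(".")[0] == good.split(".")[0]:
            return good
        # One typo or transposition away (exampel.com vs example.com)
        if SequenceMatcher(None, cand, good).ratio() >= threshold:
            return good
    return None

if __name__ == "__main__":
    for sender in ["cfo@billing.exarnple.com", "ap@example.co", "ceo@example.com"]:
        print(sender, "->", lookalike_of(sender.split("@")[1]))
```

Because the check runs on the registrable domain, a subdomain of a trusted domain is still trusted while a subdomain of a lookalike is still flagged.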

The actual launch requires patience. Criminals wait for opportune moments — when your CEO is traveling overseas, when major deals are closing, or right before long weekends.
Let’s walk through an example. Imagine your finance director receives an email from what appears to be the CEO’s address requesting an urgent wire transfer for a vendor payment.
The email references a real project, uses your CEO’s typical sign-off, and includes plausible details.
The finance director initiates the transfer. By the time anyone realizes the CEO never sent that email, money has moved through multiple accounts across countries.
Money movement happens fast. Attackers use networks of “money mules” to layer transactions across jurisdictions. Within hours, your wire transfer gets split, converted to cryptocurrency, or moved to countries with weak financial enforcement. Verizon’s 2024 Data Breach Investigations Report found 68% of breaches involve a human element.
Why is BEC so difficult to detect?
Traditional email security fails against BEC because these attacks don’t look like attacks. They contain no malicious code, no suspicious links, no infected attachments — just text reading exactly like legitimate business correspondence.
Consider what spam filters detect:
- Bulk sending patterns
- Known malicious URLs
- Suspicious attachments
- Keyword combinations associated with scams
BEC emails trigger none of these alerts. Attackers send one or two messages, include no URLs or attachments, and use business language rather than spam keywords.
Authentication protocols like SPF, DKIM, and DMARC help prevent domain spoofing, but many successful BEC attacks never need to bypass them. When attackers compromise legitimate accounts or use lookalike domains that don’t claim to be your domain, authentication checks pass.
Generative AI eliminated the last reliable detection method — bad grammar. For years, security training taught employees to watch for linguistic mistakes. Gen Digital’s research documented a 466% increase in phishing scams during Q1 2025, with AI driving much of this surge.
These AI-crafted emails are linguistically flawless, matching tone, vocabulary, and individual writing quirks.
What does BEC cost businesses?
The FBI’s Internet Crime Complaint Center reports BEC caused over $2.7 billion in losses during 2024. Since 2013, cumulative losses exceed $50 billion globally. Individual incident costs vary:
| Category | Typical financial impact |
| --- | --- |
| Small businesses | $50,000–$150,000 per incident |
| Enterprises | Millions per incident |
| Crelan Bank (2016 whaling attack) | €70 million |
| Toyota Boshoku (2019 BEC fraud) | $37 million |
Beyond stolen funds, companies face investigation expenses, legal fees, and regulatory fines. IBM’s 2024 Cost of a Data Breach Report found that the average breach costs organizations $4.88 million across all breach types.
Recovery rates prove disappointing. If you act within hours and your bank freezes the receiving account before funds move, you might recover 60–80% of stolen money (approximate benchmarks from recovery teams). If you wait 24 hours, recovery drops significantly. After three days, recovery becomes nearly impossible.
Certain industries face disproportionate targeting:
- Financial services (massive potential payoffs)
- Real estate and construction (large sums for property transactions)
- Healthcare (patient data and significant accounts payable volumes)
- Nonprofits and education (limited security budgets, access to donor funds)
- Manufacturing and supply chain (large vendor payments, complex supplier networks)
Who do attackers target in BEC campaigns?
According to Abnormal Security research, organizations with 50,000+ employees face nearly 100% weekly probability of encountering BEC attempts, while companies with fewer than 1,000 employees still face approximately 70% weekly probability (these percentages come from specific vendor research datasets). Smaller organizations suffer disproportionate damage because they typically lack dedicated security teams and formal verification protocols.

BEC attacks focus on specific roles controlling money or sensitive data. Here are some high-risk roles:
Finance departments
Finance departments — accounts payable staff, controllers, and finance directors — have authorization to initiate wire transfers. New hires in finance roles face especially high risk during their first 90 days.
HR departments
HR departments hold valuable personal data: Social Security numbers, bank account details, and W-2 forms. During tax season, attacks spike as criminals seek W-2 information for fraudulent tax returns.
Executives
Executives and assistants get targeted both directly and through impersonation. Executive assistants often have discretionary spending authority and handle confidential matters.
IT administrators
IT administrators face targeting because compromising their accounts provides elevated access to email systems, allowing attackers to monitor communications and modify security settings.
Entry-level employees
Entry-level employees and contractors are vulnerable because they may not know company procedures well enough to recognize when something’s off.
How do you protect your organization from BEC?
Effective BEC defense requires coordinated effort across training, process, and technology.
Security awareness training
Generic annual security training fails against BEC. You need ongoing, role-specific training focusing on psychological manipulation techniques.
Start with BEC-specific simulations:
- Fake HR requests for employee information
- Fake CEO fraud emails requesting gift cards
- Fake vendor invoices with updated banking details
Train employees to recognize specific red flags:
- Grammar or tone feels slightly off
- Unusual urgency or demands for secrecy
- Emails sent outside normal business hours
- Requests bypassing normal approval processes
- Payment instructions differ from established procedures
- Requests for gift cards or wire transfers to unfamiliar accounts
Create a positive reporting culture where employees feel comfortable flagging suspicious emails without fear.
Verification protocols
Implement mandatory out-of-band verification for all financial requests deviating from normal patterns. If someone emails a wire transfer request, pick up the phone and call them using a number you already have on file (never use contact information from the email).
Establish clear thresholds triggering multi-person approval. Any wire transfer above $10,000 should require a sign-off from two people in different departments. Any change to vendor payment details should require verification through multiple channels.
Create a mandatory waiting period for urgent requests. When an email demands immediate action, that urgency itself should trigger heightened scrutiny. Institute a policy that all “urgent” financial requests require a 2–4 hour cooling-off period.
Technical controls
Here are some technical controls that you must have in place:
Multi-factor authentication (MFA)
Multi-factor authentication (MFA) on all email accounts is non-negotiable. When attackers compromise credentials, MFA prevents them from accessing the account using just the password.
Email authentication protocols
Email authentication protocols (SPF, DKIM, DMARC) prevent attackers from spoofing your domain. Microsoft’s 2025 authentication mandate requires high-volume senders to implement these protocols — non-compliant emails get rejected or junked.
Secure email gateways (SEGs)
Secure email gateways (SEGs) use machine learning to analyze email behavior, flagging anomalies such as emails sent from unusual locations or requests that deviate from historical patterns.
User and entity behavior analytics (UEBA)
User and entity behavior analytics (UEBA) monitors email activity for unusual patterns. If your CFO suddenly starts sending wire transfer requests at 2 AM from a foreign IP address, UEBA tools flag this as suspicious.
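The kind of baseline-and-deviation logic the SEG and UEBA paragraphs above describe, as an added example that is not from the original article or any vendor product: it learns each sender’s usual send hours and source countries from earlier events, then raises an alert when a money-movement request breaks that baseline (the 2 AM, foreign-IP case). The event list and the MONEY_TERMS keyword list are constructed samples.

```python
# Added example (not from the original article): a minimal UEBA-style check
# over constructed mail-send events. Each sender's usual send hours and source
# countries are learned from earlier events; a money-movement request that
# also breaks that baseline (2 AM, never-seen country) is raised as an alert.
from collections import defaultdict
from datetime import datetime

# Constructed sample events: (sender, ISO timestamp, source country, subject)
EVENTS = [
    ("cfo@example.com", "2025-03-03T09:12:00", "US", "Q1 forecast"),
    ("cfo@example.com", "2025-03-04T14:30:00", "US", "Board deck"),
    ("cfo@example.com", "2025-03-05T16:05:00", "US", "Audit follow-up"),
    ("cfo@example.com", "2025-03-07T11:00:00", "US", "Invoice approval for vendor"),
    ("cfo@example.com", "2025-03-10T02:07:00", "NG", "URGENT wire transfer needed today"),
    ("ap@example.com",  "2025-03-10T03:00:00", "NG", "Wire transfer request"),
]

MONEY_TERMS = ("wire transfer", "payment", "invoice", "bank details", "gift card")

def detect(events, warmup=3, slack_hours=1):
    """Walk events in time order. Once a sender has `warmup` baseline events,
    flag money-movement mail whose hour or country falls outside the baseline.
    Flagged events are not folded into the baseline, so an attacker cannot
    'train' the detector by sending a few anomalous messages first."""
    hours, countries, count = defaultdict(list), defaultdict(set), defaultdict(int)
    alerts = []
    for sender, ts, country, subject in events:
        hour = datetime.fromisoformat(ts).hour
        reasons = []
        if count[sender] >= warmup:
            lo = min(hours[sender]) - slack_hours
            hi = max(hours[sender]) + slack_hours
            if not lo <= hour <= hi:
                reasons.append(f"send hour {hour:02d}:00 outside usual {lo:02d}-{hi:02d}")
            if country not in countries[sender]:
                reasons.append(f"new source country {country}")
        money = any(term in subject.lower() for term in MONEY_TERMS)
        if money and reasons:
            alerts.append({"sender": sender, "time": ts, "reasons": reasons})
            continue                      # keep the anomaly out of the baseline
        hours[sender].append(hour)
        countries[sender].add(country)
        count[sender] += 1
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Note the cold-start limitation the last event shows: the ap@ mailbox has no baseline yet, so its equally odd wire request is not flagged, which is why such analytics need a learning period before they are relied on.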
Endpoint detection and response (EDR)
Endpoint detection and response (EDR) monitors for malware and unauthorized access attempts. Since many BEC attacks begin with credential theft through malware, EDR provides early warning.
Zero-trust architecture limits what compromised accounts can access, requiring continuous verification and restricting access to only what that user needs.
What should you do if you suspect a BEC attack?
Time is critical — every hour you wait decreases recovery probability.
Stop the money movement first. If a wire transfer has been initiated, contact your bank immediately, requesting that they freeze the transaction. Call your bank’s fraud department using a number you know is legitimate.
Alert your IT team immediately to investigate the email’s origin, check for account compromise signs, and block further communications. They should:
- Examine email headers
- Check authentication records
- Review recent account activity
- Force password resets if needed
- Check for suspicious forwarding rules
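A first-pass triage of the message headers covering the “examine email headers” and “check authentication records” steps above, as an added example that is not part of the original article. The raw message is constructed and its attacker-side domains use the reserved .invalid TLD; the checks are Reply-To and envelope-sender alignment with the visible From domain, and the SPF/DKIM/DMARC verdicts recorded by the receiving server.

```python
# Added example (not from the original article): first-pass header triage for
# a suspected BEC message. RAW_MESSAGE is constructed; its attacker-side
# domains use the reserved .invalid TLD so nothing here points at a real host.
import re
from email import message_from_string
from email.utils import parseaddr

RAW_MESSAGE = """\
Return-Path: <bounce@bulk-sender.invalid>
Received: from bulk-sender.invalid (bulk-sender.invalid [192.0.2.10])
    by mx.example.com with ESMTP; Mon, 10 Mar 2025 02:07:11 +0000
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=bulk-sender.invalid;
    dkim=none; dmarc=fail header.from=example.com
From: "Jane Doe, CEO" <ceo@example.com>
Reply-To: "Jane Doe" <ceo.jane.doe@webmail.invalid>
To: finance.director@example.com
Subject: Urgent and confidential wire transfer

Please process the attached vendor payment today and keep this between us.
"""

def domain_of(header_value) -> str:
    """Domain part of an address header, lower-cased; empty if absent."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def auth_results(msg) -> dict:
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value):
            verdicts[method] = result.lower()
    return verdicts

def triage(raw: str) -> dict:
    """Run the checks an analyst looks at first and return the findings."""
    msg = message_from_string(raw)
    from_dom = domain_of(msg["From"])
    auth = auth_results(msg)
    flags = []
    # Replies routed to a different domain than the visible sender
    reply_dom = domain_of(msg["Reply-To"])
    if reply_dom and reply_dom != from_dom:
        flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    # Envelope sender (what SPF actually checks) not aligned with the From domain
    env_dom = domain_of(msg["Return-Path"])
    if env_dom and env_dom != from_dom:
        flags.append(f"envelope sender {env_dom} not aligned with From domain {from_dom}")
    # Any authentication method that is not a clean pass
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method, "missing") != "pass":
            flags.append(f"{method} did not pass ({auth.get(method, 'missing')})")
    return {"auth": auth, "flags": flags, "hops": len(msg.get_all("Received", []))}
```

For the compromised-account case the article describes, all three verdicts will be “pass” and the From domain will be your own, so the Reply-To check and the sending-time and forwarding-rule review carry the weight instead.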
Contact law enforcement through the FBI’s Internet Crime Complaint Center (IC3). Reporting increases the chances that authorities can track and freeze stolen funds.
Notify relevant stakeholders based on attack type. If customer data was compromised, you may have legal notification requirements.
Conduct a post-incident review even if the attack failed. Analyze how the attack bypassed existing controls and what processes need strengthening.
Stop BEC before it costs millions
BEC attacks succeed because they exploit trust rather than technical vulnerabilities. Your best defense combines human vigilance with technical safeguards and clear verification procedures.

Strong email authentication and maintained sender reputation create an environment where suspicious emails stand out — and are caught in their tracks. Talk to an email deliverability consultant at EmailWarmup.com for free to help you sort out your email authentication (DKIM, SPF, DMARC) and ensure everything is secure and sound.
Frequently asked questions about BEC
Here are some commonly asked questions about business email compromise:
Ransomware encrypts your data and demands payment for decryption, while BEC tricks you into voluntarily sending money to attackers. Ransomware uses malware – BEC uses social engineering.
Yes, they often face a higher relative risk because they have fewer security controls and less formal verification procedures. Financial impact can be devastating enough to force business closure.
Stop immediately and contact your IT security team. If you provided credentials, change your password. If you initiated a transfer, contact your bank to freeze or reverse it.
Initial response and fund recovery attempts happen within hours to days. Complete investigations, including forensics, can take months to years.
Some policies cover social engineering fraud, including BEC, but coverage varies. Many have specific sublimits for social engineering losses ($100,000–$500,000), far below potential BEC losses.
Initial comprehensive training for all employees handling financial transactions, followed by quarterly refreshers. Run simulated BEC attempts every 4–6 weeks to keep awareness high.
References
- Gen Digital. (2025). Q1/2025 Gen Threat Report.
- Microsoft. (2024). What is business email compromise?
- IBM Security. (2024). Cost of a data breach report 2024.
- Hoxhunt. (2025). Business email compromise statistics 2025.
- Darktrace. (2024). What is a business email compromise attack?
- Palo Alto Networks. (2024). What is BEC? Tactics and prevention.
- Verizon Business. (2024). Data breach investigations report 2024.
- Federal Bureau of Investigation. (2024). Business email compromise.
- Internet Crime Complaint Center. (2024). 2024 Internet Crime Report.
- Abnormal Security. (2023). Key takeaways from the 2023 FBI IC3 report.
- U.S. Department of Justice. (2017). Man pleads guilty to wire fraud scheme.