Cybersecurity Knowledge Base

CyberPedia


Your essential guide to cybersecurity threats, attacks, and defenses. 
Understand the risks. Protect your business.

Business Email Compromise (BEC)


Overview

Business Email Compromise (BEC) is a type of scam where criminals break into or imitate business email accounts to trick people into sending money or sensitive information to the wrong place. It usually looks like a totally normal business request—from a CEO, vendor, or coworker—but with dangerous details, such as a changed bank account number or a request for secrecy.

Instead of using viruses or loud “you’ve been hacked” messages, BEC relies on trust, urgency, and realistic‑looking emails to quietly redirect payments or steal data.

What It Looks Like

BEC attacks are designed to blend in with everyday business email. Common patterns include:

  • “CEO” or executive fraud

    • An email appears to come from the CEO, owner, or other senior leader.

    • It asks you to urgently send a wire transfer, buy gift cards, or pay a vendor.

    • It may say things like “I’m in a meeting, just handle this quickly” or “This is confidential, don’t loop anyone else in.”

  • Vendor or supplier invoice change

    • You receive what looks like a normal invoice from a trusted vendor.

    • The only real difference: the bank account or payment details have changed.

    • The message might say the vendor “switched banks” or “updated payment processes.”

  • Payroll or HR changes

    • An email supposedly from an employee asks HR to change their direct deposit details.

    • The new account actually belongs to the attacker.

  • Legal, finance, or closing‑related pressure

    • Messages from fake attorneys, bankers, or “closing agents” tied to deals, contracts, or real‑estate transactions.

    • They stress that funds must be sent today to avoid penalties or delays.

How BEC Works (Typical Steps)

Although every case is different, most BEC scams follow a pattern:

  1. Research and preparation

    • Attackers study the company: website, LinkedIn, social media, news, and sometimes stolen email data.

    • They learn who the executives are, who handles payments, and which vendors the business uses.

  2. Email access or impersonation

    • In some cases, criminals actually break into a real business email account (for example, after a successful phishing login).

    • In other cases, they spoof (fake) the sender address or register look‑alike domains such as:

      • john.smith@argus-cyber.com vs john.smith@argu5-cyber.com (the letter “s” swapped for the digit “5”)

  3. Observation (if they have real access)

    • If they’re inside a mailbox, they quietly read message threads to understand how people write, what invoices look like, and when payments are sent.

    • They may create mail rules that hide related messages from the mailbox owner (for example, the real vendor’s replies) or forward copies of incoming mail to an address they control.

  4. Launch the fake request

    • At the right moment—usually near a real invoice or payment date—they send a carefully crafted email that looks like part of an existing conversation.

    • The email includes changed bank details, new payment instructions, or an urgent money request.

  5. Money or data is sent

    • If the target doesn’t double‑check by phone or another channel, the funds or sensitive data go straight to the attacker.

    • The discovery often happens days or weeks later, when the real vendor asks why they weren’t paid.
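The hide-and-forward rules from step 3 are something an administrator can hunt for. The following is an added example, not part of the original page: it triages a constructed export of inbox rules and flags the two behaviours the step describes (forwarding outside the organisation, and burying payment-related mail in folders the owner rarely reads). The field names and the argus-cyber.com domain are assumptions.

```python
"""Triage mailbox rules for BEC tradecraft: external auto-forwarding and
hiding of payment-related mail. Rule records are constructed samples whose
field names are assumptions, not any product's real export schema."""
import re

ORG_DOMAIN = "argus-cyber.com"  # assumed internal domain (page's example)
# folders often used to bury replies the mailbox owner should not see
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "deleted items",
                  "junk email", "archive", "conversation history"}
# payment vocabulary a BEC rule typically keys on
PAYMENT_WORDS = re.compile(r"\b(invoice|payment|wire|bank|remit|account|ach)\b", re.I)


def triage_rule(rule):
    """Return the reasons a single rule looks suspicious (empty list = benign)."""
    reasons = []
    # 1. any forward/redirect to a domain other than our own
    for addr in rule.get("forward_to", []):
        if addr.rsplit("@", 1)[-1].lower() != ORG_DOMAIN:
            reasons.append(f"forwards mail outside the organisation to {addr}")
    # 2. payment-related mail moved to an obscure folder or marked read
    folder = rule.get("move_to", "").lower()
    keywords = " ".join(rule.get("subject_contains", []) + rule.get("body_contains", []))
    if folder in HIDING_FOLDERS and (PAYMENT_WORDS.search(keywords) or rule.get("mark_read")):
        reasons.append(f"hides payment-related mail in '{rule['move_to']}'")
    # 3. payment-related mail deleted outright
    if rule.get("delete") and PAYMENT_WORDS.search(keywords):
        reasons.append("deletes payment-related mail")
    # 4. rules named with only punctuation are a common way to avoid attention
    if rule.get("name", "").strip() in ("", ".", ",", "..."):
        reasons.append("rule has an empty or punctuation-only name")
    return reasons


def suspicious_rules(rules):
    """Map rule name -> reasons, for every rule that raised at least one."""
    flagged = {}
    for r in rules:
        reasons = triage_rule(r)
        if reasons:
            flagged[r.get("name", "<unnamed>")] = reasons
    return flagged


SAMPLE_RULES = [  # constructed sample data, not from a real mailbox
    {"name": "Newsletters", "subject_contains": ["newsletter"], "move_to": "Newsletters"},
    {"name": ".", "subject_contains": ["invoice", "wire"], "move_to": "RSS Feeds", "mark_read": True},
    {"name": "Backup", "forward_to": ["ap.backup@gmail.example"]},
]

if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES).items():
        print(f"{name!r}: " + "; ".join(reasons))
```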

What Attackers Want

The main goals of Business Email Compromise are:

  • Steal large payments

    • Redirect wire transfers, ACH payments, or other large transactions to accounts controlled by the attacker.

  • Divert ongoing revenue

    • Change bank details so that future invoices or subscriptions are paid to the attacker instead of the real vendor.

  • Harvest sensitive information

    • Get payroll data, tax forms, or internal financial details that can be reused for identity theft or further fraud.

  • Expand access

    • Use one compromised mailbox to move sideways in the organization, targeting partners, customers, or other internal staff.

Why BEC Is So Dangerous

BEC is especially damaging for businesses because:

  • The emails look routine and professional

    • They often match the company’s style, signatures, logos, and writing patterns.

  • There is often no obvious “technical” sign of attack

    • No pop‑ups, no broken systems, and sometimes no malware at all—just emails and people following instructions.

  • It exploits trust and company habits

    • Most businesses are used to paying invoices and handling urgent leadership requests; BEC twists those normal processes.

  • Money can be hard or impossible to recover

    • Once a wire transfer leaves the account and is moved through multiple banks, recovery is often limited or time‑sensitive.

How to Recognize a Possible BEC Email

Treat an email as suspicious if it includes any of the following:

  • Urgent money movement

    • “I need you to process this right away,” “before the end of day,” or “we’ll lose the deal if this isn’t paid now.”

    • Especially if this kind of request is unusual from that person.

  • Changes to payment details

    • New bank account or routing number, especially for a vendor who’s been paid the same way for months or years.

    • Instructions to not use your normal payment process “just this once.”

  • Requests for secrecy

    • “Don’t loop in finance,” “don’t call me, I’m in meetings all day,” or “this is confidential—don’t tell anyone.”

  • Odd email address details

    • Slight misspellings, extra characters, or different domains (for example, .net instead of .com).

    • The display name may look right, but the underlying address is off if you look closely.

  • Out‑of‑character language

    • A usually informal boss suddenly writing very stiff, formal emails—or the opposite.

    • Strange grammar or phrasing that doesn’t sound like the real person.

Business Impact

A successful BEC attack can result in:

  • Immediate financial loss from stolen payments or payroll.

  • Disruption of operations if vendors stop services due to non‑payment.

  • Damage to relationships with customers and partners who were also tricked or affected.

  • Regulatory and legal exposure if client funds or personal data are involved.

  • Reputational harm, especially if the incident becomes public or reaches the media.

Key Prevention Tips (Plain‑Language)

For everyday staff and leaders, the best defenses are process and habits, not just technology:

  1. Always verify payment changes out‑of‑band

    • If bank account details or payment instructions change, call a known phone number (not from the email) to confirm.

    • For large or unusual payments, require a second person to approve.

  2. Slow down urgent money requests

    • Treat “urgent” and “secret” as warning signs, not reasons to rush.

    • It’s better to annoy the sender with a quick phone call than to send money to a criminal.

  3. Check the email address carefully

    • Click or hover over the sender address and any reply‑to address.

    • Look for misspellings, extra characters, or wrong domains.

  4. Use clear internal rules

    • Set written policies:

      • No bank changes without voice verification.

      • No large wires or gift card purchases based only on email.

      • No bypassing normal finance processes “just this once.”

  5. Train staff regularly

    • Walk employees through real‑world examples.

    • Show them how convincing these emails can be and practice how to respond.

  6. Encourage speaking up

    • Make it safe for employees to question emails, even from executives.

    • Reward people who catch and report suspicious messages.
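The address checks from “How to Recognize a Possible BEC Email” and tip 3 above can be automated for a mail gateway or a help-desk triage tool. This is an added example, not code from the original page: it compares a constructed From/Reply-To pair against a small trusted-contact list and reports look-alike domains (digit swaps, extra characters, .net instead of .com), display names borrowed from known people, and a Reply-To that goes elsewhere. The contact list and argus-cyber.com domain are assumptions.

```python
"""Flag BEC tell-tales in sender headers. TRUSTED and the sample headers are
constructed; the similarity threshold is a heuristic, not a standard value."""
from difflib import SequenceMatcher
from email.utils import parseaddr

# constructed trusted contacts: display name -> real address
TRUSTED = {
    "Jane Doe": "jane.doe@argus-cyber.com",
    "Acme Supplies AP": "billing@acme-supplies.com",
}
TRUSTED_DOMAINS = {a.split("@")[1] for a in TRUSTED.values()}


def _split(domain):
    name, _, tld = domain.rpartition(".")
    return name, tld


def lookalike_of(domain):
    """Return the trusted domain this domain imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    name, tld = _split(domain)
    for good in TRUSTED_DOMAINS:
        gname, gtld = _split(good)
        if name == gname and tld != gtld:       # same name, different TLD (.net vs .com)
            return good
        if SequenceMatcher(None, name, gname).ratio() >= 0.8:  # argu5-cyber vs argus-cyber
            return good
    return None


def check_sender(headers):
    """Return human-readable reasons a message's sender looks suspicious (empty = none)."""
    reasons = []
    display, addr = parseaddr(headers.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    imitated = lookalike_of(domain)
    if imitated:
        reasons.append(f"sender domain {domain} looks like {imitated}")
    known = TRUSTED.get(display)               # display name matches someone we know...
    if known and known.lower() != addr.lower():  # ...but the address underneath is not theirs
        reasons.append(f"display name '{display}' belongs to {known}, not {addr}")
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply and reply.rsplit("@", 1)[-1].lower() != domain:
        reasons.append(f"Reply-To {reply} goes to a different domain than From")
    return reasons


SAMPLE = {  # constructed headers modelled on the page's argu5-cyber example
    "From": "Jane Doe <jane.doe@argu5-cyber.com>",
    "Reply-To": "jane.ceo@mail.example",
}

if __name__ == "__main__":
    print("\n".join(check_sender(SAMPLE)) or "no findings")
```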

What To Do If You Suspect BEC

If you think you may have received or responded to a BEC email:

  1. Do not reply to the email or click any links.

  2. Contact your IT/security team or service provider immediately.

  3. If money was sent, call your bank right away and explain that it may be fraud—time matters.

  4. Notify the real person or vendor (using trusted contact info) so they know what happened.

  5. Preserve the emails (do not delete them); they may be needed for investigation or law enforcement.