Cybersecurity Knowledge Base

CyberPedia


Business Email Compromise (BEC)

Reading time: 6 min · Updated May 2026


IN SHORT

Business Email Compromise, usually called BEC, is a scam where someone uses email to trick a person into sending money, changing payment details, sharing sensitive information, or taking some other action they would not normally take. Unlike loud attacks such as ransomware, BEC usually looks ordinary: a normal email, a familiar name, and a believable request that arrives at the worst possible moment.

BEC is one of the costliest forms of cyber-enabled crime reported to the FBI. In the FBI’s 2024 IC3 Annual Report, BEC accounted for 21,442 complaints and more than $2.77 billion in reported losses, making it one of the highest-loss cybercrime categories in the report.

What BEC actually is

At its core, BEC is a trust attack. The attacker does not usually need to break systems in a dramatic way; instead, they try to look believable enough that a real person approves a payment, updates bank information, sends payroll data, or shares documents they should have verified first. Sometimes the email is simply spoofed or sent from a look-alike address. In other cases, the attacker has already gained access to a real mailbox and is sending messages from the genuine account, which can make the scam much harder to detect.

BEC is not limited to wire fraud. It can also involve payroll redirection, fake invoice updates, requests for tax documents, theft of account credentials, or fraud aimed at customers and vendors who trust the sender.

Done well, a BEC email looks completely unremarkable until the money is gone.

A typical BEC message blends into a normal inbox — only the request itself, not the format, gives it away.

The four shapes BEC usually takes

BEC can show up in several common patterns. Different stories, same goal: get money or data moved before anyone double-checks. 

Executive impersonation

A message appears to come from the owner, CEO, CFO, or another leader asking for a payment, gift cards, urgent help, or sensitive files.

Vendor payment change

A supplier or contractor suddenly says future payments should go to a new bank account.

Payroll redirection

An employee asks HR or payroll to change their direct-deposit information.

Thread hijacking

An attacker joins or imitates a real email conversation and drops in updated payment instructions or a new request at the right moment.

Data request fraud

Someone asks for W-2s, employee records, customer information, or other internal data under the guise of a legitimate business need.

The common thread is not the exact message. It is the attempt to use familiarity, timing, and trust to bypass normal verification.

How a BEC attack unfolds

Cases vary, but the pattern is remarkably consistent.

01 - Research

A BEC attack often starts with research. Attackers study company websites, LinkedIn pages, email signatures, press releases, invoices, and public records to learn who approves payments, who works in finance, which vendors are real, and what kind of language the business uses.

02 - Access or impersonation

Next comes impersonation or access. Some attackers register a look-alike domain or create a convincing free email account, while others compromise a legitimate mailbox through phishing, password reuse, or other account-takeover methods.

03 - Quiet observation

If they gain access to a real email account, they may quietly watch for days or weeks. They often wait for the right moment, such as an invoice cycle, a real estate closing, a payroll change, a tax deadline, or an executive traveling and harder to reach.

04 - The request

Then comes the request. It is usually short, ordinary, and businesslike: “I need this handled before 4 PM,” or “Send me the employee tax file when you can.” The damage happens when the request is treated as routine and completed before anyone verifies it through a second channel.

05 - The payout

The money or data goes out. The fraud is usually discovered days or weeks later, when the real vendor asks why they weren't paid.

The trick is often small

Many BEC messages do not contain obvious malware, scary wording, or broken grammar. Instead, they rely on details that are easy to miss when someone is busy. 

REAL: [email protected]
The address you've corresponded with for months.

LOOK-ALIKE: example@rnicrosoft.com
A single substituted character — registered hours before the email was sent.

A fake address may differ by one letter, one number, or a slightly altered domain. A display name may be correct even when the real address is not. A real account may also be compromised, which means the sender address can be technically correct while the request is still fraudulent. That is why “Does the name look familiar?” is not a safe test by itself. The better question is, “Does this request fit our normal process, and has it been verified another way?”

Why BEC is so damaging

BEC works because it targets people, process, and timing rather than just technology. It often reaches the exact person who has authority to act, and it asks for something that seems plausible in normal business operations.

The financial damage can be severe. Beyond the direct loss, organizations may also spend significant time on incident response, legal review, insurance questions, vendor communication, account cleanup, and rebuilding trust with customers or partners.

BEC also scales across organizations of every size. The FBI states that BEC has been reported in all 50 states and 186 countries, with more than 140 countries receiving fraudulent transfers tied to these scams.

WHAT MAKES IT WORK

  • Emails match the company's tone, signatures, and style
  • Often no technical sign of an attack at all
  • It exploits trust and routine, not software
  • Wire transfers are hard to claw back once they leave
  • Discovery is usually delayed by days or weeks

Warning signs to slow down for

These signs do not prove fraud on their own, but they should trigger a pause and a separate verification step:

Changed payment details

A vendor suddenly wants a new bank account or updated remittance process.

Urgent money movement

The sender wants money moved or information sent right away.

Requests for secrecy

The message says to keep the request quiet or bypass usual approvals.

Odd sender details

The reply-to address, full email address, or domain does not quite match.


Out-of-character language

The wording feels flatter, more abrupt, or less natural than the sender’s usual style.


Process pressure

The message tries to make normal checks feel inconvenient, slow, or unnecessary.


On phones and tablets, these signs are even easier to miss because full sender details are often hidden unless someone expands them. When in doubt, pick up the phone. Annoying the sender for thirty seconds is always cheaper than a wire to a criminal.
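The look-alike domain comparison and the "odd sender details" sign above can be turned into an automated first check. This Python snippet is an added example, not code from the original article; the homoglyph table, the known-contacts map and the sample message are constructed for illustration, and the sample reuses the rnicrosoft.com address from the text.

```python
from email import message_from_string
from email.utils import parseaddr

# Character sequences that imitate another letter in common fonts. Folding
# them lets "rnicrosoft.com" and "microsoft.com" compare as equal. This is a
# coarse, constructed table, not an exhaustive confusables list.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l"}

def normalize_domain(domain: str) -> str:
    """Lower-case a domain and fold look-alike sequences into the letter they mimic."""
    folded = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded

def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""

def check_sender(raw_message: str, known_contacts: dict) -> list:
    """Warnings for a raw RFC 5322 message; known_contacts maps display name -> address on file."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = _domain(addr)
    warnings = []

    # 1. Domain that equals a known contact's domain only after homoglyph folding.
    for known_domain in {_domain(a) for a in known_contacts.values()}:
        if from_domain != known_domain and normalize_domain(from_domain) == normalize_domain(known_domain):
            warnings.append(f"look-alike domain {from_domain!r} imitates {known_domain!r}")

    # 2. Familiar display name attached to an address that is not the one on file.
    expected = known_contacts.get(name)
    if expected and addr.lower() != expected.lower():
        warnings.append(f"display name {name!r} but address {addr!r} is not {expected!r}")

    # 3. Reply-To routed to a different domain than the visible From address.
    if reply_to and _domain(reply_to) != from_domain:
        warnings.append(f"Reply-To domain {_domain(reply_to)!r} differs from {from_domain!r}")
    return warnings

# Constructed sample: the look-alike address from the article plus a foreign Reply-To.
SAMPLE_MESSAGE = """From: Dana Lee <dana.lee@rnicrosoft.com>
Reply-To: dana.lee@remit-update.example
Subject: Updated remittance details

Please use the new account for this month's invoice."""
KNOWN_CONTACTS = {"Dana Lee": "dana.lee@microsoft.com"}
```

An empty result means none of the three checks fired, not that the request is genuine: a message sent from a compromised real mailbox passes all three, which is why out-of-band verification still applies.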

Where the damage shows up

The most obvious damage is financial loss. In 2024, BEC generated more than $2.77 billion in reported losses in IC3 complaint data.

Direct financial loss

Stolen wires, redirected payroll, fraudulent vendor payments. Often well into six or seven figures.

Operational disruption

Vendors stop services for unpaid invoices; teams burn weeks reconciling accounts and rebuilding processes.

Damaged relationships

Customers and partners caught up in the same scheme lose trust, even when they weren't the original target.

Legal & reputational

Regulatory exposure when client funds or personal data are involved — and headlines that outlast the incident.

Even when some money is recovered, the business still absorbs time, friction, and trust damage.

How to make BEC much harder

No single control stops every case, but a few practical measures can block a large share of attempts.

Verify changes out-of-band

Verify payment changes out of band. Use a known phone number, secure portal, or separate communication path, never the contact information provided in the email that made the request.

Two-person approval for money

Require approval for money movement. Use dual approval or a second reviewer for wire transfers, ACH changes, and updates to vendor banking details.


Slow down urgency

Treat "urgent" and "secret" as warning signs, not reasons to rush. Real emergencies survive a five-minute pause.


Train with real examples

Train with realistic examples. Short, relevant examples are more effective than vague warnings because BEC usually looks normal, not dramatic.


Harden the mailboxes themselves

Use phishing-resistant MFA, alerts for new inbox rules, and DMARC/SPF/DKIM on your own domain to make spoofing harder. Watch for suspicious sign-ins, new inbox forwarding rules, strange reply-to behavior, and unusual mailbox activity. Note that DMARC, SPF, and DKIM only protect your own domain from being spoofed; they do nothing against a look-alike domain the attacker registered, so the verification process still has to carry that case.
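The inbox-rule alerts mentioned above can be backed by a periodic audit of each mailbox's rules. This Python snippet is an added detection example, not code from the original article; the rule records and their field names are constructed for this example and are not any specific mail platform's API, and the organisation domain is assumed.

```python
# Constructed, simplified inbox-rule records. Field names are assumptions for
# this example; real mail platforms expose comparable name/condition/action data.
RULES = [
    {"name": "Sync", "conditions": {"subject_contains": ["invoice", "payment", "wire"]},
     "actions": {"forward_to": ["collect@mail-archive.example"], "delete": True}},
    {"name": "Newsletters", "conditions": {"from_contains": ["news@"]},
     "actions": {"move_to": "Newsletters"}},
    {"name": ".", "conditions": {"subject_contains": ["bank", "remittance"]},
     "actions": {"move_to": "RSS Subscriptions", "mark_read": True}},
]
OUR_DOMAIN = "acme.example"  # assumed organisation domain
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance", "payroll", "w-2", "ach"}
# Folders where moved mail is unlikely to be noticed by the mailbox owner.
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items", "junk email"}

def audit_rule(rule: dict, our_domain: str = OUR_DOMAIN) -> list:
    """Return a list of findings for one inbox rule (empty means nothing suspicious)."""
    findings = []
    cond = rule.get("conditions", {})
    act = rule.get("actions", {})
    terms = {t.lower() for t in cond.get("subject_contains", []) + cond.get("body_contains", [])}
    touches_finance = bool(terms & FINANCE_TERMS)

    # Auto-forwarding to an outside address silently copies the conversation away.
    for target in act.get("forward_to", []):
        if not target.lower().endswith("@" + our_domain):
            findings.append(f"forwards to external address {target}")
    # Deleting or burying finance-related mail hides the real vendor's replies.
    if touches_finance and act.get("delete"):
        findings.append("deletes messages matching finance keywords")
    if touches_finance and act.get("move_to", "").lower() in HIDING_FOLDERS:
        findings.append(f"moves finance-keyword mail to {act['move_to']!r}")
    # A name of just punctuation or whitespace is easy to overlook in a rule list.
    if not rule.get("name", "").strip(" ."):
        findings.append("rule has a blank or punctuation-only name")
    return findings

def audit_rules(rules: list, our_domain: str = OUR_DOMAIN) -> dict:
    """Map each rule name to its findings, omitting rules with none."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule, our_domain)
        if findings:
            report[rule["name"]] = findings
    return report
```

Running audit_rules(RULES) flags "Sync" and "." and leaves the ordinary "Newsletters" rule alone; the same checks can feed the "new inbox rule" alert rather than a batch review.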


Written internal rules

Keep a written process. Staff should know exactly how bank-detail changes, invoice changes, payroll updates, and urgent payment requests must be verified.


The best defense is a combination of simple process controls and basic email-account security.

If you think it just happened

Act quickly. Fast action can make the difference between a contained incident and a permanent loss. The FBI specifically notes that if a fraudulent transfer is discovered, time is critical, and immediate contact with the financial institution may help with recall or freezing efforts.

01

Stop the transaction if it has not been completed yet.

Contact the bank or payment provider immediately and ask whether the funds can be recalled or frozen.

02

Report the incident internally to IT, security, finance leadership, or the outside security provider handling your response.

03

If an email account may be compromised, reset credentials, revoke active sessions, review forwarding rules, and enforce MFA.

04

Notify the affected vendor, customer, payroll provider, or partner using a trusted contact method.


05

Preserve the emails, headers, payment details, and timestamps for investigation.


06

File a complaint with the FBI’s Internet Crime Complaint Center at ic3.gov as soon as possible. Check with legal counsel first.


THE BOTTOM LINE

BEC works because it never feels like an attack. The strongest defense isn't a single tool — it's a culture where calling to double-check a payment is normal, and where nobody is in trouble for slowing down a wire transfer.

Want a bit more detail?

Optional reading for anyone who wants to go a step deeper.

Phishing often tries to get a click, a password, or a malware download. BEC is usually more focused and more personal: it aims to get someone to complete a real business action, often without using any malicious link or attachment at all.

MFA helps a lot, especially against email account takeover, but it does not stop every kind of BEC. If the attacker is simply impersonating someone from a look-alike domain, the most important protection is still a strong verification process around payments and sensitive requests.

Sometimes, yes. The chance of recovery is usually better when the fraud is reported immediately to the bank and to IC3. Be wary of recovery scams, though.

Yes. BEC affects both small businesses and large organizations because the scam relies on everyday business communication, not just enterprise-scale infrastructure.

Treat unexpected requests involving money, bank changes, payroll details, tax records, or sensitive files as verification events. A short call to a trusted number can prevent a very expensive mistake.
