The FBI's Internet Crime Complaint Center (IC3) reports business email compromise as one of the top cybercrime categories by losses every year, with more than $50 billion in reported BEC losses worldwide over the past decade. Reported losses average over $125,000 per incident, and a large share of the victims are small or mid-sized businesses.
Unlike ransomware, BEC doesn't require malware. It requires patience, research, and a convincing email. That makes it cheap to run, hard to detect, and devastating when it works.
The Six BEC Playbooks
Almost every BEC incident fits one of six patterns. Recognise them and you'll spot most attempts before they cause damage.
Vendor Invoice Redirection
Attackers compromise (or spoof) a real vendor's email account, then send a "new banking details" email to your accounts payable team just before a real invoice is paid. The wire goes to the attacker. Most common in construction, manufacturing, and dealer floor-plan payments.
CEO / Owner Impersonation
An email appears to come from the CEO, owner, or managing partner — usually claiming they're "in a meeting" or "travelling" and need an urgent wire processed. Targets the finance manager or bookkeeper. Often arrives Friday afternoon.
Payroll Diversion
An attacker emails HR or payroll posing as an employee asking to update their direct-deposit details before the next payroll cycle. The next pay run goes to the attacker's account. Hard to detect until the employee complains.
Real Estate / Closing Funds Diversion
Attackers monitor a real estate transaction (often by compromising a title agent or attorney's inbox) and send fake wire instructions to the buyer just before closing. Hundreds of thousands lost in a single message.
Lawyer / Professional Services Compromise
Attacker compromises a partner's inbox at a law firm, accounting practice, or consultancy, then sends fake invoices or fund transfer instructions to clients during an active engagement. Reputational damage compounds the financial loss.
Mailbox Rule Hijacking
After credential theft, attackers create silent mailbox rules that move all incoming messages from a target vendor or executive to a hidden folder. They impersonate the legitimate party for weeks before the victim notices.
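The rule pattern above is visible in the tenant's audit log the moment the rule is created, so detection does not have to wait for the victim to notice weeks later. Below is an added example (not code from the original article) that scans Exchange Online unified audit log records for the New-InboxRule / Set-InboxRule operations and flags the tells attackers rely on: forwarding outside the organisation, deleting or marking messages read, moving them into folders nobody opens, conditions keyed on invoice or payment wording, and throwaway rule names. The records at the bottom are constructed to mirror that log format, not real logs; the folder list, keyword list and internal domain are illustrative assumptions.

```python
"""Flag inbox rules that look like BEC mailbox-rule hijacking.

Added example, not the article's code. Input records are shaped like
Exchange Online unified audit log events (an Operation plus a Parameters
list of Name/Value pairs); the sample values below are constructed.
"""
import re

# Folders attackers park diverted mail in because users rarely open them
# (assumption: an illustrative list, extend it for your tenant).
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items"}
# Condition words that single out money or account-security mail (assumption).
SUSPICIOUS_WORDS = {"invoice", "payment", "wire", "bank", "remittance",
                    "password", "hacked", "fraud", "suspicious"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules"}
ADDR_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def _params(record):
    """Flatten the record's Parameters list into a name -> value dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def rule_findings(record, internal_domains):
    """Return the reasons one audit record looks like rule hijacking ([] if benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    p = _params(record)
    reasons = []
    # 1. Forwarding or redirecting to an address outside the organisation.
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in sorted(set(ADDR_RE.findall(p.get(key, "")))):
            if addr.rsplit("@", 1)[1].lower() not in internal_domains:
                reasons.append(f"{key} to external address {addr}")
    # 2. Deleting, hiding or silencing messages so the victim never sees them.
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("DeleteMessage=True")
    leaf = p.get("MoveToFolder", "").replace("/", "\\").split("\\")[-1].strip().lower()
    if leaf in HIDDEN_FOLDERS:
        reasons.append(f"MoveToFolder into rarely-read folder '{leaf}'")
    if p.get("MarkAsRead", "").lower() == "true":
        reasons.append("MarkAsRead=True")
    # 3. Conditions that single out payment or security traffic.
    text = (p.get("SubjectContainsWords", "") + " " + p.get("BodyContainsWords", "")).lower()
    hits = sorted(w for w in SUSPICIOUS_WORDS if w in text)
    if hits:
        reasons.append("condition matches " + ", ".join(hits))
    # 4. Throwaway names ('.', 'a', '..') are a common attacker tell.
    if "Name" in p and len(p["Name"].strip()) <= 2:
        reasons.append(f"throwaway rule name {p['Name']!r}")
    return reasons


def scan(records, internal_domains):
    """Return (user, rule name, reasons) for every record with at least one finding."""
    alerts = []
    for rec in records:
        reasons = rule_findings(rec, internal_domains)
        if reasons:
            alerts.append((rec.get("UserId", "?"), _params(rec).get("Name", ""), reasons))
    return alerts


# Constructed sample records (not real logs), shaped like unified audit log events.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "kate@example.com", "Parameters": [
        {"Name": "Name", "Value": "Newsletters"},
        {"Name": "From", "Value": "news@example-news.com"},
        {"Name": "MoveToFolder", "Value": "Mailbox:kate@example.com\\Newsletters"}]},
    {"Operation": "New-InboxRule", "UserId": "ap@example.com", "Parameters": [
        {"Name": "Name", "Value": "."},
        {"Name": "From", "Value": "billing@acme-supplier.example"},
        {"Name": "MoveToFolder", "Value": "Mailbox:ap@example.com\\RSS Subscriptions"},
        {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-InboxRule", "UserId": "cfo@example.com", "Parameters": [
        {"Name": "Name", "Value": "Invoices"},
        {"Name": "SubjectContainsWords", "Value": "invoice;wire;payment"},
        {"Name": "ForwardTo", "Value": "\"CFO backup\" [SMTP:cfo.backup.mail@gmail.com]"},
        {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "MailItemsAccessed", "UserId": "ap@example.com", "Parameters": []},
]

if __name__ == "__main__":
    for user, name, reasons in scan(SAMPLE_RECORDS, {"example.com"}):
        print(f"{user}: rule {name!r}: " + "; ".join(reasons))
```

In production the same fields come from Search-UnifiedAuditLog or the Office 365 Management Activity API feed into your SIEM; a single finding on a finance or executive mailbox is worth a phone call, and the second sample above (a rule named "." that silently files a supplier's mail into RSS Subscriptions) is exactly the shape the playbook describes.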
Why BEC Works
BEC is engineered around three principles attackers learned from marketers and confidence artists:
- Authority. An email from the CEO, owner, or a major vendor short-circuits normal scrutiny. Staff want to be helpful and responsive.
- Urgency. "This needs to go today," "I'm about to board a flight," "The closing is at 3pm." Pressure suppresses verification.
- Plausibility. Attackers research your vendors, customers, accounting cycles, and even your CEO's travel calendar. The email references real deals, real people, real amounts.
You don't defeat BEC by training people to be more sceptical of obvious phishing. You defeat it by making verification structural: no single person, and no email on its own, can authorise a payment change or an unusual wire, so the attacker's convincing message has nothing to convince.
Technical Controls That Stop BEC
Software won't catch every attempt — but the right stack catches the vast majority before a human ever sees the email.
Email & Identity Stack
- Multi-factor authentication on every email account, with phishing-resistant MFA (FIDO2 security keys or passkeys, or certificate-based authentication) for executives and finance. Number matching on push prompts blunts MFA-fatigue attacks but is not phishing-resistant: an adversary-in-the-middle phishing page relays the whole login, prompt and all. Only credentials bound to the genuine origin defeat that.
- DMARC, SPF, and DKIM published on every domain you send from, moved through progressive enforcement (p=none to collect reports, then quarantine, then reject). Know the limit: DMARC stops exact-domain spoofing of your own domain; it does nothing against a compromised vendor mailbox or a look-alike domain, which the controls below address.
- Anti-impersonation rules in your email security tool, flagging look-alike domains and CEO/finance role spoofing
- Mailbox-rule monitoring: alert on any new or changed rule that forwards or redirects externally, deletes messages, marks them read, or moves them to a rarely opened folder (RSS Subscriptions, Archive and Conversation History are favourites), and disable automatic external forwarding at the tenant level so the forwarding variant cannot be created at all
- Conditional access policies blocking impossible-travel logins and unfamiliar device sign-ins
- Domain monitoring services that alert you when a look-alike of your domain is registered
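To make the SPF and DMARC item above checkable, here is an added example (not the article's own tooling) that grades the two TXT records a domain publishes and says what the next step in the none → quarantine → reject progression should be. It works on record strings so it runs offline; the three domains and their records at the bottom are constructed, and the lookup count only sees top-level terms, since expanding nested includes needs DNS.

```python
"""Grade SPF and DMARC records against the none -> quarantine -> reject progression.

Added example, not the article's code. Operates on raw TXT record strings;
the sample domains and records below are constructed, not looked up.
"""
import re

ALL_RE = re.compile(r"^([+\-~?]?)all$", re.I)
POLICY_ORDER = {"none": 0, "quarantine": 1, "reject": 2}


def parse_tags(record):
    """Split 'v=DMARC1; p=none; rua=...' into a lowercase-key dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def spf_lookups(terms):
    """Count top-level terms that cost a DNS lookup. RFC 7208 caps the total at 10;
    nested includes add more, which an offline check cannot see."""
    n = 0
    for t in terms[1:]:
        m = t.lstrip("+-~?").lower()
        if (m.startswith(("include:", "exists:", "redirect=", "a:", "mx:", "ptr:", "a/", "mx/"))
                or m in ("a", "mx", "ptr")):
            n += 1
    return n


def grade_spf(record):
    """Return (grade, notes): 'hardfail', 'softfail', 'open' or 'missing'."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "missing", ["no v=spf1 record published"]
    notes = []
    all_term = next((t for t in terms[1:] if ALL_RE.match(t)), None)
    qualifier = ALL_RE.match(all_term).group(1) if all_term else None
    if qualifier == "-":
        grade = "hardfail"
    elif qualifier == "~":
        grade = "softfail"            # still a DMARC failure for unlisted hosts
    elif qualifier in ("+", "", "?"):
        grade = "open"
        notes.append(f"'{all_term}' lets any host send as this domain")
    else:
        grade = "open"
        notes.append("no 'all' term: unlisted hosts default to neutral")
    lookups = spf_lookups(terms)
    if lookups > 10:
        notes.append(f"{lookups} lookup terms exceed the 10-lookup limit (permerror)")
    return grade, notes


def _pct(tags):
    v = tags.get("pct", "100")
    return int(v) if v.isdigit() else 100


def grade_dmarc(record):
    """Return (stage, notes): stage is 'none', 'quarantine', 'reject' or 'missing'."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "missing", ["no valid v=DMARC1 record with a p= tag"]
    p = tags["p"].lower()
    if p not in POLICY_ORDER:
        return "missing", [f"unknown policy p={p}"]
    notes = []
    sp = tags.get("sp", p).lower()
    pct = _pct(tags)
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports to drive the progression")
    if p != "none" and pct < 100:
        notes.append(f"pct={pct}: only {pct}% of failing mail gets the {p} policy")
    if POLICY_ORDER.get(sp, 0) < POLICY_ORDER[p]:
        notes.append(f"sp={sp} leaves subdomains weaker than the organisational domain")
    if p == "none":
        notes.append("monitoring only: spoofed mail is still delivered")
    return p, notes


def next_step(stage, pct=100):
    """The next move in the none -> quarantine -> reject progression."""
    if stage == "missing":
        return "publish v=DMARC1; p=none with a rua= address and collect reports"
    if stage == "none":
        return "once every legitimate sender passes, move to p=quarantine at a low pct"
    if stage == "quarantine":
        return "raise pct to 100, then move to p=reject" if pct < 100 else "move to p=reject"
    return "enforced: keep reading rua reports for new legitimate senders"


def assess(spf_record, dmarc_record):
    """Combine both grades into one dict for a domain."""
    spf_grade, spf_notes = grade_spf(spf_record)
    stage, dmarc_notes = grade_dmarc(dmarc_record)
    return {"spf": spf_grade, "dmarc": stage,
            "next": next_step(stage, _pct(parse_tags(dmarc_record))),
            "notes": spf_notes + dmarc_notes}


# Constructed sample records for three hypothetical domains.
SAMPLE = {
    "example.com": ("v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all",
                    "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; adkim=s; aspf=s"),
    "weak.example": ("v=spf1 include:_spf.example.net ?all",
                     "v=DMARC1; p=none"),
    "partial.example": ("v=spf1 a mx include:a.example include:b.example ~all",
                        "v=DMARC1; p=quarantine; pct=10; sp=none; rua=mailto:reports@partial.example"),
}

if __name__ == "__main__":
    for domain, (spf, dmarc) in SAMPLE.items():
        r = assess(spf, dmarc)
        print(f"{domain}: SPF {r['spf']}, DMARC {r['dmarc']} -> {r['next']}")
        for note in r["notes"]:
            print("   ", note)
```

Run it against your own records (dig TXT yourdomain and dig TXT _dmarc.yourdomain) and against every parked or marketing domain you own: a domain that sends no mail should still publish v=spf1 -all and p=reject, or it is free for attackers to spoof.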
Process Controls That Catch the Rest
The technical stack is necessary. It is not sufficient. The other half of BEC defence is process.
Process & People Controls
- Out-of-band verification: any change to payment details requires a phone call to a known number — not a number from the email
- A second-signature rule for all wires above a defined threshold, even from the CEO or owner
- Quarterly security awareness training tailored to the BEC patterns above — not generic phishing slides
- Monthly phishing simulations that include BEC-style impersonation scenarios, with targeted re-training for repeat clickers
- A clear, blame-free reporting channel so staff feel safe flagging "this looks weird" without fear of being wrong
If You've Just Sent the Wire
If you discover a fraudulent wire after the funds have left:
- Call your bank immediately and ask for a wire recall and a fraud hold at the receiving bank. Speed matters: a wire is not reversible on its own, and once the money is moved on from the first receiving account, usually within hours, recovery becomes unlikely.
- File an IC3 report at ic3.gov. The FBI's Recovery Asset Team has clawed back significant sums when notified within the first 24–48 hours.
- Notify the recipient bank directly. They may freeze the account before the attacker withdraws.
- Engage forensic counsel. Determine scope of compromise. The wire is often the last act of an intrusion — your inbox may have been monitored for weeks.
- Reset all affected credentials and check mailbox rules. Attackers usually leave persistence in place.
- Notify your cyber-insurance carrier within the window the policy requires. BEC is usually covered only under a social-engineering or funds-transfer-fraud endorsement, often with a sublimit well below the main policy limit, and some carriers condition cover on a documented call-back verification; late notice or a skipped verification step can void the claim.
The Bottom Line
BEC will not be solved by your spam filter or your staff being more careful. It will be solved by the combination of strong identity controls, hardened email infrastructure, and ironclad out-of-band verification on any payment change. Build all three. Test them. Then test them again.
Related reading: our article "How to spot a fake invoice" covers the front-line spotting techniques every employee should know.
Is your business protected against BEC?
Get a free assessment of your email security posture, identity controls, and payment-process safeguards. We'll show you exactly where the gaps are.