Business Email Compromise: A $50 Billion Problem

IsThisAScam Research Team · April 18, 2026 · 4 min read

In December 2025, a multinational corporation's accounts payable department received an email from their largest supplier requesting a change in bank account details for future payments. The email came from the supplier's actual email address — the supplier's email system had been compromised. The AP team updated the bank details and processed the next three payments, totaling $2.3 million, to the attacker's account. By the time the real supplier called asking about missing payments, the money had been laundered through accounts in four countries.

This is Business Email Compromise (BEC), and the FBI's Internet Crime Complaint Center says it has caused over $55 billion in global losses since 2013. It's not the most technically sophisticated cyberattack. It's the most financially devastating one.

What Makes BEC Different from Phishing

Traditional phishing casts a wide net — millions of generic emails hoping someone clicks. BEC is targeted, researched, and patient. The attacker studies the target organization for weeks or months, learns who handles payments, who approves transactions, and what the internal communication patterns look like. Then they strike with a single, carefully crafted request that fits seamlessly into the target's normal workflow.

BEC emails rarely contain malware, suspicious links, or obviously fake sender addresses. They're plain text emails that look exactly like normal business correspondence. This is why they bypass spam filters, email security gateways, and even AI-powered threat detection — there's nothing technically malicious to detect.

The Five Types of BEC Attacks

1. CEO fraud. The attacker impersonates a senior executive and emails an employee with financial authority, requesting an urgent wire transfer. The email appears to come from the CEO's address (spoofed or compromised) and the request is framed as confidential and time-sensitive.

2. Vendor email compromise. The attacker compromises a vendor's email account and sends fake invoices or bank detail changes to the vendor's customers. Because the email comes from the vendor's real address, there's no sender-side indicator of fraud.


3. Account compromise. An employee's email account is compromised through phishing or credential stuffing. The attacker uses the compromised account to send payment requests to customers, directing payments to attacker-controlled accounts.

4. Attorney impersonation. The attacker poses as a lawyer or legal representative handling a confidential transaction. The "attorney" contacts a finance employee and requests a wire transfer for a closing, settlement, or retainer. The confidential nature of legal matters makes employees less likely to verify through other channels.

5. Data theft. Instead of requesting money, the attacker requests sensitive data — employee W-2 forms, customer lists, intellectual property, or financial records. HR departments are frequently targeted with requests for "all employee W-2s for a tax audit" appearing to come from the CEO.

Why BEC Losses Are So High

BEC targets the largest transactions a business makes. A single compromised vendor payment can exceed $1 million. Wire transfers, once sent, are extremely difficult to recover — especially international wires that cross multiple jurisdictions. And because BEC emails contain no malware or malicious links, they're invisible to most security tools until the money is gone.

The median BEC loss is $50,000 per incident, but large enterprises regularly lose seven or eight figures. Small and mid-size businesses are disproportionately impacted because they often lack the multi-layered approval processes that catch these attacks.

How Attackers Get In

Email account compromise. The most common entry point. Attackers use phishing, credential stuffing (using passwords from previous breaches), or password spraying to gain access to a business email account. Once inside, they read email history to understand payment patterns, vendor relationships, and communication styles.

Domain spoofing. Attackers register domains that look like the target's or a vendor's domain — companycorp.com becomes company-corp.com or companycorp.co. Emails from these lookalike domains pass casual inspection.
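The lookalike patterns above (hyphen insertion, TLD swap, digit-for-letter) can be caught automatically before a bank-detail change is even read. This is an added example, not code from the article or from IsThisAScam: it compares a sender's domain against the vendor domains an AP team keeps on file, and it assumes plain two-label domains with no subdomains; the trusted list and the confusables table are constructed for illustration.

```python
# Trusted vendor domains as the AP team keeps them on file (constructed sample).
TRUSTED_DOMAINS = {"companycorp.com", "acme-supplies.net"}

# Substitutions often seen in lookalike registrations (assumption: a small illustrative
# table, not a complete confusables list).
_CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def _fold(label: str) -> str:
    """Normalise a label so hyphen insertion and look-alike characters compare equal."""
    label = label.lower().replace("-", "")
    for src, dst in _CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; inputs are short, so a plain DP row is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _split(domain: str):
    """(label, tld) for a two-label domain such as companycorp.com (assumption: no
    subdomains or multi-part TLDs like co.uk in the input)."""
    label, _, tld = domain.lower().strip().rstrip(".").rpartition(".")
    return label, tld


def classify_sender(sender_domain: str, trusted=TRUSTED_DOMAINS) -> str:
    """'trusted' for an exact match, 'lookalike' for a near miss, 'unrelated' otherwise."""
    sender_domain = sender_domain.lower().strip()
    if sender_domain in trusted:
        return "trusted"
    s_label, _ = _split(sender_domain)
    for t in trusted:
        t_label, _ = _split(t)
        # Same name after folding: covers companycorp.co (TLD swap), company-corp.com
        # (hyphen insertion) and c0mpanycorp.com (digit-for-letter).
        if _fold(s_label) == _fold(t_label):
            return "lookalike"
        # One typo away, e.g. compnycorp.com; skip very short names to limit false hits.
        if len(t_label) >= 5 and _edit_distance(_fold(s_label), _fold(t_label)) <= 1:
            return "lookalike"
    return "unrelated"
```

A "lookalike" verdict should route the message to the phone-call verification step rather than block it outright, since vendors do occasionally change domains legitimately.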

Email forwarding rules. After compromising an account, attackers set up forwarding rules that copy all incoming email to an external address. This gives them ongoing intelligence even after the password is changed — many organizations don't check email rules during incident response.

How to Defend Your Organization

Implement payment verification procedures. Every payment over a defined threshold — and every change to vendor bank details — must be verified through a phone call to a known contact at the vendor, using a phone number already on file. This single control prevents the majority of BEC losses.

Deploy email authentication. Implement DMARC, DKIM, and SPF for your domain to prevent spoofing. Require these standards from your vendors and partners.

Enable MFA on all email accounts. Multi-factor authentication prevents the initial account compromise that enables most BEC attacks. Use phishing-resistant MFA methods (security keys, authenticator apps) rather than SMS.

Monitor email rules. Regularly audit mailbox rules, auto-forwarding settings, and delegated access. Attackers who compromise accounts almost always set up forwarding rules — detecting these rules catches the compromise early.
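The forwarding-rule persistence described under "How Attackers Get In" and the rule audit recommended here can be reduced to a short triage script. This is an added example, not code from the article or from IsThisAScam: it takes mailbox rules already exported from your mail platform into a list of dicts (the field names and the sample rules are constructed assumptions; map them from whatever your platform's export produces) and flags only rules that copy mail outside the organisation, annotating the signs that most often mark an attacker-created rule.

```python
import re

# Domains owned by the organisation; any other recipient is external (constructed sample).
INTERNAL_DOMAINS = {"companycorp.com"}
# Folders often used to park copied mail where the mailbox owner will not notice it
# (assumption: illustrative list; adjust to the folder names your platform uses).
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "deleted items"}
# Subject filters that suggest the rule is aimed at payment traffic.
PAYMENT_WORDS = re.compile(r"\b(invoice|payment|wire|remit|bank)\b", re.I)

# Constructed export of one mailbox's rules, in the dict shape this example assumes.
SAMPLE_RULES = [
    {"name": "Sort newsletters", "enabled": True, "forward_to": [], "redirect_to": [],
     "delete": False, "move_to": "Newsletters", "subject_contains": ["newsletter"]},
    {"name": ".", "enabled": True, "forward_to": ["ap-archive@mail.example"],
     "redirect_to": [], "delete": True, "move_to": None,
     "subject_contains": ["invoice", "payment", "wire"]},
    {"name": "Copy to team", "enabled": True, "forward_to": ["finance@companycorp.com"],
     "redirect_to": [], "delete": False, "move_to": None, "subject_contains": []},
    {"name": "Hide", "enabled": True, "forward_to": [], "redirect_to": ["x@other.example"],
     "delete": False, "move_to": "RSS Feeds", "subject_contains": []},
]


def _external(addresses, internal):
    """Addresses whose domain is not one of ours."""
    return [a for a in addresses if a.rpartition("@")[2].lower() not in internal]


def audit_rules(rules, internal=INTERNAL_DOMAINS):
    """Return (rule name, reasons) for enabled rules that send mail outside the org."""
    findings = []
    for r in rules:
        if not r.get("enabled", True):
            continue
        ext = _external(r.get("forward_to", []) + r.get("redirect_to", []), internal)
        if not ext:
            continue  # internal-only rules are routine; external copies are the BEC tell
        reasons = ["external copy to " + ", ".join(ext)]
        # Deleting or parking the forwarded mail hides it from the real owner.
        if r.get("delete") or (r.get("move_to") or "").lower() in HIDING_FOLDERS:
            reasons.append("hides forwarded mail")
        if any(PAYMENT_WORDS.search(s) for s in r.get("subject_contains", [])):
            reasons.append("filters on payment keywords")
        if len(r.get("name", "").strip(" .")) <= 1:
            reasons.append("near-empty rule name")
        findings.append((r["name"], "; ".join(reasons)))
    return findings
```

Run it over every mailbox on a schedule, not only during incident response, and treat any hit on a finance or executive mailbox as a probable compromise until the rule's creation is explained.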

Segregate financial processes. The person who receives payment requests should not be the same person who approves and executes payments. Multi-person approval workflows create checkpoints where BEC requests get caught.

Train continuously. Annual security training isn't enough. Run regular BEC simulations — send realistic fake payment requests and measure how employees respond. Provide immediate, specific feedback. Organizations that run monthly simulations see a 75% reduction in BEC susceptibility within six months.

When BEC Strikes

If you discover a BEC payment has been made, contact your bank immediately and request a wire recall. Time is critical — recovery rates drop sharply after 24 hours. File a complaint with the FBI's IC3 at ic3.gov. If the amount is significant and the wire is domestic, request activation of the Financial Fraud Kill Chain. Preserve all email communications as evidence, and engage your cybersecurity team to identify and close the point of compromise.

BEC isn't a technology problem with a technology solution. It's a process problem that requires process solutions — verification procedures, approval workflows, and a culture where questioning payment requests is expected rather than discouraged.
