Let’s name the threat plainly: the most expensive cyberattack hitting businesses today usually involves no malware, no virus, and no obvious “hack” — just a convincing email that tricks a real person into sending money to a criminal. It’s called business email compromise, or BEC, and the FBI consistently ranks it among the costliest forms of cybercrime, with losses measured in the billions of dollars a year. It works because it doesn’t attack your computers — it attacks your trust and your everyday business habits. Let’s break down exactly how the scam unfolds, why it slips past your security tools, and the simple habit that stops most of it cold.
What business email compromise actually is
Most people picture cybercrime as code and malware. BEC is different, and that difference is the whole point. A BEC attacker isn’t trying to break your software — they’re trying to impersonate someone you trust and exploit a normal business process. The goal is almost always to redirect money: a wire transfer, an invoice payment, a payroll deposit, sent willingly by an employee who believes they’re doing their job.
Here’s what makes it so insidious. There’s frequently nothing technically “malicious” in the email at all. No infected attachment. No dangerous link. No malware for your antivirus to detect. It’s just a well-crafted message that looks like it came from your CEO, your vendor, or your bookkeeper, asking for something that seems entirely reasonable in context. Your security software sees a plain email and lets it through, because by every technical measure, it is a plain email. The weapon is the words, not the code.
That’s why BEC defeats businesses that have invested in firewalls and antivirus. Those tools guard against technical attacks. BEC is a confidence trick wearing the costume of a routine work email.
How the scam unfolds, step by step
BEC isn’t a smash-and-grab; it’s a patient con. Understanding the sequence shows you exactly where it can be stopped.
- Research. The attacker studies your business. They scour your website, LinkedIn, and social media to learn who your executives are, who handles money, who your vendors are, and how your business talks. This reconnaissance is what makes the eventual email so believable.
- Access or impersonation. They get in position one of two ways. Either they compromise a real email account, often through a phished password, so they can send messages from a genuine inbox. Or they fake the sender: spoofing the address outright where the target domain has no email authentication, or, more commonly, registering a look-alike domain that is a character or two off from the real one (think @company-invoices.com instead of @company.com).
- The setup. They watch and wait, sometimes for weeks, especially when they're inside a real inbox. They learn how invoices get paid, who approves what, the tone people use, and when a big payment is due. Inside a compromised mailbox they often add rules that quietly forward messages to themselves or hide the vendor's replies, so the real conversation carries on without anyone noticing. They're studying your process so their request fits right in.
- The strike. At the right moment, they send the request: update a vendor’s bank details, wire funds for an urgent deal, change an employee’s direct deposit. It’s timed and worded to feel normal and, crucially, to discourage double-checking.
- The payout. The money moves to an account the attacker controls, then gets rapidly transferred away and laundered. By the time anyone realizes, the funds are often gone — which is why prevention matters so much more than cleanup.
Notice how human every step is. There’s no exotic technology here. There’s research, patience, impersonation, and a well-timed request — a con artist’s playbook delivered by email.
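The look-alike and display-name tricks described in the access step can be caught mechanically before a person ever reads the message. The following is an added example, not code from the original article: it flags sender domains that resemble the domains you actually do business with, and display names that borrow a trusted name or address over an outside mailbox. The trusted domains, executive name and sample From: headers are constructed for illustration, and the "registrable domain" logic is deliberately crude (no public-suffix list), which the comments call out.

```python
# Added example (not from the original article): flag look-alike sender
# domains and display-name tricks against the domains you really deal with.
# Trusted domains, executive names and sample From: headers are constructed.
import unicodedata
from email.utils import parseaddr
from typing import Optional

# Single characters attackers swap for visually similar ones (a subset).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
# Character pairs that render like one letter in many fonts.
MULTI_GLYPHS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalize(domain: str) -> str:
    """Lower-case, strip accents (e.g. é -> e) and fold common glyph swaps."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(c for c in d if not unicodedata.combining(c))
    d = d.translate(HOMOGLYPHS)
    for pair, single in MULTI_GLYPHS:
        d = d.replace(pair, single)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch transpositions and typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(sender_domain: str, trusted: list[str]) -> Optional[str]:
    """Explain why sender_domain resembles a trusted domain; None if it is
    the trusted domain itself, a real subdomain of it, or simply unrelated."""
    s = sender_domain.lower().rstrip(".")
    trusted = [t.lower() for t in trusted]
    if s in trusted or any(s.endswith("." + t) for t in trusted):
        return None
    if any(label.startswith("xn--") for label in s.split(".")):
        return "internationalized (punycode) domain, possible homoglyph attack"
    labels = s.split(".")
    # Crude registrable domain: the last two labels. There is no public-suffix
    # list here, so names like company.co.uk need a real library in production.
    reg = ".".join(labels[-2:])
    base = labels[-2] if len(labels) > 1 else labels[0]
    for t in trusted:
        t_base = t.split(".")[0]
        if normalize(reg) == normalize(t):
            return f"homoglyph of {t}"
        if t in s:                                  # company.com.evil.net
            return f"embeds trusted domain {t}"
        if t_base in base and base != t_base:       # company-invoices.com
            return f"extends trusted name {t_base}"  # noisy for very short names
        if edit_distance(normalize(base), normalize(t_base)) <= 2:
            return f"within 2 edits of {t}"          # compnay.com
    return None


def check_from_header(from_header: str, trusted: list[str],
                      executives: list[str]) -> list[str]:
    """Combine the domain check with two display-name tricks."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    findings = []
    reason = lookalike_reason(domain, trusted)
    if reason:
        findings.append(reason)
    if domain not in [t.lower() for t in trusted]:
        low = name.lower()
        if any(t.lower() in low for t in trusted):
            findings.append("display name shows a trusted address, real sender does not")
        if any(e.lower() in low for e in executives):
            findings.append("display name is a known executive on an outside address")
    return findings


if __name__ == "__main__":
    trusted = ["company.com", "acme-supplies.com"]   # constructed
    execs = ["Jane Doe"]                              # constructed
    for hdr in ["Jane Doe <jane.doe@company.com>",
                "Accounts <ap@company-invoices.com>",
                "Jane Doe <jane.doe.ceo@gmail.com>",
                "AP <billing@c0mpany.com>"]:
        print(hdr, "->", check_from_header(hdr, trusted, execs) or "clean")
```

Run it against your own vendor list and the last few months of inbound payment-related mail; the hits are exactly the messages that deserve a phone call. Tune the "extends trusted name" rule if you have very short brand names, since a two-letter base will match far too much.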

The common flavors of BEC
BEC comes in several recognizable varieties. Knowing them by name makes them easier to spot.
| Scam type | How it works |
|---|---|
| Invoice / vendor fraud | Impersonates a real supplier to change the bank account on file, so your legitimate payment goes to the attacker |
| CEO / executive fraud | Poses as a senior leader demanding an urgent, confidential wire transfer |
| Payroll diversion | Impersonates an employee to reroute their direct deposit to a new account |
| Attorney impersonation | Pretends to be a lawyer handling a sensitive, time-pressured matter requiring immediate payment |
| Data theft | Targets HR or finance to steal tax forms or employee data for further fraud |
The most common and costly by far is invoice and vendor fraud, and it’s worth understanding why it’s so effective. You genuinely do business with the vendor. You genuinely owe them money. The payment is genuinely expected. All the attacker changes is the destination account — and because everything else is legitimate, the request raises no alarm. You’re not being tricked into a fake transaction; you’re being tricked into misdirecting a real one.
Why BEC is so effective
BEC works because it’s engineered around human psychology, not technical weakness. Attackers lean on a handful of reliable pressure levers:
- Authority. A request that appears to come from the CEO or a senior executive feels like something you shouldn’t question. Most people are reluctant to challenge the boss.
- Urgency. “This needs to happen before end of day” or “the deal closes in an hour” rushes people past their normal caution. Hurry is the enemy of verification.
- Routine. The request fits a process you do all the time — paying an invoice, updating vendor details. Familiar tasks get less scrutiny.
- Confidentiality. “Keep this between us until it’s done” is designed to stop you from asking a colleague who might spot the fraud.
- Plausibility. Thanks to the research phase, the email references real people, real projects, and real amounts. It doesn’t feel like a scam because it’s tailored to your actual world.
Stack those together and you have an attack that turns your own good instincts — responsiveness, helpfulness, deference to leadership, efficiency — against you. That’s why smart, careful people fall for BEC. It’s not a failure of intelligence; it’s a well-designed exploitation of normal human behavior.
The one habit that stops most BEC
Here’s the genuinely good news, and it’s worth tattooing on the wall of every finance department: almost every BEC scam is defeated by a single habit — verifying any payment or banking change through a separate, trusted channel before acting.
Security people call this “out-of-band verification,” which just means: confirm the request using a different method than the one it arrived through. If you get an email asking to change a vendor’s bank account or wire a large sum, you do not reply to that email or call a number it provides. Instead, you pick up the phone and call the person or vendor at a number you already know — one from your records, not from the suspicious message — and confirm it’s real.
This one step collapses the entire scam, because the attacker controls the email but not the phone line to the real person. That holds even when the attacker is sitting inside the vendor's genuine mailbox: the number in your records is still the vendor's, not theirs. The moment you call the actual vendor and ask, "Did you just request a change to your bank details?", the con falls apart. It costs two minutes. It has saved businesses millions.
The trick is making it a non-negotiable rule, not a judgment call. When verification is mandatory for every payment change and every wire over a certain amount, no employee has to decide whether a given request “feels” suspicious — they just follow the rule, every time, even when the request seems to come from the CEO. Especially then.

Building a full defense against BEC
The verification habit is the heart of it, but a complete defense layers several controls so that no single failure leads to loss.
- Mandatory out-of-band verification. Confirm every payment or banking-detail change by calling a known number. This is the most important control.
- Multi-factor authentication everywhere. Much BEC starts with a compromised inbox. MFA blocks the password-only account takeovers that let attackers send from a real address and read your payment conversations. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) over SMS and app codes where you can, since adversary-in-the-middle phishing kits can relay one-time codes and steal the resulting session.
- Dual approval for transfers. Require two people to approve any wire or payment over a set threshold. Two sets of eyes catch what one might miss.
- Email authentication. Set up SPF, DKIM, and DMARC with a policy of p=reject: the technical standards that make it much harder for attackers to spoof your own domain and impersonate your staff. Be clear about what they do not cover. A look-alike domain the attacker registered passes these checks, because it is their domain, and they say nothing about mail sent from a genuinely compromised account.
- Advanced email security. Modern filtering can flag look-alike domains, display-name tricks (a trusted name or address in the display name over an outside mailbox), and suspicious patterns that basic spam filters miss.
- Staff awareness training. Your people are the target, so they’re also your best sensor. Security awareness training teaches them the pressure tactics and the verification habit until it’s second nature.
Notice the pattern: technology reduces the number of malicious emails that reach people and stops the account takeovers that fuel the worst attacks, while process and training catch what slips through. Because BEC targets people and procedures, your defense has to cover both — and the human layer is the one too many businesses neglect.
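The email-authentication bullet is easy to set up half-way, and the half-way state gives little protection. The following is an added example, not code from the original article, showing two checks a practitioner would script: grading your own DMARC record for the weak settings that still let spoofed mail through, and treating any message that claims your own domain but did not pass DMARC at your gateway as an impersonation attempt. The DMARC records, Authentication-Results headers and the domain "company.com" are constructed for illustration.

```python
# Added example (not from the original article): grade a DMARC record and
# check the Authentication-Results stamp on mail that claims your own domain.
# All records, headers and the domain "company.com" are constructed.
import re


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_weaknesses(txt: str) -> list[str]:
    """What an attacker can still get away with under this DMARC record."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: spoofed mail is only reported, still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail goes to spam, not rejected")
    if "sp" in tags and tags["sp"].lower() != "reject":
        issues.append(f"sp={tags['sp']}: subdomains are weaker than the main domain")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy enforced on only part of failing mail")
    if "rua" not in tags:
        issues.append("no rua: aggregate reports not collected, spoofing goes unseen")
    return issues


# Authentication-Results as stamped by the receiving gateway, for example:
# "mx.company.com; spf=pass smtp.mailfrom=company.com; dkim=pass header.d=company.com;
#  dmarc=pass header.from=company.com"
AUTH_RESULT = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)


def auth_results(header: str) -> dict[str, str]:
    """Pull spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.lower(): r.lower() for m, r in AUTH_RESULT.findall(header)}


def impersonates_own_domain(from_addr: str, auth_header: str, own_domains: set[str]) -> bool:
    """Mail whose From: is one of your own domains must carry dmarc=pass.
    Only trust an Authentication-Results header YOUR gateway added; strip any
    that arrive from outside, since a sender can forge them (RFC 8601)."""
    domain = from_addr.rpartition("@")[2].lower()
    if domain not in own_domains:
        return False      # outside domain: DMARC cannot help, use look-alike checks
    return auth_results(auth_header).get("dmarc") != "pass"


if __name__ == "__main__":
    for record in ["v=DMARC1; p=reject; rua=mailto:dmarc@company.com",
                   "v=DMARC1; p=none",
                   "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@company.com"]:
        print(record, "->", dmarc_weaknesses(record) or "strong")
    forged = ("mx.company.com; spf=fail smtp.mailfrom=evil.net; dkim=none; "
              "dmarc=fail (p=reject) header.from=company.com")
    print("ceo@company.com forged?", impersonates_own_domain("ceo@company.com", forged, {"company.com"}))
```

The third sample in the main block is the one to notice: a look-alike domain such as company-invoices.com will show dmarc=pass, because the attacker controls that domain's records. DMARC protects your name; it does not vet theirs.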
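The verification habit from the previous section and the dual-approval bullet above only work when they are rules rather than judgment calls, and the surest way to make a rule non-negotiable is to have the payment system enforce it. The following is an added example, not code from the original article: a gate that refuses to apply a vendor banking change unless it was confirmed on a channel other than the one the request arrived on, the callback went to the number already on file, and enough distinct approvers signed off. The vendor record, request fields and the threshold amount are constructed for illustration.

```python
# Added example (not from the original article): enforce out-of-band
# verification and dual approval in code rather than leaving it to memory.
# Vendor record, request fields and the threshold are constructed values.
from dataclasses import dataclass, field
from typing import Optional

OUT_OF_BAND = {"phone", "video", "in_person"}   # channels that do not run through email
DUAL_APPROVAL_THRESHOLD = 10_000.00             # constructed policy value


@dataclass
class VendorRecord:
    name: str
    phone_on_file: str      # captured at onboarding, never updated from a later email
    bank_account: str


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    amount_due: float
    received_via: str                     # how the request arrived, e.g. "email"
    verified_via: Optional[str] = None    # how it was confirmed, e.g. "phone"
    number_dialled: Optional[str] = None  # the number the bookkeeper actually called
    approvers: list[str] = field(default_factory=list)


def evaluate(req: BankChangeRequest, vendors: dict[str, VendorRecord]) -> tuple[bool, list[str]]:
    """Return (allowed, problems). An empty problem list means the change may proceed."""
    problems = []
    vendor = vendors.get(req.vendor)
    if vendor is None:
        return False, ["vendor not in the vendor master; onboard it first"]
    if req.new_account == vendor.bank_account:
        return True, []          # nothing is actually changing
    if req.verified_via is None:
        problems.append("no verification recorded")
    elif req.verified_via == req.received_via or req.verified_via not in OUT_OF_BAND:
        problems.append(f"verified on '{req.verified_via}', not a channel separate from the request")
    elif req.number_dialled != vendor.phone_on_file:
        problems.append("callback went to a number not on file (never use one from the request)")
    needed = 2 if req.amount_due >= DUAL_APPROVAL_THRESHOLD else 1
    distinct = len(set(req.approvers))
    if distinct < needed:
        problems.append(f"{needed} distinct approver(s) required, {distinct} recorded")
    return not problems, problems


if __name__ == "__main__":
    vendors = {"Acme": VendorRecord("Acme", "+1-555-0100", "ACCT-OLD")}   # constructed
    rushed = BankChangeRequest("Acme", "ACCT-NEW", 25_000.00, "email", approvers=["bob"])
    careful = BankChangeRequest("Acme", "ACCT-NEW", 25_000.00, "email",
                                "phone", "+1-555-0100", ["bob", "carol"])
    for req in (rushed, careful):
        print(evaluate(req, vendors))
```

The point of the structure is that "the CEO said so" never appears as an input: the gate has no field for who asked or how urgent it was, so there is nothing for authority or urgency to push on.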
A tale of two finance departments
Two companies receive an almost identical email: their long-time supplier writes that they’ve switched banks, with new account details for the next invoice. The email looks perfect — right logo, right contact name, right tone, referencing a real outstanding invoice.
At the first company, the bookkeeper sees a routine request from a known vendor, updates the account, and pays the invoice on schedule. Six weeks later the real vendor calls asking where their payment is. The money — a five-figure sum — went to a criminal and is long gone. The cleanup, the strained vendor relationship, and the gut-punch of realizing it was avoidable drag on for months.
At the second company, the bookkeeper sees the same convincing email and follows the rule: any banking change gets verified by phone, no exceptions. She calls the vendor at the number in her records — not the one in the email — and asks if they changed banks. They didn’t. The scam unravels in a ninety-second phone call. She reports the spoofed email, and the company is never out a dime.
Same bait, same polish, completely different ending. The only difference was a verification habit that cost two minutes and was treated as a rule rather than a choice.
What to do if it happens to you
If a fraudulent payment slips through, speed is everything, because the money can sometimes still be frozen if you move fast:
- Call your bank immediately and request a recall of the wire or payment. Hours matter.
- Report it to the FBI's Internet Crime Complaint Center (IC3) at ic3.gov right away. Its Recovery Asset Team works with banks to freeze fraudulent transfers, and the sooner it's involved, the better the odds.
- Secure the accounts: change passwords, revoke active sessions, enable MFA, and check whether an inbox was compromised and what the attacker may have seen. Look for mailbox rules that forward or delete messages, which attackers add to keep watching and to hide the victim's replies, and remove them.
- Review and fix your process so the gap that let it happen gets closed for good.
The faster you act, the better your chance of recovering funds. This is exactly why having a plan before anything goes wrong matters — panic and delay are the attacker’s allies.
How this fits the bigger picture
BEC sits at the intersection of email security, identity protection, and human awareness, which is why no single tool solves it. It’s closely related to the broader world of phishing and email security, it depends on the account protection that MFA provides, and it’s blunted by the same security awareness training that hardens your team against every social-engineering attack. Pulling those layers together is exactly what managed cybersecurity services are for — combining advanced email security, identity controls, and ongoing training into a defense built for the way these attacks actually work.
The bottom line
Business email compromise is the costliest cyber threat most businesses face, and it succeeds precisely because it doesn’t look like an attack. There’s often no malware to catch — just a believable email exploiting trust, authority, and urgency to redirect real money into a criminal’s hands. The defense isn’t a single product; it’s a combination of strong identity controls, smart email security, and above all a simple, mandatory habit: verify every payment change through a trusted channel before you act.
If you’re not sure whether your business has the controls and habits to stop a BEC scam, we can help you find the gaps before an attacker does. Reach out for a free security review and we’ll walk through your email security and payment processes and show you exactly where you stand — in plain English, with no scare tactics.
