What business email compromise actually is
Business email compromise is fraud conducted through email that looks legitimate. The attacker either takes over a real mailbox — yours, an employee's, or a vendor's — or registers a lookalike domain one character off from a real one. Then they use that trusted position to do something very simple: ask for money, or change where money goes.
There is usually nothing for antivirus to catch. No attachment, no malicious link, no exploit. The "payload" is a sentence like "We've updated our banking details — please use the attached account for this month's invoice." That's why businesses with a firewall, a spam filter, and endpoint protection still lose six figures to BEC: the email itself is the attack.
The FBI's Internet Crime Complaint Center logged $3.05 billion in BEC losses in 2025 across 24,768 complaints — an average of more than $122,000 per incident, with 86% of stolen funds moved by wire transfer or ACH. Year after year, BEC sits near the top of the FBI's loss tables, ahead of ransomware. For the prevention-side story of how these scams play out in a real payment, see our wire fraud guide.
How a BEC attack unfolds
BEC is patient. A typical incident has four stages, and the first three are invisible.
1. Research. The attacker maps your company from public sources: who owns it, who handles money, which vendors you brag about, what your email addresses look like. LinkedIn, your website, and state business filings provide most of this for free.
2. Access or impersonation. Either they compromise a real mailbox — usually via a phishing page that captures a password from an account without multi-factor authentication — or they register a lookalike domain (micro-lt.net for micro-it.net) and copy the real person's signature block.
3. Observation. With access to a real mailbox, attackers often wait and read. They learn how invoices flow, who approves payments, what tone people use, and when large transactions happen. Many set a hidden inbox rule that forwards or hides messages so the real owner never sees the conversation.
4. The strike. Timed to a real transaction whenever possible: a genuine invoice arrives, and a follow-up "correction" with new bank details follows from the trusted thread. Or the "CEO" emails the bookkeeper late on a Friday needing an urgent confidential wire. The request is plausible because it was built from your own email history.
The five variants the FBI tracks
- CEO fraud. An executive's identity is used to pressure an employee into an urgent transfer. Urgency and confidentiality are the tells — "I'm in meetings, just get this done quietly today."
- Vendor / invoice fraud. The costliest variant for small businesses. A real supplier's mailbox is compromised, and a real invoice arrives with criminal bank details. You paid the right amount to the right company — at the wrong bank.
- Payroll diversion. "HR" receives a request, apparently from an employee, to update direct-deposit details. The next payroll run goes to the attacker's account.
- Attorney impersonation. Pressure framed as legal urgency — escrow instructions, settlement wires, closing funds. Common around real-estate transactions.
- Data theft. Not all BEC asks for money. Requests for W-2s, payroll data, or customer lists monetize later as identity theft — and create a breach-notification problem on top.
Why small businesses are the preferred target
Attackers aren't lazy; they're economical. A 15-person company is attractive precisely because of how it runs:
- One approver. Payments often need exactly one person's say-so — the same person whose name is on the website.
- No verification procedure. Banking-detail changes get processed from email because they always have been.
- Personal relationships. "Sarah from the vendor" has emailed for years. Nobody questions Sarah's thread.
- No one watching the mailbox. Hidden forwarding rules and unusual sign-ins go unnoticed without someone — or something — monitoring for them.
None of these are fixed by buying more software alone. Which is the point: BEC defense is half process, half technology.
The controls that actually stop it
Process controls (free, and do most of the work):
- Out-of-band verification. Any new payee or change to bank details gets confirmed by phone, using a number you already had on file — never one from the email requesting the change. This single habit defeats the majority of BEC attempts.
- Dual approval over a threshold. Two humans sign off on any transfer above a limit you choose. Urgency claims don't waive it; that's what the rule is for.
- A culture where verifying is praised. If the CEO's reaction to "I called to confirm your wire request" is irritation, the control is already dead. Say the opposite, loudly.
Technical controls:
- MFA on every mailbox. Most BEC starts with a password and no second factor. MFA closes the front door.
- Email authentication. SPF, DKIM, and a DMARC policy at enforcement make your domain hard to spoof — and protect your customers and vendors from emails pretending to be you.
- Inbox-rule and sign-in monitoring. New forwarding rules and impossible-travel logins are the two loudest BEC signals. Someone needs to actually see those alerts — this is what a managed inbox layer like Managed Inbox is for.
- Advanced anti-phishing filtering. Lookalike-domain and display-name impersonation detection catches what generic spam filters don't.
And carry the right paper: many cyber policies sub-limit social-engineering losses, so check the actual number with our cyber insurance guide before you assume you're covered.
If money already moved: the first hours
- Call your bank now. Ask for a recall of the transfer and a fraud hold on the receiving account. Minutes matter; funds are typically dispersed through money mules within days.
- File at ic3.gov. The FBI's Recovery Asset Team has frozen meaningful sums when notified within roughly the first 48–72 hours. The complaint also creates the paper trail your insurer will require.
- Contain the mailbox. Reset the password, revoke active sessions, remove unknown forwarding rules, and check what else that account could reach.
- Preserve everything. Original emails with full headers, the fraudulent invoice, call logs. Don't delete the thread in frustration — it's evidence.
- Tell the people who need to know. Your insurer (notification deadlines are real), your bank's fraud team, and any vendor or customer whose thread was used in the scam.
The pattern in every post-incident review is the same: the technology gaps took a week to fix, and the verification habit would have prevented the loss outright. Build the habit before the email arrives.