Security Awareness
What is Business Email Compromise?
How cybercriminals impersonate trusted contacts to steal money and sensitive information — and how to stop them before a single wire goes out.
The Basics
What is Business Email Compromise?
Business Email Compromise (BEC) is a targeted cyberattack where criminals impersonate someone you trust — a CEO, a vendor, a coworker, or an attorney — to trick you into sending money, changing payment details, or handing over sensitive data.
Unlike traditional phishing, BEC messages often contain no malicious links or attachments. They are just words, carefully crafted to read as authentic, and sometimes sent from a real mailbox the attacker has already compromised. With no payload to detonate and no URL to check, they pass filters tuned for malware and phishing links, and they continue to fool even experienced professionals.
Why it matters
The FBI’s Internet Crime Complaint Center consistently ranks BEC among the most financially damaging cybercrimes reported in the United States, with reported losses totaling billions of dollars every year. Small and mid-sized businesses are hit the hardest: a single successful BEC attack averages over $125,000 in losses, a sum many smaller firms cannot absorb.
Types of BEC
Not all BEC looks the same
Attackers use several different approaches depending on who they’re targeting and what they want:
CEO / Executive Fraud
Attacker impersonates a company executive and pressures finance staff to wire funds urgently, often while claiming to be in meetings or traveling.
Vendor Fraud
Attacker poses as a real vendor and sends updated banking details, redirecting future invoice payments to a fraudulent account.
Account Takeover
Attacker gains access to a real mailbox and sends requests from a legitimate address — no spoofing, no lookalike domain.
Payroll Diversion
Attacker impersonates an employee and asks HR to update direct deposit info, redirecting paychecks to an attacker-controlled account.
Attorney Impersonation & W-2 Scams
Professional services firms face two additional variants: attackers pose as outside counsel demanding an urgent confidential wire, or impersonate executives at tax time to request every employee’s W-2 for tax-return fraud. Both prey on urgency and authority.
Spot the Signs
A real BEC email — annotated
A typical CEO-fraud attempt combines three red flags. The sender’s domain carries a subtle misspelling (megabyt3, with a 3 standing in for the final e), the subject line manufactures urgency, and the body combines pressure, secrecy, and a wire request: three tactics designed to short-circuit your normal approval process.
Warning Signs
How to spot a BEC attempt
No single flag is proof — but any two of these in one email should make you stop and verify before acting:
- Urgency or pressure — “Must be done today,” “before my flight,” “do not delay.”
- Request for secrecy — “Don’t CC anyone,” “keep this confidential,” “I’ll explain later.”
- Changed banking or payment details — Any email requesting an update to wire, ACH, or account info.
- Slight domain differences — Hover over the sender. A zero instead of “o,” a missing letter, or a wrong domain entirely.
- Reply-To doesn’t match From — Replies would go to a different address than the sender.
- Request bypasses your normal process — Skipping PO approval, callback verification, or dual-sign-off.
- Unusual timing — Late Friday afternoons, holiday weeks, or right before executive travel.
- Writing style feels slightly off — Different greeting, sign-off, or phrasing than the sender normally uses.
- Gift card requests — Any executive asking staff to buy gift cards for “client gifts” is a scam. Period.
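Several of the signs above can be checked mechanically before a human ever reads the message: the lookalike domain from the annotated CEO-fraud example (megabyt3 in place of megabyte), a Reply-To that does not match From, and urgency, secrecy and payment language in the subject and body. The script below is an added example written for this article, not code from the original page or from any vendor. It assumes megabyte.example is the organisation’s real domain, uses illustrative keyword lists, and runs against two constructed messages; it applies the article’s own rule that any two flags mean stop and verify.

```python
"""Score a raw email against the BEC warning signs: lookalike sender domain,
Reply-To/From mismatch, and urgency / secrecy / payment language.
Added example: the trusted domain and both sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains that legitimately send us mail (assumption for this example).
TRUSTED_DOMAINS = {"megabyte.example"}

# Digit-for-letter swaps commonly used in lookalike domains (0 for o, 3 for e, ...).
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"}

# Illustrative phrase lists; a real deployment would tune these to its own mail.
URGENCY = ("urgent", "today", "asap", "immediately", "before my flight", "do not delay")
SECRECY = ("confidential", "don't cc", "do not cc", "keep this between us", "i'll explain later")
PAYMENT = ("wire", "ach", "bank details", "account number", "routing number",
           "direct deposit", "gift card")


def normalize(domain):
    """Undo the common digit substitutions so megabyt3 compares as megabyte."""
    return "".join(CONFUSABLES.get(c, c) for c in domain.lower())


def edit_distance(a, b):
    """Levenshtein distance; catches a dropped, added or swapped letter."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this sender domain imitates, or None."""
    d = domain.lower()
    if d in trusted:
        return None
    for t in trusted:
        if normalize(d) == t or edit_distance(normalize(d), t) <= 1:
            return t
    return None


def body_text(msg):
    """Concatenate the text/plain parts of a (possibly multipart) message."""
    chunks = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def assess(raw_email):
    """Return the red flags found and whether the two-flag rule says to verify."""
    msg = message_from_string(raw_email)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rpartition("@")[2]
    reply_domain = reply_addr.rpartition("@")[2]
    flags = []

    target = lookalike_of(from_domain)
    if target:
        flags.append(f"lookalike sender domain: {from_domain} imitates {target}")
    if reply_addr and reply_domain.lower() != from_domain.lower():
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    text = (msg.get("Subject", "") + "\n" + body_text(msg)).lower()
    for label, phrases in (("urgency", URGENCY), ("secrecy", SECRECY), ("payment request", PAYMENT)):
        hits = [p for p in phrases if re.search(r"\b" + re.escape(p) + r"\b", text)]
        if hits:
            flags.append(f"{label} language: " + ", ".join(hits))

    # The article's rule: no single flag is proof, but any two mean verify out-of-band.
    return {"flags": flags, "verify_out_of_band": len(flags) >= 2}


# Constructed CEO-fraud sample (not a real message). Note the 3 in megabyt3.
SUSPICIOUS = """\
From: "Dana Whitfield" <dana.whitfield@megabyt3.example>
Reply-To: dana.whitfield.ceo@webmail.example
To: accounts@megabyte.example
Subject: URGENT - wire needed before my flight
Content-Type: text/plain; charset="utf-8"

I'm boarding and can't take calls. I need a wire of $48,500 sent today to close
a confidential acquisition. Don't CC anyone on this, I'll explain later.
Dana
"""
# Constructed routine message from the real domain, for comparison.
ROUTINE = """\
From: "Dana Whitfield" <dana.whitfield@megabyte.example>
To: accounts@megabyte.example
Subject: Q3 vendor review
Content-Type: text/plain; charset="utf-8"

Can we move Thursday's vendor review to 3pm? Thanks.
"""

if __name__ == "__main__":
    for name, sample in (("suspicious", SUSPICIOUS), ("routine", ROUTINE)):
        result = assess(sample)
        print(name, "->", "VERIFY OUT-OF-BAND" if result["verify_out_of_band"] else "ok")
        for flag in result["flags"]:
            print("  *", flag)
```

Run as written, the suspicious message raises all five flags (lookalike domain, Reply-To mismatch, urgency, secrecy and payment language) while the routine one raises none. Keyword matching alone is noisy, which is exactly why the article counts flags rather than acting on one; a hit on “today” in a routine email is not a verdict, but “today” plus a Reply-To pointing at a webmail domain is a reason to pick up the phone.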
The Golden Rule
If an email requests money, sensitive data, or a change to payment information — verify it out-of-band. Pick up the phone and call the sender at a number you already know. Never use a number from the suspicious email. Thirty seconds on the phone can save your business six figures.
What To Do
If you suspect a BEC attempt
KB-SEC-004 · Security Awareness
