What is business email compromise (BEC)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine your CFO gets an email. It looks like it's from the CEO, sent from a mobile device, asking to wire $87,000 to a new supplier before end of day. The tone is urgent. The email address is almost right. The CFO sends the wire. The money is gone.
That's Business Email Compromise (BEC) in action. No malware. No hacked systems. Just a convincing email and a bit of pressure.
BEC is a type of fraud where attackers impersonate someone trusted inside or connected to your organization. The goal is almost always money, employee data, or both. The FBI consistently ranks it as the most financially damaging category of cybercrime. We're talking about billions in losses every year, with individual attacks often reaching six or seven figures.
How a BEC attack actually unfolds
It doesn't start with the attack email. It starts with reconnaissance. The attacker researches your company, often through LinkedIn, your website, and publicly available emails. They learn who the CEO is, who handles payments, which vendors you work with, and when your finance team is most stretched (like end of quarter).
Then they set up an impersonation. This might be a lookalike domain (yourcompany-billing.com instead of yourcompany.com), a display name spoof where the name looks right but the actual address doesn't, or in more sophisticated cases, a genuinely compromised email account inside your organization.
But the attack email lands with urgency built in. "I'm traveling and need this done quietly." "Don't call me, I'm in back-to-back meetings." "This is time-sensitive, don't loop in anyone else." These phrases are deliberate. They're designed to short-circuit the normal verification steps your team would otherwise follow.
The three most common BEC scenarios
- CEO fraud. A fake executive requests an urgent wire transfer or gift card purchase. Targets are usually finance or accounts payable.
- Vendor impersonation. An attacker poses as a known supplier and sends a "change of banking details" notice. Your team updates the payment info. Your next invoice payment goes to a fraudulent account.
- HR data theft. A fake executive requests W-2 forms or a full employee roster from HR. The stolen data is used for tax fraud or sold.
Red flags your team should know
BEC attacks work because they exploit trust and urgency. Slowing down breaks the spell. Train your finance and HR teams to treat these as automatic triggers for a phone verification call (using a number already on file, not one provided in the email itself):
- Any request to change payment or banking details, regardless of who it appears to come from
- Urgent wire transfer requests, especially ones asking to skip normal approval steps
- Requests that explicitly say "don't tell anyone" or "handle this personally"
- Emails from a known contact but coming from a slightly different address
- Any request for employee data sent by email with no other verification
What makes organizations vulnerable
Missing email authentication is a major factor. Without DMARC enforcement on your domain, attackers can send emails that appear to come from your exact domain with almost no effort. SPF and DKIM alone aren't enough if DMARC isn't set to reject or quarantine. That's often the technical entry point that makes brand impersonation so easy.
Beyond authentication, single-person payment approval is a systemic vulnerability. Any organization where one employee can wire money without a second confirmation is one convincing email away from a loss.
If you want to check whether your domain can be spoofed right now, our free DMARC generator can help you build a proper record. Or if something looks actively wrong and you need a human to walk through it with you, our SOS hotline is free.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.