Most security conversations centre on malware and phishing links. But the scam that costs businesses the most money doesn't use either. Business email compromise, or BEC, works through trust and forgery. An attacker impersonates your CEO, a vendor, or a trusted partner and convinces your staff to wire money or hand over sensitive information. Losses from BEC are rarely recovered once a transfer is completed.
How Business Email Compromise Works
BEC attacks follow a pattern. The attacker either compromises a real email account or spoofs an email address that looks nearly identical to one your business trusts. They've done their homework. They know who your executives are, which vendors you work with, and how your payment approval process works. An email arrives from the "CEO" asking your accounting team to wire funds to a new vendor account right away. Another attack might spoof a real vendor's email with an invoice that includes updated banking details for payment.
These emails work because they contain no malware, no suspicious links, and no obvious red flags. They read like normal business correspondence. The attacker's leverage is urgency and authority. By the time someone questions the request, the wire has already been sent. In other cases, the attacker has compromised an actual mailbox and spent weeks learning your organization's rhythm before making their move.
Why They Succeed
Unlike phishing attacks that rely on a user clicking a malicious link, BEC succeeds by exploiting normal business processes. Your accounting staff are trained to process payment requests. Your IT staff are trained to help with account access issues. The attacker gives them a request that fits perfectly into their daily routine. Without a verification process that goes beyond email, there's nothing to catch the fraud.
The stakes are enormous. A single BEC email can result in losses of tens of thousands of dollars or more. Large organizations have lost millions. The FBI estimates BEC costs businesses billions annually. The scam works because email, by design, takes the sender's identity at face value and delivers the message.
How To Defend Against BEC
The first line of defence is process, not technology. Any request to change payment details, redirect a wire, or access sensitive data should trigger a verification call to a known phone number. Not a number in the email. Not a number you Google. A number you have on file from previous dealings. This single step stops most BEC attacks cold because the attacker controls the email thread, not the phone number you already have on file.
Email authentication matters. DMARC, DKIM, and SPF are technical standards that make it harder for attackers to spoof your domain or your vendors' domains: SPF and DKIM let a receiving mail server check that a message really came from the domain it claims, and DMARC tells that server what to do when the check fails. They're not perfect, but they raise the bar. Monitoring for compromised accounts helps you spot when an attacker has actually broken into someone's mailbox before they launch their attack. Regular security awareness training reminds your staff that even requests from trusted sources should follow your verification procedures.
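The difference between a record that merely exists and one that actually blocks spoofing is easy to miss. The following checker is an added example, not code from the original article: it parses an SPF record and a DMARC record and reports where each still lets spoofed mail through. The records and domains are constructed samples; a real check would fetch the TXT records from DNS.

```python
"""Rate SPF and DMARC TXT records for how much they constrain domain spoofing.

Added example, not part of the original article. The records below are
constructed samples for hypothetical domains; real records live in DNS and
would be fetched with a resolver (no network access is used here).
"""
import re

# Constructed sample records: a weak setup beside a hardened one.
WEAK_SPF = "v=spf1 include:_spf.example-mailer.test ?all"
STRONG_SPF = "v=spf1 include:_spf.example-mailer.test -all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.test"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.test"


def spf_all_qualifier(record):
    """Return the qualifier on the final 'all' mechanism: '+', '-', '~', '?' or None."""
    if not record.lower().startswith("v=spf1"):
        return None
    for term in record.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"  # an unqualified 'all' means '+all' (RFC 7208)
    return None


def parse_dmarc(record):
    """Parse 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record, dmarc_record):
    """Return a list of findings describing where the records fail to block spoofing."""
    findings = []
    qual = spf_all_qualifier(spf_record)
    if qual is None:
        findings.append("SPF: no 'all' mechanism or not an SPF record; unlisted senders are not rejected")
    elif qual in ("+", "?"):
        findings.append("SPF: '%sall' lets any host pass as this domain" % qual)
    elif qual == "~":
        findings.append("SPF: '~all' only softfails unlisted senders; rely on DMARC to reject")

    tags = parse_dmarc(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("DMARC: record missing or malformed; receivers will not enforce alignment")
    else:
        policy = tags.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC: p=quarantine sends spoofed mail to spam rather than rejecting it")
        elif policy != "reject":
            findings.append("DMARC: missing or unknown policy tag")
        if "rua" not in tags:
            findings.append("DMARC: no rua address, so you will never see who is spoofing the domain")
    return findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, "->", assess(spf, dmarc) or ["no findings"])
```

Run against the weak pair it reports the `?all` ending and the `p=none` policy; the hardened pair produces no findings. The same parser can be pointed at your vendors' domains, which is where most invoice-fraud spoofing happens.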
Your email security system should flag suspicious activity: emails from external addresses that look like internal ones, unusual sending patterns, emails with unusual attachment types. These signals aren't perfect, but they give you a chance to catch BEC before it costs you money.
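To make the first of those signals concrete, here is an added example (not code from the original article) of the kind of rule an email gateway applies: it compares the sender's domain against the domains you trust using character-confusable collapsing and edit distance, flags a display name that matches an executive on an external address, and flags a Reply-To that points somewhere other than the From domain. The trusted domains, executive names and sample headers are all constructed for the demonstration.

```python
"""Flag inbound mail whose sender imitates an internal or vendor domain.

Added example, not part of the original article. The trusted domains,
executive names and sample headers below are constructed (hypothetical).
"""
from email.utils import parseaddr

# Constructed allow-list: your own domain plus the vendors you pay.
TRUSTED_DOMAINS = {"acme-corp.test", "northwind-supplies.test"}
# Constructed list of people whose names attackers like to borrow.
EXECUTIVES = {"jane doe", "raj patel"}
# Character swaps commonly used to build lookalike domains.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain):
    """Collapse confusable sequences so 'acrne-corp.test' compares equal to 'acme-corp.test'."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Plain Levenshtein distance; short domain names keep this cheap."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == trusted or edit_distance(domain, trusted) <= 2:
            return trusted
    return None


def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(headers):
    """Return the BEC-style warning signs found in a dict of header name -> value."""
    findings = []
    name, addr = parseaddr(headers.get("From", ""))
    from_dom = _domain(addr)
    target = lookalike_of(from_dom)
    if target:
        findings.append("sender domain %s imitates trusted domain %s" % (from_dom, target))
    if name.strip().lower() in EXECUTIVES and from_dom not in TRUSTED_DOMAINS:
        findings.append("display name '%s' matches an executive but the address is external" % name)
    _, reply = parseaddr(headers.get("Reply-To", ""))
    if reply:
        reply_dom = _domain(reply)
        if reply_dom != from_dom:
            findings.append("Reply-To domain %s differs from From domain %s" % (reply_dom, from_dom))
        target = lookalike_of(reply_dom)
        if target:
            findings.append("Reply-To domain %s imitates trusted domain %s" % (reply_dom, target))
    return findings


# Constructed sample headers: one legitimate note and two impersonation attempts.
SAMPLES = [
    {"From": "Jane Doe <jane.doe@acme-corp.test>"},
    {"From": "Jane Doe <jane.doe@acrne-corp.test>", "Reply-To": "ceo.urgent@webmail.test"},
    {"From": "Accounts <ar@northwind-supplies.test>", "Reply-To": "ar@northwind-supp1ies.test"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample["From"], "->", check_message(sample) or ["clean"])
```

The third sample shows why the Reply-To check matters for invoice fraud: the visible From address is the real vendor, and only the reply path has been redirected to a lookalike domain. None of these rules replaces the verification call; they decide which messages get routed to a human for that call.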
Protect Your Business
BEC is one of the costliest threats to businesses today. It doesn't require sophisticated technology to defend against, but it does require discipline and clear procedures. Every business should have a documented process for payment verification and account changes. If you're unsure whether your organization is protected, managed cybersecurity includes monitoring and response capabilities designed to catch these attacks early. The investment is far smaller than the risk.