
What is Business Email Compromise?

Business email compromise (BEC) is a scam that impersonates a trusted person — a boss, vendor, or colleague — to trick your company into wiring money to an attacker.

The plain-English definition

A con aimed straight at your bank account

Business email compromise is a targeted form of social engineering in which an attacker uses email to impersonate someone your business trusts and then manipulates a person into sending money or sensitive information. Unlike a smash-and-grab malware attack, BEC is quiet and precise: there's often no virus, no malicious link, and nothing for a security tool to catch — just a believable email asking for a payment.

That subtlety is exactly what makes BEC so dangerous and so costly. The FBI consistently ranks it among the highest-loss categories of cybercrime, with billions of dollars stolen every year — and small businesses are squarely in the crosshairs because they often lack the payment controls larger companies have. A single successful BEC can drain a payroll account or a quarter's profit in one wire transfer.

How it works

How a BEC scam plays out

BEC usually begins with research. The attacker studies your company — who handles finance, who your vendors are, how invoices flow — using your website, LinkedIn, and sometimes a previously breached mailbox. Armed with that context, they craft a request that fits naturally into your day-to-day operations. Two approaches dominate: impersonation, where the attacker spoofs or closely mimics a trusted email address ("ceo@yourcompany.com" vs. a look-alike domain), and account takeover, where they've actually gained access to a real mailbox — often via phishing — and send from inside it.

The hook is almost always money and urgency: a wire that must go out today, an invoice with "updated" bank details, a confidential acquisition that can't be discussed with anyone. When the attacker controls a real mailbox, they may lurk for weeks, reading threads to learn the company's tone and timing, then quietly insert fraudulent payment instructions into a genuine, ongoing conversation. By the time anyone notices, the money has been wired, moved through several accounts, and is effectively gone.

Common forms

The flavors of BEC to watch for

CEO fraud

A fake message from the boss pressures a finance employee to make an urgent, confidential wire transfer — "I'm in a meeting, just handle it."

Vendor / invoice fraud

An attacker posing as a real supplier sends "updated banking details," redirecting your next legitimate payment to their account.

Payroll diversion

A fake "employee" emails HR to change their direct-deposit account, quietly stealing the next paycheck.

Attorney / acquisition pretext

The attacker poses as a lawyer handling a sensitive, time-pressured deal to justify secrecy and a fast payment.

Gift-card scam

A lower-stakes but common variant: a "manager" urgently asks staff to buy gift cards and send over the codes.

Data-request BEC

Instead of money, the attacker asks for employee tax forms or customer records to fuel further fraud.

How to protect your business

Process beats technology here

Because BEC often carries no malware, your strongest defenses are payment processes and verification habits — backed by a few technical controls:

  • Verify every payment change by phone. Any new or changed bank details get confirmed by calling a number you already have on file — never one supplied in the email.
  • Require dual approval for wires. Require two people to approve any wire over a set threshold, so that one compromised mailbox can't move money on its own.
  • Lock down email with MFA. Most account takeovers start with a stolen password — multi-factor authentication stops the majority of them.
  • Configure SPF, DKIM, and DMARC. These email-authentication settings make it far harder for attackers to spoof your domain and help flag impersonators.
  • Train urgency as a red flag. Teach finance and HR that "urgent + confidential + wire transfer" should trigger verification, not speed.
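
Two of the controls above can be checked with a script rather than by eye. The Python below is an added example, not code from the Red Hound article: it parses SPF and DMARC TXT records (constructed placeholders here, in the form a DNS TXT lookup such as `dig TXT _dmarc.yourdomain.example` returns) and reports whether they would actually make receivers refuse spoofed mail, showing a weak record beside its corrected form; and it flags sender domains that imitate a trusted domain through homoglyphs, embedded labels or near-spellings, the look-alike trick described under "How it works". The domain names and the trusted list are constructed for the example.

```python
"""Added example: checks behind the SPF/DMARC and look-alike-domain advice.

Not part of the Red Hound article. The TXT records and domain names are
constructed placeholders; in practice the record strings come from a DNS TXT
lookup of your own domain (e.g. `dig TXT _dmarc.yourdomain.example`).
"""
from difflib import SequenceMatcher

# Constructed sample records: a weak and a corrected version of each.
WEAK_SPF = "v=spf1 include:_spf.mailprovider.example ~all"     # softfail: spoofs only get marked
STRONG_SPF = "v=spf1 include:_spf.mailprovider.example -all"   # hard fail
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.example"    # monitor only
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.example"

# Constructed list of domains this business trusts (its own plus a key vendor).
TRUSTED = ["yourcompany.example", "acmesupply.example"]


def spf_enforcing(record: str) -> bool:
    """True only when the SPF record ends with the hard-fail '-all' mechanism.

    '~all' (softfail) and '?all' (neutral) ask receivers to accept unauthorised
    senders with at most a mark; '+all' or a missing 'all' term authorises everyone.
    """
    terms = record.strip().split()
    return bool(terms) and terms[0].lower() == "v=spf1" and terms[-1].lower() == "-all"


def dmarc_policy(record: str) -> str:
    """Return the effective DMARC policy: none, quarantine, reject, partial or missing."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return "missing"
    policy = tags.get("p", "missing")
    # pct below 100 applies the policy to only a sample of failing mail.
    if policy in ("quarantine", "reject") and int(tags.get("pct", "100")) < 100:
        return "partial"
    return policy


def posture(spf: str, dmarc: str) -> dict:
    """Summarise whether receivers would refuse outright spoofs of this domain.

    DMARC enforcement (quarantine or reject) is what tells other mail servers to
    drop mail that fails alignment; SPF hard-fail is reported as a separate
    hardening item.
    """
    policy = dmarc_policy(dmarc)
    return {
        "spf_hard_fail": spf_enforcing(spf),
        "dmarc_policy": policy,
        "spoof_resistant": policy in ("quarantine", "reject"),
    }


# Characters commonly swapped for visually similar ones in look-alike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def normalise(domain: str) -> str:
    """Fold substitutions so 'yourc0mpany' and 'yourcornpany' both read as 'yourcompany'."""
    return domain.lower().strip().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def lookalike(sender_domain: str, trusted: list[str], threshold: float = 0.8):
    """Return (trusted_domain, reason) if the sender imitates a trusted domain, else None."""
    sender = sender_domain.lower().strip()
    trusted = [t.lower() for t in trusted]
    if sender in trusted or any(sender.endswith("." + t) for t in trusted):
        return None  # exactly a trusted domain, or a genuine subdomain of one
    for t in trusted:
        if normalise(sender) == normalise(t):
            return (t, "homoglyph substitution")
        if ("." + sender + ".").find("." + t + ".") != -1:
            return (t, "trusted domain embedded as a subdomain label")
        if SequenceMatcher(None, sender, t).ratio() >= threshold:
            return (t, "close spelling")
    return None


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("corrected", STRONG_SPF, STRONG_DMARC)):
        print(label, posture(spf, dmarc))
    for sender in ("yourcompany.example", "mail.yourcompany.example", "yourc0mpany.example",
                   "yourcompany.example.attacker.example", "acmesuply.example", "news.example"):
        print(f"{sender:40} -> {lookalike(sender, TRUSTED)}")
```

The posture check deliberately keys "spoof_resistant" on the DMARC policy alone: a p=none record with a perfect SPF still lets spoofed mail through, because DMARC is what instructs receivers to act on failures. The look-alike check is a triage aid for the finance and HR mailboxes, not a blocker; a hit means the sender should be verified by phone using the number already on file, exactly as the bullet list says.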

If a fraudulent transfer does go through, act within hours: contact your bank to attempt a recall, file a report with the FBI's IC3, and check whether a mailbox was compromised. Red Hound can help you build the payment controls and email defenses that stop BEC before it starts — start with a 30-minute call.

FAQ

Common questions about BEC

What is business email compromise in simple terms?

Business email compromise (BEC) is a scam where an attacker impersonates a trusted person — an executive, vendor, or colleague — over email to trick your business into wiring money or sharing sensitive data. There's often no malware involved, just deception.

How is BEC different from regular phishing?

Most phishing tries to steal passwords or spread malware at scale. BEC is highly targeted and focused on money or data: a tailored, often urgent request that impersonates someone you trust, frequently with no malicious link at all — which is why filters miss it.

What does a BEC attack look like?

Common forms include a fake "CEO" urgently requesting a wire transfer, a vendor sending updated bank details for an invoice, a payroll-redirect request, or a compromised mailbox quietly altering payment instructions on real invoices.

How can a small business prevent BEC?

Verify all payment and bank-detail changes by phone using a known number, require dual approval for wire transfers, turn on multi-factor authentication for email, configure SPF/DKIM/DMARC, and train finance staff to treat urgency as a warning sign rather than a reason to rush.

Get the free SMB Security Baseline Checklist

A short, plain-English checklist covering the email and payment controls that stop BEC fraud cold. Built for small and mid-sized businesses.
