Business Email Compromise is fraud that uses impersonation of executives, vendors, or trusted parties to redirect payments or extract sensitive data. The FBI reports cumulative BEC losses exceeding $50 billion globally by 2024, making it the highest-loss cybercrime category. MFA helps but does not stop BEC, because the attack often does not require a compromised account at all. Out-of-band callback verification is the single most effective control.
What it is
Business Email Compromise is a category of fraud that uses email impersonation to manipulate someone with payment authority into sending money to an attacker-controlled account or sharing sensitive data with the attacker.
The distinction between BEC and ordinary phishing matters. Phishing typically aims at credential theft or malware delivery, with monetisation happening downstream. BEC aims directly at money. The end state of a successful BEC attack is a wire transfer landing in an attacker's account, an updated direct deposit form pointing payroll at a money mule, or an invoice paid to the wrong bank.
Four main patterns cover most real-world BEC cases:
CEO fraud (also called executive impersonation). An attacker impersonates the CEO, CFO, or another senior executive and emails finance staff requesting an urgent wire transfer. The pretext is usually an acquisition under NDA, a supplier needing immediate payment, or some other reason the request must be handled quickly and quietly. Because the request appears to come from someone with authority, employees often comply without normal verification.
Vendor invoice fraud. Either by compromising a supplier's email account or by impersonating the supplier from a lookalike domain, the attacker sends an updated invoice with new banking details. The buyer's accounts payable team pays the legitimate amount to the attacker's account. By the time the supplier asks where their money is, the attacker has moved it through several accounts and out of reach. This is the fastest-growing BEC category and the one that produces the largest losses per incident.
Account compromise. The attacker takes over a real internal account, usually through phishing or stealer log credentials, and operates from inside the victim's email. They watch ongoing payment conversations, then insert themselves at the right moment with new banking details. Because the email genuinely comes from the legitimate account, every authentication check passes. The defender signal is behavioural rather than technical.
Attorney impersonation. A pretext that combines authority and urgency. An email purporting to be from an attorney handling a confidential matter (often an acquisition or litigation) requests a wire transfer that "the CEO has already approved." Variants impersonate accountants, regulators, or other authority figures the recipient is unlikely to call back to verify.
Why it matters
The numbers are stark. The FBI's Internet Crime Complaint Center (IC3) reports BEC as the single highest-loss cybercrime category, year after year. Cumulative reported losses exceeded $50 billion globally by the end of 2024, and the actual figure is higher because most incidents are never reported.
Specific cases give a sense of scale:
- Toyota Boshoku (2019). A European subsidiary lost $37 million in a single fraudulent transfer triggered by a vendor invoice impersonation.
- Mattel (2015). Lost over $3 million to a CEO fraud scheme, recovered through coordination with Chinese authorities. Most victims do not recover their money.
- Pathé (2018). The Dutch arm of the cinema chain lost €19 million to a series of fraudulent CEO emails. The attackers impersonated the parent company's leadership.
- Crelan Bank (2016). The Belgian bank lost €70 million to BEC fraud. The CEO ultimately resigned.
- Hong Kong deepfake CFO (2024). A finance worker at a multinational was tricked into transferring $25 million after participating in what appeared to be a video conference with the CFO and several colleagues. Every other person on the call was a deepfake. The attack combined live video, real-time voice synthesis, and BEC pretexting in a single incident.
Several characteristics make BEC particularly dangerous compared to other cybercrime categories:
The attacker often does not need to compromise anything technical. A lookalike domain, a credible pretext, and a hurried recipient are enough. There is no malware to detect, no exploit to patch, no anomalous network traffic to flag.
MFA does not help in many BEC scenarios. The attacker is not trying to log into anything. They are sending an email from their own infrastructure that looks like it came from yours.
Recovery is rare. Once a wire transfer settles into the attacker's account, the funds are typically moved within minutes through a chain of mule accounts, often crossing jurisdictions. International wire reversal requires cooperation that rarely arrives in time.
The signal-to-noise ratio is awful. A finance team processes hundreds of legitimate vendor payment changes per year. Spotting the one that is fraud requires controls that work even when the recipient genuinely believes the request is real.
How attackers exploit it
A typical BEC operation follows a predictable shape.
- Reconnaissance. Attackers identify the target organisation and map out its finance team, executive structure, ongoing supplier relationships, and payment patterns. LinkedIn, public filings, and breached email archives all provide this information cheaply.
- Infrastructure. Either a typosquat of the target's domain, a typosquat of a key supplier's domain, or compromise of a real email account through phishing or stealer logs. Free-tier email services (Gmail, Outlook.com) are also used in less sophisticated variants.
- Pretexting. A plausible reason for the payment request. Vendor invoices reference real ongoing projects. CEO fraud lures match the executive's actual writing style. Attorney impersonations use the language and timing of real legal matters.
- Insertion. The fraudulent email arrives at exactly the moment when it will look least suspicious. For invoice fraud, that is during an active payment cycle. For CEO fraud, that is often Friday afternoon when the executive is unreachable. For account-compromised BEC, the attacker has been monitoring for days and waits for a real conversation about a real payment.
- Execution. The recipient processes the payment. Funds land in a money mule account.
- Extraction. Funds are moved through layered accounts, crypto exchanges, or cash-out networks within minutes to hours of receipt.
The sophistication varies enormously. Low-end BEC is a foreign operator with rough English impersonating a CEO from a Gmail account. High-end BEC involves months of access to a real corporate mailbox, deepfake video calls, and multiple coordinated attackers playing different roles.
How to detect it
Detection has to combine technical signals with process signals, because purely technical detection misses the most dangerous variants.
Technical signals worth monitoring:
- Lookalike domains targeting your brand and your key suppliers. New typosquats, especially those with TLS certificates issued for them, are an early warning that an operation is being staged.
- Email authentication failures. SPF, DKIM, and DMARC failures on inbound messages claiming to be from your domain or your suppliers. Strict DMARC enforcement (p=reject) prevents simple spoofing of your own domain.
- Mailbox rule changes. Attackers who compromise an account commonly add rules to auto-forward or auto-delete messages so the legitimate user does not see incoming replies. Sudden creation of "move all from CFO to RSS subscriptions" type rules is a high-fidelity indicator.
- Anomalous login patterns. Logins to executive or finance accounts from unusual countries, devices, or impossible-travel patterns.
- Unusual reply chains. Email threads where the reply-to address differs subtly from the from address (a common attacker trick to redirect responses without compromising the original mailbox).
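As an added example that is not part of the original page, the following Python triage pass checks constructed message headers for three of the signals above: a Reply-To domain that differs from the From domain, a From domain within one edit of a watched domain after common homoglyph swaps (rn/m, 0/o, 1/l), and a message claiming a watched domain whose Authentication-Results header records a DMARC failure. The watched domains and sample headers are assumptions for illustration.

```python
from email.utils import parseaddr

# Domains we treat as our own or as key suppliers (constructed list).
WATCHED_DOMAINS = {"example.com", "acme-supplies.com"}

def levenshtein(a, b):
    """Plain edit distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain):
    """Collapse common homoglyph swaps so rn/m, vv/w, 0/o, 1/l lookalikes compare equal."""
    d = domain.lower()
    for src, dst in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(src, dst)
    return d

def domain_of(header_value):
    """Domain part of an address header such as 'CFO <cfo@example.com>'."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()

def triage(msg):
    """Return the BEC signals raised by one message's headers (dict of header -> value)."""
    signals = []
    from_dom = domain_of(msg.get("From", ""))
    reply_dom = domain_of(msg.get("Reply-To", "")) or from_dom
    if reply_dom != from_dom:
        signals.append("reply-to domain differs from from domain")
    if from_dom not in WATCHED_DOMAINS:
        for watched in WATCHED_DOMAINS:
            if levenshtein(normalise(from_dom), normalise(watched)) <= 1:
                signals.append(f"lookalike of {watched}")
    # Authentication-Results as stamped by the receiving MTA (RFC 8601 syntax).
    auth = msg.get("Authentication-Results", "").lower()
    if from_dom in WATCHED_DOMAINS and "dmarc=fail" in auth:
        signals.append("claims a watched domain but failed DMARC")
    return signals

SAMPLES = [  # constructed headers, not real traffic
    {"From": "CFO <cfo@example.com>", "Reply-To": "cfo@example-corp.net",
     "Authentication-Results": "mx.example.com; dmarc=fail header.from=example.com"},
    {"From": "Billing <ar@acme-supp1ies.com>"},
    {"From": "ar@acme-supplies.com", "Authentication-Results": "mx.example.com; dmarc=pass"},
]
```

Run `triage` over each entry of `SAMPLES`: the first raises the Reply-To and DMARC signals, the second is flagged as a lookalike of the supplier domain, and the third is clean.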
Process signals matter just as much:
- Last-minute payment changes. Any vendor request to update banking details for a long-standing relationship is BEC until proven otherwise.
- Urgency combined with secrecy. "Wire this immediately, don't loop in anyone else" is the textbook pretext.
- Channel mismatches. A request that should normally come through procurement arriving instead through a personal email, a WhatsApp message, or a text.
The Snowflake incidents in 2024, which started with stealer logs but escalated through coordinated BEC follow-on activity, illustrated how technical and process signals together produce earlier detection than either alone.
How to remediate
When BEC is confirmed:
- Stop the payment if possible. Banking partners can sometimes recall or freeze a wire if contacted within hours. Speed is everything.
- File an IC3 report immediately if in the US, or contact equivalent national fraud authorities elsewhere. The Financial Fraud Kill Chain process can sometimes recover funds, but only with fast notification.
- Notify the bank receiving the funds. Many banks will freeze accounts on credible fraud notification.
- Investigate the compromise scope. If an internal account was used, what else did the attacker access? What other payments are in flight?
- Reset credentials and invalidate sessions on any compromised accounts. Check for persistence (mailbox rules, OAuth grants, MFA device changes).
- Notify suppliers if their accounts or domains were impersonated. They may have other customers being targeted.
- Conduct a post-incident review. What process failed? What controls did not catch this? Update playbooks before the next attempt.
Recovery rates for BEC fraud are poor. The FBI's Recovery Asset Team reports successful recovery in roughly half of cases reported within 72 hours, and far less for cases reported later.
Best practices
- Out-of-band callback verification for any payment change. This is the single highest-value control. Any new banking details, any urgent wire request, any unusual change to a payment instruction must be verified by calling a known number for the requester. Not the number in the email. A number on file from before the request arrived.
- Multi-person approval for wire transfers above a threshold. Two-person rules add friction but make BEC much harder to execute against, because the attacker has to fool two independent people.
- DMARC enforcement at p=reject. This blocks simple spoofing of your own domain. It does not stop lookalike domains, but it removes one entire attack class.
- Train finance staff specifically on BEC patterns. Generic phishing training is not enough. Finance teams need to see real BEC examples and rehearse the verification process.
- Monitor your brand for typosquats and your suppliers for theirs. A typosquat of a key vendor is often the first sign of an attack staged against you.
- Establish a clear escalation channel. Anyone receiving an unusual request from an executive should have a clear, fast way to verify it without feeling they are insulting the executive's authority.
- Restrict who can change vendor banking details in your ERP. A small number of authorised people, with strong authentication and a verification process, is far safer than allowing anyone in AP to update them on the basis of an email.
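The callback, dual-approval and channel controls above can be encoded as a gate that accounts payable must clear before a banking change is saved. The Python below is an added example, not the page's or any ERP vendor's code; the record layouts, the approval threshold and the trusted-channel list are assumptions. It refuses a callback to any number other than the one on file, and also catches the case where the number on file was itself changed after the request arrived.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

DUAL_APPROVAL_THRESHOLD = 25_000  # assumed policy value; set to your own limit
TRUSTED_CHANNELS = {"portal", "procurement"}  # assumed: where changes should originate

@dataclass
class VendorRecord:
    phone_on_file: str
    phone_recorded_at: datetime   # when that number was last verified
@dataclass
class ChangeRequest:
    received_at: datetime
    channel: str                  # "portal", "email", "whatsapp", ...
    amount_at_risk: float
    phone_in_request: str = ""    # callback number the requester supplied, if any
@dataclass
class Verification:
    called_number: str
    called_at: datetime
    approvers: set = field(default_factory=set)

def evaluate_change(req, vendor, ver):
    """Reasons to hold the change; an empty list means the controls were satisfied."""
    holds = []
    if ver.called_number != vendor.phone_on_file:
        holds.append("callback did not use the number on file")
    if req.phone_in_request and ver.called_number == req.phone_in_request:
        holds.append("callback used the number supplied in the request")
    # A number "updated" after the request arrived may itself be the attacker's.
    if vendor.phone_recorded_at >= req.received_at:
        holds.append("number on file was changed after the request arrived")
    if ver.called_at < req.received_at:
        holds.append("verification predates the request")
    if req.amount_at_risk >= DUAL_APPROVAL_THRESHOLD and len(ver.approvers) < 2:
        holds.append("dual approval required above threshold")
    if req.channel not in TRUSTED_CHANNELS:
        holds.append(f"request arrived via unexpected channel: {req.channel}")
    return holds

def demo():  # two constructed cases: a textbook fraud attempt and a correctly handled change
    t0 = datetime(2025, 3, 3, 9, 0)
    vendor = VendorRecord("+1-555-0100", t0 - timedelta(days=400))
    fraud = ChangeRequest(t0, "email", 80_000, phone_in_request="+1-555-0199")
    fraud_ver = Verification("+1-555-0199", t0 + timedelta(hours=1), {"ap_clerk"})
    clean = ChangeRequest(t0, "portal", 80_000)
    clean_ver = Verification("+1-555-0100", t0 + timedelta(hours=1), {"ap_clerk", "controller"})
    return {"fraud": evaluate_change(fraud, vendor, fraud_ver),
            "clean": evaluate_change(clean, vendor, clean_ver)}
```

`demo()` returns four holds for the fraudulent case (wrong callback number, number taken from the request, single approver, email channel) and none for the clean one.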
The Hong Kong deepfake case showed that even video calls cannot be fully trusted as verification. The pattern that still works is voice contact at a known number on a known device, ideally combined with an out-of-band confirmation through a different system.
What MFA does and does not do
MFA is part of any reasonable security posture, but its limits in BEC scenarios are worth being explicit about. MFA stops account takeover by external attackers in many phishing scenarios. It does not stop:
- BEC attacks that use lookalike domains and never touch your accounts at all.
- AitM phishing kits that capture session cookies along with the password.
- Insider-led BEC where the attacker has legitimate access.
- Payment process failures where the recipient never authenticated to anything.
The takeaway is that BEC is a process problem as much as a technical one. Strong technical controls reduce the surface. Strong process controls (callback verification, dual approval, channel discipline) close the residual gap. Neither alone is sufficient.
ScruteX detects typosquats and impersonation domains used in BEC fraud, helping your team take them down before they reach your finance team or suppliers.
Further reading
Phishing Fundamentals
How phishing became the dominant initial access vector, the major variants security teams face in 2026, and what actually reduces the attack surface.
Email Authentication (SPF, DKIM, DMARC, BIMI)
How SPF, DKIM, DMARC and BIMI fit together to stop email spoofing, the alignment rules that actually decide whether a message passes, and the misconfigurations that quietly break authentication on production domains.
Typosquatting Explained
How attackers register lookalike domains to phish your customers and steal credentials, and what you can do about it.