A finance manager gets an email from the CEO. The tone feels familiar. The subject line references a deal that’s been in the pipeline for weeks. The ask is simple: wire funds to a new partner account before end of day. Nothing seems off. The transfer goes through.
The next morning, she mentions it to the CEO in passing. He has no idea what she’s talking about. He never sent that email.
This isn’t a rare edge case. The FBI’s Internet Crime Complaint Center (IC3) recorded over $2.9 billion in reported losses attributed to Business Email Compromise in 2023 alone, second only to investment fraud among the crime types it tracks. In most of those cases no malware was deployed and no perimeter was breached. The attack was an email that looked completely normal.
That’s the point. BEC doesn’t attack your infrastructure. It attacks your trust.
What Is Business Email Compromise?
Business Email Compromise is a social engineering attack in which someone impersonates a trusted party (an executive, a vendor, legal counsel) to manipulate employees into wiring money or handing over sensitive data. Usually there are no malicious links and no infected attachments. Just an email that looks legitimate.
Picture this: you receive a message that appears to come from your regular supplier. It references the project you’re both working on, uses the right terminology, and asks you to update your payment details because of “a bank processing issue.”
Nothing raises a flag. Until the payment clears and you call the actual supplier.
Is BEC the Same as Phishing?
They’re related, but they work very differently. Standard phishing casts a wide net. One message goes to thousands of recipients, carrying a malicious link or attachment, and succeeds on volume alone.
BEC is the opposite: one organization is studied in depth before a single message is sent. Typically no links, no attachments, and little or no technical fingerprint for signature-based tools to match.
| | Standard Phishing | BEC |
|---|---|---|
| Targeting | Mass, undifferentiated | Specific individual or organization |
| Method | Malicious links or attachments | Social engineering only |
| Goal | Steal credentials, spread malware | Wire fraud, sensitive data |
| Technical indicators | Yes (URLs, file hashes) | Essentially none |
| Average loss per incident | Relatively low | Tens of thousands to millions |
How BEC Works
BEC isn’t improvised. There’s a sequence attackers follow before they ever hit send, and understanding it matters because every stage is also an opportunity to stop them.
Stage 1 – Reconnaissance: Learning Everything About You
Before the attack begins, attackers collect as much information as possible. LinkedIn tells them who the CFO is and who reports directly to her. The company website names the executive team. Press releases mention ongoing deals. Job postings reveal internal tooling. A patient attacker can build a detailed picture of your org from entirely public sources.
Example: just from a company’s LinkedIn page, an attacker can identify the finance director, learn which vendors the company works with, and figure out which employees have payment authorization. That’s enough to write an email that feels deeply personal.
Stage 2 – Impersonation: Building a Convincing Identity
Once they have enough context, attackers build a credible identity. This usually means registering a domain that looks nearly identical to the real one (think company-corp.com instead of company.com), or, in more serious cases, compromising a real account whose credentials were leaked somewhere else.
Example: an attacker registers invoicing-vendorname.co because the real vendor uses invoicing-vendorname.com. One character difference. Most people don’t check the full domain when they’re reading quickly.
Stage 3 – Execution: Striking at the Right Moment
Attackers don’t send messages at random. They pick moments when vigilance is lowest: late Friday afternoon, when the executive “making the request” is listed as traveling, or right when a vendor payment deadline is coming up.
Example: a request to “wire before COB today” that arrives on the exact day a vendor invoice is due is far more likely to get acted on without a second look.
Stage 4 – Monetization: The Money Moves Fast
This is the part most people don’t think about, and it’s why recovery is so rare. The moment a transfer goes through, attackers move the funds immediately through a chain of intermediary accounts, often across multiple countries. By the time the victim contacts their bank, the money is already three accounts removed.
Example: funds wired at 2 PM can pass through accounts in two different countries before business closes that day. Calling the bank the next morning, even if you act fast, often comes too late.
Types of BEC Attacks
The goal is always the same. The approach changes depending on what the attacker learned about the target. These are four of the variants that appear most often in FBI reporting.
CEO Fraud
An attacker poses as a senior executive and contacts someone in finance with an urgent request to transfer funds. The message usually comes with a plausible business reason and a note asking the recipient not to discuss it with others yet.
Example: a finance team member receives an email “from the CEO” who is reportedly traveling, requesting a $150,000 wire to a new partner to close a deal that needs to happen today.
Vendor Impersonation
The attacker poses as an existing vendor and sends updated banking details, usually framed as a routine account change. Because the vendor relationship already exists, nothing about the request feels suspicious.
Example: a supplier who invoices $40,000 monthly sends an email with “updated payment instructions.” Without a quick phone verification, the next payment goes straight to the attacker’s account.
Email Account Compromise (EAC)
This is the most dangerous variant. Rather than building a fake identity, attackers take over a real account. Every message comes from a legitimate address and passes SPF, DKIM, and DMARC, so there is nothing in the message itself for security tools to flag. The only signals are around the account, such as where it was logged into and what inbox rules were created, not in the mail.
Example: a CFO’s credentials leaked in a third-party data breach. The attacker logs in, monitors communication patterns for two weeks, then sends wire instructions from the real CFO account.
Employee Data Theft
Attackers target HR with requests for sensitive employee records — payroll data, tax information, social security numbers. The data is either sold or used for follow-on identity fraud.
If records like payroll data, tax filings, or employee IDs are exposed, the company can face legal liability, mandatory breach notification, and reputational damage under applicable data protection regulations, such as Indonesia’s UU PDP.
Example: someone posing as a senior executive emails HR requesting a spreadsheet of employee compensation and tax data, citing an urgent compliance audit.
Why BEC Is So Hard to Detect
Most cyber threats leave something behind that can be analyzed: a suspicious file, a link to a flagged domain, a sender on a blocklist. Conventional email security tools work by matching those technical signals. BEC doesn’t produce them.
BEC Emails Contain No Malware or Malicious Links
Most BEC messages are plain text. No attachment to scan. No URL to run through a reputation checker. No code executing in the background. Beyond the headers and the words themselves, there is nothing for a security system to inspect.
Think of it this way: a security guard can stop someone carrying a weapon. They can’t stop someone who walks in wearing a visitor badge, greets the receptionist by name, and heads straight to the right floor. A BEC email is that second person.
Attackers Use Business Context You’d Recognize
Automated filters flag unusual patterns: unknown senders, suspicious keywords, unfamiliar formatting. BEC inverts all of those assumptions. Attackers use names you know, reference projects that are real, and mirror the communication style your org already uses.
Real example: an attacker who spent three weeks monitoring internal email threads knew a company was finalizing a contract with a specific vendor. They sent a message claiming to be that vendor, requesting a payment account change “due to an internal audit.”
Every contextual detail was accurate. Nothing looked wrong.
The Email Reads Like Your Colleague Actually Wrote It
Context alone isn’t always enough to fool someone. What makes BEC particularly convincing is when attackers replicate the writing style of the person they’re impersonating: how formal they are, whether they sign off with their full name or just initials, whether they use full sentences or short bursts.
Example: after monitoring an executive’s inbox for two weeks, an attacker knows she writes in short sentences, rarely uses a greeting, and often sends instructions without explanation. When the fake request arrives, it reads exactly like her. Nobody’s instincts fire.
Can a Secure Email Gateway (SEG) Block BEC?
Secure Email Gateway tools like Proofpoint, Mimecast, or Microsoft Defender for Office 365 are built to filter malicious email based on domain reputation, malware signatures, and suspicious URL patterns. Against BEC, their effectiveness has real limits.
A well-configured SEG can catch some signals: domains that look similar but aren’t identical, a Reply-To that points somewhere other than the From address, display names that match an executive but come from an external domain, or senders not in the internal directory. Newer gateways and API-based tools add impersonation and behavioural analysis on top of reputation filtering, which catches more BEC than signature matching alone.
But when attackers use aged domains with clean reputations, or worse, when they’ve already taken over a legitimate account, the gateway has little or nothing to act on.
That’s not a product failure. It’s an architectural one. SEGs reason from technical signals around the message. BEC operates at the layer of human trust, in the content and intent of the request. Those two things rarely meet in the same place.
How to Spot a BEC Email Before It’s Too Late
Detection depends more on trained human instinct than automated systems. Certain patterns show up consistently in BEC attempts, and the people handling financial transactions or sensitive data need to recognize them reflexively.
Here are the most common signs found in BEC emails:
- Manufactured urgency: “Wire before COB today” with no verification step is a classic setup. Urgency is engineered to bypass normal procedure.
- Sudden payment instruction changes: A vendor suddenly wants payment sent to a new account, citing “a bank issue” or “account update.”
- Requests arriving through unusual channels: An executive who normally uses Slack is now sending wire instructions via personal email.
- Domains that are almost right: One transposed letter, or .co instead of .com, easily missed in a quick scan.
- Requests for secrecy: Any email asking you “not to mention this to anyone yet” is a clear warning sign.
How to Prevent BEC in Your Organization
Preventing BEC requires layered controls. No single measure is enough because the attack operates across two surfaces at once: technical and human. Here’s what organizations can put in place.
1. Enable Multi-Factor Authentication on all email accounts
EAC, the variant where attackers use real compromised accounts, is the most damaging form of BEC. MFA (Multifactor Authentication) stops the straightforward case where only a password has leaked.
Even if an attacker obtains the CFO’s password through a data breach, they still can’t get in without the second factor on her device. MFA is not absolute, though: adversary-in-the-middle phishing kits relay one-time codes and push prompts in real time, so for executive and finance accounts prefer phishing-resistant methods (FIDO2 security keys or passkeys) and alert on any new device enrolling an MFA method.
2. Require two-channel verification for transfers above a set threshold
Confirmation should happen via a phone call to a number already on file, not a number listed in the request email.
Example: any wire request over $5,000 gets a callback to a registered contact before it’s processed, regardless of how convincing the email is.
3. Run regular simulated BEC attacks
Theory-based training doesn’t build real instincts. Sending fake BEC emails to employees and tracking who acts on them without verifying creates direct, memorable learning.
Example: the IT team sends a message mimicking the CEO asking for an urgent wire. Employees who respond without checking get targeted follow-up coaching; those who flag it have demonstrated real awareness.
4. Configure DMARC, DKIM, and SPF on your domain
These protocols make it much harder for attackers to spoof your exact domain in emails to external parties. Without them, someone can send a message that appears to come from your company’s real domain to your vendors or partners. Two caveats: the protection only applies if your DMARC policy is p=quarantine or p=reject (p=none only reports) and the receiving server enforces it; and none of the three checks say anything about a lookalike domain the attacker registered and configured correctly, or about a genuine account that has been taken over.
Example: an attacker tries to send invoice@yourcompany.com to a vendor requesting a payment redirect. With DMARC at p=reject and the vendor’s mail server enforcing it, the message is rejected or quarantined before it’s read.
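Added example, not code from the original article: a minimal evaluator of the DMARC decision, showing why the policy text and the alignment mode matter and where the protection stops. The DNS answers are constructed (no live lookups), the domains are the page’s placeholders (company.com, and the Stage 2 lookalike company-corp.com), and the organizational-domain logic is simplified to the last two labels, where a real validator would use the Public Suffix List.

```python
from __future__ import annotations

# Constructed DNS TXT answers standing in for real lookups (assumption: not live records).
DNS_TXT = {
    "_dmarc.company.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@company.com",
    "_dmarc.company-corp.com": "v=DMARC1; p=none",   # attacker's own domain, published by them
}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary (keys lower-cased)."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (co.uk etc. need the PSL)."""
    return ".".join(domain.lower().split(".")[-2:])


def lookup_policy(from_domain: str) -> dict[str, str] | None:
    """DMARC record for the From: domain, falling back to its org domain as RFC 7489 does."""
    for name in (from_domain.lower(), org_domain(from_domain)):
        record = DNS_TXT.get(f"_dmarc.{name}")
        if record:
            return parse_dmarc(record)
    return None


def aligned(auth_domain: str | None, from_domain: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def dmarc_result(from_domain: str, spf_domain: str | None, dkim_domain: str | None) -> str:
    """Outcome for one message.

    from_domain: domain of the RFC 5322 From: header the recipient sees.
    spf_domain:  MAIL FROM domain that passed SPF, or None if SPF failed or was absent.
    dkim_domain: d= of a DKIM signature that verified, or None.
    Returns 'pass', the requested disposition ('none', 'quarantine', 'reject'),
    or 'no-policy' when the From: domain publishes no DMARC record at all.
    """
    pol = lookup_policy(from_domain)
    if pol is None:
        return "no-policy"
    spf_ok = aligned(spf_domain, from_domain, pol.get("aspf", "r"))
    dkim_ok = aligned(dkim_domain, from_domain, pol.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass"
    return pol.get("p", "none")


if __name__ == "__main__":
    # Exact-domain spoof: the attacker's bounce domain passes SPF, but it is not aligned.
    print(dmarc_result("company.com", "company-corp.com", None))       # reject
    # Genuine mail signed with our own DKIM key.
    print(dmarc_result("company.com", "company.com", "company.com"))   # pass
    # Lookalike domain with its own correct SPF: DMARC is satisfied and cannot help.
    print(dmarc_result("company-corp.com", "company-corp.com", None))  # pass
```

The third case is the one to remember: DMARC answers "is this really from the domain in the From: header?", and for a lookalike domain the honest answer is yes. Catching those is the job of the lookalike checks and the callback procedure, not of email authentication.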
5. Create a clear escalation procedure for unusual requests
Employees need to know that questioning a suspicious instruction is expected behavior, not insubordination.
Example: any request to change a vendor’s payment details requires sign-off from two separate people, whatever the dollar amount.
6. Monitor email login activity for anomalies
Logins from unknown devices or unusual locations should trigger an automatic alert, especially for executive and finance accounts.
Example: if the CFO’s account logs in from a city she’s not visiting, that session should require verification before the account can send anything.
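Added example, not from the original article: a small detector run over constructed sign-in and mailbox audit events, in a schema of our own rather than any product’s log format. It flags the signals the EAC section describes around a taken-over account, a sign-in from a new country or unknown device, two countries within a short window (impossible travel), and an inbox rule that forwards externally or deletes mail (the usual way an attacker hides replies), and it marks the account for step-up verification before any further outbound mail. The domain, account names, baseline, and two-hour window are assumptions.

```python
from __future__ import annotations

from datetime import datetime, timedelta

# Assumptions for this example.
ORG_DOMAINS = {"company.com"}                       # forwarding anywhere else is "external"
WATCHED = {"cfo@company.com", "ap@company.com"}     # executive and finance accounts
TRAVEL_WINDOW = timedelta(hours=2)                  # two countries inside this = impossible travel

# Constructed audit events (not a real product's schema), already in UTC.
EVENTS = [
    {"ts": "2024-05-06T08:02:00", "user": "cfo@company.com", "type": "signin", "country": "ID", "device": "laptop-01"},
    {"ts": "2024-05-06T09:15:00", "user": "cfo@company.com", "type": "signin", "country": "ID", "device": "laptop-01"},
    {"ts": "2024-05-06T09:40:00", "user": "cfo@company.com", "type": "signin", "country": "NG", "device": "unknown-7f3a"},
    {"ts": "2024-05-06T09:42:00", "user": "cfo@company.com", "type": "inbox_rule", "name": "auto",
     "forward_to": "cfo.private@mail.example", "delete": True},
    {"ts": "2024-05-06T10:05:00", "user": "cfo@company.com", "type": "send", "to": "ap@company.com",
     "subject": "Wire - urgent"},
    {"ts": "2024-05-06T10:30:00", "user": "ap@company.com", "type": "signin", "country": "ID", "device": "desktop-14"},
]

# Constructed 30-day baseline: where and from what each account normally signs in.
BASELINE = {
    "cfo@company.com": {"countries": {"ID"}, "devices": {"laptop-01"}},
    "ap@company.com": {"countries": {"ID"}, "devices": {"desktop-14"}},
}


def detect(events: list[dict], baseline: dict) -> dict:
    """Walk events in time order; return alerts and the accounts that must re-verify
    (step-up) before they are allowed to send mail."""
    alerts: list[str] = []
    step_up: set[str] = set()
    last_signin: dict[str, tuple[datetime, str]] = {}

    for e in sorted(events, key=lambda x: x["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        base = baseline.get(user, {"countries": set(), "devices": set()})

        if e["type"] == "signin":
            if e["country"] not in base["countries"]:
                alerts.append(f"{user}: sign-in from new country {e['country']}")
                step_up.add(user)
            if user in WATCHED and e["device"] not in base["devices"]:
                alerts.append(f"{user}: sign-in from unknown device {e['device']}")
                step_up.add(user)
            prev = last_signin.get(user)
            if prev and prev[1] != e["country"] and ts - prev[0] <= TRAVEL_WINDOW:
                alerts.append(f"{user}: impossible travel {prev[1]}->{e['country']} within {ts - prev[0]}")
                step_up.add(user)
            last_signin[user] = (ts, e["country"])

        elif e["type"] == "inbox_rule":
            fwd = e.get("forward_to", "")
            external = bool(fwd) and fwd.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS
            if external or e.get("delete"):
                alerts.append(f"{user}: inbox rule {e['name']!r} forwards externally or deletes mail")
                step_up.add(user)

        elif e["type"] == "send" and user in step_up:
            # The page's rule: a suspicious session must re-verify before it can send anything.
            alerts.append(f"{user}: outbound mail {e['subject']!r} while step-up is pending")

    return {"alerts": alerts, "step_up": step_up}


if __name__ == "__main__":
    result = detect(EVENTS, BASELINE)
    for line in result["alerts"]:
        print(line)
    print("require step-up:", sorted(result["step_up"]))
```

In a real deployment the "send while step-up is pending" branch would be an enforcement action (revoke the session, require re-authentication) rather than another alert; the ordering matters because the inbox rule and the outbound wire request in the sample arrive within half an hour of the anomalous sign-in, which is typical of how quickly a taken-over account is used.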
7. Make employees your last line of defense, not just an audience for training
Technical controls protect systems. Employees are the ones who actually read the emails.
Give them a simple, memorable rule they can actually use: any payment request or account change that arrives via email requires confirmation through one separate channel before anything is processed. No exceptions, no matter how convincing the message is.
BEC is just one form of modern cyber threat that exploits human vulnerabilities and access. The following eBook can serve as a reference for understanding more comprehensive business protection strategies.
Digital Defense Fortress: A Robust and Integrated Access Security Architecture
Eliminate the vulnerabilities of fragmented and high-risk operational systems in the hybrid work era. Discover how Unified Identity Management (IAM) orchestration can simplify credential governance, reduce IT operational burden, and proactively neutralize internal and external cyber threats.
Credential Visibility and Adaptive Authentication
Learn how cyberattacks target employee identity vulnerabilities and explore strategies like user lifecycle automation, centralized Single Sign-On (SSO), and Multi-Factor Authentication (MFA) to prevent data breaches.
Conclusion
BEC is a reminder that security isn’t purely a technology problem. The best-configured systems can still be bypassed when the attack targets people, not software.
What makes this threat hard to address with any single control is that it adapts. Attackers impersonate the CEO today, a vendor tomorrow, and use a compromised real account the day after. Every iteration is designed to get past whatever defense was put up last time.
An effective response has to cover all four layers: strict verification policies, ongoing employee training, proactive access monitoring, and solid email authentication configuration. Not as separate initiatives, but as one connected posture.
Most BEC victims aren’t caught off guard because they didn’t know the threat existed. They knew. What they didn’t have was a procedure strong enough to survive one moment of distraction. That’s the gap between a company that almost got hit and one that wired the funds.
If you’re evaluating your organization’s readiness against social engineering threats like BEC, Adaptist Prime is a good place to start that conversation.
Ready to Manage Digital Identities as a Business Security Strategy?
Request a demo today and discover how IAM solutions centralize user logins through Single Sign-On (SSO), automate employee onboarding, and protect company data from unauthorized access without disrupting productivity with repeated logins.
FAQ
How is BEC different from phishing?
Phishing targets large groups with generic messages, relying on volume. BEC targets a specific organization after attackers research its structure and processes, which is why it’s far harder to recognize.
Does BEC only target large companies?
No. Mid-size and small businesses are often more vulnerable precisely because their internal controls are less formal and financial verification procedures are less strict.
What should we do if the money has already been sent?
Contact your bank immediately to request a wire recall; the best odds of recovery are within the first 72 hours, because the funds are moved on quickly. In parallel, report the incident to the FBI’s IC3 (ic3.gov) and preserve every message involved, headers included, for the investigation.
Does email encryption protect against BEC?
No. BEC doesn’t intercept existing messages in transit; it creates new ones designed to look legitimate, or sends them from an account the attacker has taken over, which reads encrypted mail exactly as its owner does. Encryption protects data in transit; it does nothing against a request that is trusted because of who appears to have sent it.
How often does a BEC message come from a genuine account?
Often enough to matter. The EAC variant, where attackers send messages from a real account they’ve taken over, is counted within the BEC category in FBI IC3 figures and is behind many of the highest-loss cases, precisely because the message itself carries no technical indicators; the only signs are around the account, such as where it was logged into and what inbox rules were created.