Business Email Compromise: How BEC Attacks Work and How to Stop Them

Reza

Business email compromise, or BEC, has quietly become one of the most expensive cybercrime problems facing small and mid-sized businesses today. It doesn't rely on exotic malware or zero-day exploits. It works because someone gets a convincing email, trusts it, and wires money or hands over credentials to the wrong person.

According to the FBI's IC3 2024 Annual Report, BEC accounted for roughly $2.8 billion in losses in 2024 alone, the second-highest financial loss category of any cybercrime. Over three years (2022-2024), that number adds up to nearly $8.5 billion. These aren't losses at Fortune 500 companies with dedicated security teams. A significant portion are small businesses like yours.

This post walks through how BEC actually works, why it keeps succeeding despite growing awareness, and the specific steps you can take to protect your organization from it.

What Business Email Compromise Actually Looks Like

BEC is a broad category, but the mechanics are fairly consistent. An attacker either spoofs a legitimate email address, compromises a real one, or creates a lookalike domain. Then they send messages designed to trigger financial transactions or credential theft without raising suspicion.

The most common scenarios your team will encounter:

CEO or Executive Impersonation

An email appears to come from the CEO or a senior manager, asking a finance employee to wire funds quickly for an acquisition, settle an invoice, or purchase gift cards for a client appreciation event. The message often asks the recipient to keep things confidential and move fast. At small organizations, this works particularly well because the CEO plausibly does email finance staff directly, and people tend not to push back on the boss.

Vendor Email Compromise

An attacker researches your vendors, creates a near-identical spoofed email address (think billing@acm3corp.com instead of billing@acmecorp.com), and sends updated banking or payment instructions right before an invoice is due. Abnormal AI's 2026 Attack Landscape Report found that vendor or partner impersonation accounts for 61% of all BEC attacks. Vendor compromise is harder to catch than CEO impersonation because you're expecting communication from that vendor anyway.

Internal IT or HR Impersonation

Employees receive messages that look like internal IT alerts - password expiration notices, MFA re-enrollment prompts, or payroll direct deposit update requests. Finance and IT staff are disproportionately targeted here. The same Abnormal AI report found that finance and accounting roles receive generic internal impersonation attacks at a rate of 72.8%, well above the organizational average of 37%. The reason is straightforward: fake HR payroll notices and finance system alerts mirror real workflows those employees deal with every day.

Lateral BEC (Compromised Accounts)

This is the version most businesses don't see coming. An attacker gains access to a real employee's email account, quietly monitors it for weeks, learns the person's writing style, current vendor relationships, and pending deals, then sends fraudulent requests from that legitimate internal address. The message isn't spoofed, so it passes SPF, DKIM, DMARC, and every spam filter: it genuinely comes from your colleague's account. Attackers in this position commonly add inbox rules that delete or hide replies from the real vendor or colleague, so the account's owner never sees the conversation taking place. By the time anyone notices, money or data has already moved.

Why BEC Keeps Working Even After Years of Awareness Training

Most organizations have heard of BEC by now. Many have done phishing awareness training. Yet the FBI IC3 data shows essentially no decline in complaint volume year-over-year. So what's going on?

A few things contribute to this. First, AI has made attacks substantially more convincing. Research published by Hoxhunt found that 40% of BEC phishing emails were AI-generated as of mid-2024, and the quality of AI-written phishing now rivals or exceeds human-written attacks in many cases. The typos and awkward phrasing that employees were trained to spot are disappearing.

Second, attackers do real research. A sophisticated BEC group will spend time on LinkedIn, your company website, and social media profiling your org chart, understanding your vendors, and timing attacks to coincide with events like mergers, real estate transactions, or fiscal year-end. When the attacker already knows the CFO's name, the company's accounting software, and that Q2 close is underway, impersonating a familiar contact gets much easier.

Third, BEC exploits normal business pressure. The urgency and confidentiality framing that attackers use ("please process this before EOD, and keep it between us for now") maps directly onto how executives actually communicate urgent business matters. Employees trained to be efficient and responsive are put in a position where slowing down to verify feels like being unhelpful or untrusting.

Red Flags to Train Your Staff to Recognize

Good security awareness training doesn't just show examples of past attacks. It builds habits for evaluating any financial or credential request, regardless of who appears to be sending it. Here are the specific patterns to train employees to notice:

Pressure + Secrecy Combinations

Any message asking for something unusual (wire transfer, gift cards, password reset, credential sharing) that also includes urgency language and requests for confidentiality deserves immediate scrutiny. These two elements appearing together are a reliable signal. Legitimate urgent business requests don't usually require hiding them from the normal approval chain.

Payment or Banking Detail Changes

Any request to update banking information for a vendor should trigger a required out-of-band verification call to a phone number you already have on file - not one provided in the email. This single control catches the vast majority of vendor BEC attempts.

Domain Lookalikes

Train employees to check the actual sender email address, not just the display name. The display name is free text chosen by the sender, and attackers frequently use display name spoofing (where the email shows "John Smith - CEO" but the actual address is john.smith@gmail.com or a lookalike domain). Mobile mail clients in particular often show only the display name, so the habit to build is tapping or hovering on the sender to expose the real address. Hoxhunt's research found that display name spoofing is used in 36% of BEC emails.
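The two checks described above (display name versus real address, and lookalike domains) can be automated for mail-flow rules or a triage script. The following is an added example, not code from the original post or from any product it mentions; the trusted domains, executive names, freemail list and sample headers are all constructed placeholders you would replace with your own:

```python
"""Flag display-name spoofing and lookalike sender domains in a From: header.

Added example, not part of the original post. The trusted domains, executive
names and sample headers below are constructed for illustration.
"""
import re
from email.utils import parseaddr

# Domains you legitimately exchange mail with (constructed sample).
TRUSTED_DOMAINS = {"acmecorp.com", "yourcompany.com"}

# Executives from your org chart, lowercase (constructed sample).
EXECUTIVE_NAMES = {"john smith", "maria lopez"}

# Free webmail providers: an "executive" writing from one of these is a red flag.
FREEMAIL_DOMAINS = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}

# Digit-for-letter substitutions attackers use to make a domain look familiar.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize_domain(domain: str) -> str:
    """Lowercase and fold the common substitutions, including the rn->m and vv->w tricks."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, enough to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyze_from_header(from_header: str) -> list[str]:
    """Return human-readable flags for one From: header value; [] means nothing suspicious."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable address"]
    domain = address.rsplit("@", 1)[1].lower()
    name = display_name.strip().lower()
    flags = []

    # 1. Executive display name on a free webmail address ("John Smith - CEO" <...@gmail.com>).
    if domain in FREEMAIL_DOMAINS and any(exec_name in name for exec_name in EXECUTIVE_NAMES):
        flags.append(f"executive display name '{display_name}' on freemail domain {domain}")

    # 2. Display name contains an email address that differs from the real sender.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display_name)
    if embedded and embedded.group(0).lower() != address.lower():
        flags.append(f"display name embeds a different address ({embedded.group(0)})")

    # 3. Domain is not trusted but is a confusable or one-edit lookalike of a trusted one.
    if domain not in TRUSTED_DOMAINS:
        for trusted in TRUSTED_DOMAINS:
            if normalize_domain(domain) == trusted or edit_distance(domain, trusted) == 1:
                flags.append(f"lookalike of trusted domain {trusted}: {domain}")
                break
    return flags


# Constructed sample headers for a quick run.
SAMPLE_HEADERS = [
    "Jane Doe <jane.doe@acmecorp.com>",
    "John Smith - CEO <john.smith@gmail.com>",
    "Acme Billing <billing@acm3corp.com>",
    "Acme Billing <billing@acmecorp.co>",
    '"maria.lopez@yourcompany.com" <attacker@evil.example>',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(f"{header!r:60} -> {analyze_from_header(header) or 'ok'}")
```

The confusable folding is deliberately aggressive (it will map a legitimate "rn" to "m"), which is acceptable here because a domain is only flagged when the folded form collides with a domain already on your trusted list. An edit distance of 1 catches dropped or swapped characters such as acmecorp.co; raise it to 2 only if your trusted list is short, since false positives grow quickly.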

Requests That Skip Normal Process

If someone in authority is asking you to bypass standard approval procedures, that's worth pausing on. Legitimate exceptions do happen, but they should be verifiable through a quick phone call or walk-down-the-hall conversation.

Technical Controls That Meaningfully Reduce BEC Risk

Employee training is necessary but not sufficient. The technical layer matters a lot, and several controls have a direct impact on BEC specifically.

Email Authentication: DMARC, DKIM, and SPF

These three protocols divide the work. SPF publishes which mail servers may send on behalf of your domain, DKIM attaches a cryptographic signature that receiving servers verify against a public key in your DNS, and DMARC ties both results to the visible From: address (alignment) and tells receiving servers what to do with mail that fails: nothing (p=none), quarantine it, or reject it. Only a "reject" or "quarantine" policy gives other organizations' mail servers permission to act on messages that forge your domain when attackers target your vendors, partners, or customers. Getting DMARC to enforcement is a multi-step process, because every legitimate sender (marketing platforms, ticketing systems, your accounting software) first has to pass SPF or DKIM with an aligned domain - many organizations set p=none (monitor only) and leave it there for years without ever moving to enforcement. That monitoring-only configuration provides zero protection against spoofing; it only sends you reports about it.

Note that DMARC protects against outbound spoofing of your domain by others, and only at receivers that enforce the policy. It doesn't prevent attackers from spoofing other domains to reach your employees, and it does nothing against the two most effective BEC variants: a lookalike domain the attacker registered themselves (which can pass SPF, DKIM, and DMARC perfectly, because the attacker controls it) and a genuinely compromised account. That's where inbound email filtering, user training, and financial process controls pick up.
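The weak settings called out above (p=none, a partial pct, an SPF record ending in +all or ~all) are easy to check mechanically, and the same check is what step 1 under "How to Build a BEC-Resistant Organization" asks for. The following is an added example, not code from the original post or any DMARC tool it mentions; it audits record strings you have already fetched from DNS, and the records and domain names in it are constructed placeholders:

```python
"""Audit published DMARC and SPF TXT records for the weaknesses described above.

Added example, not from the original post. It parses record strings you have
already fetched (for example with `dig TXT _dmarc.yourdomain.com` and
`dig TXT yourdomain.com`); the sample records below are constructed, not
real lookups, and the domain names in them are placeholders.
"""


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=none; rua=mailto:...' into a {tag: value} dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_dmarc(record: str) -> list[str]:
    """Return findings for a DMARC record; an empty list means it is enforcing and sane."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none is monitor-only: receivers still deliver spoofed mail")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"invalid or missing policy: p={policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    if tags.get("sp", "").lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none leaves subdomains unprotected while the org domain is enforced")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports showing who spoofs you")
    return findings


def audit_spf(record: str) -> list[str]:
    """Return findings for an SPF record: the final 'all' qualifier and the DNS lookup budget."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    findings = []
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("+all", "all"):
        findings.append("+all authorizes every host on the internet to send as you")
    elif all_term == "?all":
        findings.append("?all is neutral: unlisted senders are not failed")
    elif all_term == "~all":
        findings.append("~all is softfail: rely on DMARC alignment, not SPF alone, to reject")
    # RFC 7208 limits DNS-querying terms to 10; more than that yields a permerror.
    lookup_mechanisms = {"include", "a", "mx", "ptr", "exists", "redirect"}
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").lower().split(":")[0].split("=")[0].split("/")[0]
        if name in lookup_mechanisms:
            lookups += 1
    if lookups > 10:
        findings.append(f"{lookups} DNS-querying terms exceed the RFC 7208 limit of 10")
    return findings


# Constructed sample records.
DMARC_SAMPLES = {
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com",
    "partial": "v=DMARC1; p=quarantine; pct=25; sp=none; rua=mailto:dmarc@yourcompany.com",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com",
}
SPF_SAMPLES = {
    "open": "v=spf1 include:_spf.google.com +all",
    "softfail": "v=spf1 include:_spf.google.com ~all",
    "strict": "v=spf1 include:_spf.google.com ip4:203.0.113.0/24 -all",
}

if __name__ == "__main__":
    for label, rec in DMARC_SAMPLES.items():
        print(f"DMARC {label}: {audit_dmarc(rec) or 'OK'}")
    for label, rec in SPF_SAMPLES.items():
        print(f"SPF {label}: {audit_spf(rec) or 'OK'}")
```

The lookup count is an approximation: it counts each include, a, mx, ptr, exists and redirect term once and does not follow the includes recursively, so a record that passes here can still exceed the limit once its includes expand. A real audit would resolve each include and add up the nested lookups.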

Multi-Factor Authentication on Email

Compromised email accounts - the lateral BEC vector - require the attacker to first get into the account. MFA on Microsoft 365 or Google Workspace substantially raises the bar for account takeover. It's not foolproof (device code phishing, adversary-in-the-middle phishing kits, and stolen session tokens can bypass certain MFA methods), but it stops credential-stuffing and password-spray attacks, which yield only a password, from turning into the mailbox access that feeds BEC. If you haven't deployed MFA on email yet, that's the single highest-leverage control to implement first.

For a deeper look at how certain MFA methods can be bypassed and what to use instead, see our post on device code phishing attacks against Microsoft 365.

Privileged Account Separation

Finance staff and IT administrators should have separate regular-use and privileged accounts. If someone's day-to-day email account is compromised, it shouldn't provide direct access to wire transfer capabilities or admin credentials. This separation limits what an attacker can do with a single compromised account.

Conditional Access and Login Anomaly Detection

Modern cloud identity platforms (Microsoft Entra ID, Okta) can flag and block logins from unusual locations, new devices, or impossible travel scenarios. Enabling these policies and routing alerts to someone who actually reviews them is an important layer for catching account compromise early, before the attacker has time to study communications patterns and launch a BEC attack from inside the account.
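The "impossible travel" check mentioned above is simple enough to show in full: two successful sign-ins by the same user whose locations could not be reached in the time between them. The following is an added example, not code from the original post or from Entra ID or Okta, whose built-in detections do this for you; the sign-in events are constructed, and each event carries its own latitude and longitude as the identity provider's sign-in log would:

```python
"""Flag impossible travel between consecutive successful sign-ins of one user.

Added example, not from the original post. The sign-in events are constructed,
with the latitude/longitude of each source IP given inline; in practice those
come from the identity provider's sign-in log (Entra ID and Okta both attach a
location to each event), not from this script.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # roughly airliner cruise speed; tune for your environment
EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class SignIn:
    user: str
    when: datetime  # UTC
    ip: str
    lat: float
    lon: float
    success: bool


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: list[SignIn], max_kmh: float = MAX_PLAUSIBLE_KMH) -> list[tuple[SignIn, SignIn, float]]:
    """Return (previous, current, implied_speed_kmh) for each pair of consecutive
    successful sign-ins by the same user that would need travel faster than max_kmh.

    Failed attempts are ignored on purpose: a burst of failures from abroad is a
    password spray, not the user travelling, and belongs to a different detection."""
    by_user: dict[str, list[SignIn]] = {}
    for event in sorted(events, key=lambda e: e.when):
        if event.success:
            by_user.setdefault(event.user, []).append(event)

    hits = []
    for user_events in by_user.values():
        for prev, cur in zip(user_events, user_events[1:]):
            km = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.when - prev.when).total_seconds() / 3600
            if hours > 0:
                speed = km / hours
            else:
                # Same timestamp from two distant places is as impossible as it gets.
                speed = float("inf") if km > 50 else 0.0
            if speed > max_kmh:
                hits.append((prev, cur, speed))
    return hits


# Constructed sample: the CFO's account is used from Los Angeles and, two hours
# later, from Lagos; a failed attempt from Moscow in between is ignored. The AP
# clerk drives from San Diego to Los Angeles, which is fine.
SAMPLE_EVENTS = [
    SignIn("cfo@yourcompany.com", datetime(2025, 3, 3, 9, 0), "203.0.113.10", 34.05, -118.24, True),
    SignIn("cfo@yourcompany.com", datetime(2025, 3, 3, 9, 30), "198.51.100.7", 55.75, 37.62, False),
    SignIn("cfo@yourcompany.com", datetime(2025, 3, 3, 11, 0), "192.0.2.44", 6.45, 3.39, True),
    SignIn("ap@yourcompany.com", datetime(2025, 3, 3, 8, 0), "203.0.113.20", 32.72, -117.16, True),
    SignIn("ap@yourcompany.com", datetime(2025, 3, 3, 10, 0), "203.0.113.21", 34.05, -118.24, True),
]

if __name__ == "__main__":
    for prev, cur, speed in impossible_travel(SAMPLE_EVENTS):
        print(f"{cur.user}: {prev.ip} -> {cur.ip} in "
              f"{(cur.when - prev.when).total_seconds() / 3600:.1f} h implies {speed:,.0f} km/h")
```

Two caveats apply in production. IP geolocation is coarse and VPN exit nodes move users hundreds of kilometres in an instant, so tune the speed threshold and whitelist your corporate VPN ranges before routing these hits to a human. And the alert is only useful if it reaches someone who will act on it within the window the attacker needs to study the mailbox, which is why the text above stresses routing alerts to a person who actually reviews them.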

Email Security Gateways

Microsoft Defender for Office 365 and Google Workspace's built-in protection catch a lot, but third-party email security platforms (Proofpoint, Mimecast, or AI-based tools like Abnormal) add detection layers specifically tuned for social engineering patterns that rule-based filters miss: a first-time sender asking for a payment change, a Reply-To that diverts the thread, an executive's name on an outside address. If your business handles significant wire transfers or sensitive data, the incremental cost is usually worth it.

Financial Process Controls That Stop Losses Even When Attacks Succeed

No technical or training control is 100% effective. Smart organizations layer process controls into their financial workflows so that even a successful BEC attack can't easily result in an irreversible loss.

  • Dual approval for wire transfers: Any wire above a threshold (typically $5,000-$10,000 for SMBs) requires two authorized individuals to approve through your financial system, not email. The approvals should be logged in your accounting software, not just confirmed via reply email.
  • Callback verification for payment changes: Any request to update vendor payment details triggers a mandatory callback to a number from your existing vendor records. Written policy, enforced consistently.
  • Transaction limits on accounts used for day-to-day operations: Accounts your team uses regularly shouldn't have unlimited wire transfer authority. Keep higher-limit accounts for large transactions that go through a higher approval bar.
  • Rapid freeze procedures: If a fraudulent transfer is discovered quickly, funds can sometimes be recovered. The FBI IC3's Financial Fraud Kill Chain is aimed at international wires of $50,000 or more, reported within 72 hours of the transfer and with a SWIFT recall already initiated through your bank; domestic and smaller transfers go through your bank's own recall process, where the practical window is also hours to a few days. Having a clear escalation procedure for suspected BEC losses can make the difference between recovering funds and absorbing the loss.

What to Do If You Think You've Been Hit

Speed matters more than almost anything else in BEC recovery. Here's the sequence:

  1. Immediately contact your bank and ask it to initiate a wire recall. For an international transfer that means a SWIFT recall notice, which IC3 also expects to see before it will engage the Financial Fraud Kill Chain.
  2. File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov and specifically request the Financial Fraud Kill Chain process for wire recovery.
  3. Contact local FBI field office if the amount is significant.
  4. Preserve all email headers and original messages - do not delete anything. Export the original items from the mailbox (.eml or .msg) rather than forwarding them, because a forward replaces the original headers with your own. The full headers, including the Received chain and Authentication-Results, are what investigators use to trace where the message actually came from.
  5. Notify your cyber insurance carrier immediately if you have one - many policies have reporting timeframes that affect coverage.
  6. If an internal account was compromised, immediately contain it: disable the account, revoke its active sessions and refresh tokens, reset the password, remove any MFA methods or devices the attacker registered, delete mailbox forwarding and inbox rules they created, revoke unfamiliar OAuth app consents, force password resets on connected systems, and preserve sign-in and audit logs for forensics.

The FBI IC3's Financial Fraud Kill Chain has recovered stolen funds in cases reported within the right window. Not all funds come back, but quick action gives you the best chance.
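Once the original message is preserved, the first triage step is reading its headers. The following is an added example, not code from the original post: it takes a preserved .eml, pulls out the fields investigators ask for (From, Reply-To, Return-Path, Message-ID, the Received chain, and the receiving server's SPF/DKIM/DMARC verdicts) and derives a few indicators. The message is constructed to match the vendor-impersonation case discussed earlier, and it makes the point from the DMARC section concrete: a lookalike domain the attacker owns authenticates perfectly, so "all checks passed" is not the same as "legitimate".

```python
"""Pull the headers an investigator needs from a preserved .eml and triage them.

Added example, not from the original post. The message below is constructed
to look like the vendor-impersonation case described earlier; the header
names are standard (RFC 5322 / RFC 8601), but providers format
Authentication-Results differently, so treat the regex as a starting point.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: a lookalike domain that the attacker controls, so SPF,
# DKIM and DMARC all pass, and a Reply-To that diverts the conversation.
SAMPLE_EML = """\
Return-Path: <bounce@acm3corp.com>
Received: from mail.acm3corp.com (mail.acm3corp.com [198.51.100.23])
 by mx.yourcompany.com with ESMTPS id abc123 for <ap@yourcompany.com>;
 Mon, 3 Mar 2025 14:02:11 +0000
Authentication-Results: mx.yourcompany.com;
 spf=pass smtp.mailfrom=acm3corp.com;
 dkim=pass header.d=acm3corp.com;
 dmarc=pass header.from=acm3corp.com
From: Acme Billing <billing@acm3corp.com>
Reply-To: billing-update@outlook.com
To: ap@yourcompany.com
Subject: Updated remittance details for invoice 4471
Date: Mon, 3 Mar 2025 14:02:05 +0000
Message-ID: <20250303140205.1@mail.acm3corp.com>

Please use the attached new bank details for all payments going forward.
"""


def parse_auth_results(value: str) -> dict[str, str]:
    """Turn 'spf=pass ...; dkim=fail ...' into {'spf': 'pass', 'dkim': 'fail', ...}."""
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", value)}


def triage(raw_eml: str) -> dict:
    """Extract the fields investigators ask for and derive simple BEC indicators."""
    msg = message_from_string(raw_eml)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    auth = parse_auth_results(" ".join(msg.get_all("Authentication-Results", [])))

    indicators = []
    failed = {k: v for k, v in auth.items() if v != "pass"}
    if failed:
        indicators.append("authentication failure: " + ", ".join(f"{k}={v}" for k, v in failed.items()))
    if not auth:
        indicators.append("no Authentication-Results header: receiving server recorded no SPF/DKIM/DMARC verdict")
    if reply_to and reply_to.lower() != from_addr.lower():
        indicators.append(f"Reply-To ({reply_to}) differs from From ({from_addr}): replies go elsewhere")
    if return_path and return_path.rsplit("@", 1)[-1].lower() != from_domain:
        indicators.append(f"Return-Path domain differs from From domain ({return_path})")

    return {
        "from": from_addr,
        "reply_to": reply_to,
        "return_path": return_path,
        "message_id": msg.get("Message-ID", ""),
        "auth": auth,
        "received_chain": msg.get_all("Received", []),  # topmost is the newest hop
        "indicators": indicators,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_EML)
    print(f"From: {result['from']}  Reply-To: {result['reply_to']}  Return-Path: {result['return_path']}")
    print("Auth:", result["auth"])
    for hop in result["received_chain"]:
        print("Received:", " ".join(hop.split()))
    for ind in result["indicators"]:
        print("INDICATOR:", ind)
```

Read the Received chain from the bottom up: each server prepends its own line, so the last one is the first hop the message took and the one most likely to name the attacker's sending host. The Message-ID and that first-hop IP are what the bank, IC3, and your insurer will ask for.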

How to Build a BEC-Resistant Organization

Preventing BEC isn't a one-time project. It's an ongoing combination of technical controls, process discipline, and staff awareness that get regularly refreshed as attack tactics evolve. The organizations that fare best treat it as a standard operating practice rather than a periodic security audit.

Start with these three foundational steps if you haven't done them already:

  1. Audit your DMARC configuration and get it to enforcement. Use a tool like MXToolbox to check your current policy, or query the _dmarc TXT record for your domain directly.
  2. Enforce MFA on all email accounts using phishing-resistant methods where possible (hardware keys or passkeys rather than SMS codes).
  3. Implement dual-approval for wire transfers through your accounting system, not through email confirmations.

After those three, work through the deeper technical controls - conditional access policies, email security gateways, privileged account separation - in order of your organization's risk profile.

If you're not sure where your current gaps are, a network security audit and email security review can give you a prioritized picture. Burgi Technologies works with small and mid-sized businesses across Southern California to assess and address exactly these kinds of controls as part of managed cybersecurity services. If you'd like a hand evaluating your current BEC exposure, we're happy to take a look.

Frequently Asked Questions About Business Email Compromise

What's the difference between BEC and regular phishing?

Standard phishing casts a wide net - millions of generic emails trying to capture credentials from anyone who clicks. BEC is targeted and financially motivated. Attackers research your organization specifically, craft messages that fit your business context, and the goal is typically a wire transfer or invoice fraud rather than just stealing a password. BEC attacks involve significantly more effort per target and result in much higher average losses - the FBI IC3 average for 2024 was $123,005 per BEC incident.

Can BEC attacks be fully blocked by email filters?

Not entirely, no. Because many BEC attacks come from real compromised accounts or well-crafted spoofed domains, they can pass standard spam filters. Advanced AI-based email security tools do better at detecting behavioral anomalies and social engineering patterns, but the most reliable defense is combining technical filters with trained employees and financial process controls. Filters reduce volume; the other layers handle what gets through.

Does cyber insurance cover BEC losses?

It depends heavily on your specific policy. Many standard cyber insurance policies exclude BEC losses or require a separate "social engineering fraud" endorsement. Insurers have also tightened requirements - most now require documented evidence of MFA deployment, DMARC configuration, and employee security training as conditions for coverage. Review your policy language and verify what's actually covered before you need to file a claim.

What's the most common BEC attack target in a small business?

Finance, accounting, and office managers who handle vendor payments are the most frequent targets. Hoxhunt's research found that organizations with fewer than 1,000 employees face a 70% weekly probability of a BEC attempt. At small organizations, attacks disproportionately impersonate the CEO or owner because that impersonation is most credible in a flat organizational structure where executives do communicate directly with finance staff.

How do attackers know enough about my business to target us convincingly?

Mostly through publicly available information. LinkedIn profiles reveal your org chart and job titles. Your company website describes what you do and sometimes lists partners or clients. Press releases, court filings, and business registry data can surface details about vendors and transactions. Attackers also use data from previous breaches - if employee email addresses and job titles appeared in a prior data breach, that information gets aggregated into lists sold on dark web forums. It doesn't take long for a motivated attacker to build a credible picture of your organization from open sources.
