Skip to main content

GLOSSARY · Security

Business Email Compromise BEC

Targeted scam that impersonates an executive, vendor, or trusted contact to redirect wire transfers or invoice payments to attacker-controlled accounts. Among the most expensive cyber-attack categories per incident.

Detailed definition

Business Email Compromise is the most expensive cyber-attack category that doesn’t involve malware. The FBI’s Internet Crime Complaint Center has tracked tens of billions of dollars in BEC losses globally over the last decade. The mechanics are straightforward: an attacker impersonates someone the target trusts (the CEO, an outside vendor, an attorney handling a closing) and convinces the target to redirect a wire transfer, change banking details for upcoming invoices, or release sensitive data.

Why BEC is so financially devastating

BEC bypasses every technical defense you have. There’s no malware to detect, no malicious link to block, no unusual file activity on an endpoint. The attack is purely social — a convincing email from a plausible source asking for an action that’s already part of the target’s job. By the time the wire clears, the funds have moved through several intermediary accounts and are effectively unrecoverable.

The amounts are typically large because BEC targets are usually involved in legitimate large-dollar transactions — real-estate closings, vendor payments, payroll. Attackers do the reconnaissance to know the specific deals in flight.

The common patterns

  • CEO fraud — fake email from the executive to a finance team member requesting an urgent wire
  • Vendor impersonation — fake email from a real vendor saying “we changed banks; here are the new wire instructions for next week’s invoice”
  • Attorney impersonation — particularly common in real estate closings; fake last-minute change of escrow wire instructions
  • Account takeover — attacker actually compromises a real mailbox via phishing and sends fraud from a legitimate sender address
  • Payroll diversion — fake “I need to update my direct deposit” message from a real employee’s spoofed account

Defense beyond technical controls

BEC is a process problem more than a technical one. Layered defense:

  • Out-of-band verification — any change to wire instructions, banking details, or large transfer destination MUST be confirmed via a known phone number (not the one in the suspicious email)
  • Email authentication (SPF, DKIM, DMARC) — won’t catch real account takeover but blocks domain-spoofing variants
  • MFA on every mailbox — stops the account-takeover pathway
  • Conditional access — block sign-ins from unfamiliar countries even with valid credentials
  • Security awareness training with BEC-specific scenarios, not just generic phishing
  • Email-gateway impersonation detection — flag display-name spoofing and look-alike domains

We bake out-of-band verification policies into the security awareness training programs we run for managed clients.

RELATED TERMS

AUTHORITATIVE SOURCES

External references

Need help applying BEC to your business?

We've done this kind of work across New York. First conversation is free.