GLOSSARY · Security
Business Email Compromise BEC
Targeted scam that impersonates an executive, vendor, or trusted contact to redirect wire transfers or invoice payments to attacker-controlled accounts. Among the most expensive cyber-attack categories per incident.
Detailed definition
Business Email Compromise is the most expensive cyber-attack category that doesn’t involve malware. The FBI’s Internet Crime Complaint Center has tracked tens of billions of dollars in BEC losses globally over the last decade. The mechanics are straightforward: an attacker impersonates someone the target trusts (the CEO, an outside vendor, an attorney handling a closing) and convinces the target to redirect a wire transfer, change banking details for upcoming invoices, or release sensitive data.
Why BEC is so financially devastating
BEC bypasses every technical defense you have. There’s no malware to detect, no malicious link to block, no unusual file activity on an endpoint. The attack is purely social — a convincing email from a plausible source asking for an action that’s already part of the target’s job. By the time the wire clears, the funds have moved through several intermediary accounts and are effectively unrecoverable.
The amounts are typically large because BEC targets are usually involved in legitimate large-dollar transactions — real-estate closings, vendor payments, payroll. Attackers do the reconnaissance to know the specific deals in flight.
The common patterns
- CEO fraud — fake email from the executive to a finance team member requesting an urgent wire
- Vendor impersonation — fake email from a real vendor saying “we changed banks; here are the new wire instructions for next week’s invoice”
- Attorney impersonation — particularly common in real estate closings; fake last-minute change of escrow wire instructions
- Account takeover — attacker actually compromises a real mailbox via phishing and sends fraud from a legitimate sender address
- Payroll diversion — fake “I need to update my direct deposit” message from a real employee’s spoofed account
Defense beyond technical controls
BEC is a process problem more than a technical one. Layered defense:
- Out-of-band verification — any change to wire instructions, banking details, or large transfer destination MUST be confirmed via a known phone number (not the one in the suspicious email)
- Email authentication (SPF, DKIM, DMARC) — won’t catch real account takeover but blocks domain-spoofing variants
- MFA on every mailbox — stops the account-takeover pathway
- Conditional access — block sign-ins from unfamiliar countries even with valid credentials
- Security awareness training with BEC-specific scenarios, not just generic phishing
- Email-gateway impersonation detection — flag display-name spoofing and look-alike domains
We bake out-of-band verification policies into the security awareness training programs we run for managed clients.
HOW WE HELP
Related Bytes Unlimited services
-
Security & Compliance
PCI DSS, HIPAA, and general security posture work. Endpoint protection, MFA, awareness training, audit-ready documentation.
-
Google Workspace
Google Workspace Partner. Email, Drive, Meet, and identity setup with the partner-channel pricing and support escalations.
-
Microsoft 365
Microsoft Solutions Partner. Microsoft 365 tenant setup, Exchange Online, Intune, and identity hardening.
Need help applying BEC to your business?
We've done this kind of work across New York. First conversation is free.