Business Email Compromise (BEC): How to Protect Your Organization
This article is for educational purposes only and does not constitute professional cybersecurity advice or legal counsel. If your organization is experiencing or suspects a BEC attack, contact your bank immediately, notify law enforcement, and consult with incident response professionals.
Business Email Compromise costs organizations more money than ransomware in reported losses. It's fraud that targets finance and leadership, and it succeeds surprisingly often. A single wire transfer diversion might average $50,000 per successful case, and victims often suffer more than one. BEC doesn't require hacking sophisticated systems or breaking encryption. It requires convincing a human that a fraudulent request is legitimate. That makes BEC different from most other cybersecurity threats: it is a business process attack, not a technical attack, so understanding it means understanding how it actually works and which process controls stop it. The best email security in the world doesn't help if someone who believes they're following normal business procedure authorizes a fraudulent payment.
The critical insight about BEC is that it exploits legitimacy. Normal business communication includes requests for payments, transfers of funds, changes to vendor information, and requests for sensitive data. Most of these requests are legitimate. An attacker's job is to make a fraudulent request look like the legitimate ones everyone processes every day. The success depends on creating enough credibility that normal verification procedures are skipped or insufficient.
How BEC Attacks Actually Work
BEC attacks are not technical attacks in the sense that they don't require breaking into systems or discovering vulnerabilities. They're fraud schemes that use email as the delivery mechanism. The attacker wants you to either send money, change account information so future payments go elsewhere, or reveal sensitive data. The success depends on the request looking legitimate enough that people process it without excessive questioning.
The basic attack pattern starts with email compromise or spoofing. The attacker either compromises a real email account through phishing or other means, or sends an email that looks like it came from someone important—the CEO, the CFO, the head of procurement. From there, the attacker sends a request. The request is designed to look like something that person might normally ask for. A CEO might ask the CFO to authorize an emergency wire transfer. The head of procurement might ask accounts payable to change a vendor's payment information. HR might ask for employee data to support a "confidential" HR situation.
The credibility of the request depends on timing and context. An email claiming to be from the CEO saying "I'm traveling and need you to wire $50,000 immediately, don't tell anyone about this, reply to this email" might succeed if the CEO actually is traveling, if the person receiving the email handles urgent requests regularly, and if urgency prevents careful verification. The confidentiality claim provides a reason why normal procedures aren't being followed.
Attackers research targets and organizations before sending requests. They look for organizational structures, identify people in procurement and finance roles, determine who has authority to approve payments. They use this information to craft requests that are more credible because they reference real people and real organizational structures. A request that says "I need you to process the wire transfer for the vendor we're using for the facility renovation" is more credible than a generic wire transfer request because it references a real, ongoing business activity.
The request doesn't always involve immediate payment. Sometimes it's a request to change vendor payment information, with the actual payment happening in the next normal cycle. This gives the attacker time to execute the change before the fraud is discovered. Sometimes it's a request for employee data—social security numbers, tax information, personal information that can be used for identity theft or sold. Sometimes it's a request for access credentials or information about systems and architecture that can be used for future attacks.
What makes BEC devastating is that wire transfers, once sent, are extremely difficult to reverse. Money that goes to a US account might be recoverable if the receiving bank cooperates and the fraud is reported immediately. Money that's wired internationally or to an account in a foreign country becomes nearly impossible to recover. The attacker is usually gone before the fraud is discovered, and by the time law enforcement gets involved, the money has been moved multiple times.
CEO Fraud and Impersonation
CEO fraud is a specific category of BEC where someone impersonates the organization's CEO or other high-authority figure to request an urgent wire transfer.
The attack relies on authority leverage and urgency. A CEO asking for something creates an instinct to comply because the CEO has authority over the organization. The request is urgent—"I need this done today"—which creates pressure to act without going through normal procedures. The request is confidential—"I don't want anyone else involved"—which prevents the person from verifying with others who might catch the fraud.
The specific mechanics might be: "I'm in a confidential meeting about an acquisition. I need you to wire $500,000 to this account. This is sensitive so don't mention it to anyone, not even the normal approvers. I'll follow up with details once we've signed the NDA. Do you have any questions?" That email creates enough credibility that an executive who handles financial matters might wire the money without verification because:
The request references something that actually happens in business—acquisitions are real, confidentiality is real, NDAs exist. The urgency and confidentiality provide a reason why normal procedures aren't being followed. The person is being asked to keep it confidential, which prevents them from asking normal questions. If the email came from someone who looks like the CEO (because their email was either compromised or spoofed), the authority makes the request seem legitimate.
The person receiving the request might verify by calling the CEO at a number from the company directory, and that call usually ends the attack. The attacker's counters are aimed at that step. If the CEO's assistant's mailbox has also been compromised, a follow-up from the assistant says "The CEO is in meetings all day, here are the wire transfer instructions, I'll have them call you when they're free." The email itself may offer a callback number or invite a reply, both of which reach the attacker rather than the CEO. Or the person simply doesn't verify at all: they handle urgent requests every day, and they comply.
Successful CEO fraud cases often involve six-figure wire transfers. Some involve millions. The damage is immediate and often goes undetected for days or weeks because the normal financial reconciliation processes don't catch the fraud immediately. A wire transfer to an unusual account might not be questioned if it's small enough or if the person who authorized it doesn't mention it to accounting.
Wire Transfer Diversion and Account Changes
Wire transfer fraud doesn't always involve the attacker impersonating the CEO directly. Sometimes it involves impersonating vendors or partners and requesting changes to payment information.
An attacker might research a legitimate vendor that your organization regularly pays. They compromise the vendor's email account or send an email that looks like it's from the vendor. The email says: "Our banking information has changed due to a recent merger. Please update your records to reflect our new account information. Please use this account for future payments." The email includes fraudulent account information that's actually controlled by the attacker.
The organization receives the request, updates the vendor information in their accounting system, and continues processing payments normally. The next invoice payment goes to the attacker's account instead of the legitimate vendor's account. The vendor eventually notices they're not receiving payment—maybe days or weeks later—and contacts the organization to ask why. By that time, the money has been moved or converted.
The success of this attack depends on the organization not verifying account changes. Many organizations do have verification procedures—they call the vendor using a number from prior records to confirm the account change. But not all organizations follow these procedures consistently, and the procedures take time. An attacker who sends the request and then immediately sends a follow-up saying "Please process our invoice immediately, we need payment before month-end" creates pressure to process quickly, potentially before the account change has been properly verified.
The financial impact is significant. If an organization regularly pays a vendor $20,000 per month and the payment is redirected to an attacker's account, the attacker gets the money and the vendor doesn't, creating a three-way problem: the organization thinks they've paid, the vendor thinks they haven't been paid, and the attacker has the funds. Resolution requires identifying the fraud, recovering the funds (if possible), compensating the vendor or pursuing the fraudulent transfer, and fixing the account information.
Data Theft Attacks
Not all BEC is about financial theft. Some BEC targets data.
An attacker might impersonate HR asking a facilities manager for employee roster information to support a "confidential reorganization." They might impersonate someone from finance asking HR for employee tax information for a payroll audit. They might impersonate a client asking for pricing information or customer lists. They might impersonate IT asking for system credentials for a security audit.
The attacker's goal might be identity theft (using stolen employee information to open fraudulent accounts or apply for credit), competitive intelligence (using stolen pricing or customer information to undercut you with customers), or preparation for a more serious attack (using stolen system credentials to gain access to your systems).
Data theft is harder to detect than financial fraud because the theft often goes unnoticed. You don't know your customer list was stolen until you see it for sale on a dark web marketplace or a competitor uses information they shouldn't have. You don't know employee information was compromised until employees report fraudulent credit accounts opened in their names. The timeline between the theft and the discovery might be weeks or months.
The prevention for data theft BEC is similar to the prevention for financial BEC: verification procedures and process controls that prevent sensitive data from being released based on a single email request. But the implementation is sometimes different because financial data is often centralized and controlled, while data theft might target information that's distributed across departments and systems.
Detection and Prevention: Process Controls Matter Most
This is where BEC defense is fundamentally different from other cybersecurity defenses. Technical controls matter less than process controls. Email filtering and authentication can reduce obvious spoofing, but they can't prevent fraud that uses compromised accounts or credible-looking requests.
Email authentication, meaning SPF, DKIM and DMARC, can stop simple spoofing in which an attacker puts your exact domain in the From address, provided your domain publishes an enforcing DMARC policy and your gateway honors it. But BEC often arrives from compromised legitimate accounts (in your organization or at a trusted partner), from a lookalike domain the attacker registered, or with the executive's name as the display name over an unrelated address. None of those fail authentication, because the attacker controls the domain that is actually being checked. A message from fakecorp.com when you normally see email from corp.com might still look legitimate to someone in a hurry.
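The header and body checks a mail gateway or SOC rule can run for the cases above (executive display name on an outside address, lookalike domain, Reply-To pointing elsewhere, DMARC result, pressure language) as an added example; this is not code from the article or its publisher. The corporate domain corp.example, the trusted-vendor list, the executive roster and the three sample messages are all constructed assumptions for illustration.

```python
"""Heuristic BEC indicators for an inbound message (added example, not from the article).

Assumes a corporate domain corp.example, a trusted-vendor list and an executive
roster; the sample messages below are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

CORP_DOMAIN = "corp.example"                              # assumption
TRUSTED_DOMAINS = {CORP_DOMAIN, "acme-supplies.example"}  # assumption
EXECUTIVES = {"jane doe", "john roe"}                     # display names, assumption

# Language the article associates with BEC: urgency, secrecy, payment changes.
PRESSURE_TERMS = ("immediately", "confidential", "don't tell", "do not tell",
                  "wire transfer", "new bank account", "banking information has changed")

# Character swaps attackers use to build lookalike domains.
SUBSTITUTIONS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def normalize(domain: str) -> str:
    d = domain.lower()
    for a, b in SUBSTITUTIONS:
        d = d.replace(a, b)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    nd = normalize(domain)
    best = min(TRUSTED_DOMAINS, key=lambda t: edit_distance(nd, normalize(t)))
    return best if edit_distance(nd, normalize(best)) <= 2 else None


def _domain(address: str) -> str:
    return address.rpartition("@")[2].lower()


def bec_indicators(raw_message: str) -> list:
    """Return human-readable findings; an empty list means nothing looked suspicious."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    findings = []

    # 1. Executive's name on a non-corporate address (display-name impersonation).
    if name.strip().lower() in EXECUTIVES and from_domain != CORP_DOMAIN:
        findings.append(f"display name '{name}' used from non-corporate domain {from_domain}")

    # 2. Sender domain typosquats a domain we trust.
    target = lookalike_of(from_domain)
    if target:
        findings.append(f"sender domain {from_domain} resembles trusted domain {target}")

    # 3. Replies would go somewhere other than the apparent sender.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = _domain(reply_addr)
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")

    # 4. Authentication results stamped by our own gateway.
    auth = msg.get("Authentication-Results", "").lower()
    if "dmarc=fail" in auth:
        findings.append("DMARC failed per Authentication-Results")
    elif from_domain == CORP_DOMAIN and "dmarc=pass" not in auth:
        findings.append("claims corporate domain without a DMARC pass")

    # 5. Pressure and payment-change language in the body (samples are single-part).
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = [t for t in PRESSURE_TERMS if t in body.lower()]
    if hits:
        findings.append("pressure/payment language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
CEO_FRAUD = """From: Jane Doe <jane.doe@c0rp.example>
To: cfo@corp.example
Reply-To: Jane Doe <janedoe.exec@webmail.example>
Subject: Quick favor
Authentication-Results: mx.corp.example; dmarc=none header.from=c0rp.example

I'm in a confidential meeting about an acquisition. I need a wire transfer of $50,000
sent immediately. Don't tell anyone, just reply to this email for the account details.
"""

VENDOR_CHANGE = """From: Acme Supplies AR <ar@acme-supp1ies.example>
To: ap@corp.example
Subject: Updated banking details
Authentication-Results: mx.corp.example; dmarc=fail header.from=acme-supp1ies.example

Our banking information has changed due to a recent merger. Please use the new bank
account below for all future payments.
"""

LEGITIMATE = """From: Jane Doe <jane.doe@corp.example>
To: cfo@corp.example
Subject: Board deck
Authentication-Results: mx.corp.example; spf=pass dkim=pass dmarc=pass header.from=corp.example

Can you send me the Q3 numbers for the board deck by Friday?
"""

if __name__ == "__main__":
    for label, sample in (("CEO fraud", CEO_FRAUD), ("vendor change", VENDOR_CHANGE), ("legitimate", LEGITIMATE)):
        print(label, "->", bec_indicators(sample) or "no findings")
```

None of these findings is proof of fraud on its own; they are the signals that should route a message about money or account changes into the callback procedure rather than straight to accounts payable. Note that the compromised-account case the text describes produces no header findings at all, which is exactly why the process controls later in this article matter more than the filter.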
Multi-factor authentication on email accounts reduces the probability that an attacker can take over an account with a phished password alone. If the CEO's account requires a second factor, a stolen password is not enough by itself. But attackers can still get in through other means, such as phishing pages that proxy the real login and relay the one-time code, or theft of an already-authenticated session, and they can impersonate the CEO without ever touching the real account.
The real defense against BEC is process controls: the procedures around financial approvals, vendor account changes, and sensitive data release. A process that requires verification of wire transfers above a certain amount, by calling the requester on a number already known to you rather than one in the email, catches many BEC attacks. A process that requires every vendor account change to be independently verified before it takes effect, again by calling back a number from existing records, prevents most vendor payment diversion. A process that requires multiple approvals for sensitive data release limits who can authorize it and so limits data theft.
The organization that has strong process controls around financial transactions—procedures that ensure two people are involved in high-value wire transfers, that vendor account changes are independently verified, that large data releases require approval from multiple departments—is much more resistant to BEC than the organization that relies on email as the sole authorization channel.
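The vendor account-change control described above, written as a small workflow that refuses to take shortcuts, as an added example rather than code from the article or its publisher. The class and method names (VendorMaster, record_callback, approve) and the vendor data are hypothetical; the rules it enforces are the ones the text states: the callback goes to the number on file, the change waits for the vendor's confirmation, and the approver is someone other than the requester.

```python
"""Vendor bank-account change workflow with callback verification and dual approval.

Added example, not the article's code. Names are hypothetical; the controls are:
  1. the verification call goes to the phone number captured at onboarding,
     never to a number supplied in the change request;
  2. the change takes effect only after the vendor confirms it on that call;
  3. the approver differs from whoever submitted the request and made the call.
"""
from dataclasses import dataclass
from itertools import count
from typing import Optional


class ControlViolation(Exception):
    """A step tried to bypass a required verification control."""


@dataclass
class Vendor:
    name: str
    account: str
    callback_phone: str  # from signed onboarding paperwork, not from email


@dataclass
class ChangeRequest:
    vendor: str
    new_account: str
    submitted_by: str
    phone_in_request: Optional[str] = None  # kept for the investigation trail, never dialled
    callback_by: Optional[str] = None
    vendor_confirmed: bool = False
    approved_by: Optional[str] = None


class VendorMaster:
    def __init__(self, vendors):
        self._vendors = {v.name: v for v in vendors}
        self._requests = {}
        self._ids = count(1)

    def account_for(self, vendor: str) -> str:
        return self._vendors[vendor].account

    def submit_change(self, vendor, new_account, submitted_by, phone_in_request=None) -> int:
        """Log the request. Nothing changes yet: the old account stays in effect."""
        if vendor not in self._vendors:
            raise KeyError(f"unknown vendor {vendor}")
        rid = next(self._ids)
        self._requests[rid] = ChangeRequest(vendor, new_account, submitted_by, phone_in_request)
        return rid

    def record_callback(self, rid, dialled, caller, vendor_confirmed) -> bool:
        """Record an out-of-band call; any number other than the one on file is rejected."""
        req = self._requests[rid]
        on_file = self._vendors[req.vendor].callback_phone
        if dialled != on_file:
            raise ControlViolation(f"callback dialled {dialled}; number on file is {on_file}")
        req.callback_by = caller
        req.vendor_confirmed = vendor_confirmed
        return vendor_confirmed

    def approve(self, rid, approver) -> bool:
        req = self._requests[rid]
        if not req.vendor_confirmed:
            raise ControlViolation("vendor has not confirmed the change on a callback")
        if approver in (req.submitted_by, req.callback_by):
            raise ControlViolation("approver must be independent of requester and caller")
        req.approved_by = approver
        self._vendors[req.vendor].account = req.new_account
        return True


def violates(fn, *args, **kwargs) -> bool:
    """True if the call is blocked by a control."""
    try:
        fn(*args, **kwargs)
    except ControlViolation:
        return True
    return False


def fraud_scenario():
    """Vendor impersonation: the email carries a new account and a 'new' phone number."""
    vm = VendorMaster([Vendor("Acme Supplies", "ACCT-OLD-001", "+1-555-010-0100")])
    rid = vm.submit_change("Acme Supplies", "ACCT-ATTACKER", "ap.clerk",
                           phone_in_request="+1-555-010-0199")
    dialled_email_number = violates(vm.record_callback, rid, "+1-555-010-0199", "ap.clerk", True)
    approved_unverified = violates(vm.approve, rid, "ap.manager")
    # The clerk calls the number on file; the real vendor says nothing changed.
    vm.record_callback(rid, "+1-555-010-0100", "ap.clerk", vendor_confirmed=False)
    approved_after_denial = violates(vm.approve, rid, "ap.manager")
    return dialled_email_number, approved_unverified, approved_after_denial, vm.account_for("Acme Supplies")


def legitimate_scenario():
    """A real change: callback confirms it, and only an independent approver can apply it."""
    vm = VendorMaster([Vendor("Acme Supplies", "ACCT-OLD-001", "+1-555-010-0100")])
    rid = vm.submit_change("Acme Supplies", "ACCT-NEW-002", "ap.clerk")
    vm.record_callback(rid, "+1-555-010-0100", "ap.clerk", vendor_confirmed=True)
    self_approved = violates(vm.approve, rid, "ap.clerk")
    vm.approve(rid, "ap.manager")
    return self_approved, vm.account_for("Acme Supplies")


if __name__ == "__main__":
    print("fraud:", fraud_scenario())
    print("legitimate:", legitimate_scenario())
```

The point of encoding the rule is that the phone number in the email is never an input to verification, even if the clerk is under month-end pressure, and that the old account remains in force until both the callback and an independent approval exist. The same shape (known-good contact channel, confirmation, separate approver) applies to wire transfers above a threshold.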
Recovery When It Happens
If a wire transfer has been authorized and sent fraudulently, the first step is immediate notification to your bank. Most banks have procedures for fraud recovery, but they have strict timelines. Notification within 24 hours gives the bank a much better chance of recalling the transfer or getting the receiving bank to freeze the funds. Notification a week later might be too late if the money has already been moved.
Law enforcement should be notified immediately. In the United States, you can report to the FBI's Internet Crime Complaint Center (IC3). Wire fraud is a federal crime, and law enforcement can coordinate with international partners if the money has been moved abroad. Law enforcement involvement doesn't guarantee recovery, but it creates an official record and might result in an investigation that leads to recovery or prosecution.
Your cyber insurance carrier should be notified immediately if you have cyber insurance that covers fraud. Many cyber policies include coverage for BEC and social engineering fraud. The insurance company has relationships with incident response firms and might have resources for investigation and recovery. They'll also be involved in any settlement discussions.
Account review and temporary freeze might prevent additional fraud. If one account has been compromised, others might be at risk. Temporarily restricting account access, changing credentials, and reviewing recent transactions can prevent follow-on fraud while investigation is ongoing.
The reality of wire transfer recovery is sobering. Money that's transferred to accounts controlled by the attacker is extremely difficult to recover, especially if the account is in another country. Some percentage of fraudulently transferred funds might be recoverable if the receiving bank cooperates and freezes the account. But international transfers, particularly to countries with limited cooperation with US law enforcement, are essentially unrecoverable. This is why prevention is so much better than recovery.
The Bigger Picture
BEC is a business process attack, not a technology attack. No amount of email filtering prevents it entirely. The attacker's goal is to look legitimate enough that normal business procedures result in money being sent or data being disclosed. The defense is strengthening the business procedures themselves—making them less vulnerable to fraud while still enabling the legitimate business to operate.
The organizations that successfully defend against BEC aren't the ones with the best email security. They're the ones with strong process controls around financial transactions, with clear verification procedures that are actually followed, and with cultures where people feel comfortable questioning requests when something seems unusual. A CFO who receives an urgent wire transfer request from the CEO might ask a question that sounds rude or presumptuous, but that question might prevent a six-figure fraud. Organizations that empower employees to ask questions and verify before proceeding prevent fraud that an environment of "just do what the CEO asks" lets through.
Bringing it together, BEC is a business fraud scheme that uses email as the delivery mechanism. Email technology is limited in preventing it because BEC often uses compromised accounts or credible impersonation. The defense relies on process controls—verification procedures before wire transfers and account changes, multi-approval requirements for sensitive transactions, and a culture where verification questions are welcomed rather than discouraged. The organizations that avoid BEC aren't the ones with perfect email filtering. They're the ones with clear business procedures and the discipline to follow them even when requests appear urgent and from authority figures.
Fully Compliance provides educational content about IT compliance and cybersecurity. This article reflects general information about business email compromise threats and prevention as of its publication date. BEC attack methods evolve constantly. For threat assessment and specific guidance on protecting your organization, consult qualified cybersecurity professionals and your financial institution's fraud prevention resources.