Business Email Compromise (BEC): How to Protect Your Organization
Reviewed by the Fully Compliance editorial team. Last updated March 2026.
Short answer: Business email compromise is fraud that uses email to trick employees into sending wire transfers, changing vendor payment details, or disclosing sensitive data. BEC caused $2.9 billion in reported losses in 2023 according to the FBI IC3, making it the costliest cybercrime category. Defense depends on process controls, not technology.
BEC Costs More Than Ransomware and Targets Human Judgment, Not Systems
Business email compromise costs organizations more money than ransomware. The FBI's Internet Crime Complaint Center reported BEC losses of $2.9 billion in 2023 alone, dwarfing ransomware payouts by a factor of roughly ten. It is sophisticated fraud that targets finance and leadership with high success rates. A wire transfer diversion attack averages around $50,000 per successful case, but victims often have multiple successful cases. BEC does not require hacking sophisticated systems or breaking encryption. It requires convincing a human that a fraudulent request is legitimate. Your best email security does nothing if someone who thinks they are following normal business procedure authorizes a fraudulent payment.
The critical insight about BEC is that it exploits legitimacy. Normal business communication includes requests for payments, transfers of funds, changes to vendor information, and requests for sensitive data. Most of these requests are legitimate. An attacker's job is to make a fraudulent request look like the legitimate ones everyone processes every day. The success depends on creating enough credibility that normal verification procedures are skipped or insufficient.
How BEC Attacks Actually Work
BEC attacks are not technical attacks in the sense that they do not require breaking into systems or discovering vulnerabilities. They are fraud schemes that use email as the delivery mechanism. The attacker wants you to either send money, change account information so future payments go elsewhere, or reveal sensitive data. The success depends on the request looking legitimate enough that people process it without excessive questioning.
The basic attack pattern starts with email compromise or spoofing. The attacker either compromises a real email account through phishing or other means, or sends an email that looks like it came from someone important, such as the CEO, CFO, or head of procurement. From there, the attacker sends a request designed to look like something that person would normally ask for. A CEO might ask the CFO to authorize an emergency wire transfer. The head of procurement might ask accounts payable to change a vendor's payment information. HR might ask for employee data to support a "confidential" HR situation.
The credibility of the request depends on timing and context. An email claiming to be from the CEO saying "I'm traveling and need you to wire $50,000 immediately, don't tell anyone about this, reply to this email" succeeds when the CEO actually is traveling, the person receiving the email handles urgent requests regularly, and urgency prevents careful verification. The confidentiality claim provides a reason why normal procedures are not being followed.
Attackers research targets and organizations before sending requests. They look for organizational structures, identify people in procurement and finance roles, and determine who has authority to approve payments. A request that says "I need you to process the wire transfer for the vendor we're using for the facility renovation" is more credible than a generic wire transfer request because it references a real, ongoing business activity. According to the Verizon 2024 Data Breach Investigations Report, pretexting attacks, which include BEC, account for a growing share of social engineering incidents, with the median transaction in BEC cases reaching $50,000.
The request does not always involve immediate payment. Sometimes it is a request to change vendor payment information, with the actual payment happening in the next normal cycle. This gives the attacker time to execute the change before the fraud is discovered. Sometimes it is a request for employee data, including social security numbers, tax information, and personal information that can be used for identity theft or sold. Sometimes it is a request for access credentials or information about systems and architecture that can be used for future attacks.
What makes BEC devastating is that wire transfers, once sent, are extremely difficult to reverse. Money that goes to a US account may be recoverable if the receiving bank cooperates and the fraud is reported immediately. Money that is wired internationally becomes nearly impossible to recover. The attacker is usually gone before the fraud is discovered, and by the time law enforcement gets involved, the money has been moved multiple times.
CEO Fraud, Wire Transfer Diversion, and Data Theft
CEO fraud is a specific category of BEC where someone impersonates the organization's CEO or other high-authority figure to request an urgent wire transfer. The attack relies on authority leverage and urgency. A CEO asking for something creates an instinct to comply. The request is urgent, which creates pressure to act without going through normal procedures. The request is confidential, which prevents the person from verifying with others who might catch the fraud.
The specific mechanics look like this: "I'm in a confidential meeting about an acquisition. I need you to wire $500,000 to this account. This is sensitive so don't mention it to anyone, not even the normal approvers. I'll follow up with details once we've signed the NDA." That email creates enough credibility that an executive who handles financial matters wires the money without verification because the request references something that actually happens in business. Acquisitions are real, confidentiality is real, NDAs exist. Successful CEO fraud cases often involve six-figure wire transfers. Some involve millions. The damage is immediate and often goes undetected for days or weeks because normal financial reconciliation processes do not catch the fraud immediately.
Wire transfer diversion takes a different form. An attacker researches a legitimate vendor your organization regularly pays, compromises the vendor's email account or sends an email that looks like it is from the vendor, and says: "Our banking information has changed due to a recent merger. Please update your records." The organization updates the vendor information in their accounting system, and the next invoice payment goes to the attacker's account. The vendor eventually notices they are not receiving payment, maybe days or weeks later, and contacts the organization. By that time, the money has been moved.
Not all BEC is about financial theft. Some BEC targets data. An attacker might impersonate HR asking a facilities manager for employee roster information, impersonate someone from finance asking HR for employee tax information, or impersonate IT asking for system credentials. Data theft is harder to detect than financial fraud because the theft often goes unnoticed until employees report fraudulent credit accounts opened in their names or stolen customer data appears elsewhere. The timeline between the theft and the discovery can stretch weeks or months.
Detection and Prevention: Process Controls Matter Most
This is where BEC defense is fundamentally different from other cybersecurity defenses. Technical controls matter less than process controls. Email filtering and authentication reduce obvious spoofing, but they do not prevent fraud that uses compromised accounts or credible-looking requests.
Email authentication through SPF, DKIM, and DMARC prevents simple spoofing where an attacker claims to be from your domain. But BEC often involves compromised legitimate email accounts from your organization or from trusted partners, or spoofed domains that look similar. Multi-factor authentication on email accounts reduces the probability that an attacker can compromise the account through phishing, but attackers can still compromise accounts through other means or impersonate without compromising the actual account.
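The limits described above can be turned into a simple triage check. The following is an added example, not code from the original article: given the sender domain of a payment-change request, it reads the domain's DMARC policy and compares the domain against the vendors the organization actually pays, flagging weak policies and lookalike domains for the out-of-band callback. The vendor list and DMARC records are constructed sample data, and a real deployment would query `_dmarc.<domain>` in DNS.

```python
import re
from difflib import SequenceMatcher

# Constructed sample data: vendor domains this organization pays and the DMARC
# TXT records their DNS would return. Real code would query _dmarc.<domain>.
TRUSTED_VENDOR_DOMAINS = ["example-vendor.com", "example-bank.com"]
SAMPLE_DMARC_TXT = {
    "example-vendor.com": "v=DMARC1; p=reject; rua=mailto:dmarc@example-vendor.com",
    "example-vend0r.com": "v=DMARC1; p=none",   # lookalike domain with a weak policy
    "unrelated-corp.net": "",                   # no DMARC record published at all
}

def parse_dmarc_policy(txt):
    """Return the p= tag of a DMARC record, or None if absent or malformed."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = dict(re.findall(r"(\w+)\s*=\s*([^;]+)", txt))
    return tags.get("p", "").strip().lower() or None

def lookalike_of(domain, trusted=TRUSTED_VENDOR_DOMAINS, threshold=0.85):
    """Return the trusted domain this one closely resembles but does not equal."""
    domain = domain.lower()
    if domain in trusted:
        return None
    best = max(trusted, key=lambda t: SequenceMatcher(None, domain, t).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= threshold else None

def assess_sender(domain, dmarc_txt):
    """Collect technical warning signs for a sender domain on a payment-change request.

    An empty reasons list does not skip the mandated callback to a known number;
    it only means the technical checks added nothing to escalate.
    """
    reasons = []
    policy = parse_dmarc_policy(dmarc_txt)
    if policy not in ("reject", "quarantine"):
        reasons.append(f"DMARC policy is {policy or 'missing'}: spoofing of this domain is not blocked")
    target = lookalike_of(domain)
    if target:
        reasons.append(f"domain resembles trusted vendor {target}")
    return {"domain": domain, "escalate": bool(reasons), "reasons": reasons}

if __name__ == "__main__":
    for d, txt in SAMPLE_DMARC_TXT.items():
        print(assess_sender(d, txt))
```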
The real defense against BEC is process controls: the procedures around financial approvals, vendor account changes, and sensitive data release. A process that requires wire transfers above a certain amount to be verified by calling the requester at a known phone number catches many BEC attacks. A process that requires every vendor account-change notification to be independently verified before it is implemented prevents vendor fraud. A process that requires multiple approvals for sensitive data release prevents data theft by limiting who can authorize it.
The organization with strong process controls around financial transactions, with procedures that ensure two people are involved in high-value wire transfers, that vendor account changes are independently verified, and that large data releases require approval from multiple departments, is far more resistant to BEC than the organization that relies on email as the sole authorization channel.
Recovery When It Happens
If a wire transfer has been authorized and sent fraudulently, the first step is immediate notification to your bank. Most banks have procedures for fraud recovery, but they have strict timelines. Notification within 24 hours gives the bank a much better chance of stopping the transfer or recovering the funds. Notification a week later is typically too late.
Law enforcement should be notified immediately. In the United States, you report to the FBI's Internet Crime Complaint Center (IC3). Wire transfer fraud is a federal crime, and law enforcement can coordinate with international partners if the money has been moved internationally. Your cyber insurance carrier should be notified immediately if you have cyber insurance that covers fraud. Many cyber policies include coverage for BEC and social engineering fraud.
The reality of wire transfer recovery is sobering. Money transferred to accounts controlled by the attacker is extremely difficult to recover, especially if the account is in another country. The FBI IC3's Recovery Asset Team reported a 73% success rate in freezing funds when notified within 48 hours, but international transfers, particularly to countries with limited cooperation with US law enforcement, are essentially unrecoverable. This is why prevention is so much better than recovery.
The Bigger Picture
BEC is a business process attack, not a technology attack. No amount of email filtering prevents it entirely. The attacker's goal is to look legitimate enough that normal business procedures result in money being sent or data being disclosed. The defense is strengthening the business procedures themselves, making them less vulnerable to fraud while still enabling the legitimate business to operate.
The organizations that successfully defend against BEC are not the ones with the best email security. They are the ones with strong process controls around financial transactions, with clear verification procedures that are actually followed, and with cultures where people feel comfortable questioning requests when something seems unusual. A CFO who receives an urgent wire transfer request from the CEO and asks a verification question might sound rude or presumptuous, but that question prevents six-figure fraud. Organizations that empower employees to question and verify before proceeding prevent fraud that compliance-by-authority cultures do not.
BEC is a business fraud scheme that uses email as the delivery mechanism. Email technology is limited in preventing it because BEC often uses compromised accounts or credible impersonation. The defense relies on process controls, verification procedures before wire transfers and account changes, multi-approval requirements for sensitive transactions, and a culture where verification questions are welcomed rather than discouraged.
Frequently Asked Questions
What is the most common type of BEC attack? Wire transfer diversion and CEO impersonation fraud account for the largest share of BEC losses. The FBI IC3's 2023 report shows that BEC was responsible for $2.9 billion in reported losses, with wire transfer fraud being the predominant mechanism. Vendor payment redirection is increasingly common because it exploits existing payment cycles rather than requiring an unusual urgent request.
Can email security tools prevent BEC? Email authentication (SPF, DKIM, DMARC) prevents direct domain spoofing, but most BEC attacks use compromised legitimate accounts or lookalike domains that bypass these controls. Technical tools reduce exposure but do not eliminate BEC risk. Process controls, specifically requiring out-of-band verification for wire transfers and account changes, are the primary defense.
What should I do immediately if I suspect a BEC attack succeeded? Contact your bank immediately. The FBI IC3's Recovery Asset Team has demonstrated that notification within 48 hours significantly increases the chances of freezing fraudulent transfers. File a report with the FBI IC3, notify your cyber insurance carrier, and freeze or restrict any accounts that may have been compromised. Speed is the decisive factor in recovery.
How do attackers choose their targets for BEC? Attackers research organizations using public information, including LinkedIn profiles, corporate websites, SEC filings, and press releases. They identify individuals in finance and procurement roles, determine reporting structures, and time attacks to coincide with executive travel or organizational events that make urgent requests plausible.
Does cyber insurance cover BEC losses? Many cyber insurance policies cover BEC and social engineering fraud, though coverage terms vary significantly. Some policies require specific process controls to be in place, such as dual-authorization for wire transfers, as a condition of coverage. Review your policy language carefully and confirm with your carrier what verification procedures are required to maintain coverage eligibility.
What process controls are most effective against BEC? Dual authorization for wire transfers above a defined threshold, mandatory out-of-band verification (phone call to a known number) for any change to vendor payment information, multi-person approval for bulk data releases, and a culture that treats verification questions as standard practice rather than insubordination. These controls address the specific mechanisms BEC exploits.