Business Email Compromise (BEC): The Complete Guide for IT Security Teams
Business email compromise is not a technical exploit. In its classic form there is no malware, no malicious attachment and no weaponized link. BEC is a social engineering attack delivered through email, and it is one of the costliest categories of cybercrime tracked by the FBI.
The FBI Internet Crime Complaint Center (IC3) reported $2.9 billion in adjusted losses from BEC in 2023 alone. That figure only counts reported incidents. The actual number is almost certainly higher, because many organizations never report BEC losses due to reputational concerns.
This guide covers what BEC is, how it works, the major variants you need to defend against, real-world examples, and the technical and procedural controls that actually prevent these attacks. If you are responsible for email security at your organization, this is the reference document your team needs.
For a shorter overview of BEC fundamentals, see our Business Email Compromise page.
What Is Business Email Compromise?
Business email compromise is a form of targeted email fraud where an attacker impersonates a trusted party - typically a senior executive, a vendor, or a business partner - to manipulate an employee into taking a specific action. That action is usually a wire transfer, a change to payment details, or the disclosure of sensitive information like employee tax records.
BEC attacks succeed because they exploit trust and authority rather than technical vulnerabilities. An employee who receives an urgent email from their CEO requesting an immediate wire transfer faces a psychological conflict between following security procedures and complying with a direct request from leadership. Attackers deliberately engineer this conflict.
How BEC Differs from Standard Phishing
Standard phishing attacks cast a wide net. They send thousands of emails hoping a small percentage of recipients click a malicious link or download an infected attachment. BEC is fundamentally different:
- No malicious payload. BEC emails typically contain no links, no attachments, and no malware. They are plain text messages that pass every content scanner.
- Highly targeted. Attackers research specific individuals, organizational structures, and business relationships before launching an attack.
- Financially motivated. The goal is almost always a direct financial transfer or access to data that enables financial fraud.
- Low volume, high value. A single BEC attack can steal hundreds of thousands or millions of dollars in one transaction.
This is why traditional anti-phishing tools alone are not sufficient. BEC defense requires identity verification, behavioral analysis, and process controls that go beyond content scanning.
The Five Types of BEC Attacks
Five schemes cover most BEC activity; the FBI's own taxonomy is similar, listing account compromise where this guide covers whaling. Understanding each type is essential for building layered defenses.
1. CEO Fraud (Executive Impersonation)
The attacker impersonates a CEO, CFO, or other senior executive and sends an urgent email to an employee in finance or accounting, requesting an immediate wire transfer. The email typically emphasizes urgency and confidentiality - “This needs to happen today” and “Don’t discuss this with anyone else.”
CEO fraud exploits authority bias - the tendency for employees to comply with requests from leadership without questioning them. Our CEO Fraud Protection page covers the mechanics of this attack in detail.
Common characteristics:
- Sent from a spoofed or lookalike domain (e.g., ceo@companv.com instead of ceo@company.com)
- References a confidential deal, acquisition, or legal matter
- Requests a wire transfer to a new account
- Explicitly asks the recipient not to verify through other channels
2. Whaling Attacks
While CEO fraud impersonates an executive to target lower-level employees, whaling attacks target the executives themselves. Attackers send highly personalized emails to C-suite members, often referencing specific business activities, recent news, or personal details gathered through open-source intelligence.
Whaling emails may impersonate board members, legal counsel, regulators, or major clients. The goal is to trick the executive into authorizing a payment, sharing credentials, or clicking a link that installs surveillance malware.
Why whaling is particularly dangerous:
- Executives often have the authority to approve large transactions without additional oversight
- They receive high volumes of email and may process messages quickly
- Their email addresses and business activities are often publicly visible
- They may use personal devices with weaker security controls
3. Vendor Impersonation (Supply Chain BEC)
The attacker impersonates a legitimate vendor or supplier and sends a fraudulent invoice or payment redirect notice. This variant is especially effective because it leverages an existing business relationship with established billing patterns.
In sophisticated vendor impersonation attacks, the attacker first compromises the vendor’s email account (or registers a lookalike of the vendor’s domain), monitors communication patterns, and then injects a fraudulent payment redirect at the right moment in the billing cycle.
Real-world pattern: An attacker monitors email between a company and its IT service provider. When a legitimate $45,000 invoice is due, the attacker sends an email - apparently from the vendor - stating that the company has changed banks and providing new wire instructions. The payment goes to the attacker’s account.
For more on vendor-based attack chains, see our blog post on the multiplying effect of vendor email compromise.
4. Attorney Impersonation
Attackers pose as lawyers or legal representatives handling confidential matters. They contact employees - typically those in finance or executive roles - and pressure them to transfer funds or provide information, citing legal deadlines, court orders, or regulatory requirements.
Attorney impersonation exploits both authority bias and fear of legal consequences. Employees who might question a request from a colleague will often comply without hesitation when they believe they are dealing with legal counsel.
5. Data Theft (W-2 and PII Schemes)
Rather than requesting a wire transfer, the attacker requests employee data - typically W-2 tax forms, Social Security numbers, or other personally identifiable information. These requests usually impersonate HR leadership or executives and target HR or payroll departments.
Data theft BEC is particularly damaging because:
- The stolen data enables tax fraud, identity theft, and secondary attacks
- The damage affects every employee whose data is exposed
- Detection often takes weeks or months
- Remediation costs include credit monitoring, identity protection, and potential regulatory fines
How BEC Attacks Work: The Kill Chain
Understanding the BEC attack lifecycle helps identify where defenses can intervene.
Phase 1: Reconnaissance
Attackers research the target organization using:
- LinkedIn profiles to map organizational structure and identify who reports to whom
- Corporate websites for executive names, titles, and contact information
- SEC filings, press releases, and news articles for business activity intelligence
- Social media for personal details that add credibility to impersonation emails
- Dark web data from previous breaches for email addresses and credentials
Phase 2: Infrastructure Setup
Before sending the attack email, the attacker prepares:
- Lookalike domains - Registering domains that visually resemble the target or impersonated organization (e.g., swapping lowercase L for uppercase I, adding or removing a letter)
- Email account compromise - In some cases, the attacker compromises the actual email account of the person they plan to impersonate, making detection far more difficult
- Email forwarding rules - After compromising an account, attackers often create inbox rules that forward or redirect mail to an external address so they can monitor communications without the owner’s knowledge; the rules are commonly scoped to keywords such as “invoice” or “payment” and may delete or hide the originals so the victim never sees the thread
Phase 3: The Attack Email
The attacker sends a carefully crafted email designed to:
- Appear to come from a trusted source
- Create urgency that discourages verification
- Request a specific, actionable response (usually a financial transaction)
- Preemptively address potential objections
Phase 4: The Follow-Up
Unlike mass phishing, BEC attackers often engage in back-and-forth email conversation. If the target asks questions, the attacker responds with plausible answers. This conversational element is what makes BEC so convincing and so difficult to detect with automated tools.
Phase 5: Extraction
Once the target initiates a wire transfer, the funds are typically split and moved through further mule accounts, often across several countries, within hours. Recovery is possible but depends almost entirely on speed: the victim’s bank and the FBI must be notified before the money leaves the first receiving account, which usually means the same day.
Real-World BEC Statistics
The scale of BEC is difficult to overstate:
- $2.9 billion in adjusted losses in 2023 (FBI IC3 2023 Internet Crime Report, published in 2024)
- About $137,000 average loss per complaint (reported losses divided by the complaint count)
- 21,489 complaints filed with the FBI in 2023
- BEC accounted for nearly a quarter of the $12.5 billion in total losses reported to IC3 that year
- Small and midsize businesses are disproportionately targeted because they typically have fewer verification controls
The 2024 Verizon Data Breach Investigations Report identified BEC as a top action variety in social engineering incidents, with pretexting (the foundation of BEC) now more common than phishing with malicious payloads.
Technical Controls for BEC Defense
Email Authentication: SPF, DKIM, and DMARC
Email authentication is the foundation of BEC defense. Without it, anyone can send email that appears to come from your domain.
- SPF (Sender Policy Framework) - Specifies which mail servers are authorized to send email for your domain
- DKIM (DomainKeys Identified Mail) - Adds a cryptographic signature to outgoing email that recipients can verify
- DMARC (Domain-based Message Authentication, Reporting, and Conformance) - Publishes a policy telling receiving servers what to do with mail that fails authentication, where failing means that neither SPF nor DKIM passed with a domain aligned to the visible From: address, and requests aggregate reports so you can see who is sending as your domain
Publishing DMARC at enforcement (p=reject) stops attackers from spoofing your exact domain. It does not stop lookalike domain attacks, which need separate detection, and it does nothing against a message sent from a compromised mailbox at the real domain, which authenticates perfectly.
For DMARC monitoring, see DMARC Report. For SPF record management, see AutoSPF.
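The following Python script is an added example, not code from this page or from Phish Protection. It evaluates a DMARC verdict the way a receiving mail server does: SPF or DKIM must pass, and the passing identifier must align with the From: domain under the record's adkim/aspf mode. The DMARC records for company.com and the lookalike companv.com are constructed, and it shows both the exact-domain spoof that p=reject blocks and the lookalike that DMARC cannot.

```python
"""DMARC evaluation as a receiving MTA performs it (added example, not the page's code).

A message passes DMARC when SPF *or* DKIM passes AND the passing identifier
aligns with the RFC 5322 From: domain. Alignment mode comes from the domain
owner's record (adkim/aspf: "r" relaxed, "s" strict)."""
from dataclasses import dataclass


def parse_dmarc_record(txt: str) -> dict:
    """Split a DMARC TXT record ("v=DMARC1; p=reject; ...") into its tags."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC1 record")
    tags.setdefault("p", "none")       # RFC defaults when the tag is absent
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain used for relaxed alignment.
    Simplification: keep the last two labels. Production code must consult the
    Public Suffix List so that e.g. example.co.uk resolves correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict alignment: exact match. Relaxed: same organizational domain."""
    a, b = from_domain.lower(), auth_domain.lower()
    return a == b if mode == "s" else org_domain(a) == org_domain(b)


@dataclass
class AuthResults:
    spf_result: str    # "pass", "fail", "softfail", "none", ...
    spf_domain: str    # domain SPF was evaluated against (SMTP MAIL FROM)
    dkim_result: str   # "pass", "fail", "none"
    dkim_domain: str   # d= tag of the verified DKIM signature


def dmarc_verdict(from_domain: str, record_txt: str, auth: AuthResults) -> dict:
    tags = parse_dmarc_record(record_txt)
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, tags["aspf"])
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, tags["adkim"])
    passed = spf_ok or dkim_ok
    return {
        "pass": passed,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        # disposition the receiver applies: nothing on pass, otherwise the p= policy
        "disposition": "none" if passed else tags["p"],
    }


# Constructed records: company.com is the protected org, companv.com a lookalike
RECORDS = {
    "company.com": "v=DMARC1; p=reject; rua=mailto:dmarc@company.com; adkim=s; aspf=r",
    "companv.com": "v=DMARC1; p=reject",  # attackers can publish DMARC for their own lookalike
}


def spoofed_exact_domain() -> dict:
    """Attacker's own server sends From: ceo@company.com: SPF fails, no DKIM."""
    return dmarc_verdict("company.com", RECORDS["company.com"],
                         AuthResults("fail", "company.com", "none", ""))


def legitimate_via_third_party() -> dict:
    """Marketing platform uses its own bounce domain but signs DKIM as company.com."""
    return dmarc_verdict("company.com", RECORDS["company.com"],
                         AuthResults("pass", "bounce.esp-example.net", "pass", "company.com"))


def strict_dkim_subdomain_mismatch() -> dict:
    """adkim=s: a d=mail.company.com signature does not align with From: company.com;
    SPF on the relaxed bounce subdomain still rescues the message."""
    return dmarc_verdict("company.com", RECORDS["company.com"],
                         AuthResults("pass", "bounce.company.com", "pass", "mail.company.com"))


def lookalike_domain() -> dict:
    """The lookalike passes its own DMARC: authentication only proves who controls companv.com."""
    return dmarc_verdict("companv.com", RECORDS["companv.com"],
                         AuthResults("pass", "companv.com", "pass", "companv.com"))


if __name__ == "__main__":
    for case in (spoofed_exact_domain, legitimate_via_third_party,
                 strict_dkim_subdomain_mismatch, lookalike_domain):
        print(f"{case.__name__:32s} {case()}")
```

The last case is the point of the caveat above: the lookalike domain authenticates cleanly because its owner published the record, so DMARC at the receiver tells you nothing about whether companv.com is who the recipient thinks it is.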
Display Name and Domain Impersonation Detection
Since DMARC only protects the exact domains that publish it, you also need detection for:
- Display name spoofing - Using a legitimate name (e.g., “John Smith, CEO”) with a different email address
- Lookalike domains - Domains that visually resemble your domain or your partners’ domains
- Free email impersonation - Using Gmail, Yahoo, or Outlook accounts with executive display names
Phish Protection maintains customized impersonation detection lists for each customer, blocking emails from domains that resemble the organization’s domain or key contacts.
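As an added example (not Phish Protection's detection engine), the Python below runs the three checks above, plus a Reply-To mismatch check that is common in vendor redirect fraud, over constructed message headers. The protected domains, the VIP list, the free-mail list and the confusable-character table are hypothetical inputs that a deployment would replace with its own directory and vendor data.

```python
"""Header-level impersonation checks (added example; not Phish Protection's code).

Display-name spoofing, lookalike domains and free-mail impersonation, plus a
Reply-To mismatch check, run over constructed messages. PROTECTED_DOMAINS,
VIPS, FREE_MAIL and the sample headers are all hypothetical."""
import re
import unicodedata
from email import message_from_string
from email.utils import parseaddr

PROTECTED_DOMAINS = {"acme-corp.com", "vendor-supply.com"}  # own domain plus a key vendor
VIPS = {"jane doe": "jane.doe@acme-corp.com"}                # normalized name -> real address
FREE_MAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# Visually confusable sequences; multi-character entries first so "rn" folds before "n"
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("i", "l"), ("|", "l")]


def skeleton(domain: str) -> str:
    """Visual skeleton: lowercase, strip accents, fold confusable glyphs."""
    s = unicodedata.normalize("NFKD", domain.lower())
    s = "".join(ch for ch in s if not unicodedata.combining(ch))
    for src, dst in CONFUSABLES:
        s = s.replace(src, dst)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches single-character additions, removals and swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_findings(domain: str) -> list:
    """Compare one sender domain against every protected domain."""
    if any(domain == p or domain.endswith("." + p) for p in PROTECTED_DOMAINS):
        return []  # the real domain or one of its own subdomains
    out = []
    for p in PROTECTED_DOMAINS:
        brand = p.split(".")[0]
        if skeleton(domain) == skeleton(p) or edit_distance(domain, p) <= 1:
            out.append(("lookalike_domain", f"{domain} resembles {p}"))
        elif brand in domain:
            # e.g. acme-corp.com.secure-mail.net: the brand is a label, not the registered domain
            out.append(("embedded_brand", f"{domain} embeds {brand}"))
    return out


def analyze(raw: str) -> list:
    """Return (finding, detail) pairs for one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rpartition("@")[2].lower()
    findings = domain_findings(domain)
    if domain in FREE_MAIL:
        findings.append(("free_mail_sender", addr))
    norm_name = re.sub(r"[^a-z]+", " ", name.lower()).strip()   # "Jane Doe, CEO" -> "jane doe ceo"
    for vip, real in VIPS.items():
        if vip in norm_name and addr.lower() != real:
            findings.append(("display_name_spoof", f"{name!r} but address is {addr}"))
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    reply_domain = reply.rpartition("@")[2].lower()
    if reply and reply_domain != domain:
        findings.append(("reply_to_mismatch", f"From {domain} but replies go to {reply}"))
        findings += domain_findings(reply_domain)
    return findings


# Constructed sample messages
SAMPLES = {
    "legitimate": 'From: "Jane Doe" <jane.doe@acme-corp.com>\nSubject: Board pack\n\nAttached.\n',
    "free_mail_exec": "From: Jane Doe <janedoe.ceo@gmail.com>\nSubject: Quick favour\n\nAre you at your desk?\n",
    "homoglyph_domain": 'From: "Jane Doe, CEO" <jane.doe@acrne-corp.com>\nSubject: Wire today\n\nCall me.\n',
    "vendor_reply_to": ("From: Accounts <billing@vendor-supply.com>\nReply-To: billing@vendor-supp1y.com\n"
                        "Subject: Updated bank details\n\nSee attached.\n"),
    "brand_in_subdomain": 'From: "Jane Doe" <jane.doe@acme-corp.com.secure-mail.net>\nSubject: Re: deal\n\nProceed.\n',
}


def scan_all() -> dict:
    """Map each sample to the set of finding types it triggers."""
    return {label: {kind for kind, _ in analyze(raw)} for label, raw in SAMPLES.items()}


if __name__ == "__main__":
    for label, kinds in scan_all().items():
        print(f"{label:20s} {sorted(kinds) or 'clean'}")
```

Note that acrne-corp.com is two edits away from acme-corp.com, so edit distance alone misses it; the skeleton fold of "rn" to "m" is what catches it, which is why a lookalike detector needs both a distance metric and a confusables table.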
AI-Powered Behavioral Analysis
Modern BEC defense uses machine learning to establish baselines for:
- Normal communication patterns between individuals
- Typical financial request workflows
- Writing style and tone for key executives
- Geographic and temporal sending patterns
When an email deviates from established patterns - for example, a CEO who never emails the accounting team directly suddenly requesting an urgent wire transfer - the system flags it for review.
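An added example, not the vendor's model: a rule-based stand-in for this behavioral layer in Python. It learns who emails whom and at which hours from a constructed message trace, then scores a new message by its deviation from that baseline and by the payment, urgency and secrecy cues discussed earlier. The log, addresses, term lists, weights and threshold are all hypothetical.

```python
"""Baseline-and-deviation scoring for BEC (added example; not the vendor's model).

Learn the normal sender/recipient pairs and sending hours from a mail log, then
score a new message by how far it departs from that baseline plus BEC language."""
from collections import defaultdict
from datetime import datetime

# Constructed 90-day message trace: (sent_at, sender, recipient). In practice this
# comes from the MTA logs or the mail platform's message trace export.
MAIL_LOG = [
    ("2024-03-04T09:12:00", "ceo@acme-corp.com", "cfo@acme-corp.com"),
    ("2024-03-05T10:40:00", "ceo@acme-corp.com", "cfo@acme-corp.com"),
    ("2024-03-06T16:05:00", "ceo@acme-corp.com", "board@acme-corp.com"),
    ("2024-03-06T11:30:00", "ap-clerk@acme-corp.com", "billing@vendor-supply.com"),
    ("2024-03-08T14:15:00", "billing@vendor-supply.com", "ap-clerk@acme-corp.com"),
    ("2024-03-11T09:50:00", "cfo@acme-corp.com", "ap-clerk@acme-corp.com"),
]

PAYMENT_TERMS = ("wire", "transfer", "payment", "invoice", "bank details", "account number")
URGENCY_TERMS = ("urgent", "today", "immediately", "asap", "right away")
SECRECY_TERMS = ("confidential", "don't discuss", "do not discuss", "keep this between us")
REVIEW_THRESHOLD = 5  # hypothetical cut-off for holding a message for review


class Baseline:
    def __init__(self, log):
        self.pair_count = defaultdict(int)  # (sender, recipient) -> messages seen
        self.hours = defaultdict(set)       # sender -> hours of day they were seen sending
        for sent_at, sender, recipient in log:
            self.pair_count[(sender, recipient)] += 1
            self.hours[sender].add(datetime.fromisoformat(sent_at).hour)

    def score(self, sender, recipient, sent_at, subject, body):
        """Return (score, reasons). Baseline deviations weigh most; language cues stack on top."""
        score, reasons = 0, []
        text = f"{subject}\n{body}".lower()
        if self.pair_count[(sender, recipient)] == 0:
            score += 3
            reasons.append("sender has never emailed this recipient")
        hour = datetime.fromisoformat(sent_at).hour
        usual = self.hours.get(sender)  # .get avoids creating an empty baseline entry
        if usual and hour not in usual:
            score += 1
            reasons.append(f"sent at {hour:02d}:xx, outside sender's observed hours")
        for weight, label, terms in ((2, "payment", PAYMENT_TERMS),
                                     (1, "urgency", URGENCY_TERMS),
                                     (2, "secrecy", SECRECY_TERMS)):
            hits = [t for t in terms if t in text]
            if hits:
                score += weight
                reasons.append(f"{label} language: {hits}")
        return score, reasons


def classify(baseline, sender, recipient, sent_at, subject, body) -> dict:
    score, reasons = baseline.score(sender, recipient, sent_at, subject, body)
    action = "hold_for_review" if score >= REVIEW_THRESHOLD else "deliver"
    return {"score": score, "action": action, "reasons": reasons}


BASELINE = Baseline(MAIL_LOG)

# Constructed inbound messages
CEO_FRAUD = dict(sender="ceo@acme-corp.com", recipient="ap-clerk@acme-corp.com",
                 sent_at="2024-06-14T22:40:00", subject="Urgent wire",
                 body="I need a wire transfer processed today for a confidential acquisition. "
                      "Don't discuss this with anyone until it closes.")
NORMAL_EXEC = dict(sender="ceo@acme-corp.com", recipient="cfo@acme-corp.com",
                   sent_at="2024-06-14T10:05:00", subject="Q2 board deck",
                   body="Can you send the latest draft?")
VENDOR_QUERY = dict(sender="ap-clerk@acme-corp.com", recipient="billing@vendor-supply.com",
                    sent_at="2024-06-14T11:20:00", subject="Invoice 4471",
                    body="Confirming the payment went out on the usual schedule.")

if __name__ == "__main__":
    for label, msg in (("ceo_fraud", CEO_FRAUD), ("normal_exec", NORMAL_EXEC),
                       ("vendor_query", VENDOR_QUERY)):
        print(label, classify(BASELINE, **msg))
```

The vendor query scores on payment language alone and is still delivered; it is the combination of an unseen sender/recipient pair, an unusual hour and the urgency and secrecy framing that pushes the CEO-fraud message over the threshold. A production model learns those weights from labelled history rather than hard-coding them, but the signals are the same ones.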
Pre-Delivery Scanning
BEC defense is most effective when it operates at the mail transport layer, before messages reach the inbox. Post-delivery detection creates a window where employees can act on fraudulent requests before the system catches them.
Phish Protection scans every inbound email before delivery, applying impersonation detection, domain analysis, and behavioral signals in real-time with sub-second latency.
Process Controls: The Human Layer
Technical controls alone cannot stop BEC. Organizations need procedural safeguards:
Financial Transaction Verification
- Dual authorization for all wire transfers above a defined threshold
- Out-of-band verification - Confirm all payment changes and new wire instructions by phone using a known number (not a number from the email)
- Cooling-off period - No same-day wire transfers for new payment instructions
- Vendor payment change protocol - Formal process for updating vendor banking details that includes verification with a known contact
Employee Training
- Train employees to recognize BEC red flags: urgency, secrecy, unusual requests, new payment instructions
- Run simulated BEC exercises targeting finance and HR teams
- Establish a no-penalty reporting culture where employees are rewarded for flagging suspicious requests even if they turn out to be legitimate
Executive Protection
- Enforce DMARC on every domain executives send from, including subsidiary and vanity domains, and protect their mailboxes with phishing-resistant multi-factor authentication, since mail from a compromised executive account authenticates perfectly
- Monitor for lookalike domains targeting your organization
- Limit the amount of executive personal and business information that is publicly available
How Phish Protection Defends Against BEC
Phish Protection provides multi-layered BEC defense specifically designed for small and midsize businesses:
- 5 concurrent detection engines cross-reference every inbound email against multiple threat intelligence databases simultaneously
- Custom impersonation detection creates a blocked list of domains that could be used to spoof your executives and key contacts
- Pre-delivery scanning ensures BEC emails never reach the inbox
- Time-of-click URL protection catches delayed-weaponization attacks where clean links in BEC follow-up emails are swapped to credential harvesting pages
- Real-time alerts notify administrators when impersonation attempts are detected
For a broader view of how these capabilities fit into a complete email security strategy, see our Email Fraud Protection page and our guide to anti-phishing software.
BEC Incident Response
If your organization falls victim to a BEC attack:
- Contact your bank immediately. Request a wire recall and ask the bank to contact the receiving institution to freeze the funds. Speed is critical - funds often move on within hours.
- Report to the FBI IC3. File a complaint at ic3.gov as soon as possible and include the full wire details. The IC3 Recovery Asset Team works with banks to freeze domestic transfers; for large international wires, ask about the Financial Fraud Kill Chain (FFKC) process, which has historically been limited to transfers of $50,000 or more reported within 72 hours.
- Preserve evidence. Do not delete the fraudulent emails. Save full headers and any related correspondence.
- Investigate the scope. Determine whether the attacker has ongoing access to any email accounts. Check for inbox forwarding and deletion rules, mailbox delegation, OAuth app consents and unfamiliar sign-in locations; reset the affected credentials and revoke active sessions before the attacker can re-enter.
- Notify affected parties. If employee data was exposed, follow your organization’s breach notification procedures.
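The following Python is an added example, not the vendor's or Microsoft's code. It serves both the forwarding-rule step of Phase 2 above and step 4 of this list: it triages a mailbox's inbox rules for the patterns attackers leave behind (external forwarding, delete-after-forward, keyword scoping on payment terms, rules parked in rarely viewed folders, blank or one-character names). The rule dictionaries are constructed to resemble the shape of the Microsoft Graph messageRule resource (displayName, isEnabled, conditions, actions) but are not a real export, and INTERNAL_DOMAINS is hypothetical.

```python
"""Inbox-rule hunt for BEC account compromise (added example; not the vendor's code).

Rule dictionaries mimic the Microsoft Graph messageRule shape but are constructed
here, not exported from a tenant. INTERNAL_DOMAINS is hypothetical."""

INTERNAL_DOMAINS = {"acme-corp.com"}
FINANCIAL_TERMS = {"invoice", "payment", "wire", "bank", "remittance", "password", "mfa"}
HIDING_FOLDERS = {"rss subscriptions", "rss feeds", "archive", "deleted items",
                  "junk email", "conversation history"}
SEVERITY = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}


def is_external(address: str) -> bool:
    return address.rpartition("@")[2].lower() not in INTERNAL_DOMAINS


def audit_rule(rule: dict) -> list:
    """Return (severity, reason) pairs for one rule; an empty list means nothing suspicious."""
    actions = rule.get("actions", {})
    conditions = rule.get("conditions", {})
    findings = []
    targets = (actions.get("forwardTo", []) + actions.get("redirectTo", [])
               + actions.get("forwardAsAttachmentTo", []))
    external = [t for t in targets if is_external(t)]
    if external:
        findings.append(("HIGH", f"forwards or redirects to external address: {', '.join(external)}"))
    if actions.get("delete") or actions.get("permanentDelete"):
        # deleting after forwarding is how the attacker keeps the hijacked thread out of sight
        findings.append(("HIGH" if targets else "MEDIUM", "deletes matching messages"))
    folder = (actions.get("moveToFolder") or "").lower()  # Graph returns a folder id; resolve to a name first
    if folder in HIDING_FOLDERS:
        findings.append(("MEDIUM", f"moves matching messages to rarely-viewed folder '{folder}'"))
    if actions.get("markAsRead") and (targets or folder):
        findings.append(("LOW", "marks messages read so the owner sees no unread count"))
    terms = {t.lower() for key in ("bodyOrSubjectContains", "subjectContains", "bodyContains")
             for t in conditions.get(key, [])}
    hits = terms & FINANCIAL_TERMS
    if hits:
        findings.append(("MEDIUM", f"keys on financial terms: {sorted(hits)}"))
    name = (rule.get("displayName") or "").strip()
    if len(name) <= 1:
        findings.append(("LOW", f"blank or single-character rule name {name!r}"))
    return findings


def triage(rules: list) -> list:
    """Enabled rules that produced findings, highest severity first."""
    results = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        findings = audit_rule(rule)
        if findings:
            worst = max(findings, key=lambda f: SEVERITY[f[0]])[0]
            results.append({"name": rule.get("displayName", ""), "severity": worst, "findings": findings})
    results.sort(key=lambda r: SEVERITY[r["severity"]], reverse=True)
    return results


# Constructed rules from one mailbox
SAMPLE_RULES = [
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"senderContains": ["news@"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"bodyOrSubjectContains": ["invoice", "wire", "payment"]},
     "actions": {"forwardTo": ["ap.records.2024@gmail.com"], "delete": True, "markAsRead": True}},
    {"displayName": "Cover while out", "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": ["assistant@acme-corp.com"]}},
    {"displayName": "Old filter", "isEnabled": False,
     "conditions": {"subjectContains": ["bank"]},
     "actions": {"moveToFolder": "RSS Subscriptions"}},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RULES):
        print(hit["severity"], repr(hit["name"]))
        for severity, reason in hit["findings"]:
            print(f"  [{severity}] {reason}")
```

Run the same logic over every mailbox, not just the one that sent the fraudulent message: in vendor compromise cases the rule lives in the vendor's mailbox, and in CEO fraud cases it is often found in the finance user's mailbox, where it hides the real executive's replies.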
For a comprehensive incident response framework, see our Phishing Incident Response Guide.
Further Reading
- Business Email Compromise - BEC overview and Phish Protection capabilities
- CEO Fraud Protection - Detailed guide to CEO impersonation attacks
- Whaling Attacks - How attackers target executives directly
- Email Fraud Protection - Broader email fraud defense strategies
- The Most Successful Business Email Compromise of All Time - Case study
- The Dual Impersonation BEC Scam - Emerging BEC technique
- The Multiplying Effect of Vendor Email Compromise - Supply chain BEC analysis
Enterprise-Class Email Protection Without the Enterprise Price
Phish Protection’s integrated email security solution protects your employees from business email compromise and many other email threats. 24x7. On any device. With features you would expect in more expensive solutions:
- Stops business email compromise (BEC) and CEO fraud
- Pre-delivery scanning blocks threats before they reach the inbox
- 5 concurrent detection engines for maximum coverage
- Time-of-click URL protection catches delayed attacks
- Real-time alerts to users and administrators
- Setup in under 5 minutes with no hardware or software to install
Start your 60-day free trial - no credit card required.