Business Email Compromise (BEC) Prevention
Business email compromise is the most financially destructive category of cybercrime. The FBI IC3 reported $2.77 billion in BEC losses in 2024, and cumulative BEC losses over the past decade have exceeded $55.5 billion. In 2025, wire transfer BEC attacks surged 136% in Q4 compared to Q3 according to APWG data. The AFP’s 2025 Fraud Survey found that 63% of organizations experienced BEC in the prior year.
BEC is not a technical exploit — it is social engineering that manipulates business processes. Attackers impersonate executives, vendors, or business partners to redirect financial transactions, steal sensitive data, or manipulate payment workflows.
The Five BEC Attack Types
The FBI IC3 categorizes BEC into five primary schemes:
1. CEO Fraud
The attacker impersonates the CEO or another executive and emails the CFO, controller, or accounting staff requesting an urgent wire transfer. These requests emphasize confidentiality (“Don’t discuss this with anyone yet”) and urgency (“Must be completed today”). See our whaling guide for executive impersonation defense.
2. Invoice Manipulation
Attackers compromise or impersonate a vendor’s email account and send modified invoices with updated payment routing. The invoice looks legitimate because it references real purchase orders, contract numbers, and amounts — only the bank account details have changed.
3. Account Compromise
An employee’s email account is compromised through phishing, and the attacker uses it to send payment requests to the company’s vendors or customers. Because the email comes from a legitimate account, recipients have no reason to suspect fraud.
4. Attorney Impersonation
Attackers impersonate lawyers or legal representatives involved in confidential business matters (M&A, litigation settlements, contract closings). The confidential nature of legal work provides cover for urgency and secrecy demands.
5. Data Theft
Instead of money, the attacker targets HR and payroll departments for employee W-2 data, tax records, or other PII. This data enables identity theft and tax fraud at scale. Educational institutions and healthcare organizations are frequent targets.
BEC Attack Chain
- Reconnaissance: Research target organization’s payment processes, vendors, and key personnel
- Email compromise: Gain access through phishing, credential stuffing, or domain spoofing
- Monitoring: Observe email patterns, payment schedules, and communication styles (sometimes for weeks)
- Execution: Send the fraudulent request at the optimal moment (end of quarter, during executive travel)
- Money movement: Redirect funds through intermediary accounts, often converting to cryptocurrency within hours
Detection Red Flags
Train financial and accounting staff to recognize these BEC indicators:
- Payment instruction changes via email, especially for established vendors
- Unusual urgency on wire transfers, particularly from executives
- Confidentiality requests (“Handle this personally, don’t involve others”)
- Slight email discrepancies (e.g., sender domain off by one character)
- New payment destinations — domestic BEC increasingly routes through US accounts before international transfers
- Requests bypassing normal approval processes
Apply the social engineering red flags framework to evaluate all financial requests.
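The "sender domain off by one character" and "executive name on an outside address" red flags can be checked mechanically before a payment request reaches a human. The following is an added example, not code from the original article; the trusted domains and executive names are constructed sample data.

```python
"""Flag lookalike sender domains and executive display-name spoofing (BEC red flags).

Added example, not from the original article; the trusted domains and executive
names below are constructed sample data."""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}   # constructed
EXECUTIVE_NAMES = {"jane doe", "john smith"}                   # constructed

# Digits and letter pairs commonly swapped in lookalike domains, folded to one form.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def canonical(domain: str) -> str:
    """Lower-case and fold homoglyphs so 'exarnple-c0rp.com' compares equal to 'example-corp.com'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1-2 edits between distinct domains is classic typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return the red flags raised by a From: header; an empty list means none fired."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    flags = []
    if domain in TRUSTED_DOMAINS:
        return flags  # genuine domain: account takeover is caught by other controls, not here
    for trusted in sorted(TRUSTED_DOMAINS):
        if canonical(domain) == canonical(trusted):
            flags.append(f"homoglyph lookalike of {trusted}")
        elif edit_distance(domain, trusted) <= 2:
            flags.append(f"typosquat of {trusted}")
    if name.strip().lower() in EXECUTIVE_NAMES:
        flags.append("executive display name on an external domain")
    return flags
```

A hit should route the message to the callback-verification step, not block it outright, since legitimate partners do occasionally change domains.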
Prevention Controls
Process Controls (Highest Impact)
| Control | Implementation |
|---|---|
| Dual authorization | Require two approvers for all wire transfers above threshold |
| Callback verification | Verify payment changes by phone using pre-registered numbers |
| Payment change cooling period | 24-48 hour hold on all new or changed payment instructions |
| Vendor verification database | Maintain verified payment details; any change requires out-of-band confirmation |
| Invoice matching | Automated three-way match (PO, receipt, invoice) before payment |
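The three highest-impact controls in the table can be enforced as a release gate in the payment system instead of relying on policy alone. This is an added example, not code from the original article; the 48-hour hold, the $10,000 dual-approval threshold and the vendor record are constructed illustrations of the controls above.

```python
"""Gate a payment to a changed bank account behind the BEC process controls.

Added example, not from the original article. The 48-hour hold, the $10,000
dual-approval threshold and the vendor request below are constructed values."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

COOLING_PERIOD = timedelta(hours=48)   # constructed: upper end of the 24-48 hour hold
DUAL_AUTH_THRESHOLD = 10_000           # constructed: payments above this need two approvers


@dataclass
class BankChangeRequest:
    """A request to pay a vendor at new bank details, typically arriving by email."""
    vendor: str
    new_account: str
    requested_at: datetime                   # when the change was received
    callback_confirmed: bool = False         # verified by phone on the pre-registered number
    approvers: set[str] = field(default_factory=set)

    def confirm_by_callback(self) -> None:
        """Record that finance reached the vendor out of band and the change is genuine."""
        self.callback_confirmed = True

    def approve(self, user: str) -> None:
        """Record an approval; a set means the same person cannot count twice."""
        self.approvers.add(user)

    def blockers(self, now: datetime, amount: float) -> list[str]:
        """Reasons the new account may NOT be paid yet; an empty list allows release."""
        reasons = []
        if not self.callback_confirmed:
            reasons.append("callback verification on pre-registered number not done")
        if now - self.requested_at < COOLING_PERIOD:
            reasons.append("cooling period still running")
        if amount > DUAL_AUTH_THRESHOLD and len(self.approvers) < 2:
            reasons.append("dual authorization requires two distinct approvers")
        return reasons


def release_payment(req: BankChangeRequest, now: datetime, amount: float) -> bool:
    """Release only when every control passes; an emailed change alone can never pay."""
    return not req.blockers(now, amount)
```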
Technical Controls
- DMARC at p=reject on all organizational domains — prevents impersonation of your executives and staff
- Advanced email filtering with BEC-specific detection (anomalous sender behavior, payment keyword analysis)
- Phishing-resistant MFA to prevent account compromise (the entry point for many BEC campaigns)
- Email forwarding rule monitoring — attackers add forwarding rules to maintain access after password resets
- Zero trust architecture that limits what a compromised account can access
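"DMARC at p=reject" is easy to state and easy to get subtly wrong (a weaker subdomain policy, a partial pct, no reporting address). The following added example, not part of the original article, grades a DMARC TXT record offline against that control; the records in the checks are constructed.

```python
"""Grade a DMARC TXT record against the 'p=reject on every domain' control.

Added example, not from the original article. It parses a record string you
have already fetched from DNS; no lookup is performed here."""
from typing import Optional


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: Optional[str]) -> list[str]:
    """Return the weaknesses a defender should fix; an empty list means the record enforces."""
    if not record:
        return ["no DMARC record: anyone can spoof this domain in the From: header"]
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v", "").upper() != "DMARC1":
        findings.append("missing or invalid v=DMARC1 tag; receivers will ignore the record")
    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(f"p={policy}: spoofed mail is still delivered (quarantine) or only reported (none)")
    sub_policy = tags.get("sp", policy).lower()      # sp defaults to p when absent
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains (e.g. payments.<domain>) remain spoofable")
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit():
        findings.append(f"pct={pct_raw}: not an integer; receivers may treat the record as invalid")
    elif int(pct_raw) < 100:
        findings.append(f"pct={pct_raw}: the policy is applied to only {pct_raw}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports that reveal spoofing attempts are not collected")
    return findings
```

Run it against every organizational domain, including parked and marketing domains, since an unprotected sibling domain is exactly what invoice manipulation impersonates.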
Training Controls
- Phishing simulations using BEC-specific scenarios for finance staff
- Quarterly updates on current BEC tactics
- Clear escalation path for suspicious financial requests
- Role-based training for C-suite, finance, HR, and procurement
When BEC Succeeds: Response
Time is the critical variable in BEC recovery. The FBI IC3 Recovery Asset Team’s success rate drops dramatically after 72 hours.
Immediate actions (within hours):
- Contact your bank and request a wire recall or hold
- File a complaint at ic3.gov — reference “BEC” in the complaint
- If the transfer was international, request your bank to contact the intermediary financial institution
- Preserve all email evidence (headers, attachments, full message chain)
Follow-up actions:
- Engage your incident response team
- Determine how the compromise occurred (email account takeover vs. domain spoofing)
- Check for credential compromise across the organization
- File reports with FTC, CISA, and local law enforcement
- Notify affected business partners
See our IC3/FTC reporting guide for detailed reporting procedures.
Key Takeaways
- BEC caused $2.77 billion in reported losses in 2024 and $55.5 billion over the past decade
- The five BEC types (CEO fraud, invoice manipulation, account compromise, attorney impersonation, data theft) each require specific countermeasures
- Dual authorization, callback verification, and payment change cooling periods are the most effective defenses
- Time is critical for recovery — report to IC3 and your bank within hours, not days
- DMARC at reject prevents attackers from spoofing your domain to partners and customers
For the complete phishing defense framework, see our phishing recognition and reporting guide.
Sources
- FBI IC3 PSA: Business Email Compromise — The $55 Billion Scam
- FBI IC3 2024 Internet Crime Report
- CISA Phishing Guidance: Stopping the Attack Cycle at Phase One
Security education disclaimer: This article discusses BEC attack techniques for educational purposes only. Understanding how these attacks work helps organizations build effective defenses. Do not use this information for unauthorized or fraudulent purposes.