
What are business email compromise attacks?

Business email compromise (BEC) attacks are targeted cybercrime schemes in which attackers impersonate trusted business contacts to trick employees into transferring money, sharing sensitive data, or granting access to internal systems. According to the Federal Bureau of Investigation, BEC is “a sophisticated scam targeting both businesses and individuals performing a transfer of funds. The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques, resulting in an unauthorized transfer of funds.” Unlike many phishing attacks, BEC emails typically contain no malicious links or attachments. Instead, attackers rely on impersonation, timing, and knowledge of routine business processes to make fraudulent payment requests appear legitimate.

Understanding business email compromise attacks

BEC is a form of targeted social engineering that exploits trust in email communication. Attackers impersonate executives, finance staff, legal representatives, or suppliers to persuade employees to approve payments or share confidential information. These attacks commonly begin with credential theft, phishing, or direct compromise of an email account. Once attackers control a legitimate inbox or can convincingly spoof a domain, they observe normal communication patterns and map the organization's financial approval process. A research preprint on arXiv describes BEC as a social engineering attack that exploits organizational hierarchies and decision-making processes to enable fraudulent transactions. The tactic relies on psychological pressure and familiarity rather than technical flaws in email systems, and because the messages appear to come from trusted contacts, they can pass traditional security tools and raise no suspicion among employees accustomed to routine email requests.

Read also: Why BEC is today’s biggest email threat

The impact of business email compromise

BEC remains one of the most costly forms of cybercrime. A research paper titled BEC Defender: QR Code-Based Methodology for Prevention of Business Email Compromise (BEC) Attacks reported that “in 2022 alone, BEC attacks resulted in losses of nearly USD 2.7 billion globally, which is an escalation of approximately USD 350 million from the preceding year (2021), and a notable surge of around USD 860 million from the year 2020.” Data from the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) shows the scale of the problem: 21,442 reported BEC complaints and about $2.77 billion in losses in 2024 alone. Law enforcement estimates that more than $55 billion in global losses have been linked to BEC scams over time. BEC attacks are particularly effective because they exploit normal financial workflows. Many organizations rely on email to approve invoices, process payments, and coordinate vendor transactions, which lets attackers impersonating executives or suppliers redirect funds before the fraud is detected.

How business email compromise works

Most BEC campaigns follow a structured process designed to exploit business communication patterns:

Reconnaissance

Attackers research their targets using publicly available information, including company websites, LinkedIn profiles, press releases, and vendor relationships. The intelligence helps them understand internal reporting structures and financial processes.

Email account compromise or impersonation

Attackers either compromise legitimate email accounts through credential theft or spoof addresses that closely resemble real company domains. Once they gain access, attackers may monitor email conversations for weeks before taking action.

Fraudulent request

The attacker sends a message impersonating a trusted person, such as a CEO, a finance manager, or a supplier. The request usually involves:

  • urgent payment transfers
  • changes to vendor banking details
  • requests for confidential documents
  • purchase orders or invoice approvals

Because the message fits normal workflows, employees may comply quickly without verifying the request.

Financial theft or data exposure

If the victim follows the instructions, funds may be transferred to attacker-controlled accounts or sensitive information may be shared. These transfers often move through multiple international bank accounts to obscure the trail.

Read more: Unpacking the real threat behind business email compromise

Types of business email compromise attacks

BEC campaigns can take several forms depending on the target and objective.

CEO fraud

CEO fraud involves attackers impersonating senior executives and sending urgent payment requests to employees in finance roles. Because the message appears to come from leadership, staff may bypass verification procedures. A widely reported case involved Austrian aerospace manufacturer FACC, which lost roughly €42 million after attackers impersonated executives and convinced employees to transfer funds as part of what appeared to be a confidential business project. The incident led to the dismissal of the company’s CEO and CFO.

Vendor or supplier fraud

Vendor fraud occurs when attackers impersonate a legitimate supplier and request that payment details be updated. Once the banking information changes, future invoices are redirected to accounts controlled by the attacker. In one major case reported in the United States, a New York property management firm handling luxury buildings lost nearly $19 million after receiving a spoofed email that appeared to come from the Battery Park City Authority, instructing the company to transfer funds to a fraudulent bank account.

Email account compromise

Email account compromise involves attackers gaining access to a legitimate employee's mailbox. Instead of sending new phishing emails, attackers monitor existing conversations and insert fraudulent payment instructions into ongoing threads. A prominent example involved U.S. networking company Ubiquiti Networks, which lost about $46 million after attackers impersonated internal staff and convinced the finance department to transfer funds to overseas accounts.

Attorney impersonation

Attorney impersonation targets transactions that involve lawyers or legal professionals, such as settlements or property purchases. Attackers pose as attorneys handling a transaction and request urgent wire transfers to escrow accounts under their control. Real estate deals are especially vulnerable because large payments are expected and timelines are tight. Law enforcement agencies have documented multiple cases where property buyers transferred large sums after receiving spoofed instructions appearing to come from the legal team managing the closing process.

Payroll diversion

Payroll diversion scams target HR or payroll departments rather than finance teams. Attackers impersonate employees and request updates to direct deposit information. Once the change is processed, the employee’s salary is routed to the attacker’s bank account. Government agencies and school districts in the United States have reported multiple payroll diversion incidents where attackers collected several employee paychecks before the fraud was detected.

Data-theft BEC (W-2 scams)

Some BEC attacks focus on stealing sensitive information rather than money. Attackers impersonate executives and request employee tax records or personnel files from HR departments. U.S. authorities have investigated several cases where companies mistakenly sent large batches of employee W-2 tax forms, exposing Social Security numbers and financial data that could later be used for identity theft.

Why are BEC attacks difficult to detect?

BEC attacks are difficult to detect because they often contain none of the indicators traditionally associated with phishing. Many BEC emails include no links, malware, or suspicious attachments. Instead, attackers rely on deception and timing. Messages may arrive during ongoing projects, reference real invoices, or appear within existing email threads. A research preprint on arXiv notes that BEC attacks “blend into normal business communication,” which makes them harder for both employees and automated filters to identify. Attackers may also register lookalike domains that differ from a legitimate domain by only a single character. Because such a domain is under the attacker's control, its mail can pass SPF, DKIM, and DMARC checks cleanly: those standards only prove that a message came from the domain it claims, not that the domain is the one the recipient believes it is.
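As an added example (not code from the original article), the Python script below triages a raw message for the indicators described in the "How business email compromise works" stages and in this section: a sender domain one character away from a trusted one, a Reply-To pointing elsewhere, an executive's display name on an address the directory does not know, a failed DMARC result, and payment or urgency language in a message with no links. The trusted domains, the executive directory, and the three sample messages are constructed for the example. The lookalike sample deliberately passes DMARC for its own domain, which is the caveat above: authentication is clean, and only the domain comparison catches it.

```python
import difflib
import re
from email import message_from_string
from email.utils import parseaddr
from typing import List, Optional

# Assumed organisation data; in practice these come from the directory and the vendor master.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Digits and letter pairs attackers substitute when registering a lookalike domain.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# Phrases typical of the fraudulent-request stage: wires, bank-detail changes, urgency, secrecy.
RISKY_PHRASES = [
    r"\bwire\b", r"\bupdate(d)? (our |the )?bank", r"\bnew (bank|account) details",
    r"\burgent", r"\bconfidential", r"\bbefore (end|close) of (day|business)",
]


def normalise(domain: str) -> str:
    """Fold homoglyph tricks so examp1e.com and exarnple.com compare equal to example.com."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == normalise(trusted):
            return trusted
        # A single-character substitution, insertion, deletion or swap scores about 0.9 or higher.
        if difflib.SequenceMatcher(None, domain, trusted).ratio() >= 0.9:
            return trusted
    return None


def triage(raw: str) -> List[str]:
    """Return the BEC indicators found in one RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()

    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"lookalike sender domain {from_domain} imitates {imitated}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    expected = EXECUTIVES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        findings.append(f"display name {from_name!r} on non-directory address {from_addr}")
    # Trust only the Authentication-Results header added by your own receiving server.
    if re.search(r"\bdmarc=(fail|none)\b", msg.get("Authentication-Results", "")):
        findings.append("DMARC did not pass for the From domain")

    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = [p for p in RISKY_PHRASES if re.search(p, body, re.IGNORECASE)]
    if hits:
        findings.append(f"payment/urgency language: {len(hits)} pattern(s) matched")
        if "http" not in body.lower():
            findings.append("payment request with no links or attachments, typical of BEC")
    return findings


# Constructed samples (not real mail). The lookalike domain passes DMARC for itself.
SAMPLE_LOOKALIKE = """From: Jane Doe <jane.doe@examp1e.com>
Reply-To: Jane Doe <ceo.jdoe@mail-relay.example.net>
To: ap@example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dmarc=pass header.from=examp1e.com

I need a wire sent before close of business today. This is confidential,
please do not discuss it with anyone. I will send the new bank details shortly.
"""

# Direct spoof of the real domain: DMARC fails, and the request language is the second tell.
SAMPLE_SPOOF = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dmarc=fail header.from=example.com

Please update our bank account details on file and wire the open invoice today.
"""

SAMPLE_BENIGN = """From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Authentication-Results: mx.example.com; dmarc=pass header.from=example.com

Are we still on for lunch on Thursday?
"""

if __name__ == "__main__":
    for label, sample in [("lookalike", SAMPLE_LOOKALIKE), ("spoof", SAMPLE_SPOOF), ("benign", SAMPLE_BENIGN)]:
        print(label, "->", triage(sample) or ["no indicators"])
```

Run it as a script to print the findings for each sample. In production, read Authentication-Results only from the header your own gateway stamps, since anything upstream can be forged, and compare domains against the full vendor master and internal directory rather than the two-entry sets used here. The homoglyph table and the 0.9 similarity threshold are starting points; tune them against your own domain list to keep false positives on genuinely similar but unrelated domains down.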

Recognizing business email compromise attempts

Identifying BEC attempts often depends on noticing unusual context rather than technical warning signs. Suspicious indicators include:

  • unexpected wire transfer requests
  • sudden changes to supplier banking details
  • urgent payment instructions from executives
  • requests to bypass normal approval procedures
  • subtle differences in email addresses or domains

Independent verification remains one of the most effective safeguards. Employees should confirm payment instructions through a trusted channel, such as a phone call to a number already on file or an internal messaging system, instead of replying to the email or calling a number the email itself supplies. Guidance from the Federal Bureau of Investigation’s Internet Crime Complaint Center advises organizations to verify account changes through secondary channels or two-factor authentication, carefully check sender email addresses, make sure the full sender address (not just the display name) is visible on devices, and monitor financial accounts for irregular activity. Security practices that reduce BEC risk include:

  • enabling multi-factor authentication for email
  • enforcing the SPF, DKIM, and DMARC email authentication standards, with a DMARC policy of quarantine or reject so that mail spoofing your own domain is actually acted on
  • verifying payment changes through a secondary communication channel
  • monitoring login activity and newly created forwarding or inbox rules
  • training employees to recognize impersonation tactics

Learn more: Understanding email authentication

In the news

Recent business email compromise activity has also involved major infrastructure takedowns and sophisticated phishing campaigns. Microsoft announced that it worked with international law enforcement partners to dismantle infrastructure used for large-scale BEC operations linked to a service known as RedVDS. According to Microsoft, RedVDS provided low-cost virtual machines that criminals used to send phishing emails, host credential harvesting pages, and run payment diversion schemes across multiple industries. Investigators found that attackers used these disposable virtual machines to launch phishing campaigns targeting Microsoft 365 and other email platforms. Once credentials were stolen, attackers monitored compromised inboxes and waited for legitimate payment conversations before inserting fraudulent replies that changed bank details while reusing authentic signatures and prior message context. In a separate case, Microsoft Defender Security Research identified a phishing campaign targeting energy sector organizations. The attack used SharePoint links sent from already compromised accounts to lure victims to fake sign-in pages that captured session tokens; with a valid token the attackers could hijack the active session without repeating the password or MFA prompt the victim had just completed. Microsoft said the campaign was detected and disrupted using Defender telemetry after the attackers used the stolen access to create inbox rules, suppress warning messages, and send further phishing emails internally and externally to extend the compromise across multiple organizations.
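The hardening advice above (monitor login activity and forwarding rules) and the campaigns in this section point at the same post-compromise step: once inside a mailbox, the attacker creates rules that forward, hide, or delete the mail that would expose the fraud. The Python script below is an added example, not code from the original article or from Microsoft, that scans audit records for that behaviour. The records are constructed for the example and only loosely modelled on Microsoft 365 unified audit log entries (an Operation name, a UserId, a ClientIP, and a Parameters list of Name/Value pairs); the field layout, the tenant domain example.com, and the keyword list are assumptions to check against your own export before reuse.

```python
import json
import re
from typing import Dict, List, Tuple

INTERNAL_DOMAIN = "example.com"  # assumed tenant domain for the example

# Operations that create or change inbox rules or mailbox-level forwarding.
RULE_OPS = {"New-InboxRule", "Set-InboxRule", "UpdateInboxRules", "Set-Mailbox"}
# Parameters that send copies of mail somewhere else.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                "ForwardingSmtpAddress", "ForwardingAddress"}
# Parameters that select which mail a rule acts on.
FILTER_PARAMS = {"SubjectContainsWords", "BodyContainsWords",
                 "SubjectOrBodyContainsWords", "FromAddressContainsWords"}
# Words an attacker filters on to intercept finance traffic or bury security warnings.
SUSPECT_WORDS = ("invoice", "payment", "wire", "bank", "swift",
                 "phish", "suspicious", "password", "hacked", "fraud")

ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def params_of(record: dict) -> Dict[str, str]:
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def is_external(value: str) -> bool:
    """True if any address in the value (e.g. 'smtp:a@b.net' or 'x@y;z@w') is outside the tenant."""
    return any(d != INTERNAL_DOMAIN for d in ADDR_RE.findall(value.lower()))


def assess(record: dict) -> List[str]:
    """Return the reasons one audit record looks like BEC mailbox persistence (empty if benign)."""
    op = record.get("Operation", "")
    if op not in RULE_OPS:
        return []
    p = params_of(record)
    reasons = []
    external = [v for k, v in p.items() if k in EXFIL_PARAMS and is_external(v)]
    if external:
        reasons.append(f"{op} sends mail outside the tenant: {external}")
    for hide in ("DeleteMessage", "MarkAsRead"):
        if p.get(hide, "").lower() == "true":
            reasons.append(f"{op} hides matching mail ({hide}=True)")
    filters = " ".join(v.lower() for k, v in p.items() if k in FILTER_PARAMS)
    matched = [w for w in SUSPECT_WORDS if w in filters]
    if matched:
        reasons.append(f"{op} filters on finance/security keywords: {matched}")
    name = p.get("Name", "")
    if op in {"New-InboxRule", "Set-InboxRule"} and len(name.strip()) <= 1:
        reasons.append(f"{op} uses a near-empty rule name {name!r}")
    return reasons


def scan(jsonl: str) -> List[Tuple[str, str, List[str]]]:
    """Run assess() over newline-delimited JSON records and keep only the hits."""
    hits = []
    for line in jsonl.splitlines():
        if line.strip():
            record = json.loads(line)
            reasons = assess(record)
            if reasons:
                hits.append((record.get("UserId", "?"), record.get("Operation", "?"), reasons))
    return hits


# Constructed sample records (not real tenant data), one JSON object per line.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payment;wire transfer"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "Set-Mailbox", "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.7",
     "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:collector@mail-drop.example.net"},
                    {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "sales.lead@example.com", "ClientIP": "198.51.100.20",
     "Parameters": [{"Name": "Name", "Value": "Vendor newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@vendor.example.com"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "MailItemsAccessed", "UserId": "ap.clerk@example.com", "ClientIP": "203.0.113.7"},
])

if __name__ == "__main__":
    for user, op, reasons in scan(SAMPLE_LOG):
        print(user, op)
        for reason in reasons:
            print("   -", reason)
```

The near-empty rule name check reflects a pattern seen in real account takeovers, where rules are named with a single punctuation character so they are easy to miss in the mailbox client; it is a heuristic, not proof of compromise. A hit should be correlated with the ClientIP and sign-in history for the same user, and the legitimate newsletter rule in the sample shows why MoveToFolder on its own is not flagged.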

What actually stops BEC

Stopping business email compromise requires more than basic spam filtering, because many of these messages carry no payload and pass through standard defenses. Detection built on generative AI and related language models examines language patterns, message context, and sender behavior rather than relying only on filters that scan headers or attachments. The healthcare study Phishing in healthcare organisations: threats, mitigation and approaches explains that “phishing is a method of attempting to gain potentially valuable details…for malicious reasons, using targeted communications such as email or messaging in which the attacking party encourages recipients to click links to websites running malicious code or to download or install malware.” The same study found that in one month “the organisation received 858,200 email messages…[and] 18,871 (2.2%) identified as potential threats,” a volume that shows why automated analysis is needed. Paubox’s new inbound email security takes this approach, analyzing context, sender behavior, and domain signals to detect impersonation and account takeover attempts before they reach users. Such systems can weigh signals like email metadata, historical communication patterns, and login behavior to flag suspicious activity earlier, reducing the chance that a routine-looking email leads to a costly BEC loss. Because the decisive step in BEC is a person approving a payment, automated detection complements, rather than replaces, out-of-band verification of any change to payment instructions.

FAQs

What is the difference between phishing and business email compromise?

Phishing usually involves sending generic messages to large numbers of recipients. Business email compromise targets specific organizations or individuals and impersonates trusted contacts to manipulate financial or operational decisions.

Why are BEC attacks so financially damaging?

BEC attacks exploit legitimate payment processes. Once an employee authorizes a wire transfer or payment change, funds may move through multiple accounts quickly, making recovery difficult.

Do BEC attacks always involve hacked email accounts?

No. Some attacks rely on spoofed email addresses that resemble legitimate domains, while others involve fully compromised accounts where attackers monitor real conversations.

Which employees are most commonly targeted in BEC attacks?

Finance teams, executives, HR departments, and procurement staff are frequent targets because they often handle payments, payroll, and sensitive documents.

Can security tools alone stop BEC attacks?

Technology helps detect suspicious activity, but verification procedures and employee awareness are equally important, because BEC relies on social engineering rather than malware.