
What is business email compromise (BEC) and why is it the costliest cybercrime?

BEC caused $2.7 billion in losses in 2024 alone. Learn how these attacks work, why they bypass technical defenses, and how to protect your business.

centrexIT Team 8 min read

Key Takeaways

  • BEC caused $2.7 billion in adjusted losses in 2024 and $55 billion over the past decade according to the FBI
  • 63% of organizations experienced BEC last year - it's not just a big-company problem
  • BEC bypasses most technical defenses because the emails come from real, compromised accounts
  • The most common BEC scenarios involve fake invoices, payroll diversions, and CEO impersonation
  • Prevention requires a combination of email authentication, payment verification procedures, and employee training

Ransomware gets the headlines. But the cybercrime that costs businesses the most money? It’s business email compromise - and it’s not even close.

The Numbers Are Staggering

According to the FBI’s Internet Crime Complaint Center (IC3), BEC attacks resulted in $2.7 billion in adjusted losses in 2024 alone. Over the past decade, the cumulative total has reached $55 billion globally.

To put that in perspective: BEC consistently causes more financial damage than ransomware, data breaches, and identity theft combined.

And the problem is accelerating. BEC attacks are up 15% in 2025, with attackers using increasingly sophisticated techniques that are harder to detect.

What Is BEC, Exactly?

Business email compromise is a type of fraud where an attacker gains access to or impersonates a business email account to trick employees, customers, or vendors into sending money or sensitive information.

Unlike traditional phishing - which casts a wide net with obvious spam - BEC is a targeted, researched, and patient attack. The attacker studies your organization, learns who handles payments, understands your vendor relationships, and strikes at exactly the right moment.

How It Typically Works

  1. Research - The attacker studies your company through LinkedIn, your website, and social media. They identify the CEO, CFO, accounting staff, and key vendors.

  2. Compromise or Impersonation - Either they hack into a real email account (via phishing or credential stuffing) or they create a look-alike email address (like john@company.co instead of john@company.com).

  3. Setup - From the compromised account, they may monitor email traffic for weeks, learning communication patterns, payment schedules, and approval processes.

  4. The Ask - At the perfect moment, they send an email requesting a wire transfer, invoice payment, or sensitive information. The email looks legitimate because it IS from a real account, or perfectly mimics one.

  5. Extraction - Money is wired to a fraudulent account and quickly moved through multiple transfers, often internationally, making recovery extremely difficult.

The 5 Most Common BEC Scenarios

1. CEO Impersonation (“CEO Fraud”)

The attacker poses as the CEO or another executive, emailing someone in finance with an urgent payment request. The email might read:

“I need you to process a wire transfer of $47,000 to this account immediately. This is for a confidential acquisition we’re working on. Don’t discuss this with anyone else until the deal closes.”

The urgency, secrecy, and authority make employees reluctant to question it.

2. Vendor Invoice Fraud

The attacker compromises a vendor’s email account (or impersonates one) and sends a legitimate-looking invoice with updated banking details. Your accounts payable team pays the invoice to the new account - which belongs to the attacker.

This is particularly dangerous because the invoice may reference real purchase orders and projects.

3. Payroll Diversion

An attacker impersonates an employee and emails HR or payroll requesting a direct deposit change. The next paycheck goes to the attacker’s account. By the time the real employee notices, the money is gone.

4. Attorney Impersonation

The attacker poses as a lawyer handling a time-sensitive deal, pressuring an employee to make a quick, confidential payment. This often happens around mergers, acquisitions, or real estate closings.

5. Data Theft

Not all BEC is about money. Some attacks target W-2 forms, customer lists, or other sensitive data that can be used for identity theft or sold on the dark web.

Why BEC Is So Effective

It Bypasses Technical Defenses

Most email security tools look for malicious links, suspicious attachments, or known spam patterns. BEC emails often contain none of these. They’re just text - a normal-sounding request from what appears to be a trusted sender.

When the email comes from an actually compromised account, even sophisticated email security may not flag it because the sending address is legitimate.

It Exploits Human Nature

BEC attacks leverage:

  • Authority - requests appear to come from the boss
  • Urgency - “this needs to happen today”
  • Secrecy - “keep this between us”
  • Trust - it’s from a known contact or vendor
  • Routine - it looks like a normal business transaction

The Damage Is Immediate and Often Irreversible

Unlike ransomware, where you have time to negotiate or recover from backups, BEC losses happen in minutes. Once a wire transfer clears, the money is typically routed through multiple accounts and overseas. The FBI’s IC3 Recovery Asset Team has a 66% success rate in freezing fraudulent transfers - but only if the victim reports quickly.

Who Gets Targeted?

Everyone. The Association for Financial Professionals found that 63% of organizations experienced BEC attempts last year.

Small businesses are actually at higher risk because they’re less likely to have formal payment verification procedures, dedicated security teams, or advanced email security tools.

BEC has been reported in all 50 states and 186 countries, with fraudulent transfers reaching over 140 countries.

How to Protect Your Business

Payment Verification Procedures

This is your most important defense. Implement mandatory verification for:

| Scenario | Required Verification |
| --- | --- |
| Wire transfers over $5,000 | Phone call to requester using a known number (not the one in the email) |
| New vendor bank details | Written confirmation via a separate communication channel |
| Changes to payroll direct deposit | In-person or video verification with the employee |
| Urgent payment requests from executives | Phone confirmation - no exceptions |
| Any “confidential” or “time-sensitive” payment | Automatic escalation to a second approver |

The key: Never verify a payment request using contact information from the suspicious email itself. Always use a phone number you already have on file or look up independently.

Email Security and Authentication

  • Deploy DMARC, SPF, and DKIM on your email domain to prevent spoofing
  • Use advanced email security that analyzes communication patterns and flags anomalies
  • Enable alerts for look-alike domains (your-company.co, yourcompany.net, etc.)
  • Monitor for mail forwarding rules that attackers set up to intercept replies

Employee Training

Train your team to recognize BEC red flags:

  • Unusual urgency or secrecy around a payment
  • Requests that bypass normal approval processes
  • Slight changes in email addresses or domain names
  • “Reply-to” addresses that differ from the “From” address
  • Pressure not to verify through other channels
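As an added example (not code from the original article), here is a small Python check that applies the red flags above, plus the look-alike-domain point from the email security list, to a constructed message. OUR_DOMAIN, KNOWN_VENDORS, the keyword lists and the sample message are assumptions made for the example.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, not a real capture: look-alike domain, mismatched Reply-To,
# an executive title in the display name, and urgency/secrecy wording in the body.
SAMPLE = """From: "John Smith, CEO" <john@company.co>
Reply-To: john.smith.ceo@webmail-example.test
To: ap@company.com
Subject: Urgent wire transfer - confidential

I need you to process a wire transfer of $47,000 today.
Keep this between us until the deal closes.
"""
OUR_DOMAIN = "company.com"               # assumed: the organization's own domain
KNOWN_VENDORS = {"vendor-example.test"}  # assumed: vendor domains already on file
URGENCY = ("urgent", "immediately", "today", "asap")
SECRECY = ("confidential", "keep this between us", "don't discuss", "do not discuss")

def domain_of(addr):
    return parseaddr(str(addr))[1].rpartition("@")[2].lower()

def edit_distance(a, b):
    """Levenshtein distance; company.co is 1 edit away from company.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_red_flags(raw):
    """Return the list of BEC red flags found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(from_addr)
    if domain_of(msg.get("Reply-To", "") or from_addr) != from_dom:
        flags.append("reply-to-mismatch")          # replies would go somewhere else
    trusted = {OUR_DOMAIN} | KNOWN_VENDORS
    if from_dom not in trusted and any(0 < edit_distance(from_dom, t) <= 2 for t in trusted):
        flags.append("look-alike-domain")          # e.g. company.co vs company.com
    if from_dom != OUR_DOMAIN and any(t in from_name.lower() for t in ("ceo", "cfo", "president")):
        flags.append("executive-title-external-sender")
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + " " + (body.get_content() if body else "")).lower()
    for label, words in (("urgency-language", URGENCY), ("secrecy-language", SECRECY)):
        if any(w in text for w in words):
            flags.append(label)
    return flags
```

A message sent from a genuinely compromised internal or vendor account passes every header check here, which is exactly why the payment verification procedures above remain the primary control.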

Access Controls

  • Enable MFA on all email accounts - this prevents account compromise in the first place
  • Implement conditional access policies to block logins from unusual locations
  • Conduct regular mailbox audits to check for suspicious forwarding rules or delegates

What to Do If You’ve Been Hit

Time is critical. Follow these steps immediately:

  1. Contact your bank within minutes to request a recall or freeze on the wire transfer
  2. File a complaint with the FBI’s IC3 at www.ic3.gov - include all transaction details
  3. Contact your cyber insurance carrier if you have coverage
  4. Preserve evidence - don’t delete the emails or modify the compromised account
  5. Engage your IT provider to investigate the compromised account and check for additional exposure
  6. Notify affected parties if sensitive data was shared

The FBI’s IC3 Recovery Asset Team can sometimes freeze fraudulent transfers, but success rates drop dramatically after 24-48 hours.

The Bottom Line

BEC is the most financially damaging cybercrime because it doesn’t need malware, doesn’t trigger antivirus alerts, and exploits the one thing technology can’t fully protect: human trust.

The defense isn’t a product you can buy. It’s a combination of verification procedures, email authentication, employee awareness, and a culture where questioning a payment request is expected - even when it comes from the CEO.

If your business processes payments, handles invoices, or manages payroll - and every business does - BEC is a threat you need to take seriously.


Want to evaluate your business’s exposure to BEC and other email-based threats? Contact us for a security assessment.
