Business Email Compromise: How It Works and How to Block It
There is a particular kind of sinking feeling that hits when you realize the wire transfer you just approved was not for your real supplier. It went to a criminal who had been quietly reading your emails for weeks, waiting for the perfect moment. The scam behind that moment is called Business Email Compromise, or BEC for short. Unlike the loud, smash-and-grab ransomware attacks that announce themselves with a scary note, BEC is a quiet con. It exploits trust, routine, and the sheer busyness of running a small company. The FBI has called it a multi-billion dollar scam, and the reported losses keep climbing because the tactic works so well. This article will show you how these scams unfold, why small businesses get hit so hard, and the concrete steps you can take to block them before your bookkeeper clicks send on a payment that disappears forever.
What Exactly Is Business Email Compromise?
At its core, Business Email Compromise is a type of fraud where a criminal impersonates someone you trust, usually over email, to trick you into sending money or sensitive information. They are not breaking your firewall with a fancy exploit. They are manipulating a human being, often by using an email address that looks almost identical to the real one, or by actually taking over a real account. The goal might be a fraudulent wire transfer, a changed payroll direct deposit, or a batch of employee tax forms that get sold on the dark web. The damage is immediate and financial. And unlike credit card fraud, there is often no easy way to reverse the transaction once the money hits an overseas account.
The scammers are patient. They do their homework, reading your website, your social media, and any public financial filings. They learn who the CEO is, who handles the accounts, and which vendors you pay regularly. Then they craft an email that feels completely normal, timed to a real payment cycle. Because it looks so familiar, the usual red flags do not wave. It is the quiet, polite thief in the inbox.
How BEC Scams Unfold Step by Step
Understanding the playbook takes away some of its power. Most BEC attacks follow a predictable pattern, although each step is polished to match your specific business.
Step One: The Reconnaissance Phase
The scammer starts by learning everything they can about your business without ever making contact. Your website tells them the names of key people, your mission statement, and sometimes even the brands you carry. LinkedIn reveals job titles, how long employees have been around, and who just got promoted. Public records and social media posts add color. The goal is to map your company’s internal relationships. They want to know who has the authority to approve payments and who normally sends invoices. This research phase can last days or weeks, and you never see it happening.
Step Two: The Approach and Impersonation
Once they have a clear target, the criminal makes a move. There are three common methods. The first is header spoofing, where the From address is simply forged to show the CEO’s real address. This is the case SPF, DKIM and DMARC were built to stop, and it only works against organizations that have not deployed them. The second is the lookalike domain, where the message comes from a domain the attacker actually registered that is nearly indistinguishable from yours. Think “yourcompany.com” versus “yourcompany.co”, or a subtle substitution like “rn” instead of “m”, usually paired with a display name that matches the executive exactly so that nobody looks at the address behind it. The third is account takeover, where they use a stolen password, or a phished session token, to log into a real mailbox and send as that person. The takeover is the most dangerous because every message comes from the legitimate address, passes every authentication check, and the scammer can read the entire email history to mimic tone, signature, and ongoing conversations.
Step Three: The Grooming and Trust Building
The scammer rarely asks for money in the first message. They might send a brief, innocent note asking if you are at your desk, or a simple request to update a vendor’s banking information. It feels like a routine check-in. The reply builds a thread, and a thread feels legitimate. They exploit the natural human instinct to be helpful and responsive, especially when the request seems to come from the boss. By the time the actual fraudulent instruction arrives, the victim has already exchanged a couple of emails and lowered their guard.
Step Four: The Fraudulent Request
Then comes the ask. It is often a wire transfer for an urgent invoice, a time-sensitive deal, or a confidential acquisition that cannot be discussed openly. The language creates pressure: the CEO is in a board meeting and cannot take a call, the vendor will cancel a discount if not paid today, or the tax penalty is due by noon. Everything is designed to short-circuit the normal verification process. The banking details in the attached invoice or in the email body lead to an account controlled by the criminal, often in a jurisdiction that makes recovery extremely difficult.
Step Five: The Disappearance
Once the money is sent, the scammer may send one more confirmation to buy time before the victim realizes what happened. Then the trail goes quiet. A lookalike domain is simply abandoned. A taken-over account is tidied up: sent messages are deleted, and inbox rules are often left behind to hide the real vendor’s replies from the mailbox owner. The victim discovers the fraud hours or days later, often when the real vendor calls asking where the payment is. By then, the funds have been moved through a maze of accounts and cryptocurrency exchanges, and the trail is ice cold.
The Most Common BEC Scenarios in 2026
BEC is not a single trick. It has several well-worn variations, each tailored to a different angle of your business operations.
CEO Fraud or Executive Impersonation
The classic setup. An email that appears to come from the owner or a senior executive lands in the finance person’s inbox, asking for an urgent wire transfer. The tone is authoritative and rushed. “I’m in a client dinner and cannot talk, but I need you to process this payment immediately. I’ll explain later.” The finance person feels the pressure of hierarchy and the desire to be responsive. Too often, the request is processed without a second thought, because nobody wants to be the one who held up the CEO’s important deal.
Invoice Fraud and Vendor Impersonation
Here the scammer poses as a regular supplier. They might hack into the vendor’s email or simply spoof it, then send a message saying their banking details have changed. Attached is a new invoice with the updated payment information. The accounts payable team updates the vendor file and pays the next invoice to the criminal’s account. By the time the real vendor follows up about a past-due balance, weeks have passed. Small businesses with lean accounting teams are especially vulnerable because the person handling payments may not have the bandwidth to verify every change.
Payroll Diversion and HR Scams
A more recent twist targets human resources and payroll. The scammer impersonates an employee, often using a spoofed or lookalike email, and sends a request to update their direct deposit information. The payroll department makes the change, and the next paycheck goes to the criminal’s account. The real employee notices on payday, and the company is left scrambling to recover the funds while also dealing with an upset staff member. The same approach works for stealing tax forms, which contain enough personal data for identity theft and fraudulent tax returns.
Legal and Real Estate Wire Fraud
Small law firms, title companies, and real estate brokerages are prime targets because they routinely handle large wire transfers. The scammer intercepts communication about a closing and sends last-minute wiring instructions that redirect the down payment to a fraudulent account. Homebuyers have lost their life savings this way. For a small business, the liability is enormous, and professional reputation damage can be permanent.
Why Small Businesses Are the Prime Target
There is a persistent myth that cybercriminals only go after giant corporations with deep pockets. BEC does not work that way. Small and medium businesses are a favored target. You have enough cash flow to make the scam worthwhile, often enough in a single transaction to net tens or hundreds of thousands of dollars. But you rarely have the dedicated fraud prevention teams or sophisticated email filtering that big enterprises deploy. Your payment processes often rely on a single person who wears many hats. That person is overworked, trusted, and not suspicious of a request that looks like a routine part of their day. The criminals understand this dynamic intimately and they exploit it.
Additionally, small businesses often lack formal verification procedures for payment changes. A vendor calls to update their address and someone makes a note without a call-back verification. An employee sends an email about a new direct deposit form and payroll processes it without a second factor check. These little gaps are exactly the openings BEC scammers look for. The attacks are not about overwhelming your technology. They are about slipping through the cracks in your human processes.
How to Block BEC: Technical Defenses
Stopping BEC requires a mix of technology that catches the obvious fakes and processes that catch the clever ones. Neither alone is enough.
Email Authentication Protocols: SPF, DKIM, and DMARC
These three acronyms sound like alphabet soup, but they are your first technical shield. Together they let a receiving mail server check whether a message that claims to come from your domain was actually authorized by you. SPF is a DNS record listing the servers allowed to send mail for your domain. DKIM is a digital signature added by your mail server and verified against a public key in your DNS; it proves the message came from a system holding your key and was not altered in transit. DMARC ties the two together. It requires that the domain that passed SPF or DKIM align with the domain in the From header the user actually sees, it tells receiving servers what to do with mail that fails (p=none to monitor only, p=quarantine to send it to spam, p=reject to refuse it), and it gives you an address for aggregate reports so you can see who is sending as you. Publish the records, watch the reports, then move the policy to reject. Two caveats matter for BEC. These records only protect your own domain name: they do nothing against a lookalike domain the criminal owns, and nothing against mail sent from a mailbox the criminal has taken over. And they only help if the receiving side enforces them, so make sure your own mail gateway is configured to honor DMARC on inbound mail, not just to publish a policy for your outbound mail.
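The records above are easy to publish half-finished, and a half-finished policy gives no protection. The following script is an added example for this article, not the author’s code or any vendor’s tool: it parses SPF and DMARC TXT records and lists the gaps that leave the domain spoofable. The DNS answers are constructed sample records embedded in the script so it runs offline; the `.example` domains and the `lookup_txt()` stand-in are assumptions you would replace with a real resolver to audit your own domain.

```python
"""Assess published SPF and DMARC records and report what they leave open.

Added example for the article; not the author's code. DNS answers are
constructed sample data so the checks run offline. Swap lookup_txt() for a
real resolver (for example dnspython) to audit a live domain.
"""
import re

# Constructed stand-in for DNS TXT answers, keyed by record name.
SAMPLE_DNS = {
    # Typical half-finished setup: SPF softfails, DMARC only monitors.
    "yourcompany.example": "v=spf1 include:_spf.mailer.example ip4:203.0.113.10 ~all",
    "_dmarc.yourcompany.example": "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.example",
    # Enforcing setup: hard fail, reject policy, strict alignment, reports on.
    "hardened.example": "v=spf1 include:_spf.mailer.example -all",
    "_dmarc.hardened.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; rua=mailto:dmarc@hardened.example",
    # Worst case: SPF authorizes every host, no DMARC record at all.
    "nodmarc.example": "v=spf1 ip4:198.51.100.0/24 +all",
}


def lookup_txt(name, dns=SAMPLE_DNS):
    """Return the TXT record for name, or None. Replace with a real DNS query."""
    return dns.get(name)


def parse_spf(txt):
    """Return the SPF mechanisms and the qualifier on the final 'all' term."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return None
    terms = txt.split()[1:]
    qualifier = None
    for term in terms:
        match = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if match:
            qualifier = match.group(1) or "+"   # a bare 'all' means +all
    return {"terms": terms, "all": qualifier}


def parse_dmarc(txt):
    """Return DMARC tag=value pairs as a dict, or None if the record is invalid."""
    if not txt or not txt.strip().lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_domain(domain, dns=SAMPLE_DNS):
    """Return a list of findings; an empty list means SPF and DMARC are enforcing."""
    findings = []
    spf = parse_spf(lookup_txt(domain, dns))
    if spf is None:
        findings.append("no SPF record: any host may claim to send for this domain")
    elif spf["all"] == "+":
        findings.append("SPF ends in +all: it authorizes every host on the internet")
    elif spf["all"] in ("~", "?"):
        findings.append(f"SPF ends in {spf['all']}all: forged mail is only softfailed, not rejected")

    dmarc = parse_dmarc(lookup_txt(f"_dmarc.{domain}", dns))
    if dmarc is None:
        findings.append("no DMARC record: receivers have no policy for mail that fails SPF/DKIM")
        return findings
    policy = dmarc.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC p=none: failing mail is still delivered (monitor-only)")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC policy '{policy}' is not valid; receivers will ignore the record")
    if dmarc.get("sp", policy).lower() == "none" and policy != "none":
        findings.append("DMARC sp=none: subdomains can still be spoofed")
    if int(dmarc.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={dmarc['pct']}: the policy is only applied to part of the mail")
    if "rua" not in dmarc:
        findings.append("DMARC has no rua= address: you receive no aggregate reports")
    return findings


if __name__ == "__main__":
    for name in ("yourcompany.example", "hardened.example", "nodmarc.example"):
        print(name, "->", assess_domain(name) or ["enforcing"])
```

Run it against a live domain by replacing `lookup_txt()` with a TXT query; a domain is only protected against header spoofing when the function returns no findings, and even then the lookalike and account-takeover cases in the sections above remain.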

Advanced Email Filtering and AI-Based Detection
Your basic spam filter is not enough anymore. Modern BEC emails often contain no malware, no suspicious links, just plain text with a polite request. That makes them invisible to traditional filters. Advanced email security services use artificial intelligence to analyze communication patterns. They can flag an email that claims to be from your CEO but originates from a strange IP address in a different country, even if the display name looks right. They detect subtle impersonation attempts, like domain names with replaced characters, and they can automatically flag messages that contain urgent requests for wire transfers or changes to banking information. Some services also use natural language processing to identify tone and intent, catching the pressure tactics BEC relies on.
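The detections described in this section and in the impersonation step earlier are not magic. The script below is an added example for this article, not the author’s code or any vendor’s product; it shows the core checks in plain Python: a display name that matches an executive on an external address, a lookalike domain detected by homoglyph normalization and edit distance, a Reply-To that points somewhere other than the sender, and payment language combined with pressure. The three messages are constructed, and the organization domain, executive name and keyword lists are assumptions you would replace with your own directory data.

```python
"""Score inbound mail for the impersonation patterns used in BEC.

Added example for the article; not the author's code or a product's engine.
Organization domain, executive list and sample messages are constructed.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAINS = {"yourcompany.example"}                          # assumed organization domain
EXECUTIVES = {"dana ruiz": "dana.ruiz@yourcompany.example"}    # hypothetical CEO

# Character sequences that pass for another character in common fonts.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]
FINANCE_TERMS = ["wire", "transfer", "invoice", "bank account", "banking details",
                 "direct deposit", "remittance", "payment"]
URGENCY_TERMS = ["urgent", "immediately", "today", "before noon", "asap",
                 "as soon as possible", "can't talk", "cannot talk", "confidential"]

# Constructed messages: two BEC attempts and one legitimate internal email.
SAMPLE_MESSAGES = {
    "ceo_lookalike": """From: Dana Ruiz <dana.ruiz@yourcornpany.example>
To: ap@yourcompany.example
Subject: Urgent wire needed today
Content-Type: text/plain; charset=utf-8

I'm in a board meeting and can't talk. Please process the attached wire
transfer before noon and confirm by email. I'll explain later.
""",
    "vendor_reply_to": """From: billing@supplier-ltd.example
Reply-To: billing@supplier-ltd-invoices.example
To: ap@yourcompany.example
Subject: Updated banking details for invoice 4471
Content-Type: text/plain; charset=utf-8

Our bank account has changed. Please update the remittance details and pay
the outstanding invoice to the new account as soon as possible.
""",
    "benign": """From: Dana Ruiz <dana.ruiz@yourcompany.example>
To: ap@yourcompany.example
Subject: Q3 offsite agenda
Content-Type: text/plain; charset=utf-8

Draft agenda attached, comments welcome by Friday.
""",
}


def registrable(domain):
    """Crude registrable-domain cut (last two labels); enough for this example."""
    return ".".join(domain.lower().split(".")[-2:])


def normalize_glyphs(label):
    """Collapse lookalike character sequences so 'yourcornpany' reads 'yourcompany'."""
    for src, dst in HOMOGLYPHS:
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Classic edit distance, used to catch one-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    """True if domain is one TLD, one homoglyph swap or one edit away from an org domain."""
    domain = domain.lower()
    if registrable(domain) in ORG_DOMAINS:
        return False
    parts = domain.split(".")
    if len(parts) < 2:
        return False
    label, tld = parts[-2], parts[-1]
    for legit in ORG_DOMAINS:
        legit_label, legit_tld = legit.split(".")[-2:]
        if label == legit_label and tld != legit_tld:
            return True                       # yourcompany.co for yourcompany.com
        if normalize_glyphs(label) == normalize_glyphs(legit_label):
            return True                       # yourcornpany for yourcompany
        if levenshtein(label, legit_label) <= 1:
            return True                       # one character added, dropped or changed
    return False


def analyze(raw_message):
    """Return human-readable reasons the message looks like BEC (empty if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(str(msg["From"] or ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    if registrable(from_domain) not in ORG_DOMAINS:
        if name.strip().lower() in EXECUTIVES:
            reasons.append(f"display name '{name}' matches an executive but the address is external: {addr}")
        if is_lookalike(from_domain):
            reasons.append(f"sender domain {from_domain} is a lookalike of an organization domain")
    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        reasons.append(f"replies are redirected to {reply_to}, a different domain than the sender")
    body = msg.get_content() if not msg.is_multipart() else ""
    text = f"{msg['Subject'] or ''} {body}".lower()
    money = [t for t in FINANCE_TERMS if t in text]
    rush = [t for t in URGENCY_TERMS if t in text]
    if money and rush:
        reasons.append(f"payment language ({', '.join(money)}) combined with pressure ({', '.join(rush)})")
    return reasons


if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(label, "->", analyze(raw) or ["no indicators"])
```

None of these checks alone is proof of fraud; a vendor really can change its Reply-To, and a CEO really can be in a hurry. The value is in combining them, and in routing anything that scores on two or more to a human who is expected to pick up the phone.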
Implementing a Strict Payment Verification Process
This is not purely technical, but technology can support it. Any request to change vendor banking details or employee direct deposit information must trigger a mandatory out-of-band verification. That means you do not reply to the email. You pick up the phone and call a known number, not a number from the email. You confirm verbally with someone you trust that the request is legitimate. Set up your accounting system so that banking changes require dual approval from two separate people. A single person should never be able to both change vendor details and release a payment. These process controls act as a safety net when a clever email slips through every technical filter.
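The controls in that paragraph can be written down as rules a system refuses to bypass. The code below is an added example for this article, not the author’s code or any accounting product’s workflow; the vendor master record, the request shape and the employee names are hypothetical. It enforces three things: the call-back must go to the number already on file, never a number supplied in the request; the person who keyed the change cannot approve it and two distinct approvers are needed; and whoever changed the bank details cannot release the next payment.

```python
"""Dual control and out-of-band verification for vendor bank-detail changes.

Added example for the article; not the author's code. The vendor master
record and request shape are hypothetical stand-ins for an accounting system.
"""
from dataclasses import dataclass, field
from typing import Optional, Set


class ControlViolation(Exception):
    """Raised when a payment-control rule would be bypassed."""


# Constructed vendor master record. The phone number on file is the only
# number that counts for call-back verification.
VENDOR_MASTER = {
    "V-1001": {"name": "Supplier Ltd", "phone_on_file": "+1 555 0100",
               "account": "OLD-ACCOUNT-0001", "changed_by": None},
}


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_account: str
    requested_by: str                     # employee who keyed the change
    number_in_request: Optional[str]      # call-back number quoted in the email, if any
    verified_by: Optional[str] = None
    approvals: Set[str] = field(default_factory=set)


def record_callback(req, employee, number_dialled, vendor_confirmed):
    """Log the out-of-band call. Only a call to the number on file counts."""
    on_file = VENDOR_MASTER[req.vendor_id]["phone_on_file"]
    if number_dialled != on_file:
        raise ControlViolation(
            f"call-back went to {number_dialled}, not the number on file ({on_file})")
    if not vendor_confirmed:
        raise ControlViolation("vendor did not confirm the change; hold the request")
    req.verified_by = employee


def approve(req, approver):
    """Add an approval; the requester can never approve their own change."""
    if approver == req.requested_by:
        raise ControlViolation(f"{approver} requested this change and cannot approve it")
    req.approvals.add(approver)


def apply_change(req):
    """Commit the new account only after verification and two distinct approvals."""
    if req.verified_by is None:
        raise ControlViolation("no verified call-back recorded")
    if len(req.approvals) < 2:
        raise ControlViolation("two distinct approvers required")
    vendor = VENDOR_MASTER[req.vendor_id]
    vendor["account"] = req.new_account
    vendor["changed_by"] = req.requested_by
    return vendor


def release_payment(vendor_id, released_by, amount):
    """Release a payment; the person who changed the bank details may not release it."""
    vendor = VENDOR_MASTER[vendor_id]
    if released_by == vendor["changed_by"]:
        raise ControlViolation(
            f"{released_by} changed the bank details and cannot also release payment")
    return {"vendor": vendor["name"], "to": vendor["account"],
            "amount": amount, "released_by": released_by}


if __name__ == "__main__":
    # The email quotes a "new" phone number; calling it would reach the scammer.
    req = BankChangeRequest("V-1001", "NEW-ACCOUNT-0002", "ap.clerk", "+1 555 0199")
    try:
        record_callback(req, "ap.clerk", req.number_in_request, vendor_confirmed=True)
    except ControlViolation as exc:
        print("blocked:", exc)
    record_callback(req, "ap.clerk", "+1 555 0100", vendor_confirmed=True)
    approve(req, "controller")
    approve(req, "owner")
    print("applied:", apply_change(req))
    print("released:", release_payment("V-1001", "controller", 12000))
```

The point of modelling it this way is that the safety net does not depend on anyone remembering the policy under pressure; the system simply will not commit a change or release a payment until the required people and the right phone number are on record.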
How to Block BEC: The Human Firewall
Technology can catch a lot, but the final decision maker is the person behind the keyboard. Building a human firewall means training your team to think critically, pause before acting, and feel safe raising concerns.
Making Verification a Cultural Norm
The single most effective defense against BEC is a company culture where verifying unusual requests is celebrated, not punished. If the CEO sends an urgent wire request, the finance person should feel completely comfortable walking down the hall or making a quick call to confirm. The CEO must model this by thanking them for checking, not acting annoyed. When a vendor calls to change banking details, the accounts payable person should have a clear, non-negotiable policy to call back a saved number and verify. These little friction points are not inefficiencies. They are the checks that stop fraud in its tracks. Make them a point of pride.
Regular, Realistic Training Sessions
Phishing and BEC training does not have to be a boring compliance module. Gather your team once a quarter and walk through a real BEC attempt that hit a business in your industry. Show them the actual email. Point out the subtle signs: the domain that is off by one letter, the slightly unusual phrasing, the pressure to act immediately. Discuss what the correct response should be. Make it interactive and conversational. This kind of training sticks far better than a video everyone clicks through while checking their own email. Also, run simulated BEC tests using a safe service that sends fake urgent requests. Use the results to guide your training, never to shame.
Encouraging Immediate Reporting Without Fear
One of the biggest tragedies in BEC cases is the delay between discovery and response, often because the employee who clicked or sent the payment is terrified of getting fired. You need a policy, stated clearly from day one, that you will never punish someone for reporting a security mistake. An error reported immediately is a crisis that can be contained. The same error hidden for three days is a disaster. When people know they will be met with support, not blame, they speak up quickly, and that speed is everything when you are trying to recall a wire transfer.
What to Do If You’ve Been Compromised
Even the best defenses can fail. Having a plan for that moment makes the difference between a manageable incident and a catastrophe.
Step One: Contact Your Bank Immediately
The clock is ticking the moment the money leaves your account. Call your bank’s fraud department, not the general customer service line, and explain that you are the victim of a fraudulent wire transfer. Have the transaction reference, amount, date, beneficiary name and account details in front of you. Ask them to issue a recall request, or a SWIFT recall if the transfer was international, and to contact the receiving bank so the beneficiary account can be frozen if the funds have not yet been moved. The faster you act, the higher the chance of recovery. Do not be embarrassed. Fraud departments handle these calls daily. They would rather hear from you quickly than weeks later when the money is gone.
Step Two: Secure the Compromised Account
If the scam came from a lookalike or spoofed external address, your own accounts may not be compromised, but you should still review recent sign-in activity as a precaution. If the email actually came from inside your organization because an account was taken over, you need to act fast, and in the right order. Reset the password and revoke every active session and refresh token, because a password change alone does not log out a session the attacker already holds. Enable multi-factor authentication if it was not already on, and check whether the attacker registered an MFA device of their own. Review the mailbox’s rules, not just forwarding: attackers routinely add rules that forward to an external address, or that move messages mentioning invoices, payments or wire transfers into an obscure folder so the real vendor’s replies are never seen. Look for third-party applications the account has granted access to, since those keep working after a password reset. Review sent items and deleted items to understand what the attacker sent and to whom. Preserve sign-in and audit logs before they age out. Then expand your investigation to other accounts that share the same password or were phished in the same campaign.
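Checking the mailbox rules is the step most often skipped, and it is the one that lets an attacker keep reading replies after the password has been changed. The script below is an added example for this article, not the author’s code or any mail platform’s tool. It triages an exported list of inbox rules for the patterns attackers leave behind: forwarding outside the organization, rules with blank or single-character names, and rules that hide or mark as read any message mentioning invoices, payments or compromise. The rule records are constructed; their field names are this example’s own and not any product’s export schema, so map them onto whatever your administration console gives you.

```python
"""Triage exported inbox rules for attacker persistence after an account takeover.

Added example for the article; not the author's code. The rule records are
constructed and the field names are this example's own, not a product schema.
"""

ORG_DOMAINS = {"yourcompany.example"}          # assumed organization domain

# Folders attackers use because owners rarely look there.
HIDEAWAY_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                    "archive", "junk email", "deleted items", "notes"}

# Subject filters that suggest the rule exists to suppress fraud signals.
WATCH_TERMS = {"invoice", "wire", "bank", "payment", "remittance", "account",
               "password", "suspicious", "hacked", "phish", "fraud", "urgent"}

# Constructed export of four rules from one mailbox.
SAMPLE_RULES = [
    {"name": ".", "enabled": True,
     "forward_to": ["collector@mail-relay.example"], "move_to": None,
     "delete": False, "mark_read": False, "subject_contains": []},
    {"name": "cleanup", "enabled": True,
     "forward_to": [], "move_to": "RSS Subscriptions",
     "delete": False, "mark_read": True,
     "subject_contains": ["invoice", "wire", "payment", "hacked"]},
    {"name": "Team newsletter", "enabled": True,
     "forward_to": [], "move_to": "Newsletters",
     "delete": False, "mark_read": False, "subject_contains": ["weekly digest"]},
    {"name": "Copy to assistant", "enabled": True,
     "forward_to": ["assistant@yourcompany.example"], "move_to": None,
     "delete": False, "mark_read": False, "subject_contains": ["travel"]},
]


def is_external(address):
    """True if the address is outside the organization's domains."""
    return address.rpartition("@")[2].lower() not in ORG_DOMAINS


def triage_rule(rule):
    """Return the reasons a single rule looks like attacker persistence."""
    reasons = []
    external = [a for a in rule.get("forward_to", []) if is_external(a)]
    if external:
        reasons.append(f"forwards mail outside the organization to {', '.join(external)}")
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character, a common attacker habit")
    watched = sorted({t.lower() for t in rule.get("subject_contains", [])} & WATCH_TERMS)
    folder = (rule.get("move_to") or "").lower()
    if watched and (rule.get("delete") or folder in HIDEAWAY_FOLDERS):
        action = "deletes" if rule.get("delete") else f"moves to '{rule['move_to']}'"
        reasons.append(f"{action} messages mentioning {', '.join(watched)}, hiding fraud-related replies")
    if watched and rule.get("mark_read"):
        reasons.append(f"marks messages mentioning {', '.join(watched)} as read so they never stand out")
    if reasons and not rule.get("enabled", True):
        reasons.append("rule is currently disabled; an attacker may re-enable it later")
    return reasons


def triage_mailbox(rules):
    """Map each suspicious rule's name to its reasons; clean rules are omitted."""
    report = {}
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            report[rule["name"]] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in triage_mailbox(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Delete the flagged rules only after you have exported them as evidence, and repeat the check across every mailbox in the tenant, not just the one you know was used: the same stolen password often opens several.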
Step Three: Report to Law Enforcement and Your Cyber Insurance Provider
File a complaint with your local police and with the FBI’s Internet Crime Complaint Center, IC3. Recovery rates for international wires are low, but a prompt IC3 report gives the FBI’s Recovery Asset Team a chance to work with the banks to freeze funds before they move on, and the reports help law enforcement connect your case to a wider campaign. If you have cyber insurance, contact your provider immediately, and check whether the policy requires notification within a set period. They can connect you with forensic investigators, legal counsel, and crisis communication support. Do not try to handle the entire response alone. The emotional toll of BEC is significant, and having professionals guide you reduces the burden and increases the odds of a better outcome.
Conclusion
Business Email Compromise thrives on trust and busyness, two things that are abundant in every healthy small business. The criminals behind these scams are not technical wizards. They are social engineers who have learned that the fastest route to your bank account runs through a well-timed, polite email. Blocking them requires a layered defense that combines solid email authentication, advanced filtering, and ironclad payment verification processes. But most of all, it requires a team that has been trained, trusted, and empowered to hit pause on any request that feels off. The money you save will be significant, but the peace of mind you gain from knowing your people can spot the con is worth even more. Take the steps now, before that sinking feeling arrives in your inbox.
This article was written by [Manuel López Ramos](https://trustcyberhub.com/manuel-lopez-ramos/) and is published for educational purposes, with the aim of providing general information for learning and awareness.