Imagine receiving an email from your CEO asking you to make an urgent payment before the end of the day. The email has the right signature. It uses the same writing style you’re used to. It even references a real project your company is working on. Without thinking twice, you approve the transfer. Hours later, you discover the CEO never sent the email and the money is gone.
That’s the reality of Business Email Compromise (BEC), one of the most financially damaging forms of cybercrime facing organisations today. Unlike traditional phishing attacks that rely on mass emails and obvious scams, BEC attacks are highly targeted, carefully planned and designed to exploit one thing above all else: trust.
What is Business Email Compromise?
Business Email Compromise is a cyberattack in which criminals impersonate a trusted individual or gain access to a legitimate business email account to trick victims into transferring money, revealing sensitive information or performing unauthorised actions.
Sometimes attackers compromise a genuine email account through credential theft or malware. In other cases, they register a lookalike domain that differs from the legitimate one by a single character, a different top-level domain or an added word.
For example:
- Legitimate: finance@company.com
- Malicious: finance@cornpany.com (where the “m” has been replaced with “rn”)
- Malicious: finance@company.co
- Malicious: finance@company-security.com
At a quick glance, these addresses can appear genuine, especially when employees are busy or under pressure.
Why BEC is So Dangerous
Many people imagine cybercriminals as hackers breaking through firewalls or deploying sophisticated malware, but BEC is different. The attacker often doesn’t need to exploit a technical vulnerability at all. Instead, they exploit human psychology and established business processes.
Their emails look routine. Their requests seem legitimate. And they often create a sense of urgency that discourages people from stopping to verify what they’re being asked to do. The result can be devastating financial losses, data breaches or both.
How a Business Email Compromise Attack Works
Although every campaign is different, most BEC attacks follow a familiar pattern.
1. Reconnaissance
Before sending a single email, attackers research their targets extensively. They gather information from:
- Company websites
- Social media profiles
- Professional networking sites such as LinkedIn
- Press releases
- Public filings
- Email formats and naming conventions
Their goal is to understand the organisation’s structure, identify decision-makers and learn how financial or procurement processes operate.
2. Account Compromise or Impersonation
Next, the attacker either:
- Gains access to a legitimate business email account through phishing or credential theft, or
- Creates a spoofed or lookalike email address that closely resembles the real one.
Both approaches are intended to make recipients believe the email is authentic.
3. Building Trust
Rather than launching an obvious attack immediately, criminals often mimic normal business communications.
They may adopt the writing style of an executive, continue an existing email thread or reference genuine projects and suppliers to make their message appear credible.
4. Making the Request
Once trust has been established, the attacker asks the victim to take action.
Common requests include:
- Sending an urgent wire transfer
- Updating supplier bank account details
- Purchasing gift cards
- Sharing payroll or tax information
- Revealing usernames or passwords
- Sending confidential business documents
The message is often framed as highly confidential or time-sensitive to discourage verification.
5. Cashing In
If the victim complies, funds are transferred to attacker-controlled accounts or sensitive data is stolen and exploited. By the time the fraud is discovered, recovering the money can be extremely difficult.
Common Types of BEC Attacks
CEO Fraud
In this scenario, attackers impersonate senior executives and instruct employees to make urgent payments or disclose confidential information.
Because employees naturally trust leadership and may hesitate to question executive requests, these scams can be remarkably effective.
Fake Invoice Scams
Criminals pose as legitimate suppliers and send invoices with altered banking details. The invoice itself may appear genuine, but payment is redirected into the attacker’s account instead of the vendor’s.
Account Takeover
Rather than spoofing an address, attackers compromise a real employee’s mailbox and use it to communicate with customers, suppliers or colleagues. Because the emails originate from a genuine account, they can be especially convincing.
Attorney or Legal Impersonation
Attackers pretend to be lawyers or legal representatives handling confidential matters, often contacting finance or junior employees with urgent requests for payments or sensitive documents.
Payroll and HR Data Theft
Human resources teams are common targets because they manage valuable personal information. Attackers may request employee tax records, salary details or personally identifiable information that can later be used for identity theft or additional fraud.
Red Flags Every Employee Should Know
Most BEC attacks contain subtle warning signs. Be cautious if you notice:
- Urgent requests demanding immediate action
- Unexpected changes to supplier bank details
- Pressure to bypass normal approval processes
- Requests for unusual payment methods such as gift cards or cryptocurrency
- Emails asking for confidential information without explanation
- Slightly altered sender addresses or domains
- Messages that feel inconsistent with the sender’s normal communication style
One extra character in an email address can be the difference between paying a trusted supplier and paying a criminal.
The Business Impact of BEC
The financial consequences of BEC can be severe, but the damage rarely stops there. Organisations may also face:
- Loss of customer trust
- Reputational damage
- Operational disruption
- Regulatory scrutiny
- Legal liability
- Exposure of confidential data
- Costly incident response and recovery efforts
Even when stolen funds are recovered, the investigation and remediation process can consume significant time and resources.
How to Protect Your Organisation
Fortunately, reducing the risk of Business Email Compromise does not rely on a single security tool. It requires a combination of technical controls, well-defined processes and informed employees.
1. Enable Multi-Factor Authentication (MFA)
Protect business email accounts with MFA to make stolen passwords far less useful to attackers. Where possible, prefer phishing-resistant methods, since real-time phishing kits can relay one-time codes entered on a fake login page.
2. Verify Payment Requests Independently
Never rely solely on email to confirm changes to payment instructions or banking details. Instead, verify requests using a trusted communication channel, such as calling the supplier or executive on a previously known phone number, never one supplied in the email itself.
3. Follow Established Approval Processes
Urgency should never override financial controls. Require appropriate approvals for high-value transactions and ensure exceptions are carefully scrutinised.
4. Review Email Addresses Carefully
Before responding or transferring funds, inspect the sender’s actual email address, not just the display name. Small differences can reveal a fraudulent message.
5. Conduct Regular Security Assessments
Periodic reviews of email security controls, authentication mechanisms and user awareness programmes help organisations identify weaknesses before attackers do.
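As an added example (not code from the original article), the Python script below implements the two address checks this article describes: the lookalike-domain patterns shown in the finance@company.com examples earlier, and step 4 above, inspecting the real address behind a display name. It assumes an allowlist of trusted domains (TRUSTED_DOMAINS) and a short table of confusable character sequences; both are illustrative, and the sample From headers are constructed.

```python
"""Triage a From: header for BEC lookalike domains (added example, not the article's code)."""
import re
from email.utils import parseaddr

# Assumption: domains the organisation treats as its own or its known suppliers'.
TRUSTED_DOMAINS = {"company.com"}

# Sequences that render alike in common fonts. "rn" -> "m" is the article's case;
# the rest are common additions, not an exhaustive confusables table.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+\.[a-z]{2,}", re.I)


def _fold(label: str) -> str:
    """Collapse confusable sequences so 'cornpany' compares equal to 'company'."""
    label = label.lower()
    for lookalike, real in CONFUSABLES:
        label = label.replace(lookalike, real)
    return label


def _split(domain: str) -> tuple[str, str]:
    """'company.co' -> ('company', 'co'); everything before the last dot is the name."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def classify_domain(domain: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'external'."""
    domain = domain.lower()
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted", f"matches {t}"
    d_name, d_tld = _split(domain)
    for t in trusted:
        t_name, t_tld = _split(t)
        if d_tld == t_tld and _fold(d_name) == _fold(t_name):
            return "lookalike", f"confusable spelling of {t}"
        if d_name == t_name and d_tld != t_tld:
            return "lookalike", f"same name as {t} under a different TLD"
        # company-security.com or company.com.evil.net: the trusted name appears
        # as a whole label inside a longer domain.
        if t_name in re.split(r"[-.]", d_name):
            return "lookalike", f"{t_name!r} embedded in {domain}"
    return "external", "no trusted domain resembles it"


def assess_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str]:
    """Classify the real address in a From: header, then check the display name."""
    display, addr = parseaddr(from_header)
    if "@" not in addr:
        return "malformed", "no usable address in From header"
    actual_domain = addr.rsplit("@", 1)[1].lower()
    verdict, reason = classify_domain(actual_domain, trusted)
    # Many clients show only the display name, so attackers put a trusted-looking
    # address there: "ceo@company.com" <random@other.net>. Compare what the
    # display name claims with the domain the message actually comes from.
    claimed = ADDR_RE.search(display)
    if claimed:
        claimed_domain = claimed.group(0).rsplit("@", 1)[1].lower()
        if (claimed_domain != actual_domain
                and classify_domain(claimed_domain, trusted)[0] == "trusted"):
            return "lookalike", f"display name claims {claimed_domain}, address is {actual_domain}"
    return verdict, reason


# Constructed sample headers: the article's three lookalikes plus a few more cases.
SAMPLE_HEADERS = [
    '"Finance" <finance@company.com>',
    '"Payroll" <payroll@mail.company.com>',
    '"Finance" <finance@cornpany.com>',
    "finance@company.co",
    "finance@company-security.com",
    '"CEO ceo@company.com" <urgent.request@mail-example.net>',
    '"Accounts" <ap@acme-supplies.example>',
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        verdict, reason = assess_sender(header)
        print(f"{verdict:9} {header!r}: {reason}")
```

Running the script prints a verdict for each sample header. The verdicts are a prompt for human review, not a reason to auto-block: a domain such as company-security.com may be a genuine supplier, and the confusables table is deliberately small. A production mail gateway would use a fuller confusables list and a public-suffix-aware notion of the registrable domain, but the logic is the same: compare the actual sending domain, not the display name, against the domains you already trust.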
Conclusion
Business Email Compromise succeeds because it looks like ordinary business communication. Attackers don’t always need sophisticated malware or advanced hacking techniques. Sometimes, all they need is a convincing email, a believable story and a recipient who is too busy to pause and verify.
When it comes to BEC, taking a minute to verify a request can prevent a mistake that costs millions.
