Jun 18, 2026
Business Email Compromise (BEC): How It Works and How SMEs Stop It

Business email compromise (BEC) is a social-engineering scam where an attacker impersonates a CEO, vendor, or lawyer over email – no malware, no suspicious link – and tricks an employee into wiring money or handing over login credentials. It is one of the most expensive cyber threats in the world: the FBI's Internet Crime Complaint Center (IC3) recorded over $2.9 billion in reported BEC losses in 2023 alone, and cumulative losses since 2013 have surpassed $50 billion globally. For a small business, one convincing fake invoice can drain a bank account in an afternoon.
What is business email compromise (BEC)?
Business email compromise is a targeted attack that uses deception rather than malware. The attacker impersonates someone the victim trusts – a company executive, a supplier, or a legal adviser – and makes a financial or data request that looks completely routine. Unlike phishing campaigns that blast millions of generic emails, BEC is surgical: the attacker researches a specific company and crafts an email that matches the real person's style, title, and timing.
Because there is no malicious attachment and no link to detonate, attachment scanners and URL filters have nothing to flag, and a well-crafted BEC email often passes spam filtering unchanged. The weapon is psychology, not code.
What are the most common types of BEC scams?
BEC comes in several flavours, but they all follow the same playbook: earn trust, manufacture urgency, get the money.
CEO fraud (executive impersonation)
An attacker spoofs or compromises the CEO's email account and contacts the finance team with an urgent, confidential wire transfer request. "Don't call me – I'm in a board meeting. Process this now." The combination of authority and urgency makes employees hesitant to verify.
Invoice fraud and vendor impersonation
The attacker poses as a known supplier and sends a realistic-looking invoice with updated banking details. The company pays, but the money goes to the attacker's account, and the fraud often surfaces only when the real supplier chases the unpaid invoice weeks later. This variant hits especially hard in markets such as Vietnam and the UAE, where cross-border supplier payments are routine.
Account compromise
The attacker gains real access to a legitimate business email account, usually through a phishing page that captures the password (and often the session) or a password reused from another breach, and sends fraudulent requests from the inside. There is no spoofing to detect: the email genuinely comes from the real account, so SPF, DKIM and DMARC all pass, and the attacker can read existing threads to time and word the request perfectly.
Attorney or legal impersonation
An attacker poses as a lawyer handling a confidential matter (merger, lawsuit, acquisition) and pressures the target to transfer funds or share sensitive documents "before the deadline." The legal framing adds credibility.
AI-augmented BEC (the emerging threat)
Generative AI now lets attackers write flawless impersonation emails in any language, in seconds, at scale – including accurate mimicry of an executive's tone and phrasing pulled from public LinkedIn posts or leaked email threads. This is raising the quality ceiling on BEC attacks fast.
How does a BEC attack work? (step-by-step)

A BEC attack is not a random strike – it's a five-stage process that can take weeks.
- Target identification. The attacker picks a company with visible payment activity – often found through LinkedIn, company websites, and news articles. SMEs are prime targets because they typically lack dedicated security staff.
- Reconnaissance. The attacker maps the org chart, identifies the finance decision-maker and their manager, learns the payment process, and harvests email addresses from public sources or data leaks.
- Email impersonation. The attacker either forges the From address of the real domain (which only works if that domain does not enforce DMARC), registers a look-alike domain (e.g. company-name.co instead of company-name.com, or a homoglyph such as rn in place of m), or uses a compromised real account. The message mimics real internal style, often quoting earlier threads.
- The request. An urgent, confidential message lands in the target's inbox – a wire transfer, a password reset, a supplier payment update. Urgency and authority are designed to shut down the victim's instinct to verify.
- Execution. The victim complies. Money leaves, or credentials are handed over. The attacker often covers tracks by deleting sent items and adding inbox rules that forward copies of finance conversations to an external address and delete the originals, so the fraud continues after the first payment and the real correspondent never sees the replies.
"BEC is the costliest crime type we track," the FBI stated in its 2023 Internet Crime Report. "It requires no technical sophistication – only knowledge of how businesses communicate." (FBI IC3, 2023)
Why is BEC so hard to detect – especially for SMEs?
BEC is hard to catch because it doesn't look like an attack. There's no malware for antivirus to flag. There's no suspicious URL for a web filter to block. The email looks normal because it was crafted to look normal.
For SMEs, three factors make this worse:
- No dedicated security analyst watching email traffic for anomalies
- Small teams where authority is concentrated – one person often controls both approval and payment
- High trust in senior leadership, which attackers exploit directly
The finance or accounts payable person receiving a wire request from the "CEO" isn't thinking about cybersecurity. They're thinking about getting the job done.
How can SMEs detect and prevent BEC?

You don't need a security operations centre to protect against BEC. You need the right combination of technical controls, process rules, and monitoring.
Technical controls: close the email authentication gap
Most BEC spoofing works because the impersonated domain has weak or missing email authentication. Set up SPF, DKIM, and DMARC on your domain: SPF lists the servers allowed to send for it, DKIM signs outgoing mail, and DMARC tells receiving servers what to do with a message that fails both checks. The DMARC policy must be p=quarantine or p=reject; p=none only reports and still lets spoofed mail through. Be clear about what this does not cover: a look-alike domain the attacker owns passes its own authentication, and a compromised real account passes yours. Enable multi-factor authentication (MFA) on every business email account, preferably a phishing-resistant method such as FIDO2 security keys or passkeys, so a leaked password alone does not hand over the mailbox. If you're unsure whether your domain has these configured, ask your IT provider to check the TXT records at your domain and at _dmarc.yourdomain. It takes an afternoon to set up and removes the cheapest BEC entry point.
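The check an IT provider would run on those TXT records, as an added example that is not part of the original article: it parses an SPF and a DMARC record and lists the gaps a spoofer would exploit (permissive `?all`/`+all`, `p=none`, partial `pct`, no reporting address). The records are constructed strings so the script runs offline; fetching them from DNS (for example with `dig TXT _dmarc.example.com`) is assumed to happen outside this code.

```python
"""Assess a domain's SPF and DMARC records for the weaknesses that let it be spoofed.

Added example, not from the original article. The records are parsed from strings
so the script runs offline; in practice you would look up the TXT records at
example.com (SPF) and _dmarc.example.com (DMARC) with dig or dnspython.
"""
from __future__ import annotations


def parse_spf(record: str) -> dict:
    """Return the 'all' qualifier and the other mechanisms of an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"valid": False, "all": None, "mechanisms": []}
    all_qualifier = None
    mechanisms = []
    for term in terms[1:]:
        qualifier = "+"                      # SPF's default qualifier is Pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            all_qualifier = qualifier
        else:
            mechanisms.append(term)
    return {"valid": True, "all": all_qualifier, "mechanisms": mechanisms}


def parse_dmarc(record: str) -> dict:
    """Return the DMARC tags as a dict, e.g. {'v': 'DMARC1', 'p': 'none'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess(spf_record: str | None, dmarc_record: str | None) -> list[str]:
    """List the gaps a BEC spoofer would exploit; an empty list means enforced."""
    findings = []

    if spf_record is None:
        findings.append("SPF: no record, so any server may send as this domain")
    else:
        spf = parse_spf(spf_record)
        if not spf["valid"]:
            findings.append("SPF: record does not start with v=spf1")
        elif spf["all"] in (None, "+", "?"):
            findings.append("SPF: 'all' is missing or permissive; end the record with ~all or -all")

    if dmarc_record is None:
        findings.append("DMARC: no record, so SPF/DKIM failures are never acted on")
    else:
        dmarc = parse_dmarc(dmarc_record)
        policy = dmarc.get("p", "").lower()
        if dmarc.get("v", "").upper() != "DMARC1":
            findings.append("DMARC: record does not start with v=DMARC1")
        elif policy == "none":
            findings.append("DMARC: p=none only reports; spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: unrecognised or missing policy {policy!r}")
        pct = dmarc.get("pct", "100")
        if policy in ("quarantine", "reject") and pct != "100":
            findings.append(f"DMARC: pct={pct} leaves part of the failing mail unenforced")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua address, so you will never see who is spoofing you")
    return findings


# Constructed records for a domain before and after the fix.
WEAK_SPF = "v=spf1 include:_spf.google.com ?all"
WEAK_DMARC = "v=DMARC1; p=none"
FIXED_SPF = "v=spf1 include:_spf.google.com -all"
FIXED_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"

if __name__ == "__main__":
    for label, spf, dmarc in (("before", WEAK_SPF, WEAK_DMARC), ("after", FIXED_SPF, FIXED_DMARC)):
        print(label, assess(spf, dmarc) or ["no findings"])
```

The script only judges record syntax: it cannot tell you whether DKIM signing is actually switched on at your mail provider, or whether the SPF includes cover every service that sends on your behalf. Roll DMARC out as p=none with rua reporting first, read the reports for a couple of weeks to find legitimate senders you forgot, then move to quarantine and finally reject.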
Process controls: put a human checkpoint on money movement
Establish a rule: no wire transfer, payment detail change, or large invoice is processed without verbal confirmation via a known phone number, never by replying to the same email thread and never using a number supplied in the email itself. For a supplier's change of bank details, call the number you had on file before the change. This single rule stops the majority of BEC attempts cold. Dual approval for payments above a threshold (e.g. $5,000) adds a second checkpoint, provided the two approvers are different people.
Employee awareness: teach the warning signs
Train your team to spot these BEC red flags:
- Urgency + secrecy ("handle this now, don't tell anyone")
- Request to change payment details via email only
- Slight domain variation (company-narne.com, with rn standing in for m, vs company-name.com; or .co instead of .com)
- Out-of-character requests from a known contact
- Pressure not to verify through normal channels
A culture where employees feel safe saying "let me just call and confirm" is your strongest BEC defence. For deeper coverage, our guide on detecting credential theft in your business covers the signs that a BEC has already moved into account compromise territory.
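The same red flags, checked by code rather than by eye, as an added example that is not part of the original article: it parses a raw message with Python's standard `email` module and reports a look-alike sender domain (homoglyph swap or one or two characters off), an executive's display name on an address that is not theirs, a Reply-To pointing somewhere other than the From domain, and urgency or secrecy wording. The trusted domain, the executive list and both sample messages are constructed; a mail gateway or an add-in would feed it real messages.

```python
"""Flag the BEC tells in one inbound message: look-alike sender domain, executive
display name on a foreign address, mismatched Reply-To, and urgency/secrecy language.

Added example, not from the original article. The trusted domain, executive list
and the sample messages are constructed for illustration.
"""
from __future__ import annotations

import email
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"company-name.com"}                     # assumption: our own domain(s)
EXECUTIVES = {"jane doe": "jane.doe@company-name.com"}     # assumption: display name -> real address
# Character swaps that look identical at a glance in common fonts.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))
URGENCY_PHRASES = ("urgent", "immediately", "confidential", "do not discuss",
                   "don't discuss", "don't tell", "before the deadline", "can't take calls")


def normalise(domain: str) -> str:
    """Collapse homoglyph pairs so company-narne.com compares equal to company-name.com."""
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; catches company-name.co and compamy-name.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> str | None:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == trusted or levenshtein(domain, trusted) <= 2:
            return trusted
    return None


def analyse(raw: str) -> list[str]:
    """Return 'CODE: detail' strings for each BEC indicator found in an RFC 5322 message."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if "@" in reply_addr else ""
    body = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")).lower()

    flags = []
    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"LOOKALIKE_DOMAIN: {from_domain} imitates {imitated}")
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        flags.append(f"EXEC_NAME_MISMATCH: '{from_name}' sent from {from_addr}, not {real_addr}")
    if reply_domain and reply_domain != from_domain:
        flags.append(f"REPLY_TO_MISMATCH: replies go to {reply_domain}, not {from_domain}")
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        flags.append("URGENCY: " + ", ".join(hits))
    return flags


# Constructed sample: the CEO-fraud message described above, as raw headers and body.
SUSPICIOUS = """\
From: "Jane Doe" <jane.doe@company-narne.com>
Reply-To: <ceo.office@mail.example>
To: finance@company-name.com
Subject: Urgent wire transfer - confidential
Content-Type: text/plain; charset="utf-8"

I'm in a board meeting and can't take calls. Please process the supplier payment
today and don't discuss this with anyone.
Jane
"""

# Constructed sample: a routine message from the real executive address.
LEGITIMATE = """\
From: "Jane Doe" <jane.doe@company-name.com>
To: finance@company-name.com
Subject: Q3 budget review
Content-Type: text/plain; charset="utf-8"

Can we move the budget review to Thursday? Jane
"""

if __name__ == "__main__":
    for flag in analyse(SUSPICIOUS):
        print(flag)
```

None of these signals is proof on its own; a genuine executive travelling may well write "urgent" from a phone. The point is that a message scoring on two or more of them should never reach payment without the phone call the process rule demands.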
24/7 monitoring: catch what humans miss
Even with training and technical controls, attackers adapt. The highest-risk scenario is a compromised internal account, where the attacker is already inside and sending authenticated mail from a real address. Catching this requires monitoring for anomalous mailbox behaviour: inbox rules that forward to external addresses or delete mail, especially when added outside business hours; sign-ins from unexpected locations; newly registered MFA devices or OAuth app consents; and sudden changes in email volume from a finance-team address.
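What that monitoring looks like in code, as an added example that is not part of the original article or of any ShieldNet product: three detections run over a handful of mailbox audit events, covering inbox rules that forward externally or delete mail (with an off-hours flag), sign-ins from countries staff do not work from, and an outbound-volume spike from a finance mailbox. The event shape loosely follows the Microsoft 365 unified audit log (Operation, UserId, ClientIP, Parameters), but the events, the GeoIP table, the business hours and the send baseline are all constructed assumptions.

```python
"""Run three BEC post-compromise detections over mailbox audit events: inbox rules
that forward externally or delete mail (especially off-hours), sign-ins from
unexpected countries, and an outbound-volume spike from a finance mailbox.

Added example, not from the original article. The event shape loosely follows the
Microsoft 365 unified audit log, but the events, GeoIP table and baselines below
are constructed for illustration.
"""
from __future__ import annotations

from collections import Counter
from datetime import datetime

OUR_DOMAIN = "company-name.com"
BUSINESS_HOURS = range(8, 19)              # 08:00-18:59 UTC; assumption
EXPECTED_COUNTRIES = {"VN", "AE"}          # where staff normally sign in from; assumption
GEOIP = {"203.0.113.10": "RU", "198.51.100.5": "VN", "192.0.2.7": "AE"}  # stand-in for a GeoIP lookup
BASELINE_SENDS_PER_DAY = {"finance@company-name.com": 20}   # learned from past weeks; assumption
SPIKE_FACTOR = 3


def _params(event: dict) -> dict:
    return {p["Name"]: str(p["Value"]) for p in event.get("Parameters", [])}


def _when(event: dict) -> datetime:
    return datetime.fromisoformat(event["CreationTime"].replace("Z", "+00:00"))


def check_inbox_rule(event: dict) -> list[str]:
    """New-InboxRule / Set-InboxRule: external forwarding, deletion, off-hours creation."""
    flags, params, who = [], _params(event), event["UserId"]
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = params.get(key, "")
        if target and not target.lower().endswith("@" + OUR_DOMAIN):
            flags.append(f"EXTERNAL_FORWARD: {who} rule forwards to {target}")
    if params.get("DeleteMessage", "").lower() == "true":
        flags.append(f"RULE_DELETES_MAIL: {who} rule silently deletes matching mail")
    # Off-hours creation only matters when the rule itself is suspicious.
    if flags and _when(event).hour not in BUSINESS_HOURS:
        flags.append(f"RULE_OFF_HOURS: {who} rule created at {event['CreationTime']}")
    return flags


def check_login(event: dict) -> list[str]:
    """UserLoggedIn from a country outside the expected set."""
    ip = event.get("ClientIP", "")
    country = GEOIP.get(ip, "??")
    if country not in EXPECTED_COUNTRIES:
        return [f"UNEXPECTED_LOGIN_COUNTRY: {event['UserId']} from {ip} ({country})"]
    return []


def check_send_volume(events: list[dict]) -> list[str]:
    """Sends per user in the window compared with that user's learned baseline."""
    sends = Counter(e["UserId"] for e in events if e["Operation"] == "Send")
    return [f"SEND_SPIKE: {user} sent {n} messages vs baseline {BASELINE_SENDS_PER_DAY[user]}"
            for user, n in sends.items()
            if user in BASELINE_SENDS_PER_DAY and n > SPIKE_FACTOR * BASELINE_SENDS_PER_DAY[user]]


def detect(events: list[dict]) -> list[str]:
    flags = []
    for e in events:
        if e["Operation"] in ("New-InboxRule", "Set-InboxRule"):
            flags += check_inbox_rule(e)
        elif e["Operation"] == "UserLoggedIn":
            flags += check_login(e)
    return flags + check_send_volume(events)


FINANCE = "finance@company-name.com"
# Constructed events: an attacker signs in at 02:05 UTC, adds a forward-and-delete rule,
# then uses the mailbox to push payment requests; HR adds a harmless rule at 11:00.
EVENTS = [
    {"CreationTime": "2026-06-17T02:05:00Z", "Operation": "UserLoggedIn",
     "UserId": FINANCE, "ClientIP": "203.0.113.10"},
    {"CreationTime": "2026-06-17T02:13:00Z", "Operation": "New-InboxRule",
     "UserId": FINANCE, "ClientIP": "203.0.113.10",
     "Parameters": [{"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "ForwardTo", "Value": "collector@mail.example"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"CreationTime": "2026-06-17T10:00:00Z", "Operation": "UserLoggedIn",
     "UserId": "ceo@company-name.com", "ClientIP": "198.51.100.5"},
    {"CreationTime": "2026-06-17T11:00:00Z", "Operation": "New-InboxRule",
     "UserId": "hr@company-name.com", "ClientIP": "192.0.2.7",
     "Parameters": [{"Name": "From", "Value": "jobs@company-name.com"},
                    {"Name": "MoveToFolder", "Value": "Applications"}]},
] + [{"CreationTime": f"2026-06-17T{2 + i // 30:02d}:{i % 30:02d}:00Z", "Operation": "Send",
      "UserId": FINANCE, "ClientIP": "203.0.113.10"} for i in range(65)]

if __name__ == "__main__":
    for flag in detect(EVENTS):
        print(flag)
```

The forwarding-rule check is the one to run first and retroactively: a rule that forwards "invoice" or "payment" mail to an external address and deletes the original is close to a signature of a BEC-stage account takeover, and it persists after the password is changed unless someone removes it.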
This is exactly the kind of signal a managed detection and response (MDR) service monitors around the clock. If you don't have the capacity to watch your own email environment 24/7, ShieldNet's upcoming email security product does, detecting the behavioural anomalies that precede or follow a BEC attack before the wire transfer goes out. For teams already stretched thin, our guide to managing security alerts without a full-time team covers how to keep response manageable.
What should you do if your business is hit by a BEC attack?
Speed matters. Stolen funds are usually moved on to other accounts within hours, so recovery is most likely if you act within the first 24 to 72 hours; after that the money has typically been layered beyond reach.
- Contact your bank immediately. Ask them to initiate a recall of the transfer (a SWIFT recall for international wires) and to contact the beneficiary bank to freeze the funds. For transfers involving US banks, ask whether they can engage FinCEN's Rapid Response Program and the FBI IC3 Recovery Asset Team, which exist for exactly this situation.
- Report to the FBI IC3. File a complaint at ic3.gov. The IC3 coordinates with financial institutions and international partners to freeze and recover funds – but only if reported fast.
- Lock the compromised account. Reset credentials, revoke active sessions and refresh tokens, and audit inbox rules (forwarding, redirection, deletion), newly registered MFA devices, and OAuth app consents immediately. BEC attackers routinely keep access after the initial fraud, and a forwarding rule survives a password reset. Our guide to spotting account takeover early walks through the post-incident checklist.
- Preserve evidence. Do not delete the fraudulent emails – they are evidence for law enforcement and insurance claims.
- Notify affected parties. If the BEC involved customer or partner data, check your local data protection obligations (Decree 13/2023/ND-CP on Personal Data Protection, the PDPD, in Vietnam; UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection).
Frequently asked questions
What is the difference between BEC and phishing?
Phishing is a broad, volume-based attack – millions of generic emails designed to steal credentials from anyone who clicks. BEC is highly targeted and often involves no link or attachment at all; the attacker uses social engineering and impersonation to manipulate a specific person at a specific company into taking a financial action. BEC is typically far more expensive per incident.
What is an example of a business email compromise attack?
A finance manager receives an email that appears to come from the CEO asking for an urgent wire transfer to close a deal, marked confidential, with a request not to discuss it with colleagues. The "CEO" address is actually a look-alike that differs from the real one by a character or two in the domain. The manager, under time pressure, processes the payment. The money goes to an attacker-controlled account overseas.
How do attackers get the information they need for a BEC scam?
Primarily from public sources: company websites, LinkedIn profiles, press releases, and social media. Org charts, reporting lines, executive names, and even the company's email address pattern (first name dot last name, for example) are often publicly visible. Attackers also buy leaked email databases from dark-web markets to identify valid email addresses and map corporate relationships.
Does BEC only happen over email?
Email is the primary channel, but attackers are increasingly using phone calls (vishing), SMS, and even WhatsApp to supplement – particularly in the verification phase. AI-generated voice clones of executives are a growing tactic: an employee receives a call from "the CEO's voice" instructing them to process a payment. Always verify financial requests through a pre-established, out-of-band contact method.
Can managed security services stop business email compromise?
Not entirely on their own – because BEC is partly a human problem. But an MDR service adds the detection layer that purely technical controls miss: monitoring for compromised account behaviour, unusual email forwarding rules, and suspicious login activity that indicates an attacker is already inside. Combined with the process and awareness controls above, it closes the gap that leaves most SMEs exposed.