What Is Business Email Compromise (BEC)? How the Scam Works
Business email compromise skips the malware and goes straight for the wire transfer — impersonating a trusted executive or vendor to trick an employee into sending money. It's one of the costliest cybercrimes.
Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team. See our editorial & corrections policy.
Business email compromise (BEC) is a type of targeted email scam in which an attacker impersonates a trusted party — typically a senior executive, a vendor, or a colleague — to trick an organization into transferring money or handing over sensitive information. Unlike most cyberattacks, BEC often involves no malware at all. It's a pure social engineering attack that exploits human trust and business processes, which is exactly what makes it so effective and so hard to catch with technical defenses. By the numbers, BEC is consistently one of the costliest categories of cybercrime, responsible for billions in losses.
In short: BEC weaponizes trust and urgency rather than code. There's no virus to detect — just a convincing email asking someone to do their job a little too quickly.
Why BEC is so dangerous
- It bypasses technical defenses. With no malicious attachment or link, BEC emails often sail past antivirus and filters that hunt for malware.
- It's highly targeted. Attackers research their victims and craft tailored, believable messages — a form of spear phishing.
- It exploits authority and urgency. A request that appears to come from the CEO, marked urgent and confidential, pressures employees to act without verifying.
- The losses are large and immediate. A single successful wire transfer can move hundreds of thousands or millions of dollars, often irrecoverable once sent.
How a BEC attack works
- Research. The attacker studies the target organization — identifying executives, finance staff, vendors, and ongoing deals, often using OSINT and social media.
- Set up the impersonation. They either spoof a trusted email address, register a look-alike domain, or actually compromise a real mailbox (account takeover) to send from a genuine address.
- Make the request. Posing as the trusted party, they send a plausible, urgent request — to change payment details, approve a wire transfer, or share sensitive data.
- Cash out. The victim complies, sending funds to an attacker-controlled account or releasing information that fuels further fraud.
Common types of BEC
- CEO fraud: impersonating a senior executive to order an urgent wire transfer from finance staff.
- Vendor / invoice fraud (VEC): impersonating a supplier to redirect a legitimate invoice payment to a fraudulent account — often the most lucrative variant.
- Account compromise: taking over a real employee mailbox and using it to send fraudulent requests from a trusted internal address.
- Attorney impersonation: posing as a lawyer handling a confidential, time-sensitive matter to pressure a quick payment.
- Data theft: targeting HR or finance to steal employee tax forms, payroll data, or other sensitive records.
- Payroll diversion: impersonating an employee to redirect their salary to a new account.
BEC vs ordinary phishing
BEC is a specialized, high-end form of phishing, but it differs in important ways. Mass phishing casts a wide net with malicious links or attachments; BEC is precisely targeted, usually contains no malicious payload, and relies entirely on impersonation and persuasion. That absence of a technical "hook" is why BEC evades many email defenses and why people — not just technology — are the critical line of defense.
How to prevent business email compromise
- Verify out-of-band. The single most effective control: confirm any payment or account-change request through a separate, known channel (a phone call to a verified number) — never by replying to the email.
- Enforce payment controls. Require dual approval for wire transfers and changes to vendor banking details, with mandatory callbacks to verified contacts.
- Authenticate email. Implement SPF, DKIM, and DMARC to make domain spoofing harder, and flag external emails clearly.
- Protect accounts with MFA. Phishing-resistant multi-factor authentication reduces the mailbox takeovers that power the most convincing BEC.
- Train continuously. Teach staff — especially finance and executives — to recognize urgency, authority pressure, and unusual requests, and make verifying a normal, expected step.
- Have a response plan. Fast action (contacting banks within hours) can sometimes recall a fraudulent transfer, so build BEC into your incident response playbooks.
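As an added example (not code from the original article), a small Python triage check that applies three of the controls above to one inbound message: a look-alike sender domain (folding glyph substitutions such as rn for m, plus string similarity to a trusted-domain list), a missing DMARC pass in the gateway's Authentication-Results header, and payment/urgency wording. The trusted domains and the sample message are constructed, and it assumes the inbound gateway stamps Authentication-Results (RFC 8601) before the message reaches this check.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed for this example: the organisation's own domain plus one vendor,
# and wording common in BEC payment requests (a signal, not a verdict).
TRUSTED_DOMAINS = {"example.com", "acme-supplies.example"}
PAYMENT_PHRASES = ("wire transfer", "new account", "bank details", "urgent", "confidential")

# Constructed sample: CFO impersonation from a look-alike domain (rn for m).
SAMPLE_MESSAGE = """From: "Jane Doe, CFO" <jane.doe@exarnple.com>
Subject: URGENT and confidential - wire transfer today
Authentication-Results: mx.example.com; spf=pass; dmarc=none

Please send the deposit to the new account below and keep this confidential.
"""

def normalise(domain):
    """Fold substitutions that read the same at a glance (rn->m, vv->w, 0->o, 1->l)."""
    d = domain.lower()
    for fake, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")):
        d = d.replace(fake, real)
    return d

def lookalike_of(domain):
    """Trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalise(domain) == trusted or SequenceMatcher(None, domain, trusted).ratio() >= 0.9:
            return trusted
    return None

def assess(raw_message):
    """Return the BEC indicators found in one RFC 5322 message, as strings."""
    msg = message_from_string(raw_message)
    sender = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    imitated = lookalike_of(sender)
    if imitated:
        findings.append("sender domain imitates " + imitated)
    # Assumes the inbound gateway has stamped Authentication-Results (RFC 8601).
    if "dmarc=pass" not in msg.get("Authentication-Results", "").lower():
        findings.append("no DMARC pass for sender domain")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [p for p in PAYMENT_PHRASES if p in text]
    if len(hits) >= 2:
        findings.append("payment/urgency language: " + ", ".join(hits))
    return findings
```

Any finding is a prompt for the out-of-band callback, not a block: a legitimate vendor that has not yet deployed DMARC will also fail the second check.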
A typical BEC scenario — and what to do if you're hit
A finance clerk receives an email that appears to come from the CFO, sent late on a Friday: a confidential acquisition is closing, a deposit must be wired immediately to a new account, and discretion is essential. The tone, signature, and sense of urgency all feel right — but the CFO never sent it. The address is a look-alike domain, or the CFO's mailbox was quietly compromised. If the clerk wires the funds, the money is often moved through a chain of accounts and withdrawn within hours.
If you believe you've fallen victim, speed is everything. Contact your bank immediately and request a recall or freeze of the transfer — same-day action sometimes recovers the funds. Report it to law enforcement and any relevant national cybercrime body, which may be able to help halt the transfer through banking channels. Preserve the emails as evidence, reset credentials and check for mailbox rules the attacker may have set to hide their activity, and review whether other fraudulent requests went out. Then fold the lessons back into your incident response and payment-control processes so the next attempt is caught before money moves. Crucially, treat a successful BEC as more than a financial loss: if a mailbox was compromised to send the request, the attacker may still have access, so resetting credentials and hunting for their persistence is as important as recovering the funds.
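One way to do the mailbox-rule check from the paragraph above, as an added example that is not from the original article: a Python triage over rules exported from the compromised mailbox. The rules here are a constructed list whose field names follow Exchange Online's Get-InboxRule output; the internal-domain, hiding-folder and payment-keyword lists are assumptions to tune for your environment. It flags external forwarding, rules that delete or bury payment-related mail, and the one-character rule names attackers often use.

```python
INTERNAL_DOMAINS = {"example.com"}   # constructed: the organisation's own mail domains
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email", "archive"}
PAYMENT_WORDS = ("invoice", "payment", "wire", "bank", "remittance", "password")

# Constructed sample shaped like Exchange Online Get-InboxRule output (Name, Enabled,
# ForwardTo, RedirectTo, DeleteMessage, MoveToFolder, MarkAsRead, SubjectContainsWords).
# Two attacker-style rules followed by one benign rule; addresses are placeholders.
SAMPLE_RULES = [
    {"Name": ".", "Enabled": True, "ForwardTo": [], "RedirectTo": [], "DeleteMessage": True,
     "MoveToFolder": None, "MarkAsRead": False, "SubjectContainsWords": ["invoice", "wire"]},
    {"Name": "Sync", "Enabled": True, "ForwardTo": ["finance-backup@mail-drop.example"],
     "RedirectTo": [], "DeleteMessage": False, "MoveToFolder": "RSS Feeds", "MarkAsRead": True,
     "SubjectContainsWords": []},
    {"Name": "Newsletters", "Enabled": True, "ForwardTo": [], "RedirectTo": [], "DeleteMessage": False,
     "MoveToFolder": "Reading", "MarkAsRead": False, "SubjectContainsWords": ["newsletter"]},
]

def external_targets(rule):
    """Addresses the rule forwards or redirects to outside the organisation."""
    targets = list(rule.get("ForwardTo") or []) + list(rule.get("RedirectTo") or [])
    return [t for t in targets if t.rpartition("@")[2].lower() not in INTERNAL_DOMAINS]

def reasons(rule):
    """Why this rule looks like BEC tradecraft; an empty list means nothing was flagged."""
    out = []
    ext = external_targets(rule)
    if ext:
        out.append("forwards to external: " + ", ".join(ext))
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = bool(rule.get("DeleteMessage")) or folder in HIDING_FOLDERS
    words = [w.lower() for w in rule.get("SubjectContainsWords") or []]
    money = [w for w in words if any(p in w for p in PAYMENT_WORDS)]
    if hides and money:
        out.append("hides messages about: " + ", ".join(money))
    elif hides and rule.get("MarkAsRead"):
        out.append("hides messages and marks them read")
    if len(rule.get("Name", "").strip()) <= 1:
        out.append("suspicious rule name " + repr(rule.get("Name", "")))
    return out

def triage(rules):
    """Map rule name -> findings for every enabled rule with at least one finding."""
    return {r["Name"]: reasons(r) for r in rules if r.get("Enabled", True) and reasons(r)}
```

Run the same triage over every mailbox that touches payments, not only the one that received the request, because a compromised account is often used to watch the whole thread.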
Where threat intelligence fits
Threat intelligence tracks the look-alike domains, spoofing infrastructure, and BEC campaigns targeting specific industries, as well as the compromised credentials — often from infostealers — that enable mailbox takeover. Early warning of a domain registered to impersonate your company, or of credentials exposed for a finance employee, lets you act before the fraudulent request is ever sent.
The bottom line
Business email compromise is a targeted, malware-free scam that impersonates a trusted executive or vendor to trick organizations into wiring money or sharing data — and it's among the costliest cybercrimes. Because it exploits human trust and process rather than code, defense centers on out-of-band verification, strict payment controls, email authentication, MFA, and ongoing training. To track the impersonation infrastructure and credential exposure behind these scams, follow our live threat intelligence feed, aggregated from dozens of authoritative sources.
Frequently asked questions
What is business email compromise (BEC)?
Business email compromise is a targeted email scam in which an attacker impersonates a trusted executive, vendor, or colleague to trick an organization into transferring money or sharing sensitive information. It typically involves no malware, relying instead on social engineering and impersonation.
What are the main types of BEC?
Common types include CEO fraud (impersonating an executive for urgent transfers), vendor/invoice fraud (redirecting supplier payments), account compromise (using a hijacked real mailbox), attorney impersonation, data theft targeting HR/finance, and payroll diversion.
How is BEC different from phishing?
BEC is a specialized, highly targeted form of phishing that usually contains no malicious link or attachment, relying entirely on impersonation and persuasion. Mass phishing casts a wide net with malicious payloads. BEC's lack of a technical hook is why it evades many email defenses.
How do you prevent business email compromise?
Verify payment and account-change requests out-of-band through a known channel, enforce dual approval and callback controls for wire transfers and vendor changes, implement SPF/DKIM/DMARC, protect mailboxes with phishing-resistant MFA, train staff to spot urgency and authority pressure, and plan fast response.
Why is BEC so costly?
BEC targets financial processes directly, so a single successful request can move hundreds of thousands or millions of dollars, often to accounts that are quickly emptied and hard to recover. Combined with its ability to bypass malware-focused defenses, this makes it one of the costliest cybercrimes.