What Is Business Email Compromise and How to Protect Your Company

Jeremy Phillips · February 4, 2026 · 6 min read · beginner

Business email compromise (BEC) is a type of attack where a criminal impersonates a trusted person, typically a CEO, vendor, or attorney, to trick an employee into sending money or sensitive information. BEC attacks cause more financial damage than any other type of cybercrime, with the FBI reporting over $2.9 billion in losses in a single year. Unlike ransomware, which is loud and obvious, BEC is quiet. There is no malware, no locked screens, and often no sign anything happened until the money is gone.

How BEC Attacks Work

A BEC attack starts with research. The attacker learns about your company by browsing your website, LinkedIn profiles, and social media. They identify who the CEO is, who handles finances, who your vendors are, and how your company communicates internally.

Next, the attacker either compromises a real email account (through phishing, credential theft, or password spraying) or creates a lookalike email address that is almost identical to a real one. For example, they might register "athencla.com" instead of "athencia.com," a difference most people would not notice in a busy inbox.

Then comes the request. The attacker sends a convincing email asking for an urgent wire transfer, payment to a new bank account, or sensitive data like W-2 forms or employee records. The email appears to come from someone the employee trusts and expects to receive instructions from. The urgency and authority built into the request pressure the employee into acting quickly without verifying through a separate channel.

The entire attack relies on social engineering, not technology. That is what makes it so effective and so difficult for traditional security tools to catch.

Common BEC Scenarios

CEO fraud. An email appearing to come from the CEO or owner asks the bookkeeper or office manager to wire funds for a "confidential acquisition" or "urgent vendor payment." The email often includes language like "handle this quietly" or "I'm in a meeting, can you take care of this before end of day?"

Vendor invoice manipulation. An email appearing to come from a real vendor says "our bank account has changed, please send future payments to this new account number." The email may include a convincing invoice with the correct logo, formatting, and amounts, but with different banking details.

Attorney impersonation. A fake attorney contacts an employee about a "confidential legal matter" requiring immediate payment. These often target finance staff and use legal urgency to discourage questions.

Payroll diversion. An email appearing to come from an employee asks HR to update their direct deposit information to a new bank account. The employee's real paycheck then goes to the attacker.

Data theft. A request for W-2s, employee lists, Social Security numbers, or client data, sent to HR or the office manager from what appears to be the CEO. This information is then used for identity theft or sold on the dark web.

Why Small Businesses Are Especially Vulnerable

Small businesses are the ideal target for BEC because they often have fewer approval layers for financial transactions. One person may handle all payments, and a request from the owner is rarely questioned. There is often no formal verification process for changing vendor payment details or processing wire transfers.

Smaller teams also mean fewer people to notice something is off. In a larger company, a suspicious wire transfer request might pass through multiple approvals and raise questions. In a 15-person company, the person who handles the books may simply process the request because the email looks like it came from the boss.

The amounts requested in BEC attacks are often deliberately calibrated. Attackers request amounts large enough to be profitable but small enough to avoid triggering bank fraud alerts or unusual payment scrutiny. A $28,000 wire transfer feels urgent but not outlandish, which is exactly the point.

Protection Step 1: Implement Verification Procedures

The most effective defense against BEC is a simple human process: verify before you act.

Require verbal (phone call) confirmation for any wire transfer, payment change, or new vendor setup. Call the person using a phone number you already have on file, not a number provided in the email. If the CEO sends an email requesting a wire transfer, call the CEO on their known cell phone number and confirm it.

Require dual authorization for wire transfers and payments above a set threshold. No single person should be able to initiate and approve a large payment on their own.

Never change vendor payment details based solely on an email request. Always verify new banking information through a known contact at the vendor company, using a phone number from your records.

These verification steps may feel like extra work, but they are far cheaper than losing $50,000 to a fraudulent wire transfer.

Protection Step 2: Secure Your Email Accounts

If an attacker cannot compromise your actual email accounts, they are limited to spoofing or lookalike domains, which are easier to detect. Locking down your email is critical.

Enable MFA on all email accounts. This is the single most effective technical protection against account compromise. If an attacker phishes an employee's password, MFA stops them from signing in. Use Conditional Access policies in Entra ID to enforce MFA across your entire Microsoft 365 tenant, not just for users who remember to turn it on.

Configure anti-phishing policies in Microsoft Defender for Office 365. Defender for Office 365, included with Microsoft 365 Business Premium, provides impersonation protection that flags emails where the sender's name matches a known internal user but the email address does not. This catches many BEC attempts before they reach the inbox.

Enable mailbox auditing to detect unauthorized access to email accounts. Microsoft 365 has mailbox auditing enabled by default, but verify it is active for all users.
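The two settings described in the previous paragraphs, impersonation protection and mailbox auditing, can both be verified from Exchange Online PowerShell. The script below is an added example, not code from the article or from Microsoft; it assumes the ExchangeOnlineManagement module is installed and that the signed-in account holds an Exchange administrator role in the tenant.

```powershell
# Added example (not from the article): report the state of mailbox auditing and
# of impersonation protection in the tenant's anti-phishing policies.
# Assumes: ExchangeOnlineManagement module installed, Exchange admin role.

Connect-ExchangeOnline -ShowBanner:$false

# --- 1. Mailbox auditing ---
# Auditing is on by default tenant-wide, but it can be switched off at the
# organization level or for individual mailboxes, so check both.
$org = Get-OrganizationConfig
if ($org.AuditDisabled) {
    Write-Warning "Mailbox auditing is DISABLED at the organization level."
}

$unaudited = @(Get-EXOMailbox -ResultSize Unlimited -Properties AuditEnabled, AuditLogAgeLimit |
    Where-Object { -not $_.AuditEnabled })
if ($unaudited.Count -gt 0) {
    Write-Warning "Mailboxes with auditing turned off:"
    $unaudited | Select-Object UserPrincipalName, AuditLogAgeLimit | Format-Table -AutoSize
} else {
    Write-Host "All mailboxes have auditing enabled."
}

# --- 2. Anti-phishing (impersonation) policies ---
# For every policy, show whether user, domain and mailbox-intelligence
# impersonation protection are on, who is covered, and what happens on a hit.
# Impersonation protection requires Defender for Office 365 (e.g. Business Premium).
Get-AntiPhishPolicy | ForEach-Object {
    [pscustomobject]@{
        Policy              = $_.Name
        Enabled             = $_.Enabled
        UserImpersonation   = $_.EnableTargetedUserProtection
        ProtectedUsers      = ($_.TargetedUsersToProtect -join '; ')
        DomainImpersonation = $_.EnableTargetedDomainsProtection
        OwnDomainsProtected = $_.EnableOrganizationDomainsProtection
        MailboxIntelligence = $_.EnableMailboxIntelligenceProtection
        UserAction          = $_.TargetedUserProtectionAction
    }
} | Format-List

Disconnect-ExchangeOnline -Confirm:$false
```

A sensible target for a small tenant is: no mailbox listed under "auditing turned off", the CEO, owner and finance staff listed under ProtectedUsers, OwnDomainsProtected set to True, and UserAction set to quarantine rather than "no action".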

Set up alerts for mail forwarding rule changes. One of the first things an attacker does after compromising an account is set up a forwarding rule to intercept replies. Configure alerts in the Security & Compliance center to notify admins when new forwarding rules are created.

Huntress provides identity threat detection and response (ITDR) that monitors for suspicious sign-in activity, credential attacks, and account takeover attempts across your Microsoft 365 environment. This adds a layer of 24/7 human monitoring that catches identity-based threats that automated tools may miss.

Protection Step 3: Protect Against Domain Spoofing

Configure SPF, DKIM, and DMARC on your email domain to prevent attackers from sending email that appears to come from your exact domain. With DMARC set to a "reject" policy, spoofed emails are blocked by the receiving server and never delivered.

This does not prevent lookalike domains (athencla.com vs. athencia.com), but it stops exact-domain spoofing. For a detailed setup guide, see our article on how to secure your business email against spoofing with SPF, DKIM, and DMARC.
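The following script is an added example, not part of the article, that checks the three records described above for a domain you control. It uses Resolve-DnsName, which ships with Windows PowerShell in the DnsClient module; example.com is a placeholder to replace with your own domain, and the DKIM selector names (selector1, selector2) are the ones Microsoft 365 uses.

```powershell
# Added example (not from the article): inspect a domain's SPF, DKIM and DMARC DNS
# records and warn about the weak configurations that let exact-domain spoofing through.
# "example.com" is a placeholder; replace it with your own domain.

$domain = 'example.com'

# Return all TXT strings published at a name (empty array if none or on error).
function Get-TxtRecord {
    param([string]$Name)
    try {
        @(Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
            Where-Object { $_.Type -eq 'TXT' } |
            ForEach-Object { $_.Strings -join '' })
    } catch { @() }
}

# --- SPF: exactly one v=spf1 record, ending in a hard fail (-all) ---
$spf = @(Get-TxtRecord $domain | Where-Object { $_ -like 'v=spf1*' })
switch ($spf.Count) {
    0       { Write-Warning "$domain has no SPF record" }
    1       {
        if ($spf[0] -notmatch '-all$') { Write-Warning "SPF does not hard-fail (-all): $($spf[0])" }
        else                           { "SPF OK: $($spf[0])" }
    }
    default { Write-Warning "$domain publishes $($spf.Count) SPF records; only one is valid" }
}

# --- DKIM: Microsoft 365 publishes its signing keys as CNAMEs under two selectors ---
foreach ($selector in 'selector1', 'selector2') {
    $name  = "$selector._domainkey.$domain"
    $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction SilentlyContinue
    if ($cname) { "DKIM $selector -> $($cname[0].NameHost)" }
    else        { Write-Warning "No DKIM CNAME found for $name (is DKIM signing enabled?)" }
}

# --- DMARC: the p= tag decides what receivers do with mail that fails SPF/DKIM ---
$dmarc = Get-TxtRecord "_dmarc.$domain" | Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1
if (-not $dmarc) {
    Write-Warning "$domain has no DMARC record"
} else {
    # Parse "tag=value; tag=value" into a hashtable.
    $tags = @{}
    foreach ($pair in ($dmarc -split ';')) {
        if ($pair -match '^\s*(\w+)\s*=\s*(.+?)\s*$') { $tags[$Matches[1]] = $Matches[2] }
    }
    $policy = $tags['p']
    $pct    = if ($tags.ContainsKey('pct')) { $tags['pct'] } else { '100' }
    if ($policy -ne 'reject' -or $pct -ne '100') {
        Write-Warning "DMARC policy is p=$policy pct=$pct; spoofed mail is not fully rejected"
    } else {
        "DMARC OK: $dmarc"
    }
    if (-not $tags.ContainsKey('rua')) {
        Write-Warning "No rua= tag: you will not receive aggregate reports showing who spoofs $domain"
    }
}
```

Moving straight to p=reject can block legitimate mail from a third-party service that was never added to SPF, so the usual sequence is p=none with a rua= address to collect reports, then p=quarantine, then p=reject once the reports show only your own senders.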

Protection Step 4: Train Your Team

Make BEC a specific topic in your security awareness training, separate from general phishing awareness. BEC attacks are different because they often contain no malicious links or attachments. They rely entirely on social engineering, which means technical email filters may not catch them.

Use real-world examples relevant to your industry. A law firm should hear about fake settlement wire requests; a construction company should hear about fraudulent subcontractor invoices. The scenarios need to feel real to your team.

Emphasize that urgency and authority are the primary manipulation tools in BEC. Any request that is both urgent and involves money or sensitive data should trigger a verification call, every time.

Create a culture where questioning a financial request is expected, not disrespectful. The bookkeeper should feel comfortable calling the CEO to verify a wire transfer, even if the email says "don't call me, I'm in a meeting." That is exactly when they should call.

Huntress provides security awareness training as part of its platform, including targeted BEC scenarios and phishing simulations that help employees practice identifying these attacks in a safe environment.

What to Do If You Suspect a BEC Attack

Act fast. Every hour matters, especially if money has already been sent.

  1. Do not send the requested payment or information. If you have not acted on the request yet, stop.
  2. Verify the request through a separate communication channel. Call the supposed sender using a known phone number.
  3. If money was already sent, contact your bank immediately. Wire recalls have a narrow window (often 24 to 48 hours). The sooner you call, the better your chances of recovering the funds.
  4. Report to the FBI's IC3 at ic3.gov and your local FBI field office. BEC is a federal crime and the IC3 has a Recovery Asset Team that works with banks to freeze fraudulent transfers.
  5. If an email account was compromised, reset the password, revoke all active sessions, check for forwarding rules and inbox rules, and review recent sent items to see what the attacker sent from the account.
  6. Notify your cyber insurance carrier. Most policies have specific timelines for breach notification, and delayed reporting can affect your claim.
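Step 5 in the list above, triaging a compromised mailbox, can be worked through from PowerShell. The script below is an added example, not the article's or Microsoft's code. It assumes the ExchangeOnlineManagement and Microsoft.Graph modules are installed, that the operator has Exchange administrator rights plus the User.ReadWrite.All Graph scope, and that the password has already been reset in the Entra admin center. The mailbox address and domain list are constructed placeholders. In newer module versions Get-MessageTrace is replaced by Get-MessageTraceV2, which takes the same parameters used here.

```powershell
# Added example (not from the article): triage one mailbox after a suspected
# compromise: revoke sessions, find forwarding, flag suspicious inbox rules,
# and list what the account sent recently.
# Placeholders: $user and $ownDomains. Password reset is assumed already done.

$user       = 'bookkeeper@example.com'   # placeholder: mailbox under investigation
$ownDomains = @('example.com')           # placeholder: domains you own

Connect-ExchangeOnline -ShowBanner:$false
Connect-MgGraph -Scopes 'User.ReadWrite.All' -NoWelcome

# 1. Sign the attacker out everywhere by invalidating refresh tokens and sessions.
Revoke-MgUserSignInSession -UserId $user | Out-Null

# 2. Mailbox-level forwarding (set outside the Inbox rules, often missed).
Get-Mailbox -Identity $user |
    Select-Object ForwardingSmtpAddress, ForwardingAddress, DeliverToMailboxAndForward |
    Format-List

# 3. Inbox rules that forward, redirect or silently delete mail. Attackers use these
#    to intercept replies and hide the conversation from the real user; anything
#    pointing outside your own domains is suspect.
function Test-External([string[]]$Recipients) {
    foreach ($r in $Recipients) {
        # Rule targets look like '"Name" [SMTP:addr@domain]' or a bare address; pull the address.
        $addr = ($r -split '[\[\]"<>: ]' | Where-Object { $_ -like '*@*' } | Select-Object -First 1)
        if ($addr -and ($ownDomains -notcontains ($addr -split '@')[-1])) { return $true }
    }
    return $false
}

Get-InboxRule -Mailbox $user | ForEach-Object {
    $targets = @($_.ForwardTo) + @($_.ForwardAsAttachmentTo) + @($_.RedirectTo)
    [pscustomobject]@{
        Rule        = $_.Name
        Enabled     = $_.Enabled
        ForwardsOut = (Test-External $targets)
        Deletes     = [bool]$_.DeleteMessage
        MovesTo     = $_.MoveToFolder
        Description = $_.Description
    }
} | Where-Object { $_.ForwardsOut -or $_.Deletes } | Format-List

# Remove a rule once confirmed malicious (uncomment and supply the rule name):
# Remove-InboxRule -Mailbox $user -Identity '<rule name>' -Confirm:$false

# 4. What did the account send? Message trace covers the last 10 days.
Get-MessageTrace -SenderAddress $user -StartDate (Get-Date).AddDays(-10) -EndDate (Get-Date) |
    Sort-Object Received -Descending |
    Select-Object Received, RecipientAddress, Subject, Status |
    Format-Table -AutoSize

Disconnect-MgGraph | Out-Null
Disconnect-ExchangeOnline -Confirm:$false
```

Rules that delete mail or move it to an obscure folder (RSS Feeds, Conversation History) are as important as forwarding rules: they are how the attacker keeps the real user from seeing the vendor's "did you really change your bank details?" reply. Keep the rule output and message trace as evidence before removing anything, since the bank, insurer and IC3 will ask what was sent and when.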

Need Help?

BEC is the costliest form of cybercrime for small businesses, and prevention starts with the right combination of training, verification procedures, and email security. If you want help hardening your email environment or responding to a suspected compromise, contact Athencia. We handle BEC prevention and incident response for small businesses across the country.
