Every year, businesses lose more money to business email compromise than to ransomware, data breaches, and most other forms of cybercrime combined. And unlike ransomware, you often don’t know it happened until the funds are already gone and the attacker has disappeared.

This post breaks down what BEC is, how attacks unfold step by step, and what controls actually stop them before money moves.

Business email compromise attacks impersonate trusted contacts (executives, vendors, lawyers) to trick employees into transferring funds or handing over sensitive data. They’re cheap to execute, hard to detect with standard tools, and devastatingly effective. The good news: the right combination of controls stops the vast majority of them.

What Is Business Email Compromise?

Business Email Compromise (BEC) is a type of cyberattack in which criminals impersonate a trusted individual or organization via email to deceive employees into transferring funds, sharing sensitive data, or taking other harmful actions. Unlike mass phishing campaigns, BEC attacks are targeted, personalized, and often bypass technical defenses entirely because they contain no malicious links or attachments.

The FBI tracks BEC separately from other cybercrime precisely because of its outsized financial impact. According to the FBI Internet Crime Complaint Center (IC3) 2023 Annual Report, BEC and its variant email account compromise (EAC) generated over $2.9 billion in reported losses in the United States alone in 2023, making it the highest-loss cybercrime category tracked by the FBI for the third consecutive year.

How Does a BEC Attack Work?

BEC attacks follow a recognizable pattern even when the specifics vary. The attacker doesn’t need malware or a zero-day exploit. They need a convincing email, a sense of urgency, and a target who hasn’t been trained to pause and verify.

Reconnaissance: The attacker researches the target organization using LinkedIn, company websites, press releases, and social media. They map out executive names, reporting structures, vendor relationships, and pending transactions. This phase can take days or weeks.

Account compromise or spoofing: The attacker either gains access to a real email account (via a prior phishing attack or credential stuffing) or spoofs one by registering a look-alike domain (e.g., “balanced-plus.ca” instead of “balancedplus.ca”) or using a display name trick where the visible name is correct but the sending address is not.

The request: A well-timed, urgent message instructs a finance employee to wire funds, update vendor banking details, or share payroll records. The request often arrives Friday afternoon, when oversight is thin and time pressure is real. It frequently includes a reason to bypass normal approval: “don’t loop in IT, this is a confidential acquisition.”

Funds move: The employee acts. Money reaches an attacker-controlled account and is typically laundered within hours through layered transfers, making recovery extremely difficult even when the fraud is caught quickly.

BEC attacks don’t require malware, exploits, or technical sophistication. They exploit trust, authority, and urgency. Technical defenses alone will not stop them.

The Five Types of BEC Attacks

The FBI IC3 categorizes BEC into five primary scenarios. Knowing which type is targeting your organization shapes how you respond and train.

  • CEO fraud: An executive’s email is spoofed or compromised. Finance or accounting receives an urgent wire transfer request, often referencing a real deal or deadline.
  • Vendor/invoice impersonation: Attackers pose as a known supplier and request a banking detail change on a pending invoice. The next legitimate payment lands in the attacker’s account.
  • Account compromise: A legitimate employee’s email account is hacked and used to request fraudulent payments from customers or partners who trust the sender.
  • Attorney impersonation: Criminals pose as a law firm handling a sensitive, time-critical transaction and pressure the target to act quickly and confidentially.
  • Data theft (W-2 and payroll fraud): HR or finance is tricked into sending employee payroll data, W-2 equivalents, or PII that enables follow-on identity fraud or tax fraud.

In our work with GTA mid-market firms, the most effective BEC attempts we’ve seen reference real details: a specific vendor name, an upcoming renewal, or an executive who is publicly traveling. Attackers do their homework before sending a single email.

BEC vs. Phishing: What’s the Difference?

BEC is often grouped with phishing, but they are meaningfully different attacks that require different defenses. Phishing is a scattershot campaign; BEC is a targeted strike built around research and impersonation.

| Factor | Phishing | Business Email Compromise |
| --- | --- | --- |
| Scale | Mass-distributed to thousands | Targeted at one person or department |
| Technique | Malicious links or attachments | Social engineering and impersonation |
| Goal | Credential theft, malware delivery | Wire fraud, data theft |
| Detection by filters | Often caught by email security tools | Frequently bypasses filters (no malicious payload) |
| Research required | Minimal | Days to weeks of target research |
| Primary defense | Email filtering, URL scanning | Verification policies, training, MFA |

Why Are BEC Attacks So Hard to Stop?

Three factors make BEC attacks unusually dangerous compared to other email threats.

They bypass technical defenses. A well-crafted BEC email contains no malicious links, no attachments, and no executable code. It can pass SPF, DKIM, and DMARC checks if the attacker has registered a convincing look-alike domain. Standard email security tools have nothing to flag.

They exploit human psychology. Urgency, authority, and secrecy are baked into every BEC script. “I need this done before the wire cutoff at 3 PM.” “Don’t loop in accounting on this, it’s a confidential matter.” These triggers short-circuit the verification habits that people apply under normal circumstances.

They’re cheap to run. Researching a target on LinkedIn costs nothing. Registering a look-alike domain costs under $20. The attacker’s return on investment is extraordinary relative to the effort required, which is why BEC volume has grown steadily even as other cybercrime tactics have faced increasing technical barriers.

Warning Signs of a BEC Attempt

Watch for these red flags in any financial or data request received by email:

  • The sender’s domain differs slightly from the real one.
  • The request bypasses normal approval steps.
  • Urgency is paired with a request for secrecy.
  • Vendor banking details have “changed” ahead of a payment.
  • The request comes from an executive who is traveling or otherwise hard to reach.

Look-alike domains are subtle. Attackers register variations that look correct at a glance: adding a hyphen, swapping a letter (rn for m), or using a country-code TLD like .ca instead of .com. Training employees to check the actual sending address, not just the display name, catches a large percentage of attempts before any action is taken.
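The same checks an employee is trained to make can be run over the From: header automatically. The following added example (not code from the original post or from Balanced+) flags an external sender, a look-alike of the organization’s domain built with the tricks described above (hyphen insertion, rn-for-m style substitutions, a swapped TLD), and an executive’s name used as the display name on an outside address; the trusted domain and executive name are constructed assumptions.

```python
import re

# Constructed assumptions: the organization's real domain and the executive
# names an attacker is most likely to put in a display name.
TRUSTED_DOMAINS = {"balancedplus.ca"}
EXECUTIVE_NAMES = {"jane doe"}  # hypothetical executive

# Tricks from the post: "rn" for "m", "vv" for "w", digit-for-letter swaps and
# inserted hyphens. Normalizing both sides collapses a look-alike onto the
# real label it imitates.
_SUBS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", "")]


def normalize_label(label: str) -> str:
    label = label.lower()
    for bad, good in _SUBS:
        label = label.replace(bad, good)
    return label


def split_domain(domain: str):
    """Return (label, tld) for a simple domain such as 'example.ca'."""
    parts = domain.lower().rsplit(".", 1)
    return (parts[0], parts[1]) if len(parts) == 2 else (parts[0], "")


def assess_sender(display_name: str, from_addr: str) -> list:
    """Return the red flags raised by a From: header; empty means none."""
    match = re.match(r"^[^@\s]+@([A-Za-z0-9.-]+)$", from_addr.strip())
    if not match:
        return ["unparseable sender address"]
    domain = match.group(1).lower()
    if domain in TRUSTED_DOMAINS:
        return []
    flags = ["external sender"]
    label, tld = split_domain(domain)
    for trusted in TRUSTED_DOMAINS:
        t_label, t_tld = split_domain(trusted)
        if normalize_label(label) == normalize_label(t_label):
            kind = "TLD swap" if tld != t_tld else "label altered"
            flags.append(f"look-alike of {trusted} ({kind})")
    if display_name.strip().lower() in EXECUTIVE_NAMES:
        flags.append("executive display name on external address")
    return flags
```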

How to Protect Your Business From BEC

No single control stops BEC. The organizations that avoid significant losses combine technical safeguards with process controls and ongoing training, so that multiple layers must fail simultaneously for an attack to succeed.

Enable MFA on all email accounts: Compromised credentials are far less useful to an attacker when multi-factor authentication blocks access. Microsoft 365 and Google Workspace both support MFA natively. This is the single highest-impact control for preventing account compromise (EAC), the variant where attackers hijack a real inbox.

Deploy DMARC, DKIM, and SPF: These email authentication protocols make it significantly harder to spoof your domain and signal to receiving mail servers how to handle unauthenticated messages. The Canadian Centre for Cyber Security (CCCS) recommends all three as baseline controls for organizations of any size.

Establish a wire transfer verification policy: Any request to transfer funds, change vendor banking details, or share sensitive payroll data that arrives via email must be verbally confirmed using a known phone number before action is taken. No exceptions, regardless of how urgent the email appears.

Run BEC-specific security awareness training: Generic phishing simulations don’t prepare employees for CEO fraud or vendor impersonation. Training should include realistic scenarios that test responses to authority-and-urgency combinations, not just malicious link clicking.

Add external sender banners: A visible “EXTERNAL” tag on emails originating from outside your domain creates a pause point that catches a surprising number of impersonation attempts before they succeed.

Limit public org chart exposure: Attackers use LinkedIn to map reporting structures and identify which employees have financial authority. Review what your public profiles reveal about who approves payments and who reports to whom.

A 60-second phone call to a known number is your most reliable BEC defense. Build a formal policy: any wire transfer or banking change request received by email requires verbal confirmation before processing, regardless of the sender’s apparent authority. This one process control has prevented significant losses at organizations that had no other BEC-specific defenses in place.

What to Do If Your Business Has Been Targeted

Speed is the only meaningful variable in BEC recovery. If a fraudulent transfer has occurred, every hour reduces the chance of recovery.

Contact your bank immediately: Financial institutions can sometimes recall or freeze fraudulent wire transfers if notified within 24 to 72 hours. Call your bank’s fraud line directly, not through email. Reference the FBI’s Financial Fraud Kill Chain (FFKC) process when speaking with your bank.

Report to the Canadian Anti-Fraud Centre: Canadian businesses should file a report with the Canadian Anti-Fraud Centre (CAFC) at antifraudcentre.ca. In the US, the FBI IC3 at ic3.gov is the correct reporting channel. Document everything before taking remediation steps.

Preserve all evidence: Do not delete or modify the fraudulent emails. Your incident response team and law enforcement need the original headers, timestamps, and message content to trace the attack chain.

Notify your insurer: Many cyber insurance policies cover BEC losses, but require prompt notification. Review your policy for reporting timelines before taking remediation actions that could affect coverage.

Engage your security team: Determine whether a real account was compromised. If so, contain it immediately: force password resets, revoke active sessions, and audit email forwarding rules, which attackers often add to maintain persistent access after discovery.

BEC fund recovery is genuinely difficult. Most wire transfers are laundered through multiple accounts within hours of reaching the attacker’s account. Prevention is far cheaper than recovery, and in many cases recovery simply isn’t possible.

BEC attacks are low-tech, high-yield, and preventable. The combination of multi-factor authentication on email, DMARC/DKIM/SPF deployment, a hard-and-fast verbal verification policy for wire transfers, and BEC-specific employee training stops the vast majority of attacks. No single control is enough; the layered approach is what works.

At Balanced+, our managed cybersecurity services include email security configuration, security awareness training tailored to BEC scenarios, and ongoing monitoring that catches the account compromise attempts that often precede a BEC attack. If you’re not confident your team and your controls would stop a well-researched impersonation attempt, let’s talk.

Frequently Asked Questions

What is the most common type of BEC attack?

CEO fraud and vendor/invoice impersonation are the most frequently reported BEC variants. In CEO fraud, an executive’s email is spoofed or compromised and used to pressure a finance employee into an urgent wire transfer. In vendor impersonation, attackers pose as a known supplier and request a banking detail update before a scheduled payment, redirecting the next legitimate payment to an attacker-controlled account.

Can spam filters stop a BEC attack?

Standard spam filters and antivirus tools are largely ineffective against BEC because the attacks contain no malicious links or file attachments. The email often looks entirely legitimate. Effective defenses are process-based (verbal verification policies) and technical (MFA, DMARC/DKIM/SPF, external sender banners) rather than filter-based.

What is the difference between BEC and EAC?

BEC (Business Email Compromise) typically involves impersonation without actually accessing a real email account. EAC (Email Account Compromise) goes further: the attacker gains control of a legitimate account and sends fraudulent requests directly from it. EAC is harder to detect because the emails originate from a real, trusted address and pass all authentication checks. The FBI IC3 tracks both under the same reporting category because the financial impact and attack goals are the same.

How much do BEC attacks cost Canadian businesses?

The Canadian Anti-Fraud Centre (CAFC) tracks BEC as one of the top fraud categories affecting Canadian organizations, though losses are widely underreported. The CCCS National Cyber Threat Assessment 2025-2026 identifies BEC as a persistent and growing threat to Canadian businesses of all sizes. US figures from the FBI IC3 serve as a useful proxy: $2.9 billion in reported losses in 2023 from roughly 21,000 complaints, suggesting an average loss well above $100,000 per incident.
