
Business Email Compromise Explained: How BEC Fraud Works and How to Stop It
Few fraud tactics deliver as much damage with as little technical effort as business email compromise (BEC).
A single spoofed email can move millions, causing immense financial losses to both businesses and individuals, and reputational damage to their banks.
In 2024 alone, US organizations reported over 21,000 BEC fraud cases, with losses reaching nearly $2.8 billion. Globally, exposed losses have now exceeded $55 billion, across more than 305,000 reported BEC incidents since 2013. That puts the average impact at well over $180,000 per case, making BEC one of the most financially devastating fraud types banks and businesses face.
What Is Business Email Compromise?
Business Email Compromise (BEC) is a type of fraud where criminals impersonate trusted business contacts to trick employees into sending money or sensitive data. Unlike phishing, which typically targets large groups with generic lures, BEC fraud is highly targeted. Attackers study their victims, craft convincing emails, and often use urgency or authority to push through fraudulent payments.
This makes business email compromise part of the broader social engineering ecosystem, where scams manipulate people rather than systems. Other impersonation scams, such as romance scams, tech support scams, and authority bias scams, target consumers, but BEC is firmly business-focused. It exploits corporate payment processes and organizational trust, which is why average losses per case are far higher than in consumer fraud.
Types of BEC Fraud
At its core, business email compromise is impersonation fraud. The attacker poses as someone the victim already trusts—whether it’s a CEO, CFO, vendor, lawyer, or even a colleague—often using techniques like domain spoofing and lookalike domains. From there, the fraud can take several common forms:
- CEO fraud — impersonating a senior executive to pressure staff into authorizing a wire transfer.
- Invoice fraud — posing as a supplier and sending fake or altered payment instructions. In recent years, this scheme has evolved into vendor email compromise (VEC), where fraudsters infiltrate or convincingly spoof real supplier accounts to divert payments.
- Payroll diversion scams — tricking HR or payroll teams into rerouting employee salary payments to accounts controlled by the attacker.
- Attorney impersonation — fraudsters pose as lawyers or legal representatives, often pressuring employees with urgent or confidential requests. These scams are especially common during major corporate events such as mergers, acquisitions, or legal disputes, when added credibility makes them harder to challenge.
- Conversation hijacking — attackers gain access to legitimate email accounts and silently monitor ongoing business correspondence. At a strategic moment, they insert themselves into the thread using the existing trust and context to redirect payments or harvest sensitive information.
Each subtype relies on the same principle: exploiting trust inside business relationships. What changes is the role the attacker impersonates and the process they manipulate.
Case Examples: Notable BEC Incidents and Financial Losses
Statistics don’t capture the full impact of BEC. These real-world cases show how scams strike businesses, governments, and even homebuyers.
Toyota Boshoku: $37 Million Lost in a Single BEC Scam
In 2019, Toyota Boshoku, a supplier to the Toyota automotive group, fell victim to a BEC scam. An attacker impersonated a trusted internal contact and persuaded the finance team to authorize a wire transfer, resulting in a loss of around $37 million.
The Rimasauskas Heist: $100 Million from Tech Giants
In an extreme case of vendor impersonation (a subtype of BEC called VEC), Lithuanian fraudster Evaldas Rimasauskas posed as Taiwan-based Quanta Computer and deceived both Facebook and Google out of more than $100 million collectively. He was later sentenced by a US court.
City of Saskatoon: A $1 Million Hit to Local Government
In 2019, the City of Saskatoon in Canada transferred more than $1 million to criminals posing as a CFO from an engineering firm. The attack showed that business email compromise isn’t limited to global corporations—municipal governments and public institutions are also in the crosshairs.
Homebuyer Nightmare: $545,000 Stolen in Real Estate Scam
In 2024, a homebuyer in South Australia lost her entire property settlement—around $545,000—after fraudsters slightly altered her solicitor’s email address and sent new instructions for the transfer. Thanks to coordinated police and bank intervention, most of the funds were recovered, but the case illustrates how BEC fraud can devastate individuals in business-like transactions such as real estate.
Why Email Security Fails
Given the scale of losses, a natural question arises: shouldn’t email security stop this? The uncomfortable truth is that traditional defenses—spam filters, malware detection, domain checks—were never designed to catch business email compromise.
- No malware, no links — Most BEC emails don’t carry attachments or malicious links. They rely on plain text, carefully worded to look authentic, which means they slip past filters tuned to catch obvious threats.
- Look-alike domains and subtle changes — Attackers often register domains that differ by a single character or use compromised legitimate accounts. These small changes are hard for filters and busy employees to spot.
- Context is missing — Email gateways analyze the message in isolation. They can’t see that an “urgent payment” request doesn’t fit the company’s normal workflow, or that the CFO never sends instructions at midnight.
- Social engineering beats technology — Above all, BEC is about manipulating people, not machines. A well-crafted impersonation email bypasses technical barriers because the fraudster is exploiting trust and authority rather than software vulnerabilities.
This combination makes BEC particularly dangerous: the emails look clean to security tools but persuasive to humans. And once the request lands in the inbox of finance or HR, the pressure is on.
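To make the look-alike domain point concrete, here is an added Python example (not code from the article or from any product it mentions) that canonicalizes a sender domain and compares it against a short list of trusted counterpart domains. It folds Unicode homoglyphs and common character substitutions before computing an edit distance, so a domain that differs by one character, a swapped top-level domain, or a Cyrillic letter standing in for a Latin one is reported as a look-alike. The trusted domains, the homoglyph table, the weights and the two-edit threshold are assumptions for illustration, and it treats the second-level label as the registrable part, a simplification of the public suffix rules.

```python
import unicodedata

# Constructed list of trusted counterpart domains (placeholder names, not real vendors).
TRUSTED_DOMAINS = ("acme-supplies.example", "northwind-legal.example")

# A few Cyrillic letters that render like Latin ones; mapped to Latin before folding.
# Illustrative table only; a production list would cover far more code points.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u0443": "y"}

# Multi-character and digit tricks that survive a quick glance in a proportional font.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
               ("1", "l"), ("3", "e"), ("5", "s"))


def decode_idna(domain: str) -> str:
    """Turn punycode labels (xn--...) back into Unicode so homoglyphs become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode (or malformed): compare as-is


def fold(domain: str) -> str:
    """Canonical form: lowercase, homoglyphs -> Latin, accents stripped, confusables merged."""
    d = decode_idna(domain.strip().lower())
    d = "".join(HOMOGLYPHS.get(ch, ch) for ch in d)
    d = unicodedata.normalize("NFKD", d)
    d = "".join(ch for ch in d if not unicodedata.combining(ch))
    d = d.encode("ascii", "ignore").decode("ascii")
    for bad, good in CONFUSABLES:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_label(domain: str) -> str:
    """Second-level label ('acme-supplies' in 'mail.acme-supplies.example').
    Simplification: assumes a one-label public suffix; real code should consult the PSL."""
    parts = domain.split(".")
    return parts[-2] if len(parts) >= 2 else domain


def classify_sender_domain(sender_domain: str, trusted=TRUSTED_DOMAINS, max_edits=2):
    """Return (verdict, closest_trusted_domain, edit_distance).

    verdict is 'trusted' (exact or subdomain match), 'lookalike' (within max_edits of a
    trusted registrable label after folding) or 'unknown' (no resemblance).
    """
    raw = sender_domain.strip().lower()
    for t in trusted:
        if raw == t or raw.endswith("." + t):
            return ("trusted", t, 0)
    if not trusted:
        return ("unknown", None, None)
    folded_label = registrable_label(fold(raw))
    best = None
    for t in trusted:
        # A bare TLD swap keeps distance 0 because only the registrable label is compared.
        dist = levenshtein(folded_label, registrable_label(fold(t)))
        if best is None or dist < best[1]:
            best = (t, dist)
    verdict = "lookalike" if best[1] <= max_edits else "unknown"
    return (verdict, best[0], best[1])


if __name__ == "__main__":
    # Constructed sender domains: one genuine, several impostors, one unrelated.
    for sample in ("acme-supplies.example", "acrne-supplies.example", "acme-suppIies.example",
                   "acme-supplies.net", "n\u043erthwind-legal.example", "totally-unrelated.example"):
        print(sample, "->", classify_sender_domain(sample))
```

The useful output is the verdict plus the trusted domain it resembles; a mail gateway or a vendor-master change-control job can quarantine or flag 'lookalike' results while letting 'unknown' senders through normal handling, which is the proactive monitoring the article recommends.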
Best Practices for BEC Prevention
Preventing BEC fraud is critical for every business, because sooner or later almost all will be targeted. Data suggests that around 70% of companies face at least one attempted business email compromise each year. There is no single silver bullet, but a set of preventive measures that blend technology, process, and people consistently proves most effective. Some of the best practices include:
- Verification before payment — Always confirm new or unusual payment requests using a second channel, such as a phone call to the known contact or a secure messaging system. Never rely solely on email instructions.
- Multi-person approval — For high-value transfers, require at least two people to sign off. This simple control creates a buffer against single points of failure.
- Ongoing training across all levels — A 2024 UK study found that managers were twice as likely as frontline employees to fall for phishing attempts, underscoring the need for tailored education throughout the organization. Finance, HR, procurement, and executives alike should receive regular training on how BEC works, what red flags to look for, and how to escalate suspicious requests without fear of blame.
- Domain and email monitoring — Watch for look-alike domains and sudden changes in vendor communication. Proactive monitoring can flag suspicious activity before it reaches employees.
- Incident playbooks — Having a clear, rehearsed response plan (who to call, how to freeze transfers, and when to involve law enforcement) can significantly improve recovery chances if a payment slips through.
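The first two controls above (second-channel verification and multi-person approval) are easy to state and easy to erode in practice, so here is an added Python example, not code from the article or from any product it mentions, that encodes them as a release gate a payments system could run before a transfer leaves. The vendor master file, the approval threshold, the account values and the field names are constructed for illustration. The gate holds a payment when the beneficiary is new or differs from the account on file and nobody has confirmed it on a known phone number, when the callback was done by the same person who keyed in the request, or when fewer independent approvers signed off than the amount requires.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed vendor master file: vendor id -> bank account on file (placeholder values,
# not real account numbers). In practice this comes from the ERP, never from an e-mail.
VENDOR_MASTER: Dict[str, str] = {
    "V-1001": "DE00PLACEHOLDER0001",
    "V-1002": "FR00PLACEHOLDER0002",
}

DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value; tune to the organization


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    beneficiary_account: str
    requested_by: str                 # user who keyed in the request
    channel: str                      # where the instruction came from: "email", "portal", "edi"
    approvals: List[str] = field(default_factory=list)   # user ids that signed off
    callback_verified_by: Optional[str] = None           # who confirmed it on the number on file


def evaluate(req: PaymentRequest, master=VENDOR_MASTER, threshold=DUAL_APPROVAL_THRESHOLD):
    """Apply the release controls; return {"decision", "blockers", "flags"}.

    blockers stop the payment; flags are informational findings worth showing the approver.
    """
    blockers, flags = [], []

    on_file = master.get(req.vendor_id)
    changed = on_file is None or req.beneficiary_account != on_file
    if on_file is None:
        flags.append("vendor not in master file")
    elif changed:
        flags.append("beneficiary differs from account on file")

    # Control 1: second-channel verification for anything new, changed, or e-mail-sourced.
    # The number dialled must come from the master file, never from the request itself.
    if changed or req.channel == "email":
        if not req.callback_verified_by:
            blockers.append("second-channel verification missing (call the number on file)")
        elif req.callback_verified_by == req.requested_by:
            blockers.append("callback must be done by someone other than the requester")

    # Control 2: independent approvals, two of them at or above the threshold.
    # The requester never counts as an approver of their own request.
    independent = {a for a in req.approvals if a != req.requested_by}
    needed = 2 if req.amount >= threshold else 1
    if len(independent) < needed:
        blockers.append(f"needs {needed} independent approver(s), has {len(independent)}")

    return {"decision": "hold" if blockers else "release",
            "blockers": blockers, "flags": flags}


if __name__ == "__main__":
    # Constructed requests: a routine payment and an e-mailed "new bank details" request.
    routine = PaymentRequest("V-1001", 5_000, "DE00PLACEHOLDER0001", "alice", "portal", ["bob"])
    diverted = PaymentRequest("V-1001", 5_000, "XX00NEWACCOUNT", "alice", "email", ["bob"])
    for r in (routine, diverted):
        print(r.vendor_id, r.beneficiary_account, "->", evaluate(r))
```

The shape to notice is that a changed beneficiary is never a blocker on its own: the control is that the change must be confirmed by a second person over a second channel, which is exactly the step an attacker writing "please use our new bank details" is counting on nobody taking.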
Banks’ Role in BEC Fraud: Why It’s Time to Take Notice
A misconception about business email compromise is that it’s just an “email problem.” Banks often assume that better spam filters or stricter verification at the corporate level would stop it. But BEC fraud, especially CEO and CFO impersonation, is no longer limited to emails. It is evolving into a multimedia scam powered by AI. Some surveys suggest that as many as 40% of BEC emails are now AI-generated, showing just how quickly attackers have adopted these tools.
AI-generated deepfake video and voice have already fooled employees at major organizations. In a widely publicized CEO fraud case, a finance worker at engineering firm Arup in Hong Kong transferred $25 million after attending a video call featuring AI-generated impersonations of top executives. This isn’t an isolated incident. Firms across sectors, including automotive (Ferrari), advertising (WPP), and cybersecurity (Wiz), are increasingly being targeted.
That doesn’t mean customers are entirely helpless. While banks are the final gatekeepers, there is also room to empower employees earlier in the process. Real-time support tools like ScamFlag, powered by generative AI, can help staff recognize when an email, chat, or even a payment instruction shows signs of manipulation. By giving users a contextual second opinion in the exact moment of doubt, ScamFlag reduces the likelihood that a fraudulent request ever reaches the bank in the first place.
Still, for banks the threat landscape shifts dramatically. They don’t read the deceptive email, see the deepfake video or hear the fraudulent phone call, but they do see its outcome: a payment request that doesn’t align with usual behavior. The amount, beneficiary, timing, and even the user’s hesitation suddenly stand out.
That’s where banks possess a unique vantage point. By analyzing the context of transactions and user behavior, they can spot the fingerprints of manipulation and disrupt the fraud before money actually moves.
Behavioral Intelligence: Spotting BEC Fraud Where It Actually Shows
Once a fraudulent email, phone call, or even a deepfake video convinces an employee, the fraud shifts into the bank’s domain. At this stage, the request looks legitimate on the surface: correct login, valid credentials, and an authorized user making a payment.
But business email compromise does leave traces—just not in the message. It shows up in the way the payment is initiated. Behavioral intelligence captures those subtle shifts in context and user behavior that reveal manipulation:
- An accounts payable clerk who normally uses templates suddenly copy-pastes account numbers from outside sources.
- A supplier payment is scheduled at an unusual time, from a device not typically used for finance operations.
- The user pauses, hesitates, or repeatedly re-enters details. If this happens while the user is on a phone call, it is one of the clearest indicators of live coaching by a fraudster.
Individually, these actions might look like quirks. Together, they form a behavioral fingerprint of BEC fraud. Banks that monitor these patterns can step in at the critical moment—delaying a suspicious transfer, adding another layer of verification, or reaching out to confirm intent with the customer.
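The three signals listed above combine into a score a bank could act on, so here is an added Python example (not code from the article or from any product it mentions) that turns a payment-initiation session plus a per-user baseline into a decision: release, route to review, or pause for step-up verification. The profile fields, the session fields, the weights and the thresholds are constructed assumptions; in particular the active-call flag assumes the bank's mobile app exposes that telemetry, which is not a given on every platform.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, List, Set, Tuple


@dataclass
class UserProfile:
    user_id: str
    known_devices: Set[str]
    usual_hours: range            # local hours in which this user normally pays vendors
    usual_entry_method: str       # "template" | "typed" | "pasted"


@dataclass
class PaymentSession:
    user_id: str
    device_id: str
    started_at: datetime
    entry_method: str             # how the beneficiary account was entered this time
    reentries: int                # times the account field was cleared and re-entered
    longest_pause_s: float        # longest idle gap before submitting
    active_call: bool             # assumption: mobile-app telemetry exposes this where available


def hesitating(s: PaymentSession) -> bool:
    """Repeated re-entry or a long stall is the hesitation the article describes."""
    return s.reentries >= 2 or s.longest_pause_s >= 60


# (signal name, weight, predicate). Weights are illustrative, not calibrated values.
SIGNALS: List[Tuple[str, int, Callable[[PaymentSession, UserProfile], bool]]] = [
    ("pasted_beneficiary", 25, lambda s, p: s.entry_method == "pasted"
                                            and p.usual_entry_method != "pasted"),
    ("unknown_device",     20, lambda s, p: s.device_id not in p.known_devices),
    ("off_hours",          15, lambda s, p: s.started_at.hour not in p.usual_hours),
    ("hesitation",         15, lambda s, p: hesitating(s)),
    # Hesitation during a live call is the strongest single indicator of coaching.
    ("coached_live",       30, lambda s, p: hesitating(s) and s.active_call),
]


def score_session(session: PaymentSession, profile: UserProfile):
    """Return (total score, names of triggered signals) for one payment session."""
    triggered = [name for name, _, pred in SIGNALS if pred(session, profile)]
    total = sum(w for name, w, _ in SIGNALS if name in triggered)
    return total, triggered


def decide(session: PaymentSession, profile: UserProfile, step_up_at=50, review_at=25):
    """Map the score to an action the bank can take before the money moves."""
    total, triggered = score_session(session, profile)
    if total >= step_up_at:
        action = "step_up_verification"   # pause the transfer, confirm intent out of band
    elif total >= review_at:
        action = "review"                 # route to the fraud desk, do not auto-release
    else:
        action = "release"
    return action, total, triggered


if __name__ == "__main__":
    # Constructed baseline for an accounts-payable clerk and two constructed sessions.
    clerk = UserProfile("ap-clerk-7", {"laptop-ap-7"}, range(8, 18), "template")
    normal = PaymentSession("ap-clerk-7", "laptop-ap-7", datetime(2025, 3, 14, 10, 5),
                            "template", 0, 4.0, False)
    coached = PaymentSession("ap-clerk-7", "phone-unknown-1", datetime(2025, 3, 14, 23, 30),
                             "pasted", 3, 95.0, True)
    for s in (normal, coached):
        print(s.device_id, "->", decide(s, clerk))
```

A single weak signal, such as one pasted account number from a known laptop during office hours, lands in "review" rather than blocking anything, which keeps false positives tolerable; it is the accumulation of signals in one session that justifies pausing the transfer and reaching out to the customer.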
This approach changes the game. Instead of reacting after funds vanish, banks can disrupt business email compromise in real time, at the exact moment manipulation turns into money movement. In a landscape where even AI-generated CEOs are calling in, behavioral intelligence ensures that banks, not fraudsters, keep the upper hand, protecting their clients.
From Email Problem to Bank Responsibility
Business email compromise has grown into one of the most costly fraud categories worldwide. Training and verification remain important for businesses, but they will never close the gap entirely. Fraudsters adapt too quickly, and now with deepfakes and voice cloning, even the most cautious finance teams can be tricked.
That’s why banks must see business email compromise for what it really is: not just an email problem, but a fraud problem that lands squarely in their environment. Only banks can see the context of a transaction and whether the timing, behavior, or payment details deviate from what’s normal.
A layered defense is the only effective answer. Businesses need education, verification, and strong processes. Banks need behavioral intelligence and contextual analysis to disrupt fraud in real time. Together, these measures can turn BEC fraud from one of the most lucrative wins for fraudsters into one of the hardest scams to pull off.