Glossary/Threat Intel/Business Email Compromise (BEC)

What Is Business Email Compromise (BEC)?

The email came from the CFO. Same display name, same signature block, same clipped tone he always used. It told the accounts-payable clerk that the Henderson acquisition had closed early and the final $480,000 needed to go out today, to a new escrow account, before the wire window shut at 3 PM. There was a follow-up message saying he was in back-to-back meetings and could not take a call. The clerk processed it. By the time the real CFO surfaced two hours later, the money had been split across three accounts and most of it was gone.

No malware ran. No exploit fired. No alert tripped. The "attack" was a convincing email and a deadline, and that is exactly why business email compromise (BEC) is one of the most expensive crimes in cybersecurity. The FBI's Internet Crime Complaint Center (IC3) put 2025 BEC losses at $3.04 billion, the second-highest loss category in its 2025 Internet Crime Report behind investment fraud. This guide covers what BEC is, the five scenarios the FBI recognizes, how the attack actually runs from reconnaissance to wire, why it slips past email filters that catch malware, the signals that surface it, and the controls that stop it. It is written for the SOC analysts, DFIR responders, and fraud teams who have to reconstruct a transfer that should never have left.

What is business email compromise (BEC)?

Business email compromise is a financial-fraud technique in which an attacker poses as a trusted party, an executive, a vendor, a lawyer, a colleague, and uses email to trick someone into sending money or sensitive data to the attacker. The payload is not code. It is a believable instruction from someone the target has no reason to doubt.

That makes BEC a social engineering attack first and a technical one second. The attacker's whole job is to manufacture trust and urgency: the request looks routine, the sender looks right, and the deadline removes the pause where someone might verify. Where a phishing campaign casts wide and hopes for a click, BEC is targeted, researched, and patient. A single successful message can move six or seven figures, which is why the average reported BEC loss runs far higher than almost any other internet crime.

Two terms get used together. BEC proper is the impersonation of a trusted identity to drive a fraudulent action. Email account compromise (EAC) is when the attacker actually controls a real mailbox and sends from it. EAC is one route into a BEC scam, the most dangerous one, because the email is genuinely from the legitimate account. The FBI tracks them as a single category because the outcome is the same: money or data sent to the attacker on the strength of a trusted email.

The five types of BEC the FBI recognizes

The FBI's IC3 documents five scenarios for how BEC fraud is carried out. They share a method and differ in who the attacker pretends to be and what they ask for.

BEC type Who the attacker impersonates The ask Common target
CEO fraud A senior executive (CEO, CFO) Urgent wire transfer to a new account Finance / AP staff
Account compromise A real employee, from their own hacked mailbox Redirect a legitimate payment Vendors, customers, AP
False invoice / vendor email compromise A known supplier or vendor Pay this invoice to updated bank details Accounts payable
Attorney impersonation A lawyer handling a deal Confidential, time-pressured funds transfer Real estate, M&A parties
Data theft An executive or HR Send W-2 forms or employee PII HR, payroll

CEO fraud is the classic. The attacker spoofs or imitates a senior executive and instructs a finance employee to wire funds urgently, often citing a confidential deal and a hard deadline so the request is acted on before it is verified.

Account compromise uses a genuinely hijacked mailbox. The attacker logs into a real employee's email, watches the threads, and at the right moment redirects a legitimate payment to their own account. Because the message is from the real address, content filters and the recipient both trust it.

False invoice (vendor email compromise) targets the accounts-payable process directly. The attacker, posing as an established supplier, sends an invoice or a "we have changed banks" notice with new payment details. Companies with foreign suppliers are heavily targeted, since updated international banking details raise fewer eyebrows.

Attorney impersonation leans on authority and secrecy. The attacker poses as a lawyer or law firm handling a sensitive matter, a closing, an acquisition, a settlement, and pressures a lower-level employee to move funds quietly. The real estate sector is a favorite, with spoofed messages to title companies, agents, buyers, and sellers changing where closing funds go.

Data theft does not chase money first. The attacker impersonates an executive or HR and asks payroll or HR for W-2 forms or a list of employee PII. That data feeds tax fraud, identity theft, and the next round of targeted attacks, and a stolen employee roster often becomes the seed for a future data breach.

Why BEC beats malware-based attacks

A malware campaign has to get code onto a machine and run it. Every step gives the defender something to catch: an attachment to detonate in a sandbox, a hash to match, a process to flag, a beacon to spot on the wire. BEC skips all of it. The "weapon" is an email with no attachment, no link, no executable. There is nothing for an antivirus engine or an attachment sandbox to detonate, because there is nothing malicious to detonate.

That is the core asymmetry. Most email security is built to find bad content. BEC carries no bad content. A message that says "please update the wire instructions for invoice 4471 to the account below" is, byte for byte, a normal business email. The maliciousness lives in the intent and the identity behind it, not in anything a scanner can fingerprint.

The economics favor the attacker too. Reconnaissance is cheap because the raw material is public. An attacker mines open-source intelligence, company press releases, LinkedIn org charts, out-of-office replies, conference talks, to learn who approves payments, who is traveling, which vendors are active, and how the executives write. No zero-day required. The whole campaign can run from a single lookalike domain and a free email account, and the payoff is a wire transfer, not a foothold that still has to be monetized later. The IC3 has noted attackers increasingly using AI to draft flawless executive-style messages and even clone voices, which removes the broken-grammar tell that used to give these emails away.

The BEC attack lifecycle

Business Email Compromise · attack lifecycle
No malware. Just research, a trusted channel, and a deadline.
Four stages turn public data into a wire transfer the bank cannot reverse.
01 · RECON
Reconnaissance
OSINT, LinkedIn, press releases. Who approves payments, who is traveling, which vendors are active.
02 · CHANNEL
Spoof or takeover
Lookalike domain (rn for m, .co for .com) or phished credentials operating the real mailbox.
03 · PRETEXT
Pretext email
New acquisition, overdue invoice, changed bank details. Urgency plus confidentiality: act now, tell no one.
04 · PAYOUT
Fraudulent wire
Funds leave by wire or ACH, then layer through accounts abroad. $3.04B lost to BEC in 2025 (FBI IC3).
Defender · verify out of band The chain breaks at stage 3. A phone call to a number already on file, before any payment or banking-detail change clears, stops the wire that DMARC and MFA cannot.

A mature BEC scam runs in four stages. Understanding the sequence is what lets a defender intervene before the wire, not after.

1. Reconnaissance. The attacker profiles the target organization: who holds financial authority, who reports to whom, which suppliers send invoices, when key people are traveling or unreachable. Public sources do most of the work. The goal is to pick the right persona to impersonate and the right person to target.

2. Spoof or takeover. The attacker establishes the channel. Two paths dominate. The cheap path is a lookalike domain, registering rn for m, .co for .com, or a near-identical sender name so the address reads correctly at a glance. The expensive but more effective path is account takeover: phishing the real credentials, defeating or stealing the session, and operating from the genuine mailbox. Once inside, attackers often create mailbox rules that auto-forward or auto-delete messages so the real owner never sees the fraud thread.

3. Pretext. The attacker opens or hijacks a conversation that justifies the request. A new acquisition. An overdue invoice. A change of banking details. The pretext supplies a reason the money must move and a reason it must move now. Urgency and confidentiality are the two levers: act fast, and do not check with anyone.

4. Payment or data exfiltration. The target acts. Funds go out by wire or ACH, or the W-2s and PII get sent. The attacker moves the money quickly through layered accounts, often abroad, so that by the time anyone notices, recovery is hard. The 2025 IC3 report found the overwhelming majority of BEC losses moved by wire or ACH, the channels that clear fastest and reverse slowest.

How to detect BEC

BEC detection is mostly about the envelope and the account, not the body. The text is meant to look normal, so the signals live in the metadata and the behavior around the message.

  • Lookalike and cousin domains. A sender domain that is one character off, swaps a TLD, or transposes letters. Flag inbound mail from domains newly registered or visually similar to your own and your vendors'.
  • Reply-to mismatch. The display name and From address look right, but the Reply-To points somewhere else, so the answer goes to the attacker. This is a classic spoofing tell.
  • Display-name spoofing. The From shows "CFO Jane Doe" but the actual address is a free webmail account or an unrelated domain. Mail clients hide the address behind the name by default.
  • Anomalous mailbox rules and forwarding. In an account-takeover case, a new auto-forward to an external address or a rule that moves "invoice" or "payment" mail to a hidden folder is one of the strongest signals. Audit mailbox-rule creation events.
  • Impossible travel and anomalous logins. A sign-in from a new country minutes after a normal one, a new device, or a login from a hosting/VPN range tied to a finance user points to a compromised mailbox.
  • Out-of-band payment-change requests. Any email that changes bank details, redirects a wire, or invents an urgent confidential transfer is the highest-risk pattern there is. Treat a banking-detail change as a verification trigger, always.

For the SOC, the useful telemetry is mail-flow logs (SPF/DKIM/DMARC results, sender domains, Reply-To), authentication logs (sign-in location, device, MFA status), and audit logs for mailbox-rule and delegation changes. BEC is found by correlating those, not by scanning attachments.

How to defend against BEC

No single control stops BEC, because it attacks people and process, not just systems. The defense is layered: authenticate mail, harden accounts, and put a human verification step in front of money.

Authenticate inbound and outbound mail with SPF, DKIM, and DMARC. SPF lists who may send for your domain, DKIM signs your outbound mail, and DMARC tells receivers what to do when those checks fail and reports who is sending as you. A DMARC policy set to quarantine or reject makes it far harder for an attacker to spoof your exact domain, and the reports surface lookalike-domain abuse. This stops domain spoofing; it does not stop a lookalike domain or a genuine compromised account, which is why it is necessary but not sufficient.

Verify payment and banking changes out of band. This is the control that actually catches the loss. Any request to send a wire, change vendor bank details, or move funds urgently must be confirmed through a separate, known channel, a phone call to a number you already have on file, not a number from the email. Make it policy, make it mandatory, and make it apply to executives too. Most successful BEC dies here when the step is real.

Lock down accounts with phishing-resistant MFA. Account takeover is the most dangerous BEC path, and it starts with stolen credentials. Strong MFA, ideally FIDO2/passkeys rather than SMS, blocks most credential-phishing that feeds EAC. Pair it with conditional access and alerting on new mailbox rules and forwarding.

Train the people the attacker targets. Finance, AP, HR, payroll, and executive assistants are the real attack surface. Train them on the specific BEC patterns, urgency, confidentiality, banking-detail changes, and give them explicit permission to slow down and verify a request from the CEO. The training that works names the scenario, not generic "be careful online" advice.

Have an incident response plan for the wire that already left. Speed is everything. If a fraudulent transfer is caught fast, the FBI's IC3 Recovery Asset Team and the originating bank can sometimes freeze or claw back funds. Know who to call, file with IC3 immediately, and contact the bank to request a recall the same hour, not the next day.

The bottom line

Business email compromise is fraud carried out over email by someone who has done their homework. There is no exploit and usually no malware: the attacker researches the target, establishes a trusted channel through a lookalike domain or a hijacked mailbox, builds a pretext with urgency and confidentiality, and gets an employee to send money or data. It cost businesses $3.04 billion in 2025 alone because it attacks the one thing a scanner cannot inspect, the trust between people who do business by email.

The defense is layered and mostly procedural. Authenticate your mail with SPF, DKIM, and DMARC to kill domain spoofing. Harden accounts with phishing-resistant MFA and alert on mailbox rule changes to catch takeover. Above all, put a mandatory out-of-band verification step in front of every payment and banking change, because that is where the loss actually stops. For the defender, the BEC investigation lives in the same logs that prevent it: mail flow, authentication, and mailbox audit trails are both the detection surface and the evidence.

Frequently asked questions

What is business email compromise (BEC)?

Business email compromise is a fraud technique where an attacker poses as a trusted person, an executive, vendor, lawyer, or colleague, and uses email to trick an employee into sending money or sensitive data to the attacker. There is usually no malware involved. The attack relies on impersonation, urgency, and a believable pretext rather than malicious code.

How much does BEC cost businesses?

The FBI's Internet Crime Complaint Center reported $3.04 billion in BEC losses for 2025 in its 2025 Internet Crime Report, the second-largest loss category behind investment fraud. BEC has been one of the costliest cybercrime categories for years because a single successful message can move six or seven figures.

What are the five types of BEC?

The FBI recognizes five scenarios: CEO fraud (impersonating a senior executive to demand an urgent wire), account compromise (sending from a genuinely hacked employee mailbox), false invoice or vendor email compromise (posing as a supplier with changed bank details), attorney impersonation (a fake lawyer pressuring a confidential transfer), and data theft (requesting W-2 forms or employee PII from HR or payroll).

What is the difference between BEC and phishing?

Phishing casts a wide net with generic messages hoping someone clicks a malicious link or attachment. BEC is targeted and researched, impersonates a specific trusted identity, and usually carries no link or attachment at all. The goal of BEC is a fraudulent payment or data handover, not a malware infection, which is why it bypasses tools built to detect bad content.

How is BEC different from email account compromise (EAC)?

In BEC, the attacker impersonates a trusted party from outside, often using a lookalike domain or display-name spoofing. In EAC, the attacker actually controls a real mailbox and sends from the genuine address. EAC is the more dangerous route because the email truly comes from the legitimate account, so it passes authentication and the recipient's own trust. The FBI tracks them as one category.

How can you detect a BEC attempt?

Watch the envelope and the account, not just the body. Key signals are lookalike sender domains, a Reply-To that differs from the From, display-name spoofing, newly created mailbox forwarding or filter rules, impossible-travel or anomalous logins on finance accounts, and any email that requests an urgent wire or a change of banking details. Correlate mail-flow, authentication, and audit logs to surface these.

Practice track
SOC Analyst Tier 1
Build your foundational skills to monitor, detect, and escalate security alerts. This track includes essential tools, basic log analysis, and introductory incident response labs.
Browse SOC Analyst Tier 1 Labs โ†’