Business Email Compromise (BEC): What Every SMB Needs to Know
According to the FBI’s 2024 Internet Crime Report, business email compromise accounted for $2.77 billion in reported losses, placing it among the highest-dollar cybercrime categories in the report and far ahead of ransomware. That figure didn’t come from malware or sophisticated data breaches. It came from attackers sending emails.
No malware. No exploit. Just carefully crafted messages that exploit trust and slip past email filters built to catch malicious payloads.
This guide breaks down how BEC attacks work, the five most common scam types targeting SMBs, and the specific controls that stop them.
What Is Business Email Compromise?
Business email compromise (BEC) is a financially motivated scam in which attackers impersonate a trusted contact to trick a business into transferring money or surrendering sensitive data. That contact is typically a company executive, a known vendor, or an employee the target works with regularly.
What separates BEC from generic phishing is precision. A phishing campaign blasts millions of identical emails hoping a small percentage click. BEC targets one or two specific individuals at a specific company, using researched details to make the request look completely legitimate.
The fraud message itself carries no malware, no malicious link, and no attachment. Traditional email security tools look for a technical payload, and a BEC message has none, so it lands in the inbox looking like ordinary business correspondence. Where the attacker first needs access to a real mailbox, that account takeover is a separate step, and it may itself begin with a credential phishing email.
Any organization that pays invoices, runs payroll, or initiates wire transfers is a potential target. Company size doesn’t matter.
How a BEC Attack Works
BEC attacks follow a consistent progression that begins with careful research. Understanding each step helps your team recognize when something is happening before money moves.
- Reconnaissance. The attacker researches the target using LinkedIn, the company website, and social media to identify executives, financial contacts, and active vendor relationships. The research looks like spear-phishing reconnaissance, but here the end goal is a fraudulent payment rather than a compromised system.
- Account Access or Spoofing. The attacker either compromises a real email account through credential theft (account takeover), registers a look-alike domain (“companyname-corp.com” instead of “companyname.com” is a common version), or simply sends from a free webmail account with an executive’s name as the display name. All three fool employees who aren’t specifically looking at the sending address.
- Trust Building. In account takeover scenarios, the attacker may sit silently in a compromised inbox for weeks, monitoring communication patterns, tone, and active transactions before sending anything. This patience is what makes account takeover BEC especially difficult to detect.
- The Ask. A carefully timed message arrives requesting an urgent wire transfer, a change to banking details, or a batch of employee W-2 records. The request is almost always framed as confidential and time-sensitive, with both elements designed to short-circuit normal approval steps.
- Execution. Funds move to attacker-controlled accounts, often routed overseas within hours. Once a transfer clears, recovery is difficult.
Five Types of BEC Fraud Targeting SMBs
BEC takes several forms. Each one exploits a different process gap in how SMBs handle money and communication.
- CEO fraud. The attacker impersonates the company’s CEO or another executive and emails a financial employee with an urgent wire transfer request. The ask is typically framed as a confidential acquisition or emergency payment that can’t go through normal approval channels.
- Wire transfer fraud. A direct request to move funds to a new or updated bank account, disguised as a routine vendor payment update or time-sensitive business transaction. The amounts involved can easily reach six figures.
- Invoice fraud and vendor impersonation. The attacker poses as a known supplier and sends a revised invoice with updated banking details. Accounts payable processes it without verbal verification because everything about the email looks legitimate.
- Payroll diversion. The attacker impersonates an employee, often by spoofing HR or via account takeover, and requests a direct deposit account change just before payroll runs. Timing the request close to a pay date creates pressure to act fast.
- Attorney or legal impersonation. The attacker poses as outside counsel handling a sensitive matter and pressures a financial employee to process a transfer quickly and discreetly, bypassing internal review entirely.
BEC vs. Phishing: What Sets Them Apart
Phishing casts a wide net: mass emails carrying malicious links or attachments aimed at as many recipients as possible. BEC is surgical, targeting one or two specific people with no technical payload at all.
That distinction matters for your defenses. BEC emails pass through spam filters because they carry none of the markers those tools scan for:
- No malicious links
- No attachments
- No known malicious signatures
They read exactly like normal business correspondence because they’re designed to.
The financial intent is what defines BEC. Phishing aims at credential theft or malware delivery. BEC skips technical compromise entirely and goes straight for the money through social engineering.
For context on phishing types more broadly, including spear phishing, smishing, and vishing, the broader phishing overview covers each variant in detail.
The Scale of BEC Losses in 2024
The FBI data puts hard numbers on that risk. According to the FBI’s 2024 Internet Crime Report, BEC generated $2.77 billion in reported losses, far ahead of ransomware in the report’s loss totals.
BEC complaints are a small share of total complaint volume, but the loss per incident is large, which is how a limited number of complaints adds up to billions of dollars.
SMBs carry disproportionate exposure. Larger enterprises have layered financial controls: dual-authorization systems, dedicated treasury teams, and out-of-band verification workflows that add friction to fraudulent requests. Most SMBs don’t have those structures in place.
A single BEC loss frequently runs into six figures. For a company with 50 employees, one successful attack can do financial damage that takes years to absorb.
Recovery is rarely complete. Wire transfers route quickly to overseas accounts, and cyber insurance coverage for BEC varies significantly:
- Some policies cover social engineering losses only under specific endorsements
- Insurers may also deny claims if baseline controls like multi-factor authentication weren’t in place when the incident occurred
Red Flags: How to Spot a BEC Email
Training your finance and operations teams to recognize BEC patterns is one of the most cost-effective defenses available. The warning signs appear consistently across every variant.
- Urgency combined with secrecy. Messages that pressure speed (“process this today, no exceptions”) and demand confidentiality (“don’t mention this to anyone”) appear in virtually every BEC attack. That combination alone is a hard stop.
- Display name versus actual sending address mismatch. The visible name may read as a trusted executive, but the domain is slightly off: a hyphen where there shouldn’t be one, a transposed letter, or a free webmail address entirely.
- Any request to change bank account details or authorize a wire transfer. This triggers a mandatory out-of-band verification call to a pre-established phone number. Never use a number provided in the suspect email thread.
- Tone or style inconsistencies. Attackers who haven’t spent weeks inside a compromised inbox may mimic a contact but get details wrong: sentence structure, sign-off language, or vocabulary that doesn’t match prior exchanges.
- Pattern breaks. An executive who has never emailed a specific employee directly, suddenly making an urgent financial request, is itself a red flag worth pausing on before acting.
How to Prevent Business Email Compromise
Preventing BEC requires both technical controls and verified process changes. Neither alone is sufficient.
Enable multi-factor authentication (MFA) on all business email accounts, particularly Microsoft 365 and Google Workspace. MFA means a stolen password alone no longer gives an attacker the inbox access they need for reconnaissance or account takeover. Prefer phishing-resistant methods (FIDO2 security keys or passkeys) where you can: adversary-in-the-middle phishing kits that relay one-time codes and steal session tokens can defeat SMS and app-based codes, and a compromised session should be revoked, not just re-passworded.
Deploy DMARC alongside SPF and DKIM on your company domain. Domain-based Message Authentication, Reporting and Conformance (DMARC) works with Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM). Together, they let receiving mail servers reject or quarantine messages that claim to come from your exact domain but weren’t sent by your authorized systems, which protects your vendors and partners from mail spoofing your address. Two caveats matter in practice: DMARC only blocks anything once the policy is p=quarantine or p=reject (the usual rollout starting point, p=none, just reports), and it does nothing against look-alike domains or free webmail accounts carrying an executive’s display name, which is why the process controls below still matter. DMARC configuration requires careful setup, but the protection it provides against exact-domain spoofing is direct and measurable through its aggregate reports.
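A quick way to check what a published DMARC or SPF record actually enforces, written as an added example for this article (it is not part of the article or of any vendor’s tooling). It evaluates record strings you paste in; the DNS lookup itself (for example `dig TXT _dmarc.yourdomain.com`) is left outside so the script runs offline. The sample records and the domain examplecorp.com are constructed for the demo.

```python
"""Sanity-check DMARC and SPF TXT records: does the record enforce anything?

Added example; the domain and all records below are constructed.
"""
from __future__ import annotations

# SPF mechanisms that each consume one of the ten permitted DNS lookups.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc_tags(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str | None) -> dict:
    """Classify a _dmarc TXT record as missing, monitoring, partial or enforcing."""
    if not record:
        return {"status": "missing",
                "issues": ["no _dmarc record: receivers have no policy to apply"]}
    tags = parse_dmarc_tags(record)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("record must begin with v=DMARC1")
    if "p" not in tags:
        issues.append("missing required p= tag")
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        issues.append("p=none only reports; spoofed mail is still delivered")
    if pct < 100:
        issues.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: you will receive no aggregate reports")
    if policy in ("quarantine", "reject"):
        status = "enforcing" if pct == 100 else "partial"
    else:
        status = "monitoring"
    return {"status": status, "policy": policy, "pct": pct, "issues": issues}


def assess_spf(record: str | None) -> dict:
    """Check an SPF record's terminal 'all' qualifier and its DNS-lookup budget."""
    if not record or not record.lower().startswith("v=spf1"):
        return {"status": "missing", "issues": ["no v=spf1 record"]}
    terms = record.split()[1:]
    issues = []
    lookups = 0
    for term in terms:
        # Strip qualifier, argument and CIDR: 'include:_spf.x.com' -> 'include'.
        name = term.lower().lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0]
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > 10:
        issues.append(f"{lookups} lookup mechanisms exceed the limit of 10 (permerror)")
    tail = terms[-1].lower() if terms else ""
    if tail in ("+all", "all"):
        issues.append("+all authorises every host on the internet to send as you")
        status = "open"
    elif tail == "~all":
        issues.append("~all is a softfail; receivers may still deliver, prefer -all")
        status = "weak"
    elif tail == "-all":
        status = "enforcing"
    else:
        issues.append("no terminal all mechanism; unlisted senders get a neutral result")
        status = "weak"
    return {"status": status, "lookups": lookups, "issues": issues}


# Constructed records for the assumed domain examplecorp.com.
DMARC_SAMPLES = {
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@examplecorp.com",
    "rollout": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@examplecorp.com",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@examplecorp.com; adkim=s; aspf=s",
}
SPF_SAMPLES = {
    "softfail": "v=spf1 include:_spf.google.com ~all",
    "strict": "v=spf1 ip4:203.0.113.0/24 include:_spf.google.com -all",
}

if __name__ == "__main__":
    for label, rec in DMARC_SAMPLES.items():
        print(f"DMARC {label}: {assess_dmarc(rec)}")
    for label, rec in SPF_SAMPLES.items():
        print(f"SPF {label}: {assess_spf(rec)}")
```

The "rollout" record is the one most SMBs get stuck on: p=quarantine with pct=25 looks enforced in a dashboard but still delivers three out of four spoofed messages. Move pct to 100 and then to p=reject once the aggregate reports show your legitimate senders all pass.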
Additional controls that close BEC exposure:
- A verbal verification policy: any request to change banking details or initiate a wire transfer gets confirmed via a phone call to a known, pre-established number before action is taken
- Dual-approval workflows for wire transfers and payroll changes above a defined threshold, requiring a second approver through a separate communication channel
- BEC-specific employee training and simulated BEC scenarios (generic phishing simulations don’t adequately prepare staff for BEC’s social engineering methods)
- Email rules that flag external senders using internal executive display names
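The red flags listed earlier (display name versus sending address, look-alike domains, free webmail senders, urgency paired with secrecy) and the last control above (flagging external senders that use an internal executive’s display name) can be expressed as a single set of checks. The script below is an added illustration for this article, not code from the article or from any email security product. The company domain, executive roster, keyword lists and the three sample messages are all constructed for the demo and would be tuned to your own environment.

```python
"""Flag common BEC sender and content patterns in raw RFC 5322 messages.

Added example; domain, roster, keyword lists and messages are constructed.
"""
from __future__ import annotations

import difflib
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

COMPANY_DOMAIN = "examplecorp.com"            # assumed: your own mail domain
EXECUTIVES = {"jane doe", "sam lee"}          # assumed: display names to protect
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}
URGENCY = ("today", "urgent", "immediately", "asap", "right away")
SECRECY = ("confidential", "don't mention", "do not mention", "keep this between")


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, real: str) -> bool:
    """True when `domain` is a near miss of `real`: an inserted hyphen or
    suffix ('examplecorp-corp.com'), a transposed letter ('exmaplecorp.com')
    or one extra character. An exact match is not a look-alike."""
    if not domain or domain == real:
        return False
    label = domain.split(".")[0].replace("-", "")
    return difflib.SequenceMatcher(None, label, real.split(".")[0]).ratio() >= 0.8


def bec_flags(raw: bytes) -> list[str]:
    """Return the red flags raised by one raw message (empty list = clean)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    name, addr = parseaddr(str(msg.get("From", "")))
    from_dom = domain_of(addr)
    flags: list[str] = []

    # An internal executive's display name on a sender outside our domain.
    if name.strip().lower() in EXECUTIVES and from_dom != COMPANY_DOMAIN:
        flags.append("executive-name-external-sender")
    if is_lookalike(from_dom, COMPANY_DOMAIN):
        flags.append("lookalike-domain")
    if from_dom in FREE_WEBMAIL:
        flags.append("free-webmail-sender")

    # Reply-To steering answers to a domain other than the visible sender's.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and domain_of(reply_to) != from_dom:
        flags.append("reply-to-mismatch")

    # Urgency and secrecy together: the pressure pair in nearly every BEC ask.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(w in text for w in URGENCY) and any(w in text for w in SECRECY):
        flags.append("urgency-plus-secrecy")
    return flags


# Constructed sample messages (not real traffic).
CEO_FRAUD = b"""\
From: Jane Doe <jane.doe@examplecorp-corp.com>
Reply-To: jane.doe.ceo@gmail.com
To: ap@examplecorp.com
Subject: Quick wire today
Content-Type: text/plain; charset=utf-8

I need a wire processed today for a confidential acquisition.
Don't mention this to anyone until it closes.
"""

PAYROLL_DIVERSION = b"""\
From: Sam Lee <sam.lee.personal@gmail.com>
To: hr@examplecorp.com
Subject: Direct deposit change
Content-Type: text/plain; charset=utf-8

Can you update my direct deposit to my new bank before payroll runs on Friday?
"""

LEGITIMATE = b"""\
From: Jane Doe <jane.doe@examplecorp.com>
To: ap@examplecorp.com
Subject: Q3 board deck
Content-Type: text/plain; charset=utf-8

Attached is the Q3 board deck for your review.
"""

if __name__ == "__main__":
    for label, raw in (("ceo fraud", CEO_FRAUD), ("payroll", PAYROLL_DIVERSION),
                       ("legitimate", LEGITIMATE)):
        print(f"{label}: {bec_flags(raw) or 'no flags'}")
```

Note what the payroll sample shows: it raises no urgency flag at all, only the sender checks. Keyword rules catch the loud CEO-fraud style, but a quiet, well-timed direct deposit request from a free webmail account is exactly why the sender-identity checks and the out-of-band verification call have to exist independently of the wording.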
Chicagoland businesses can access layered email security, including MFA enforcement, DMARC configuration, and 24/7 account monitoring, through LeadingIT’s Chicago cybersecurity services.
What to Do If Your Business Falls for a BEC Scam
Speed determines how much you recover. Follow this sequence immediately.
- Contact your bank without delay. The FBI’s Financial Fraud Kill Chain has helped recover funds when financial institutions are notified within 48 to 72 hours of a fraudulent transfer. Act within the hour if the transfer just cleared.
- File a complaint with the FBI IC3 at ic3.gov. This triggers the kill chain process and creates the official record required for insurance claims and any subsequent legal action.
- Preserve all evidence before remediation. Do not delete emails. Before resetting passwords, export the sign-in and mailbox audit logs and record any inbox rules or auto-forwarding the attacker created; those rules are how a BEC attacker hides replies and keeps reading mail after a password change. Then reset credentials and revoke active sessions. Engage IT support to document the full scope of account access before any cleanup begins.
- Notify affected vendors or partners. Vendor impersonation BEC creates downstream victims. If their accounts or payment relationships were involved in the attack, they need to know promptly.
- Review your cyber insurance policy carefully. Coverage for social engineering losses often requires a specific endorsement. Claims may be denied if baseline controls such as MFA were absent at the time of the incident.
- Build incident response readiness before the next attack. Organizations with documented recovery procedures and tested backup environments respond faster and limit damage more effectively. For the immediate steps following any phishing-type incident, LeadingIT’s phishing incident response guide covers that process in detail.
When BEC defenses are working, your finance and operations teams process payment requests with confidence. Verification workflows catch fraud before money moves. A successful attack becomes the exception rather than a recurring risk.
With those controls in place, your team can focus on the work that actually moves the business forward.
LeadingIT provides managed cybersecurity services to SMBs across the Chicagoland area. That includes email security configuration, MFA enforcement, DMARC implementation, and 24/7 monitoring that flags account anomalies before they become wire transfer losses.