What is business email compromise?
Business email compromise, or BEC, is a scam in which a criminal uses email to trick an employee into sending money or sensitive information to the wrong place. The message appears to come from someone the victim trusts (a boss, a vendor, a client, or a bank) and makes a request that looks routine, such as paying an invoice, updating bank details, or buying gift cards. Because the email looks legitimate and the request looks normal, BEC bypasses most technical defenses and targets the person, not the computer.
The rest of this guide explains how the scam works, why it is so effective, the practical steps a small business can take to prevent it, and exactly what to do if you become a victim.
How the scam works
In a BEC attack, the criminal sends an email that appears to come from a known and trusted source making a legitimate-looking request. Sometimes the attacker has actually broken into a real email account and is sending the message from inside it. Other times they register a lookalike domain or spoof the display name so the message simply appears to come from someone you know. Either way, the goal is the same: get you to move money or hand over information before anyone thinks to double-check.
The FBI describes several common forms this takes:
- The fake invoice or changed bank details. A vendor you regularly pay sends an invoice that looks normal, except the remittance or wiring instructions have quietly changed to an account the attacker controls.
- The executive request. A message that appears to come from your CEO or owner asks an assistant or finance staffer to buy gift cards, send a wire, or share payroll information, usually framed as urgent and confidential.
- The real estate wire fraud. A homebuyer or business receives wiring instructions that look like they came from the title company or attorney, and the down payment or closing funds are routed to a criminal instead.
- Account compromise and data theft. A compromised mailbox is used to request payments from your own customers, or to harvest W-2s, tax records, and other sensitive data for later fraud.
Why BEC is so costly
BEC does not look dramatic, which is exactly why it works. There is no ransomware splash screen and no obvious malware; there is just a believable email and a payment that goes to the wrong account. The losses, however, are enormous. According to the FBI's Internet Crime Complaint Center (IC3), BEC accounted for more than $55.4 billion in exposed losses worldwide between October 2013 and December 2023, across roughly 305,000 reported incidents, and global losses rose about 9% in a single year between December 2022 and December 2023.
For a small business, a single successful BEC wire can mean tens or hundreds of thousands of dollars gone in minutes, often with little chance of recovery once the funds move overseas. That is why prevention, not cleanup, is where the effort belongs.
How to protect your business from BEC
The good news is that BEC is highly preventable. Most attacks succeed because a single verification step was skipped. The steps below, drawn from FBI and IC3 guidance, close that gap.
Step 1
Verify money and banking requests on a second channel
This is the single most effective defense. Any request to send money, change payment details, or update banking information should be confirmed using a communication channel other than the one the request arrived on.
- Call the person back on a phone number you already have on file, not a number printed in the suspicious email.
- For a vendor changing bank details, treat it as a red flag by default and confirm verbally with a known contact before paying anything.
- For an executive request, walk into their office or call them directly. A real boss will not mind a quick confirmation; an attacker is counting on you not making the call.
Step 2
Scrutinize the sender's address and the domain
BEC emails frequently come from addresses that look right at a glance but are not.
- Check the full email address, not just the display name. Make sure your mail program is set to show full addresses so a friendly name cannot hide the real sender.
- Watch for lookalike domains, such as a swapped or added letter, a ".co" instead of ".com", or a hyphenated version of a name you know.
- Be suspicious of "reply-to" mismatches, where the reply quietly goes to a different address than the one that appears to have sent the message.
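The three checks in Step 2 can be automated for the finance inbox. The script below is an added example and is not code from the original guide or from Veldtech; it assumes a small, constructed address book of trusted vendor domains and known contact names, and it approximates the "registrable" domain as the last two labels (so it does not handle suffixes like co.uk). It parses a raw message, compares the friendly display name against the real address, looks for lookalike domains (a swapped or added letter, a different top-level domain, a hyphenated variant), and reports any Reply-To address that points somewhere other than the apparent sender.

```python
"""Flag the sender-address red flags described in Step 2.

Added example, not from the original page. The address book below is
constructed; replace it with the vendors and contacts your business
actually pays.
"""
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed address book: domains and people the business already knows.
TRUSTED_DOMAINS = {"acmesupply.com", "northvalleytitle.com"}
KNOWN_CONTACTS = {"dana reyes": "acmesupply.com"}  # display name -> expected domain


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def registrable(domain: str) -> str:
    """Approximate the registrable domain as the last two labels.
    Assumption: no multi-part public suffixes (co.uk) in the address book."""
    return ".".join(domain.split(".")[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: minimum single-character edits to turn a into b.
    A swapped letter costs 2, an added or changed letter costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str):
    """Return the trusted domain that `domain` imitates, or None if it is
    either trusted itself or not close to anything we know."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    name, _, tld = domain.rpartition(".")
    for trusted in TRUSTED_DOMAINS:
        t_name, _, t_tld = trusted.rpartition(".")
        if name == t_name and tld != t_tld:      # acmesupply.co instead of .com
            return trusted
        if name.replace("-", "") == t_name:      # acme-supply.com
            return trusted
        # One or two characters changed, added or swapped (acmesupp1y.com)
        if len(name) >= 6 and edit_distance(name, t_name) <= 2:
            return trusted
    return None


def red_flags(raw_message: str) -> list:
    """Return human-readable red flags found in the message's From/Reply-To."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = registrable(domain_of(from_addr))
    flags = []

    # 1. Friendly name of a known contact, but the address is on another domain.
    expected = KNOWN_CONTACTS.get(display.strip().lower())
    if expected and from_domain != expected:
        flags.append(f"display name '{display}' but sender domain {from_domain} is not {expected}")

    # 2. Sender domain imitates a domain we trust.
    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"lookalike sender domain {from_domain} resembles {imitated}")

    # 3. Replies quietly go somewhere other than the apparent sender.
    for _, reply_addr in getaddresses(msg.get_all("Reply-To", [])):
        reply_domain = registrable(domain_of(reply_addr))
        if reply_domain and reply_domain != from_domain:
            flags.append(f"Reply-To {reply_addr} differs from sender domain {from_domain}")
        imitated = lookalike_of(reply_domain)
        if imitated:
            flags.append(f"lookalike Reply-To domain {reply_domain} resembles {imitated}")
    return flags


# Constructed sample messages: one genuine, one with every red flag at once.
LEGIT = """From: Dana Reyes <dana.reyes@acmesupply.com>
To: ap@smallbiz.example
Subject: Invoice 4471

Attached as usual.
"""

SUSPICIOUS = """From: Dana Reyes <dana.reyes@acme-supply.com>
Reply-To: accounts@acmesupp1y.co
To: ap@smallbiz.example
Subject: URGENT: updated remittance details for invoice 4471

Please use the new account on the attached invoice and keep this confidential.
"""

if __name__ == "__main__":
    for label, raw in (("legit", LEGIT), ("suspicious", SUSPICIOUS)):
        print(label, red_flags(raw) or "no red flags")
```

A flagged message is not proof of fraud; it is the cue to do Step 1 and call the contact on a number you already have. The edit-distance threshold of two, with a minimum name length of six, keeps short unrelated domains from matching while still catching single-letter swaps and insertions.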
Step 3
Turn on multi-factor authentication for every email account
Many BEC attacks begin with a stolen email password. Multi-factor authentication (MFA) requires a second proof of identity at login, so a stolen password alone is not enough to break into the mailbox.
- Enable MFA on all business email accounts, especially for owners, finance staff, and anyone who can authorize payments.
- Prefer an authenticator app or a passkey over text-message codes where possible, since SMS codes can be intercepted.
- Extend MFA to other critical systems, including banking, payroll, and accounting platforms.
Step 4
Put controls around payments and vendor changes
Process beats good intentions. Building a few simple controls into how money moves removes the pressure that BEC depends on.
- Require dual approval for wires and for any change to vendor or payroll banking details.
- Set a verification policy in writing so staff know that an out-of-band callback is mandatory, not optional, and never a sign of distrust.
- Be wary of urgency and secrecy. "Do this now and do not tell anyone" is a hallmark of BEC, not of legitimate business.
Step 5
Layer email security and train your team
Microsoft 365's built-in filtering stops the obvious threats, but the targeted impersonation and BEC messages that cause the most damage routinely slip past it. A dedicated email security layer and ongoing awareness training are what catch the rest.
- Add advanced email security that uses AI and threat intelligence to detect impersonation and BEC attempts that standard filters miss.
- Train staff to recognize the patterns, especially finance and front-office employees, and make reporting a suspicious email easy and blame-free.
- Practice. Brief, regular reminders keep verification habits sharp long after a one-time training session fades.
What to do if you are a victim
If you discover that a payment has gone to a fraudulent account, speed matters more than anything else. Recovery is sometimes possible, but only if you act within hours.
- Contact your financial institution immediately and ask them to recall the transfer and to contact the receiving bank to freeze the funds.
- Report it to the FBI by filing a complaint at ic3.gov, the Internet Crime Complaint Center, regardless of the dollar amount lost. The IC3 Recovery Asset Team can work with banks to attempt to claw back domestic wires.
- Preserve the evidence. Keep the original emails, headers, invoices, and wire confirmations; do not delete anything.
- Secure the affected accounts. Reset passwords, review mailbox forwarding rules, and check for unauthorized access. See our guide on what to do if your account is hacked.
- Tell the people who need to know, including affected vendors or clients, your insurer, and your IT or security partner.
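Reviewing mailbox forwarding rules, as the list above advises, is where a compromise often shows itself: attackers add rules that forward mail outside the company, or that move or delete anything mentioning invoices and wires so the real owner never sees the replies. The script below is an added example, not from the original guide or from Veldtech. The rule records are a constructed, simplified shape (name, subject keywords, destination folder, forward addresses, delete flag); a real export from Microsoft 365 or Google Workspace has its own field names and would need to be mapped into this shape first.

```python
"""Triage a mailbox's inbox rules after a suspected compromise.

Added example, not from the original page. OUR_DOMAIN, the rule records and
the folder list are constructed; adjust them to your environment.
"""

OUR_DOMAIN = "smallbiz.example"  # constructed: the business's own mail domain

# Subject words attackers commonly target when hiding mail about money.
MONEY_WORDS = ("invoice", "wire", "payment", "remittance", "bank", "ach")

# Folders the owner rarely opens, so a rule moving mail there effectively hides it.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}

# Constructed sample export of one user's inbox rules.
RULES = [
    {"name": "Newsletters", "subject_contains": ["newsletter"],
     "move_to": "Reading", "forward_to": [], "delete": False},
    {"name": ".", "subject_contains": ["invoice", "wire"],
     "move_to": "RSS Feeds", "forward_to": [], "delete": False},
    {"name": "Backup", "subject_contains": [],
     "move_to": None, "forward_to": ["archive.mailbox@gmail.example"], "delete": False},
    {"name": "Cleanup", "subject_contains": ["payment"],
     "move_to": None, "forward_to": [], "delete": True},
]


def suspicious_rules(rules, our_domain=OUR_DOMAIN):
    """Return (rule name, [reasons]) for every rule that matches a BEC pattern."""
    findings = []
    for rule in rules:
        reasons = []

        # Forwarding to any address outside the company's own domain.
        external = [a for a in rule["forward_to"]
                    if not a.lower().endswith("@" + our_domain)]
        if external:
            reasons.append("forwards to external address(es): " + ", ".join(external))

        # Deleting, or moving to a rarely-read folder, mail that mentions money.
        hides = rule["delete"] or (rule["move_to"] or "").lower() in HIDING_FOLDERS
        money = [w for w in rule["subject_contains"] if w.lower() in MONEY_WORDS]
        if hides and money:
            reasons.append("hides messages mentioning: " + ", ".join(money))

        # Attackers often name rules with a single dot or nothing at all.
        if not rule["name"].strip(". "):
            reasons.append("blank or punctuation-only rule name")

        if reasons:
            findings.append((rule["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_rules(RULES):
        print(f"rule {name!r}:")
        for reason in reasons:
            print("  -", reason)
```

Run this against every mailbox that could authorize or receive payment mail, not only the one you know was hit, and remove flagged rules only after the evidence (the rule export itself) has been preserved.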
Common questions
What is the difference between business email compromise and phishing?
Phishing is a broad term for any deceptive email that tries to steal credentials or deliver malware, usually sent in bulk. Business email compromise is a targeted form of social engineering aimed specifically at getting a business to send money or sensitive data, often by impersonating a trusted executive, vendor, or partner. BEC frequently has no malicious link or attachment at all, which is part of why it slips past traditional filters.
Why doesn't my antivirus or spam filter stop BEC?
Most BEC messages contain no malware and no obvious malicious link, so there is nothing for antivirus to detect. They are plain, well-written emails that simply ask for a payment or a change of bank details. Stopping them takes a combination of advanced email security that recognizes impersonation patterns, MFA on email accounts, and human verification habits for any money request.
How do I report a BEC scam to the FBI?
File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov, regardless of how much money was involved. If money was sent, also call your bank immediately and ask them to recall the transfer and contact the receiving bank. Acting within the first 24 to 48 hours gives the best chance of recovering funds.
Are small businesses really targets for BEC?
Yes. Small businesses are frequent targets precisely because they often lack dedicated finance controls and advanced email security, yet still move meaningful sums by wire and ACH. A single fraudulent wire can be devastating for a small company, and attackers know it. The defenses in this guide are affordable and effective at small-business scale.
Worried your business is exposed to email fraud?
Veldtech layers AI-powered email security on top of Microsoft 365 to catch the impersonation and BEC attempts that standard filtering misses, and we help you build the verification habits that stop wire fraud. We work with small businesses in Sacramento, Citrus Heights, and across Northern California.
Contact Veldtech