
What is Business Email Compromise (BEC)?

Your "CEO" emails asking you to urgently transfer funds. It looks real. It sounds urgent. But it's a scam that's cost businesses $55 billion over the past decade. Here's how it works and how to protect your business.

Key Takeaways

  • $55.5 billion lost globally to BEC scams over the past decade
  • $120,000 average loss per BEC incident
  • 83% of funds are unrecoverable once transferred
  • 28% of victims are small businesses - often lacking security processes
  • Prevention is key: Verify payment requests via phone before transferring

The True Cost of BEC

  • $55.5B lost globally (past decade)
  • $120K average loss per incident
  • 83% of funds unrecoverable

Source: FBI Internet Crime Complaint Center (IC3)

How BEC Scams Work

BEC scams are sophisticated social engineering attacks. Unlike mass phishing emails with obvious grammar mistakes, BEC attacks are targeted, researched, and often highly convincing.

Here's a typical scenario:

A Typical BEC Attack

1. Research: Scammer researches your company on LinkedIn, learns names of executives, identifies who handles finances

2. Setup: Creates a lookalike email domain (ceo@company-group.com instead of ceo@company.com)

3. Attack: Sends urgent email to accounts payable, impersonating the CEO

4. Result: Employee transfers $120,000 to the scammer's account

The 5 Main Types of BEC

1. CEO Fraud

Scammer impersonates the CEO or another executive, emailing finance staff to urgently wire funds for a "confidential deal" or "time-sensitive acquisition."

2. Vendor/Invoice Fraud

Scammer impersonates a vendor you regularly pay, claiming their bank details have changed. You update the payment info and send money to the scammer.

3. Account Compromise

An employee's actual email account is hacked. The scammer uses it to request payments from vendors or redirect incoming payments.

4. Attorney Impersonation

Scammer poses as a lawyer handling confidential matters and creates urgency around settlements or transactions that supposedly require immediate payment.

5. Data Theft

Instead of money, the scammer impersonates HR or a manager to request W-2s, employee data, or customer information, which is then used for identity theft.

Why Small Businesses Are Targeted

28% of BEC victims are small businesses. Scammers know that smaller companies often lack the security infrastructure and formal processes of larger corporations.

Why SMBs Are Vulnerable:

  • Fewer approval steps - One person might handle all finances
  • Direct access to leadership - Staff more likely to comply with "CEO" requests
  • Limited security awareness training - No formal education on threats
  • No email authentication - Missing SPF, DKIM, DMARC protection
  • Trust-based culture - Less formal verification processes

Real Example: The $120,000 Mistake

"Sarah, the office manager at a 15-person accounting firm, received an email from her boss asking her to wire $120,000 to a new client. The email came from 'john@smithcpa.co' - her boss's usual email was 'john@smithcpa.com.au'. In the rush of end-of-month, she didn't notice the difference. The money was gone in minutes and never recovered."

This scenario happens thousands of times each year. The difference of two letters cost this firm six figures.

How to Protect Your Business

BEC Prevention Checklist

Process Controls

  • Dual-approval for payments over a threshold (e.g., $5,000)
  • Verbal verification for any payment or bank detail changes
  • Documented vendor payment procedures with verification steps

Technical Controls

  • Enable SPF, DKIM, and DMARC on your domain
  • Enable two-factor authentication on all email accounts
  • Use email security tools that flag external or lookalike domains
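As an added illustration of the lookalike-domain and email-authentication checks above (example code, not TrustNope's own tooling), the snippet below screens an incoming sender address against a constructed list of trusted domains and constructed DMARC records; the trusted domains, the DMARC records and the 0.8 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed: domains this business legitimately deals with (assumption).
TRUSTED_DOMAINS = {"company.com", "smithcpa.com.au"}

# Constructed DMARC TXT records keyed by domain, standing in for a live DNS lookup.
DMARC_RECORDS = {
    "company.com": "v=DMARC1; p=reject; rua=mailto:dmarc@company.com",
    "smithcpa.com.au": "v=DMARC1; p=none",
}

def sender_domain(address):
    """Return the lowercased domain part of an email address."""
    return address.rsplit("@", 1)[-1].strip().lower()

def registrable_label(domain):
    """Strip the suffix so 'smithcpa.co' and 'smithcpa.com.au' both give 'smithcpa'.
    Simplified: a real tool would consult the Public Suffix List."""
    labels = domain.split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in ("com", "co", "net", "org"):
        return ".".join(labels[:-2])   # country-code second-level suffix (com.au, co.uk)
    return ".".join(labels[:-1])

def dmarc_policy(domain):
    """Classify the domain's DMARC policy as none/quarantine/reject, or 'missing'."""
    record = DMARC_RECORDS.get(domain, "")
    if not record.startswith("v=DMARC1"):
        return "missing"
    m = re.search(r"\bp=(none|quarantine|reject)", record)
    return m.group(1) if m else "missing"

def assess_sender(address):
    """Return a list of findings for a sender address; an empty list means no red flags."""
    domain = sender_domain(address)
    findings = []
    if domain in TRUSTED_DOMAINS:
        # Genuine domain: the remaining risk is spoofing if DMARC is weak or absent.
        policy = dmarc_policy(domain)
        if policy != "reject":
            findings.append(f"{domain} is trusted but its DMARC policy is '{policy}', so spoofed mail may still arrive")
        return findings
    name = registrable_label(domain)
    for trusted in TRUSTED_DOMAINS:
        tname = registrable_label(trusted)
        # Flag swapped suffixes (smithcpa.co), added words (company-group) and near-misses.
        if name == tname or tname in name or SequenceMatcher(None, name, tname).ratio() >= 0.8:
            findings.append(f"{domain} looks like trusted domain {trusted}; verify by phone")
    if not findings:
        findings.append(f"{domain} is not a known vendor or internal domain")
    return findings
```

The two lookalikes from this article (company-group.com and smithcpa.co) are both flagged, while the genuine smithcpa.com.au is flagged only because its DMARC policy is p=none.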

Training

  • Regular awareness training for all staff who handle money
  • Simulated phishing tests to identify vulnerabilities
  • Create a culture where questioning requests is encouraged

What to Do If You're Hit

Act Immediately:

  1. Contact your bank immediately - You may have hours to recall the wire
  2. Report to authorities - FBI IC3 (US), Scamwatch (AU), Action Fraud (UK)
  3. Preserve evidence - Keep all emails, don't delete anything
  4. Notify affected parties - Clients, vendors, staff as appropriate
  5. Review and improve - How did this happen? What controls failed?

How TrustNope Helps

TrustNope helps you verify sender domains before trusting emails. When you receive a suspicious email:

  • Check the sender's domain - Is it the real company domain or a lookalike?
  • Verify email authentication - Does the domain have SPF/DKIM/DMARC?
  • Check domain age - Was this domain just registered to scam you?
  • Lookalike detection - We flag domains that look suspiciously similar to major brands

A 30-second check before processing a payment request could save your business $120,000.

Suspicious Email? Check the Domain First.

Before you wire money or change payment details, verify the sender with TrustNope.
