Business Email Compromise: The $2.7 Billion Threat Your Spam Filter Ignores
BEC attacks cost businesses $2.7 billion in 2023. They bypass every spam filter because they look exactly like real email. Here's what actually helps.
Business email compromise (BEC) is the most expensive form of cybercrime in the United States. In 2023, the FBI’s Internet Crime Complaint Center (IC3) reported $2.7 billion in BEC losses, more than ransomware, more than identity theft, more than any other category.
The average BEC attack costs $125,000. For a small business or startup, that’s often fatal.
And here’s the part that should worry you: BEC attacks bypass spam filters by design. They don’t contain malware. They don’t have suspicious links. They look exactly like a normal email from someone you trust. As we detailed in 5 types of phishing emails that fool Gmail, the most dangerous messages are the ones that look completely normal.
How BEC Works
A BEC attack isn’t spam. It’s impersonation.
Step 1: Research. The attacker studies your company. LinkedIn profiles, organizational charts, press releases, social media. They learn who reports to whom, who handles finances, who has authority to approve payments.
Step 2: Impersonation. They create an email that appears to come from a trusted source: your CEO, your accountant, a vendor, a client. The sender address might be spoofed outright ([email protected]) or a near-match lookalike of the real one ([email protected]).
Step 3: The ask. A request that sounds reasonable: “Please wire $47,000 to this account for the vendor payment we discussed.” “Can you send me the employee W-2s?” “I need you to update our banking details.” Urgent, but not alarming. Routine, but time-sensitive.
Step 4: Execution. Someone in your company acts on the request. By the time anyone realizes it was fake, the money is gone.
Why Filters Can’t Catch It
BEC emails contain none of the signals that spam filters look for:
- No malware attachments
- No suspicious links
- No bulk sending patterns
- No known malicious domains (often sent from legitimate compromised accounts)
- Grammatically perfect (especially with AI assistance)
- Contextually accurate (references real projects, real people, real amounts)
Gmail, Outlook, Proofpoint, Mimecast: none of them can reliably catch a well-executed BEC attack because there’s nothing technically “wrong” with the email. It’s a normal message. It just happens to be from an attacker.
The AI Acceleration
BEC was already dangerous before AI. Now it’s worse.
AI tools can generate contextually perfect impersonation emails in seconds. They can mimic writing style, reference real conversations (from publicly available data), and create urgency that feels natural.
The trend is clear: AI-crafted impersonation is significantly more effective than traditional attempts, and the gap is widening every quarter.
What Actually Prevents BEC
Training (necessary but insufficient)
Phishing awareness training helps. But BEC specifically targets moments of high trust and high urgency, the situations where training is least effective. Your best employee, on their busiest day, is the most vulnerable.
Verification protocols (effective but fragile)
“Always verify wire transfer requests by phone.” Good policy. Works until someone is in a rush, or the attacker has also compromised the phone number, or the request seems too routine to double-check.
Identity-based filtering (the structural fix)
If the problem is impersonation (someone pretending to be a known contact), the structural fix is verifying the sender's identity before the message reaches you. This is the principle behind economic email filtering.
Rythm does this automatically. Your real contacts are on your guest list and pass through freely. An impersonator, no matter how convincing the email, is sending from a different address. They’re not on the guest list, so their message is held. The guest list doesn’t care what the email says or how legitimate it looks. It checks one thing: is this sender known?
This doesn’t replace training or verification protocols. It adds a structural layer that catches what the other layers miss: the messages that look legitimate from senders who aren’t.
The ROI Argument
The average BEC attack costs $125,000. Rythm starts as low as $1.65/month.
That’s a 3,787:1 ratio between the cost of the threat and the cost of an additional layer of protection.
No security measure is perfect. But a deterministic filter that separates known senders from unknown senders, and requires unknowns to verify themselves, addresses the exact mechanism BEC relies on: impersonating someone who should be trusted. If you’re a founder without an IT team, Rythm for founders explains how this applies to startups and small businesses specifically.