Business Email Compromise Survival Guide for Small Businesses

BEC attacks cost small businesses an average of $125,000 per incident. Here is a realistic survival guide for teams without IT departments.

Business email compromise is the largest category of cybercrime loss in the United States. The FBI’s Internet Crime Complaint Center reported $2.9 billion in BEC losses in 2023, more than ransomware, identity theft, or any other single category. The average loss per successful incident is around $125,000. For a small business, a single successful BEC attack is often the difference between staying open and not.

The honest truth is that most small business email security guides assume an IT department, a security team, or a budget for enterprise tools. This guide is for the small business that has none of those: a realistic survival plan built on the resources you actually have.

Why Small Businesses Are Disproportionately Hit

BEC attackers do not pick victims randomly. They optimize. The pattern of who gets hit and why is consistent.

Small businesses move significant money with limited controls. A construction firm pays subcontractors. A real estate company processes earnest money and closing wires. A small medical practice handles patient billing and insurance reimbursements. The dollar amounts are large enough to be worth attacking, and the controls around the dollar amounts are usually one or two people authorized to approve transfers.

The owner is often the bottleneck. In small businesses, the founder or owner usually has the authority to approve any transaction. Compromising the owner’s email account, or convincingly impersonating them, gives the attacker direct access to the financial decision-making layer.

No security team to verify. Enterprise targets have a security operations center watching for unusual patterns. A 12-person company has the founder, who is also doing sales and operations. There is no one whose job is to notice that the wire instructions in this email do not match the wire instructions on file.

Email is the primary coordination channel. Small businesses run on email. Vendor invoices, client communications, internal coordination, contractor agreements all happen there. When an attack uses email as the entry point, it lands in the channel where business decisions are made.

The attackers know all of this. They build their campaigns around it. The result is the disproportionate concentration of BEC losses on small and medium businesses, which the FBI’s data has shown consistently year over year.

The Three BEC Patterns That Matter Most

Most BEC volume falls into a small number of patterns. Recognizing their shapes is the first half of the defense.

Pattern one: vendor wire-update. A vendor you actually work with sends an email asking to update their banking details for the next invoice payment. The email comes from the vendor’s real domain (or a near-match), the request is plausible, and the new account is the attacker’s. The attack often follows a real vendor account compromise, so the email genuinely came from the vendor’s address.

Pattern two: CEO impersonation. An email arrives from what appears to be the founder or CEO, asking finance or operations to handle an urgent wire transfer for a vendor or partner. The urgency is real-feeling, the recipient is someone who reports to the founder, and the routing details are sent in a follow-up. The attack often uses a lookalike domain or a compromised CEO account.

Pattern three: payroll redirection. An email from a person impersonating an employee asks HR or finance to update direct deposit details for the employee’s paycheck. The new account is the attacker’s. The original employee notices when the next paycheck does not arrive, by which point at least one cycle of pay has been redirected.

All three patterns share the same underlying mechanism: an email request to move money or change financial routing, sent from a sender that is technically valid (real or near-real domain) and contextually plausible (uses real names, references real relationships).

Spam filters cannot reliably catch these by design. The emails are clean. There is no malware, no suspicious link, no obvious red flag a content classifier could score against. The detection burden falls on the human reader and on whatever verification protocols the business has running.

The Survival Plan

A small business with no IT team can implement a meaningful BEC defense in a weekend. The honest plan, in order of priority:

Step one: enable hardware-key MFA on every email account. Every employee with email access should have a YubiKey or equivalent and have it enrolled as the second factor on Gmail or Microsoft 365. App-based MFA is acceptable as a fallback. SMS-based MFA is the lowest tier and is increasingly defeatable through SIM-swap attacks.

This single step eliminates most account takeover attacks. An attacker who phishes a password without the hardware key cannot log in. Account compromise is the entry point for many BEC attacks (especially the vendor pattern), so MFA is the highest-impact single action.

Step two: write a wire transfer verification protocol. A one-page document that says: any wire transfer initiated by email must be confirmed by phone using a number from your records (not the number in the email) before it is processed. The phone confirmation has to be voice-to-voice; voicemail is not acceptable.

The protocol is short, the rule is hard, and it has to apply to everyone in the company including the founder. The whole point is that the founder can be inconvenienced, because attacker-initiated requests are designed to look like legitimate-but-urgent founder requests.
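As an added example (not the article's code, nor any product's), here is the vendor-of-record check that the three patterns call for, combined with the callback rule from step two, in Python. The vendor records, phone numbers and message bodies are constructed sample data; `classify_sender`, `evaluate_request` and the lookalike rule (homoglyph normalization plus an edit distance of at most two) are my assumptions about how a small business might script this, not anything the article specifies. Payroll redirection is handled the same way with an employee record in place of a vendor record.

```python
"""Vendor-of-record and callback checks for payment-change requests.

Added illustration; every record and message below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed vendor-of-record file: the only trusted source for a vendor's
# domain, bank account and phone number. Never update it from an email.
VENDORS = {
    "acme-supply.com": {"name": "Acme Supply", "account": "US12-3456", "phone": "+1-555-0100"},
    "northwind-roofing.com": {"name": "Northwind Roofing", "account": "US98-7654", "phone": "+1-555-0199"},
}

MONEY_WORDS = re.compile(r"\b(bank|account|routing|wire|direct deposit|ach)\b", re.I)
CHANGE_WORDS = re.compile(r"\b(update|updated|change|changed|new)\b", re.I)
PHONE = re.compile(r"\+?\d[\d\-\s().]{6,}\d")


def normalize_domain(domain: str) -> str:
    """Fold common lookalike substitutions so near-match domains compare equal."""
    d = domain.lower().strip()
    for lookalike, plain in (("0", "o"), ("1", "l"), ("rn", "m"), ("vv", "w"), ("-", "")):
        d = d.replace(lookalike, plain)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough for a vendor list of a few hundred domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(domain: str):
    """Return ('known', vendor), ('lookalike', vendor) or ('unknown', None)."""
    raw = domain.lower().strip()
    if raw in VENDORS:
        return "known", raw
    norm = normalize_domain(raw)
    for known in VENDORS:
        known_norm = normalize_domain(known)
        if norm == known_norm or levenshtein(norm, known_norm) <= 2:
            return "lookalike", known
    return "unknown", None


def is_routing_change(text: str) -> bool:
    """True when the message talks about changing where money goes."""
    return bool(MONEY_WORDS.search(text) and CHANGE_WORDS.search(text))


def numbers_offered_in_email(body: str, record: dict) -> list:
    """Phone numbers the email itself supplies that are not the number on file."""
    return sorted({p.strip() for p in PHONE.findall(body)} - {record["phone"]})


@dataclass
class Confirmation:
    number_dialed: str  # the number the clerk actually called
    method: str         # "voice" or "voicemail"


def evaluate_request(sender_domain: str, body: str, requested_account: str,
                     confirmation: Confirmation = None):
    """Apply the vendor-of-record and callback rules; return (decision, reason)."""
    status, vendor = classify_sender(sender_domain)
    if status == "lookalike":
        return "BLOCK", f"sender {sender_domain} is a lookalike of vendor domain {vendor}"
    if status == "unknown":
        if is_routing_change(body):
            return "HOLD", "routing change requested by a sender with no vendor record"
        return "ALLOW", "no payment-routing change requested; ordinary review applies"
    record = VENDORS[vendor]
    if requested_account == record["account"]:
        return "ALLOW", f"account matches the record on file for {record['name']}"
    # A different account for a known vendor: only a voice callback to the
    # number on file (never a number taken from the email) clears it.
    if confirmation is None:
        reason = f"call {record['phone']} (number on file) before processing"
        offered = numbers_offered_in_email(body, record)
        if offered:
            reason += f"; ignore number(s) offered in the email: {', '.join(offered)}"
        return "HOLD", reason
    if confirmation.method != "voice":
        return "HOLD", "voicemail does not satisfy the protocol; voice-to-voice is required"
    if confirmation.number_dialed != record["phone"]:
        return "HOLD", "callback went to a number that is not on file"
    return "ALLOW", "new account confirmed by voice callback to the number on file"


if __name__ == "__main__":
    # Constructed sample: a real vendor domain asking to change banking details.
    body = "Our bank account changed; please update to US00-0000 and call +1-555-0142 with questions."
    print(evaluate_request("acme-supply.com", body, "US00-0000"))
    print(evaluate_request("acme-supp1y.com", body, "US00-0000"))
    print(evaluate_request("acme-supply.com", body, "US00-0000", Confirmation("+1-555-0100", "voice")))
```

The decision table is deliberately conservative: a lookalike domain is blocked outright, an unknown sender asking to change routing is held, and a known vendor asking for a new account is held until someone has spoken, voice-to-voice, with the number already on file. The number offered in the email is surfaced only so the clerk knows not to dial it.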

Step three: train the few employees who matter most. Not everyone needs phishing awareness training. The people who matter are the ones who handle wire transfers, payroll, vendor payments, and procurement. A 30-minute session, repeated quarterly, that walks through the three BEC patterns and the verification protocol is enough. KnowBe4, Hoxhunt, and Proofpoint Security Awareness all sell to small businesses at reasonable per-seat pricing.

Step four: add structural inbox filtering. This is the layer most small business guides miss because the product category is recent. A small cover charge on unknown senders changes the cost structure of reaching the inbox, which collapses the mass version of vendor impersonation and payroll redirection attacks. The targeted attacker can still pay the cover charge, but the email arrives with a PAID label attached. If the email claims to be from your CEO, your existing vendor, or your bank (anyone the recipient already knows and corresponds with), they would be on the guest list and would not pay a cover charge. A paid email claiming to be a familiar party is itself a visible red flag. Rythm at $1.65 per month per inbox handles this layer for small businesses without an IT team. We covered the structural-vs-content distinction in why we don’t use AI to fight AI phishing.

Step five: review your cyber insurance policy. Many small businesses have general business insurance that excludes BEC or has a sub-limit you have not noticed. A 30-minute call with your broker to confirm what is covered, what is excluded, and what controls the policy requires you to maintain is worth the time. If you do not have cyber insurance, $1,500 to $5,000 per year for a small business policy is standard, and BEC is the most common claim category.

Step six: report immediately if it happens. The FBI’s IC3 reports significantly higher recovery rates when victims report within the first day. The local FBI field office, the receiving bank, and your own bank should all be notified within hours of discovery. The wire transfer recall window is short, and recovery rates fall sharply after the first 72 hours.

What Insurance and Banks Cannot Recover

Some BEC losses are not recoverable. Once funds have been transferred to an account in a non-cooperative jurisdiction, withdrawn in cash, or moved through a money-mule network, the recovery path is essentially closed. The FBI’s recovery program (the Recovery Asset Team) has had real successes, particularly within the first 24 hours, but the realistic expectation for delayed reports is partial recovery at best.

The implication: defense in depth is cheaper than recovery. Every layer above (MFA, verification protocol, training, structural filter, insurance review) is much cheaper than even a partial BEC loss. A 12-person company spending $200 per month on the entire defense stack is paying less than the deductible on most cyber insurance policies. The math is heavily in favor of running the layers.

What Small Business Owners Get Wrong

A few common mistakes worth naming.

“It will not happen to us.” It will. Small businesses are over-represented in BEC loss data, and the targeting is driven by the things that make small businesses vulnerable, not by attacker preference for one type of company. Every small business handling wire transfers is a target.

“We have a small team and we trust each other.” The trust is being weaponized by the attackers. The patterns above (vendor update, CEO impersonation, payroll redirection) all rely on existing trust within the team. The defense is verification protocols that apply regardless of who initiated the request.

“Spam filters will catch this.” They will catch the obvious mass attacks. They cannot reliably catch the targeted versions, by design. BEC attacks are content-clean by construction, and content-clean is what spam filters were trained to let through.

“Cyber insurance will cover it.” Sometimes, if your policy covers BEC and you followed the required controls. Many small businesses discover at claim time that their policy excludes BEC or has a $50,000 sub-limit that does not begin to cover the loss. Read the policy now.

The Honest Bottom Line

Business email compromise is a real and large risk for small businesses. The defense is layered, low-cost, and largely a matter of process discipline rather than technology spending. The structural inbox filter is the newest layer and the most overlooked. The remaining layers (MFA, verification, training, insurance) have been standard advice for a decade and are still under-implemented at most small businesses.

For the broader phishing-defense version of this stack, see how to defend your inbox from phishing in 2026. For the original BEC overview, see business email compromise: the $2.7 billion threat. Rythm handles the structural filtering layer for small businesses at $1.65 per month per inbox.

A weekend of work and a few hundred dollars per month is the price of meaningful BEC defense. It is also a small fraction of the cost of a single successful attack. The math is clear. The execution is the part that requires discipline.
