Email Protection

What Is BEC (Business Email Compromise)?

Business email compromise is the largest single category of cybercrime loss. Here is what it is, how it works, and why filters cannot reliably catch it.

Business email compromise is the email scam that has cost American businesses billions of dollars over the last decade and continues to dominate cybercrime loss statistics in 2026. Unlike most categories of cybercrime, BEC does not depend on technical exploits, malware, or credential theft. It depends on convincing a human recipient to take a financial action based on an email that appears to come from someone they trust.

This post is the structural definition of BEC, how it differs from other phishing categories, and why the defenses that work are different from the ones most organizations have already deployed.

The Definition

Business email compromise is a category of email-based fraud where attackers impersonate trusted business contacts (executives, vendors, employees, partners) to convince a recipient to take a high-value action that benefits the attacker. The action is most often a wire transfer, but BEC also includes payroll redirection, vendor banking changes, gift card purchases, and W-2 form harvesting.

The defining structural property: BEC operates on impersonation, not on technical exploitation. The mechanism is social engineering, executed through email, with the email itself being the only “weapon” in the attack. There is no malware, no suspicious link, no credential theft step. The attack succeeds when the recipient takes the action the email requests.

The FBI’s Internet Crime Complaint Center has tracked BEC losses since 2013. In 2023, the IC3 reported $2.9 billion in BEC losses across approximately 21,000 reported incidents, an average of around $137,000 per reported incident. The actual loss volume is larger because many incidents go unreported.

The Five Standard Variants

BEC is an umbrella category. The FBI tracks several specific variants.

Variant one: CEO fraud. The attacker impersonates a senior executive (CEO, CFO, founder) and asks a finance employee to handle an urgent wire transfer or send sensitive data. The pretext relies on the recipient’s deference to leadership and the urgency typical of executive requests. We covered this variant in CEO fraud: how one email can cost a company $125,000.

Variant two: vendor email compromise. The attacker either compromises a real vendor’s email account or impersonates the vendor through a lookalike domain. The pretext is a banking update for invoice payments. The recipient updates the vendor’s banking details in their AP system, and the next legitimate invoice payment routes to the attacker.

Variant three: payroll redirection. The attacker impersonates an employee and asks HR or finance to update the employee’s direct deposit details. The new account is the attacker’s. The original employee notices when the next paycheck does not arrive, by which point one or two pay cycles have already been redirected.

Variant four: attorney impersonation. Common in real estate and M&A contexts. The attacker impersonates an attorney involved in a transaction and provides “updated” wire instructions for the closing or settlement. The wire transfer for what would have been an earnest money deposit, down payment, or settlement amount goes to the attacker.

Variant five: data theft (W-2 harvesting and similar). The attacker impersonates an executive and asks HR to send all employee W-2 forms or other sensitive payroll data. The data is used for identity theft, tax fraud, or sold on criminal markets.

The five variants share the same underlying mechanism (impersonation of a trusted party requesting a high-stakes action) but target different decision-makers within an organization.

Why BEC Works on Otherwise Careful Organizations

The naive analysis assumes BEC victims are careless or untrained. The realistic analysis is that BEC targets the moments where careful organizations are most likely to fail.

Reconnaissance is detailed. The attacker spends weeks studying the target before launching the attack. Public information from LinkedIn, press releases, conference appearances, and social media reveals organizational structure, leadership names, vendor relationships, and recent business activity. The attacker knows enough to construct a convincing pretext that uses real names, real relationships, and real business context.

Personalization defeats pattern recognition. Generic phishing has obvious tells (templated language, wrong company name, generic pretext). BEC has none of these. The email mentions the actual current project, the actual vendor name, the actual transaction in progress. The recipient’s pattern recognition for “phishing” does not fire because the email does not match the patterns they were trained to recognize.

Urgency degrades verification. Even employees who have a wire transfer verification protocol sometimes skip it under time pressure. The BEC email is engineered to create exactly that pressure: the executive is in a meeting, the closing is today, the vendor needs the change by end of business. The urgency is the design feature.

Authentication can pass. When the attacker has compromised a real account or registered a clean lookalike domain with proper SPF, DKIM, and DMARC, the email passes technical authentication. The receiving server delivers it. The user’s filter does not flag it. The standard “check the sender domain” defense returns a green light.

The combination produces an attack that looks like legitimate business correspondence to every filter and most readers, until the moment of action when the recipient executes the request.

Why Filters Cannot Reliably Catch BEC

Native spam filters depend on pattern recognition. BEC produces no patterns: each attack is a single email or short sequence to one target, with custom pretext, custom personalization, and (often) custom sender infrastructure.

Enterprise email security tools (Defender for Office 365, Proofpoint, Mimecast) have BEC-specific detection capabilities, but the detection rate against well-crafted attacks is materially lower than against mass phishing. Industry reports consistently show enterprise tools catching some BEC attempts, particularly the formulaic ones, while missing the targeted attempts that look most like legitimate mail.

The structural problem: a content filter would have to flag any unsolicited financial-action email as suspicious. But legitimate businesses also send unsolicited financial-action emails (real vendor banking updates, real CEO requests, real executive assistant coordination). Flagging all of them produces unacceptable false-positive rates that disrupt normal business. Not flagging them produces the BEC pass-through rate the filters currently exhibit.

This is the same arms race that affects all content-based filtering, with the additional difficulty that BEC attacks are deliberately calibrated to look like legitimate mail.

What Actually Stops BEC

The defenses that work share a common property: they remove the dependence on the recipient’s in-the-moment recognition of the attack. The decision is made in advance, encoded in protocol, and applied regardless of how convincing the email looks.

Written verification protocol on financial actions. Any wire transfer, banking change, or sensitive data request initiated by email is verified by phone using a known number before action. The protocol applies to every employee including the CEO. The protocol works because it does not depend on detecting the attack.

Dual approval on threshold transactions. Any transaction above a defined threshold requires two-person sign-off. The two-person rule means BEC would have to compromise two employees simultaneously, which is materially harder than compromising one.

Hardware-key MFA on executive and finance accounts. This eliminates the credential-theft path that produces the highest-quality BEC (where the attacker has actually compromised the impersonated executive’s email account). Without account compromise, the attack falls back to lookalike domains or display-name spoofing, which are technically detectable.

Phishing awareness training for finance teams. Realistic expectations: training cuts success rates roughly in half. The other half still acts on convincing fraud, which is why the protocol-based defenses matter more.

Structural inbox filtering. A small cover charge on unknown senders changes the cost structure of reaching the inbox. Mass-volume BEC campaigns (where the attacker impersonates the CEO of dozens of companies in parallel using automation) depend on free reach to be profitable. Once each finance employee’s inbox costs four cents to reach, the mass version of BEC becomes uneconomic. Targeted attacks on single high-value targets are still possible, but the email arrives with a PAID label attached. Established colleagues, vendors, and executives are on the recipient’s guest list and would not pay a cover charge to reach them; a paid email claiming to be from one of them is a visible red flag at the inbox layer.

We covered the small business defense in business email compromise survival guide for small businesses and the structural-filtering layer in why we don’t use AI to fight AI phishing.

Cyber Insurance and Recovery

Cyber insurance with explicit BEC coverage is a meaningful component of the defense stack. Standard cyber liability policies often have BEC sub-limits. A 30-minute conversation with the broker to confirm coverage, required controls, and sub-limit is worth the time. BEC is the most common cybercrime claim category, so most insurers have specific provisions.

Recovery, when BEC succeeds, depends on speed. The FBI’s IC3 reports significantly higher recovery rates for incidents reported within 24 hours, falling sharply afterward. The IC3 Recovery Asset Team has had real successes coordinating with receiving banks to reverse wire transfers in the first day after discovery.

The action sequence on discovery: call the receiving bank, file an IC3 complaint, notify your bank’s fraud team, notify the insurance carrier, and contact local law enforcement. Speed matters more than completeness. A partial report in the first hour beats a complete report in the first week.

The Bottom Line

BEC is the largest single category of cybercrime loss in the United States and is structurally different from most other email-based attacks. It does not rely on technical exploits or credential theft. It relies on convincing a human to take an action based on an email that appears to come from a trusted source.

The defenses that work are layered: written verification protocols, dual approval, hardware-key MFA, training, structural filtering, and cyber insurance. The combination produces a defense that does not depend on any single layer catching the attack. The total cost is small at small business scale, far smaller than the cost of a single successful incident.

Rythm handles the structural-filtering layer for Gmail and Outlook at $1.65 per inbox per month. The cover charge collapses mass-volume BEC economics, which is the layer content filters cannot operate on. Combined with the protocol-based defenses, it produces a defense framework that has caught the attack at the layer the recipient cannot reliably catch in the moment.
