It doesn’t start with a virus. It doesn’t start with a suspicious attachment. It starts with an email from your CEO asking you to wire $85,000 to a new supplier account before the end of business today.
The email looks right. The name is right. The tone is right. Even the signature is right.
You send the wire. The money disappears. The real CEO has no idea what happened.
That’s business email compromise. And it’s responsible for more financial loss than ransomware, data breaches, and malware combined.
In 2025, BEC generated $3 billion in verified losses in the US alone, making it the second most financially damaging form of cybercrime recorded by the FBI. The real figure is almost certainly higher. Most incidents go unreported out of embarrassment or because organizations don’t realize they’ve been targeted until the money is long gone.
This guide covers exactly how BEC attacks work, why they succeed, what the most common variants look like, and what a real defense strategy looks like in 2026.
What Is Business Email Compromise?
Business email compromise (BEC) is a fraud in which attackers impersonate a trusted party, such as an executive, vendor, or business partner, to trick employees into transferring money or handing over sensitive data.
Unlike most cyber-attacks, the message itself carries no malicious code: no malware attachment, no infected link. There is nothing for an antivirus engine or a sandbox to detonate.
Attackers weaponize identity. A convincing email, written as if it came from someone the recipient knows and trusts, asks for a specific action: pay an invoice, change payment details, share payroll data, or hand over login credentials. That is a BEC attack.
This is why these attacks are so damaging and so hard to stop with traditional defenses. The email looks real and the request is plausible; only the sender's identity is fake, and sometimes not even that.
The term email account compromise (EAC) is used in cases where the attacker gains access to a real email account, rather than just sending an email appearing to come from that person’s account. However, both terms fit within the umbrella of BEC.
Why BEC Is So Effective
BEC attacks human nature, not technology.
Employees are conditioned to be cooperative, to defer to authority (especially senior executives), to act quickly on urgent requests, and to be helpful to vendors and clients.
BEC attacks weaponize every one of those instincts simultaneously.
A message that appears to come from the CFO, requests an urgent wire transfer, and explains that it’s confidential because it relates to an ongoing acquisition: that message triggers compliance responses that no amount of cybersecurity training fully eliminates. The urgency suppresses the verification instinct. The authority suppresses the instinct of skepticism. The confidentiality suppresses the consultation instinct.
Modern BEC attacks are also built on genuine intelligence about their targets. Attackers spend days or weeks researching the organization before sending a single message. They know the names of executives, the names of finance team members, the tone of internal communications, the names of vendors and suppliers, and the timing of regular payment cycles.
That preparation is what makes the messages convincing. They don’t look like scams because they aren’t built like generic scams. They’re built specifically for one target, in one organization, at one moment in time.
How Attackers Prepare: The Reconnaissance Phase
BEC attacks don’t start with an email. They start with research.
Before a single fraudulent email is ever sent, attackers compile vast amounts of information on the target organization. The reconnaissance phase, which can take days or weeks to complete, involves multiple types of source data.
- Public sources are used to determine the organization’s structure. LinkedIn can be used to ascertain personnel within finance/AP departments. Company websites will name names and titles of executive personnel. Press releases can provide details of mergers/acquisitions and newly established vendor relationships. Job postings indicate technologies and payment systems in use.
- Compromised email accounts provide the deepest intelligence. When an attacker gains access to an email account through phishing or stolen credentials, they read through months of correspondence before doing anything else. They learn writing styles, ongoing business relationships, payment amounts, approval processes, and the exact language that gets requests approved. This is why email account security deserves the same attention as any other critical system.
- Dark web sources provide credential intelligence. Stealer logs, breach databases, and credential markets give attackers access to email passwords and session tokens harvested from previous breaches. Stealer logs, in particular, contain detailed snapshots of everything in a victim’s browser at the time of infection: saved passwords, active sessions, and email content. Attackers use this to either log into accounts directly or to craft highly convincing impersonation messages.
- Social engineering fills the gaps. A phone call to reception asking for the right person to send an invoice to. A LinkedIn connection request to an accounts payable contact. Small, innocuous interactions that build the intelligence picture before the attack begins.
By the time the fraudulent email arrives in someone’s inbox, the attacker typically knows more about the target’s internal processes than most of the target’s own employees do.
How Attackers Gain Access
BEC attacks compromise the email communication channel in one of two ways, both of which have implications for defenses:
Email Spoofing – The attacker forges the From address of a message sent from infrastructure they control, so that it appears to come from the impersonated person and domain. Directly spoofing a domain is easy when that domain has weak or no email authentication (SPF, DKIM, and DMARC), or has a DMARC record published but not enforced. Where the impersonated domain is protected, attackers fall back to lookalike domains (a substituted or transposed character, or a different top-level domain) paired with the right display name; such messages pass authentication because the attacker legitimately owns the lookalike domain.
Account Takeover – The attacker has gained access to the real email account, typically through phishing, credential stuffing with passwords stolen in other breaches, or infostealer malware that harvests credentials and session cookies from an infected machine.
With account takeover, the attacker sends email from the real account and the real address. SPF, DKIM, and DMARC all pass because the message genuinely originates from the legitimate mailbox, so authentication cannot flag it. Detection has to rely on behavioral signals instead: the sign-in itself, changes made to the mailbox, and the content of the request.
Account takeover attackers often establish email rules before launching the fraud: forwarding copies of all incoming mail, deleting specific messages from the victim’s inbox, or silently copying messages to external addresses. These rules persist even after the initial access is removed if they’re not specifically checked for and deleted.
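The difference between the two access paths shows up directly in message headers. The following script is an added example, not code from the original article: it triages a raw message for the header-level signals a spoofed message leaves behind (failed authentication results, a Reply-To pointing somewhere else, a lookalike sending domain) and shows that a message sent from a genuinely compromised account produces none of them. The three messages are constructed; `example.com` as the protected domain and `trusted-vendor.example` as a known supplier domain are assumptions.

```python
"""Triage a raw message's headers for spoofing indicators.

Added example, not code from the original article. The three messages
below are constructed. Assumptions: example.com is the protected (your
own) domain and trusted-vendor.example is a known supplier domain.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Set

TRUSTED_DOMAINS: Set[str] = {"example.com", "trusted-vendor.example"}  # assumption


def _domain(header_value: str) -> str:
    """Domain part of an address header such as From or Reply-To."""
    _name, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-character lookalikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth_results(headers: List[str]) -> Dict[str, str]:
    """Extract spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts: Dict[str, str] = {}
    for hdr in headers:
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts.setdefault(method.lower(), result.lower())
    return verdicts


def lookalike(domain: str, trusted: Set[str]) -> str:
    """Return the trusted domain that `domain` is within one edit of, else ''."""
    for t in sorted(trusted):
        if domain and domain != t and _edit_distance(domain, t) <= 1:
            return t
    return ""


def triage(raw_message: str) -> List[str]:
    """Return findings; an empty list means no header-level signal at all."""
    msg = message_from_string(raw_message)
    findings: List[str] = []
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", ""))
    results = auth_results(msg.get_all("Authentication-Results", []))
    if "fail" in (results.get("dmarc"), results.get("spf")):
        findings.append(f"authentication failed: {results}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    near = lookalike(from_dom, TRUSTED_DOMAINS)
    if near:
        findings.append(f"From domain {from_dom} is a lookalike of trusted {near}")
    return findings


# Constructed message 1: direct spoof of the protected domain. DMARC fails
# and replies are steered to a webmail address the attacker controls.
SPOOFED = """From: "Jane Doe, CEO" <jane.doe@example.com>
Reply-To: jane.doe.ceo@webmail.example
To: ap@example.com
Subject: Urgent wire - confidential
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Need this wire out today. Please don't discuss with anyone.
"""

# Constructed message 2: lookalike domain (examp1e.com). Authentication
# passes because the attacker owns that domain; only the name-matching catches it.
LOOKALIKE = """From: "Jane Doe" <jane.doe@examp1e.com>
To: ap@example.com
Subject: Quick favour
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=none; dmarc=none header.from=examp1e.com

Are you at your desk? I need a payment processed.
"""

# Constructed message 3: sent from a genuinely compromised vendor mailbox.
# Every check passes; nothing in the headers distinguishes it from real mail.
TAKEOVER = """From: Accounts <billing@trusted-vendor.example>
To: ap@example.com
Subject: RE: Invoice 4471 - updated remittance details
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=trusted-vendor.example; dkim=pass header.d=trusted-vendor.example; dmarc=pass header.from=trusted-vendor.example

Please use the new account below for this and all future invoices.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("takeover", TAKEOVER)):
        print(label, "->", triage(raw) or "no header-level findings")
```

The empty result for the third message is the point of the passage above: once the attacker is inside a real mailbox, header checks are exhausted and the only remaining signals are behavioral (the sign-in, mailbox changes, and the unusual request itself). The lookalike check is deliberately narrow (one edit away from a domain you trust); a production version would also compare display names against a directory of executives and known vendors.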
The Most Common Types of BEC Attacks

BEC isn’t a single attack pattern. It adapts to the target and the opportunity available.
1. CEO Fraud
This is the most prevalent BEC variation. An attacker will impersonate a high-level employee, usually a CEO or CFO, and request that someone within the finance department wire money.
The BEC email includes urgency (often “this needs to happen today”), instructions against revealing the plan (“don’t discuss this with anyone else”), and a realistic-sounding explanation (like “it’s about an acquisition we are currently discussing”).
The combination of authority, urgency, and secrecy is specifically designed to prevent the verification steps that would expose the fraud. And it works. CEO fraud is responsible for a significant proportion of the multi-million dollar BEC losses reported annually.
2. Vendor and Invoice Fraud
Attackers impersonate one of the vendors your company routinely pays and send accounts payable a request to change the bank account on file, so that future payments go to an account the attacker controls. If the change is not caught quickly, several payment cycles may go to the attacker before the real vendor asks why it hasn't been paid. The attack is effective because it rides on an existing business relationship and looks like a routine administrative change.
3. Payroll Diversion
Here, the attacker impersonates an employee and requests a change in their bank account information on file for payroll. When the victim’s next paycheck is deposited, it goes into the attacker’s bank account. When the victim contacts the payroll department about not receiving their pay, it’s often too late.
4. Attorney Impersonation
In this version, an attacker will impersonate a law firm or attorney to convince someone that an immediate financial transaction is necessary due to a legal issue, pending deal or some other sensitive legal matter. The victim may also be advised to keep the details of the communication under wraps due to its sensitive nature.
5. Supply Chain BEC
Rather than impersonating someone inside the target organization, attackers compromise a supplier’s email account and conduct the attack from within a legitimate, trusted email thread.
The victim sees an email from a real email address they’ve corresponded with for years, continuing a real conversation thread, asking for a routine-seeming change. This is one of the most difficult BEC variants to detect because every technical signal says the email is legitimate.
Understanding third-party cyber risk is directly relevant here: your suppliers’ email security affects your financial exposure even when your own systems are perfectly secured.
How AI Is Making BEC Worse in 2026
Every BEC trend that was concerning last year is significantly more concerning in 2026, largely because of AI.
Generative AI has removed the most reliable tell of a fraudulent email. Employees and filters used to catch BEC messages by their bad grammar and odd sentence construction; now the messages are fluent, contextually relevant, and hard to distinguish from genuine communications from the person being impersonated.
According to IBM's Cost of a Data Breach Report 2025, 16% of breaches in 2025 involved attackers using AI, and of those, 37% involved AI-generated phishing or fraudulent communication, a share that is only increasing through 2026.
AI is being used across multiple phases of BEC attacks:
- Reconnaissance automation: AI lets attackers profile an organization, its employees, vendors, and communication patterns in minutes, a task that previously took hours of manual work.
- Voice cloning: deepfake audio can replicate a CEO's voice from a short sample, enabling fake phone calls that "confirm" an email-based request. Several well-publicized 2025 incidents included employees reporting a voice confirmation from their CEO that was in fact AI-generated.
- Writing style: AI can learn from the mail in a compromised account and craft new messages that replicate a person's tone and phrasing, something that previously took real effort to fake by hand.
- Scale- Previously, highly targeted and elaborate BEC attacks were too resource-intensive to launch on low-value targets; now it’s incredibly feasible to hit multiple smaller targets with AI-supported BEC attacks.
Real-World BEC Examples
These aren’t hypothetical. They happened.
Pepco Group (2024): European discount retailer Pepco Group reported that its Hungarian business lost around €15.5 million to an elaborate phishing-based BEC scam. Fraudulent messages persuaded staff at the Hungarian branch to wire funds to attacker-controlled accounts. No customer or employee data was compromised; the entire loss came from a convincing email impersonation.
Dickinson Public Schools (2026): A US school district recovered $4.8 million that had been wired to attackers in a BEC scheme. Reporting in April 2026 attributed the recovery to prompt reporting to the FBI's IC3, which was able to secure the wire transfer before the funds were moved on.
Unnamed technology company: IC3 reports from 2025 include multiple cases of technology companies losing between $1 million and $5 million through vendor impersonation attacks where attackers had monitored email communications for weeks before substituting fraudulent payment instructions into ongoing vendor conversations.
The pattern across all these incidents is consistent: the fraud worked because it was convincing, because verification steps were skipped, and because the money moved before anyone caught the discrepancy.
The Financial and Legal Consequences
Recovering BEC losses is difficult. Once a wire lands, the funds are moved through chains of mule accounts, converted to cryptocurrency, or sent on to overseas banks within hours. If reported promptly, the FBI's IC3 can sometimes help freeze and return the money, but only within a narrow window and never with certainty.
The financial loss isn’t the only consequence.
Regulatory exposure: If the data exposed in the compromised mailbox or sent to the attacker is covered by privacy law, the organization may also have notification and other obligations under GDPR, HIPAA or CCPA on top of the financial loss. Cybersecurity compliance obligations don't disappear because the breach came through social engineering rather than an exploit.
Legal issues: The funds that are transferred through BEC fraud may lead to legal disputes between the organizations involved and the intended recipient who did not receive the payment. In particular, supply chain BEC attacks pose complicated liability issues between vendors and customers.
Cyber insurance complications: BEC claims are now being carefully analyzed. Some policies will have sub-limits for social engineering losses that are much lower than the policy limit. Some need particular controls as a requirement for coverage.
Reputational damage: If a BEC incident is made public, the damage inflicted on supplier and customer trust can be long-lasting.
How to Prevent Business Email Compromise
No single control stops BEC. It requires layered defenses covering the technical, process, and human dimensions simultaneously.
1. Implement and enforce email authentication
SPF, DKIM, and DMARC are the technical foundation against spoofing-based BEC. DMARC in particular, when published with a reject (or at least quarantine) policy that applies to 100% of mail and to subdomains, stops messages that spoof your exact domain from reaching recipients at providers that honor the policy. Many organizations have a DMARC record but leave it at p=none, which only generates reports; enforcement is what provides protection. Two caveats: DMARC protects only domains you own, so it does nothing against lookalike domains or a compromised partner account, and it works only when the receiving organization checks it.
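The gap between "we have DMARC" and "DMARC is enforced" is easy to audit from the record itself. The script below is an added example, not code from the original article: it parses a DMARC TXT record and reports whether it actually enforces, flagging the usual half-measures (p=none, a partial pct rollout, subdomains left at sp=none, no reporting address). The records are constructed strings; no DNS lookup is made, so to check a real domain you would resolve the TXT record at `_dmarc.<domain>` and pass it in.

```python
"""Classify DMARC TXT records by enforcement level.

Added example, not from the original article. Records are constructed
strings; no DNS lookup is performed. To check a real domain, resolve the
TXT record at _dmarc.<domain> and pass the string to assess_dmarc().
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcAssessment:
    policy: str             # p= value, or "missing" when no record exists
    subdomain_policy: str   # sp= value, inheriting p= when absent (per the spec)
    pct: int                # percentage of failing mail the policy applies to
    reporting: bool         # rua= present, so the owner receives aggregate reports
    enforcing: bool         # True only when spoofed mail is actually rejected/quarantined
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: Optional[str]) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a lowercase tag map."""
    tags: Dict[str, str] = {}
    for part in (record or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Decide whether a record provides real protection, and why not if it doesn't."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcAssessment("missing", "missing", 0, False, False,
                               ["no DMARC record: receivers apply no policy to spoofed mail"])
    policy = tags.get("p", "none").lower()
    sp = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    reporting = "rua" in tags
    findings: List[str] = []
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if sp == "none" and policy != "none":
        findings.append("sp=none: subdomains are left unprotected")
    if not reporting:
        findings.append("no rua= address: you will not see who is spoofing the domain")
    enforcing = policy in ("quarantine", "reject") and pct == 100 and sp != "none"
    return DmarcAssessment(policy, sp, pct, reporting, enforcing, findings)


# Constructed records: the common monitoring-only misconfiguration, a partial
# rollout that still lets most spoofs through, and a fully enforced record.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL = "v=DMARC1; p=quarantine; pct=25; sp=none"
ENFORCED = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for name, rec in (("monitor", MONITOR_ONLY), ("partial", PARTIAL), ("enforced", ENFORCED)):
        a = assess_dmarc(rec)
        print(f"{name}: enforcing={a.enforcing} p={a.policy} sp={a.subdomain_policy} "
              f"pct={a.pct} findings={a.findings}")
```

Running this across every domain your organization sends from, including marketing and parked domains, is a cheap way to find the records that look configured but protect nothing. Parked domains that never send mail should carry `p=reject` as well, since an attacker spoofing them inherits your name just the same.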
2. Establish out-of-band verification for financial requests
This is the single most effective procedural control. Any request involving a payment, a change of banking details, or sensitive data should be verified through a second, independent channel: not by replying to the email, and not by calling a number or contact supplied in it. Use a phone number already on file, a message through the internal chat platform, or a face-to-face conversation.
Training employees to treat this verification as a standard step, not a sign of distrust, is the cultural shift that makes this effective.
3. Apply the four-eyes principle to payments
This is both a procedural and a payment-system control: any payment over a pre-defined threshold, and any change to existing payment details, must be approved by a second, independent person. It prevents a single deceived or compromised employee from both authorizing and releasing a payment without another set of eyes on it.
4. Monitor for account takeover indicators
Several mailbox behaviors reliably indicate a compromised account: inbox rules that are not part of how the user normally works, especially rules that forward or redirect mail to external addresses or that move or delete messages matching payment-related keywords; sign-ins from unexpected locations or devices; mass deletions of mail; and mailbox-level forwarding set on the account. These are the traces left behind by an account compromised through phishing or credential-stealing malware.
Security monitoring that watches for these specific patterns, in the mail platform's audit log rather than in the message stream, provides early warning before the fraud attempt is actually launched.
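The rule-based persistence described in the account takeover section above, and the monitoring this section calls for, come together in one detector. The script below is an added example, not code from the original article: it scans an audit-log export for inbox rules and mailbox settings that match the takeover pattern (external forwarding, silent deletion, hiding mail in folders nobody reads, filters keyed on invoice or wire language). The input is constructed JSON lines shaped like a simplified Microsoft 365 unified audit log export for the New-InboxRule, Set-InboxRule and Set-Mailbox operations; field names in your own export may differ, and the internal domain list is an assumption.

```python
"""Flag mailbox rules typical of BEC account takeover in audit-log lines.

Added example, not from the original article. SAMPLE_LOG is constructed to
resemble (in simplified form) Microsoft 365 unified audit log records for
New-InboxRule, Set-InboxRule and Set-Mailbox; treat the field names as an
assumption and adapt them to your own export. INTERNAL_DOMAINS is assumed.
"""
import json
from typing import Dict, Iterable, List, Tuple

INTERNAL_DOMAINS = {"example.com"}  # assumption: the domains your own users send from
HIDING_FOLDERS = {"rss subscriptions", "deleted items", "conversation history", "junk email"}
PAYMENT_TERMS = ("invoice", "wire", "payment", "bank", "remittance", "ach")


def is_external(address: str) -> bool:
    """True when the address is outside every internal domain."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def params(record: dict) -> Dict[str, str]:
    """Flatten the audit record's Parameters list into a name -> value map."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def analyse_record(record: dict) -> List[Tuple[str, str]]:
    """Return (severity, reason) findings for one audit record."""
    findings: List[Tuple[str, str]] = []
    op = record.get("Operation", "")
    p = params(record)
    if op in ("New-InboxRule", "Set-InboxRule"):
        for key in ("ForwardTo", "RedirectTo", "ForwardAsAttachmentTo"):
            for addr in (a.strip() for a in p.get(key, "").split(";") if a.strip()):
                if is_external(addr):
                    findings.append(("high", f"{op}: {key} to external {addr}"))
        if p.get("DeleteMessage", "").lower() == "true":
            findings.append(("high", f"{op}: rule silently deletes matching mail"))
        if p.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
            findings.append(("medium", f"{op}: moves mail to '{p['MoveToFolder']}'"))
        subject = p.get("SubjectContainsWords", "").lower()
        if any(term in subject for term in PAYMENT_TERMS):
            findings.append(("medium", f"{op}: subject filter on payment terms '{subject}'"))
        if p.get("MarkAsRead", "").lower() == "true":
            findings.append(("low", f"{op}: marks matching mail as read"))
    elif op == "Set-Mailbox":
        for key in ("ForwardingSmtpAddress", "ForwardingAddress"):
            addr = p.get(key, "").replace("smtp:", "")
            if addr and is_external(addr):
                findings.append(("high", f"Set-Mailbox: {key} set to external {addr}"))
    return findings


def scan(lines: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Parse a JSON-lines export and return (user, severity, reason) hits."""
    hits: List[Tuple[str, str, str]] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        for severity, reason in analyse_record(rec):
            hits.append((rec.get("UserId", "?"), severity, reason))
    return hits


# Constructed export: one benign rule, then a classic takeover rule (forward
# payment mail out, hide it, mark it read) and mailbox-level external forwarding.
SAMPLE_LOG = """
{"Operation":"New-InboxRule","UserId":"cfo@example.com","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"FromAddressContainsWords","Value":"news@vendor.example"},{"Name":"MoveToFolder","Value":"Reading"}]}
{"Operation":"New-InboxRule","UserId":"cfo@example.com","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire;payment"},{"Name":"ForwardTo","Value":"archive.backup@outlook-mail.example"},{"Name":"MoveToFolder","Value":"RSS Subscriptions"},{"Name":"MarkAsRead","Value":"True"}]}
{"Operation":"Set-Mailbox","UserId":"ap.clerk@example.com","Parameters":[{"Name":"ForwardingSmtpAddress","Value":"smtp:ap.clerk.example@gmail.example"},{"Name":"DeliverToMailboxAndForward","Value":"True"}]}
"""

if __name__ == "__main__":
    for user, severity, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"[{severity}] {user}: {reason}")
```

The second record is the pattern to internalize: a rule with a throwaway name, keyed on invoice and wire language, forwarding externally and burying the originals in a folder the user never opens. Run the same check on a schedule rather than once, and alert on rule creation itself for finance and executive mailboxes, because the rule is typically created days or weeks before the fraudulent request is sent.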
5. Run realistic BEC simulation training
Generic phishing awareness training doesn’t adequately prepare employees for sophisticated BEC. Simulations that specifically replicate CEO fraud, vendor impersonation, and invoice fraud scenarios, including AI-generated variants, build the verification habits that matter.
The measure of effective training isn’t the click rate on fake phishing emails. It’s whether employees call to verify unusual financial requests before acting on them.
What to Do If Your Organization Is Hit

Speed is everything. Every hour after a BEC transfer reduces the probability of recovery.
Step 1: Contact your bank immediately
Call your bank directly using the number on their official website, not a number from any email. Request a wire recall or a SWIFT recall for the transferred funds. Banks have internal fraud teams that can attempt to freeze funds if contacted quickly enough.
Step 2: Report to the FBI’s IC3
File a complaint at ic3.gov immediately. The FBI's Financial Fraud Kill Chain (FFKC) can sometimes freeze and return funds, but it is designed for large international wire transfers and must be initiated within 72 hours of the transfer, so the earlier you report, the higher the probability of recovery.
Step 3: Preserve all evidence
Do not delete any emails related to the incident. Preserve email headers, message content, and all communications with the apparent sender. This evidence is essential for both law enforcement investigation and any subsequent insurance claim.
Step 4: Contain the compromised account
If the attack involved an account takeover rather than spoofing, contain the compromised account immediately: reset the credentials and also revoke active sessions and refresh tokens, since a password reset alone may not invalidate sessions the attacker already holds. Check for and delete any inbox rules, filters, and mailbox-level forwarding the attacker created, review MFA methods and third-party application consents registered on the account, and review the sign-in and audit logs to establish when access began and what was read. Your incident response guide should have a specific playbook for email account compromise.
Step 5: Assess notification obligations
Depending on what information was accessed or what data was in the compromised email account, you may have regulatory breach notification obligations. Involve legal counsel early to assess what notifications are required and when.
Conclusion
Business email compromise is effective because it attacks the weakest point in any security system: human judgment under pressure.
Technical defenses matter. DMARC enforcement stops direct spoofing of your domain. Phishing-resistant MFA limits account takeover. Behavioral monitoring catches compromised accounts. But none of those controls alone stops a well-crafted impersonation that reaches an employee who hasn't been trained to verify unusual financial requests.
The organizations that consistently avoid BEC losses share one characteristic: they have made out-of-band verification a reflex, not an exception. When a payment request arrives, the question isn’t “does this email look legitimate?” It’s “have I confirmed this through a second channel?”
That culture doesn’t build itself. It requires deliberate training, clear processes, and visible leadership commitment to security over speed when those two things conflict.