A finance manager gets an email from the CEO: "I need you to process a wire transfer for $47,000 to finalize an acquisition. This is confidential — do not discuss it with anyone else on the team. I will explain at the board meeting next week."
The email looks right. The name matches. The writing style is familiar. The request makes sense because the company has been discussing acquisitions. The finance manager sends the money.
But the CEO never wrote that email. An attacker did. And that $47,000 is gone forever.
This is Business Email Compromise, one of the most expensive forms of cybercrime there is. In the FBI Internet Crime Complaint Center's reporting, BEC has accounted for roughly $2.9 billion in losses in a single year, more than the ransomware, data breach and phishing losses reported to IC3 combined.
The hard part for defenders: a BEC email typically carries no malware, no malicious link and no dangerous attachment. It is just a convincing message from someone pretending to be a person you trust. Filters that catch malware by signature or sandboxing have almost nothing to scan, which is why gateways that reliably block malware still let a meaningful share of BEC mail through.
How BEC Attacks Actually Work
Every BEC attack follows the same three-phase pattern:
Phase 1: Research (2-6 weeks). The attacker studies your company. They read LinkedIn profiles, company websites, news articles, and SEC filings. They identify who handles money (CFO, accounting team), who has authority (CEO, executives), and who the company works with (suppliers, lawyers, banks).
Phase 2: Setup (1-2 weeks). The attacker either compromises a real email account through phishing or creates a convincing look-alike domain. For example, if your company is acmecorp.com, they register acmecorp-inc.com or acrnecorp.com (notice the "rn" looks like "m").
Phase 3: The Ask (minutes). They send one carefully crafted email requesting money or sensitive data. The request always feels urgent, confidential, and comes from authority. By the time anyone realizes it is fake, the money is in an overseas account.
The 5 Types of BEC Attacks
| BEC Type | Who They Impersonate | Who They Target | Average Loss |
|---|---|---|---|
| CEO Fraud | CEO or executive | Finance team | $125,000 |
| Invoice Manipulation | Existing supplier | Accounts payable | $98,000 |
| Account Compromise | Employee (hacked) | Contacts of that employee | $75,000 |
| Attorney Impersonation | Lawyer or legal firm | CEO or finance during M&A | $250,000 |
| Data Theft | CEO or HR director | HR or payroll | $35,000* |
*Data theft losses include regulatory fines, notification costs, and fraud from stolen employee tax information.
Real-World BEC Attacks and Their Cost
These are not hypothetical scenarios. These happened to real companies:
1. Toyota Boshoku — $37 Million (2019)
Attackers impersonated a business partner and convinced a Toyota subsidiary finance executive to change wire transfer payment details. The company transferred $37 million to an attacker-controlled account. Discovered too late for full recovery.
2. Facebook and Google — $121 Million (2013-2015)
A Lithuanian man impersonated a computer hardware manufacturer and sent fake invoices to both tech giants over two years. Facebook paid $99 million and Google paid $23 million before discovering the fraud. The attacker was eventually caught and most money was recovered — but only because the victims were massive tech companies with legal resources.
3. Ubiquiti Networks — $46.7 Million (2015)
Attackers impersonated employees and targeted the company finance department using spoofed email accounts. The company disclosed a $46.7 million loss in an SEC filing. They recovered $15 million through legal action.
4. Small Business Reality Check
For every headline-grabbing million-dollar BEC, thousands of small businesses quietly lose $10,000-50,000. Small businesses make up a large share of BEC victims and, with fewer legal and banking resources to chase the money, recover funds far less often than enterprises do.
7 Red Flags That Scream BEC Attack
Train every employee to recognize these warning signs:
- Urgency + secrecy. "Handle this immediately" combined with "do not tell anyone." Legitimate urgent requests rarely demand secrecy.
- Change in payment details. "Our bank account has changed, here are new wire details." Real vendors update payment info through formal account management processes, not random emails.
- Email domain slightly off. The display name looks right but the actual address uses acrnecorp.com instead of acmecorp.com. Always check the full email address, not just the display name.
- First-time wire request. Your CEO has never asked you to wire money before. Attackers do not know your internal processes, so their requests often break normal patterns.
- Time pressure on a Friday. BEC attacks spike on Fridays because attackers want the payment processed before the weekend — giving them 48+ hours before anyone investigates.
- Reply address differs from sender. The "From" says CEO@yourcompany.com but the "Reply-To" goes to a Gmail or look-alike address. Click "Reply" and check where your email would actually go.
- Skipping normal process. "Skip the approval workflow, I will sign off on this later." Any request to bypass established financial procedures is a red flag, even if it comes from the CEO.
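The domain, display-name, Reply-To and urgency-plus-secrecy flags above can be checked mechanically on the raw message before it ever reaches a finance inbox. The following is an added example, not code from the original article or from any vendor; the company domain, the executive list and the sample message are constructed assumptions, and the keyword lists are a deliberately small illustration of the patterns described above.

```python
"""Flag the BEC header red flags on a raw RFC 5322 message."""
import email
from email import policy
from email.utils import parseaddr

# Assumptions (not from the article): our own sending domains and the
# executives whose names an attacker would borrow, keyed by lower-cased name.
OUR_DOMAINS = {"acmecorp.com"}
VIP_NAMES = {"jane doe": "jane.doe@acmecorp.com"}

URGENCY = ("urgent", "immediately", "today", "asap", "right away")
SECRECY = ("confidential", "do not discuss", "don't tell", "keep this between", "tell no one")

# Constructed sample messages, not real captures. The first is a look-alike
# domain ("rn" for "m") with an external Reply-To; the second is benign.
SAMPLE_EML = """\
From: Jane Doe <jane.doe@acrnecorp.com>
Reply-To: Jane Doe <jd.ceo.office@gmail.com>
To: finance@acmecorp.com
Subject: Urgent wire - confidential
Date: Fri, 13 Jun 2025 16:42:00 +0000

Need a $47,000 wire processed today. Do not discuss this with anyone.
"""

CLEAN_EML = """\
From: Jane Doe <jane.doe@acmecorp.com>
To: finance@acmecorp.com
Subject: Q2 budget review
Date: Tue, 10 Jun 2025 09:15:00 +0000

The Q2 budget draft is attached for discussion at Thursday's meeting.
"""


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_header_flags(raw: str) -> list[str]:
    """Return human-readable red flags found in the message headers and text."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)
    flags = []

    # 1. Display name of a known executive, but the address is not theirs.
    expected = VIP_NAMES.get(from_name.strip().lower())
    if expected and from_addr.lower() != expected:
        flags.append(f"display name '{from_name}' but address {from_addr} (expected {expected})")

    # 2. Mail presented as internal but sent from a domain we do not own.
    if from_dom and from_dom not in OUR_DOMAINS:
        flags.append(f"external sender domain {from_dom}")

    # 3. Reply-To quietly routes the conversation somewhere else.
    if reply_addr and _domain(reply_addr) != from_dom:
        flags.append(f"Reply-To {reply_addr} differs from From domain {from_dom}")

    # 4. Urgency and secrecy in the same message.
    body = msg.get_body(preferencelist=("plain",))
    text = (msg.get("Subject", "") + " " + (body.get_content() if body else "")).lower()
    if any(w in text for w in URGENCY) and any(w in text for w in SECRECY):
        flags.append("urgency combined with secrecy wording")

    return flags


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EML), ("clean", CLEAN_EML)):
        print(name, bec_header_flags(raw))
```

Run against a real .eml export, the same function works unchanged; in a gateway you would feed it the message after DMARC evaluation so that an exact-domain spoof is already rejected and this logic only has to deal with look-alikes, external senders and compromised accounts.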
8 Proven BEC Defenses
Defense 1: Dual Approval for Payments
Require two people to approve any payment over $5,000. The person who receives or enters the payment request cannot be the one who approves it, and the approver must see the original request rather than a summary. This single control stops a large share of attempts because the second approver usually catches what the first person missed.
Defense 2: Out-of-Band Verification
Before processing any payment change or wire request, verify through a different communication channel. If the request came by email, call the person using a phone number you already have on file, never a number taken from the suspicious email or its signature block. This is the most effective single control when it is followed consistently, and it must hold even when the requester insists they cannot be reached.
Defense 3: AI Behavioral Detection
Deploy an email security tool that learns normal communication patterns. When the "CEO" sends an email that does not match the real CEO's writing style, send time, or request patterns, the tool flags it. Vendors such as Abnormal Security sell this approach; measure any detection-rate claim against your own mail flow before relying on it.
Defense 4: DMARC with Reject Policy
Publish a DMARC record with p=reject for your domain (and sp=reject for its subdomains) so that receiving mail systems drop messages whose From: header uses your domain but fails aligned SPF or DKIM. This stops exact-domain spoofing at every receiver that enforces DMARC. It does nothing against look-alike domains, display-name spoofing, or a compromised internal account, and it only works once SPF and DKIM cover every legitimate sender of your mail, so roll out p=none with reporting first, then quarantine, then reject.
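Whether a published record actually gives the protection described above depends on a few tags beyond p=. The following added example, not part of the original article, parses a DMARC TXT record and reports the gaps that still let spoofed mail through; the records it runs on are constructed, and a live check would fetch the TXT record at _dmarc.<domain> first.

```python
"""Report the weaknesses in a DMARC TXT record (RFC 7489 tag semantics)."""


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; pct=100' into a lower-cased tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list[str]:
    """Return a list of weaknesses; an empty list means the record enforces fully."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []

    # p= is the policy for the organisational domain itself.
    p = tags.get("p", "").lower()
    if p != "reject":
        findings.append(f"p={p or 'missing'}: direct spoofing of the domain is not rejected")

    # sp= covers subdomains; when absent it inherits p=, so p=none leaks to
    # every subdomain an attacker cares to invent (payments.acmecorp.com).
    sp = tags.get("sp", p).lower()
    if sp != "reject":
        origin = "" if "sp" in tags else " (inherited from p=)"
        findings.append(f"sp={sp or 'missing'}{origin}: subdomains can still be spoofed")

    # pct= applies the policy to only a sample of failing mail.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")

    # Without rua= you get no aggregate reports and cannot see who is spoofing you.
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports")

    return findings


# Constructed records for illustration, not real DNS data.
EXAMPLES = {
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@acmecorp.com",
    "partial rollout": "v=DMARC1; p=reject; pct=10",
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@acmecorp.com",
}

if __name__ == "__main__":
    for label, rec in EXAMPLES.items():
        print(label, dmarc_findings(rec) or ["ok"])
```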
Defense 5: Look-Alike Domain Monitoring
Use a domain monitoring service to alert you when someone registers a domain similar to yours. Commercial services such as PhishLabs and Recorded Future do this, and the open-source tool dnstwist generates and checks the permutations (acmecorp-inc.com, acmec0rp.com, acmecorp.co) that attackers register before launching BEC campaigns. Registering the most obvious variants yourself is cheap; blocking the rest at the mail gateway catches the ones you missed.
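The permutations a monitoring tool watches for are mechanical, and generating them yourself shows what to pre-register and what to blocklist. The following is an added example in the style of dnstwist, not dnstwist's own code or the original article's; its homoglyph table, affix list and TLD list are a small illustrative subset, and the registration feed it scans is constructed.

```python
"""Generate look-alike domains for a brand and match them against a feed of
newly registered domains (dnstwist-style permutations, illustrative subset)."""

# Assumptions, not from the article: a deliberately small permutation set.
HOMOGLYPHS = {
    "m": ["rn", "nn"], "o": ["0"], "l": ["1", "i"], "i": ["l", "1"],
    "w": ["vv"], "e": ["3"], "a": ["4"], "s": ["5"], "d": ["cl"], "n": ["ri"],
}
AFFIXES = ["-inc", "-corp", "-llc", "-hq", "-payments", "-invoices"]
TLDS = ["com", "co", "net", "org", "us", "cm"]


def lookalikes(domain: str) -> set[str]:
    """All single-edit permutations of the registrable label plus affix/TLD swaps."""
    label, _, tld = domain.lower().rpartition(".")
    out = set()
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):          # homoglyph: acrnecorp, acmec0rp
            out.add(f"{label[:i]}{sub}{label[i + 1:]}.{tld}")
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")        # omission: acmcorp
        out.add(f"{label[:i + 1]}{ch}{label[i + 1:]}.{tld}")  # repetition: acmmecorp
    for i in range(len(label) - 1):                  # transposition: acemcorp
        out.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    for affix in AFFIXES:                            # hyphenation: acmecorp-inc
        out.add(f"{label}{affix}.{tld}")
    for other in TLDS:                               # TLD swap: acmecorp.co
        if other != tld:
            out.add(f"{label}.{other}")
    out.discard(domain.lower())
    return out


def watch(feed: list[str], brand: str) -> list[str]:
    """Domains from a registration feed that are look-alikes of brand, sorted."""
    candidates = lookalikes(brand)
    return sorted(d.lower() for d in feed if d.lower() in candidates)


# Constructed stand-in for a newly-registered-domains feed.
REGISTRATION_FEED = [
    "acrnecorp.com", "acmecorp-inc.com", "example.org", "acmecorp.co", "bigcorp.com",
]

if __name__ == "__main__":
    print(len(lookalikes("acmecorp.com")), "candidates")
    print(watch(REGISTRATION_FEED, "acmecorp.com"))
```

dnstwist goes further than this (it also resolves each candidate and checks for MX records, which is what turns a registered look-alike into an imminent BEC threat); the candidate set above is the part you need for a gateway blocklist or a defensive registration order.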
Defense 6: Financial Process Hardening
- Never change vendor payment details based on email alone
- Maintain a verified vendor contact list independent of email
- Treat a signed letter on company letterhead or a PDF form as no stronger evidence than the email it arrived with, since both are trivially forged; the verified call-back is the control, and the letter is only the paper trail
- Set daily wire transfer limits that require executive override
Defense 7: Employee Training
Run BEC simulations quarterly — not just phishing simulations. Most security training focuses on malicious links. BEC training should focus on social engineering patterns: urgency, secrecy, authority, and process bypass. Target finance, HR, and executive assistants specifically.
Defense 8: Email Banner Warnings
Configure your email system to display a prominent warning banner on all emails from external senders. Something like: "This email came from outside your organization. Verify the sender before clicking links or processing requests." Simple but effective: it reminds employees to pause and think. It does not fire for mail sent from a compromised internal account, so it complements the financial controls above rather than replacing them.
What to Do If You Fall for a BEC Attack
Speed matters. The first 24 hours determine whether you recover your money or lose it permanently.
Hour 0-1: Immediate Actions
- Contact your bank. Call the wire department directly and request an emergency recall. Banks can sometimes freeze funds if the receiving account has not been drained yet.
- Contact the receiving bank. Your bank's wire department can request a recall from the beneficiary bank, which is most likely to succeed for a domestic wire that has not yet been forwarded. For international wires of $50,000 or more reported within 72 hours, the FBI's Financial Fraud Kill Chain process, initiated through an IC3 complaint, can get funds frozen at the foreign bank.
- Do not email anyone about the incident. If an attacker compromised an email account, they may be reading your messages. Use phone calls only.
Hour 1-24: Investigation Actions
- File an FBI IC3 complaint. Go to ic3.gov and submit a detailed report. Include all email headers, wire transfer details, and account numbers.
- Preserve evidence. Save the original BEC email with full headers. Screenshot the email, export it as .eml file, and print hard copies.
- Check for account compromise. If the BEC was sent from an internal account, treat that account as compromised: reset the password, revoke all active sessions and tokens, and audit the mailbox for inbox rules that forward, redirect, delete or hide mail, for delegate access, for OAuth application consents, and for newly registered MFA methods.
- Notify your cyber insurance provider. Most policies have a 24-72 hour notification window.
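The mailbox-rule audit in the compromise check is the step most often skipped, and it is where a BEC actor leaves persistence: a rule that forwards to an outside address, or one that deletes or files away replies mentioning the wire so the victim never sees the bank or vendor asking questions. The following is an added example, not part of the original article; the sample rules are constructed and modelled on the shape of a Microsoft Graph messageRule object (displayName, conditions, actions), which is one place such an export would come from.

```python
"""Audit a mailbox's inbox rules for BEC persistence patterns."""

# Assumptions, not from the article.
OUR_DOMAINS = {"acmecorp.com"}
PAYMENT_WORDS = ("wire", "invoice", "payment", "bank", "fraud", "suspicious")
HIDE_ACTIONS = ("delete", "moveToFolder", "markAsRead")
FORWARD_ACTIONS = ("forwardTo", "forwardAsAttachmentTo", "redirectTo")

# Constructed sample rules in the shape of Graph messageRule objects; not tenant data.
SAMPLE_RULES = [
    {"displayName": "Newsletter filing", "isEnabled": True,
     "conditions": {"senderContains": ["newsletter"]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["wire", "invoice", "payment"]},
     "actions": {"moveToFolder": "RSS Feeds", "markAsRead": True, "delete": True}},
    {"displayName": "fwd", "isEnabled": True,
     "conditions": {},
     "actions": {"forwardTo": [{"emailAddress": {"address": "collector@mail-drop.example"}}]}},
]


def _addresses(recipients) -> list[str]:
    """Flatten Graph-style recipient objects to lower-cased addresses."""
    return [r["emailAddress"]["address"].lower() for r in recipients or []]


def suspicious_rules(rules: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (rule name, reasons) for every enabled rule that looks like BEC persistence."""
    findings = []
    for rule in rules:
        if not rule.get("isEnabled", True):
            continue
        name = rule.get("displayName", "")
        acts = rule.get("actions", {})
        conds = rule.get("conditions", {})
        reasons = []

        # Forwarding or redirecting to an address outside our domains.
        for key in FORWARD_ACTIONS:
            for addr in _addresses(acts.get(key)):
                if addr.rsplit("@", 1)[-1] not in OUR_DOMAINS:
                    reasons.append(f"{key} external address {addr}")

        # Hiding mail that mentions payments: the victim never sees the questions.
        keywords = [k.lower() for k in conds.get("subjectContains", []) + conds.get("bodyContains", [])]
        hides = any(acts.get(a) for a in HIDE_ACTIONS)
        if hides and any(w in k for k in keywords for w in PAYMENT_WORDS):
            reasons.append("hides mail matching payment keywords: " + ", ".join(keywords))

        # Attackers name rules '.' or ' ' so they are easy to overlook in the UI.
        if len(name.strip()) <= 2:
            reasons.append(f"near-empty rule name {name!r}")

        if reasons:
            findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES):
        print(repr(name), reasons)
```

The same three checks apply to Exchange transport rules and to the mailbox's SMTP forwarding setting, which sits outside the inbox-rule list and is worth querying separately.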
Recovery Rates by Response Time
| Response Time | Recovery Rate | Why |
|---|---|---|
| Under 24 hours | 54% | Banks can often freeze domestic transfers |
| 24-48 hours | 29% | Money may have been moved to a second account |
| 48-72 hours | 15% | Funds likely converted to crypto or withdrawn |
| Over 72 hours | 4% | Money is overseas and effectively unrecoverable |
BEC Prevention Checklist for Your Company
Use this checklist to audit your current BEC defenses:
Email Security
- DMARC configured with p=reject on your primary domain
- External email banner enabled for all outside messages
- AI behavioral email security deployed (Abnormal, Proofpoint TAP, or similar)
- Look-alike domain monitoring active
Financial Controls
- Dual approval required for payments over $5,000
- Out-of-band verification mandatory for new vendor payment details
- Verified vendor contact list maintained separate from email
- Daily wire transfer limits set with executive override requirement
Training
- BEC-specific training for finance, HR, and executive assistants (quarterly)
- BEC simulation exercises run at least twice per year
- Clear reporting process — employees know exactly who to call if they suspect BEC
- No-blame policy — employees who report suspected BEC are praised, not punished
Incident Response
- BEC response playbook documented and accessible
- Bank emergency contact numbers listed and current
- FBI IC3 filing process documented
- Cyber insurance policy reviewed with BEC coverage confirmed
BEC is not a technology problem; it is a people-and-process problem that technology can help solve. The most effective defense combines strong financial processes with behavioral email security and regular training. No single tool stops all BEC attacks, and it is the combination of these defenses that keeps most attempts from ever moving money out of your account.