Learn how to spot and stop BEC scams before they cost your company millions.
• BEC doesn’t trip email filters because there’s nothing technically malicious in the message. No links, no attachments. That’s why it works so well and why you can’t rely on technology alone to stop it.
• The average successful BEC wire transfer is $157,000. The FBI logged over 21,000 complaints in 2024. One convincing email from a “trusted” sender is all it takes.
• Compromised email accounts are the hardest BEC variant to catch. When attackers use a real employee’s inbox, every security check passes. Credential monitoring catches exposed accounts before attackers get in.
• Prevention comes down to process. Require out-of-band verification for any payment change over a threshold. A phone call to a known number stops most BEC scams cold.
A finance director gets an email from the CEO asking for an urgent wire transfer. The email comes from the right address, uses the right tone, and references a real deal in progress. There’s just one problem: the CEO didn’t send it.
That’s business email compromise. Just a convincing email from someone you trust asking for something that sounds reasonable.
It’s the most expensive type of cybercrime the FBI tracks. And it’s getting worse every year.
This guide covers how BEC scams work, how they differ from phishing, and how to prevent business email compromise scams before they reach your finance team.
It goes by several names, but they all describe the same scam.
Business email compromise (BEC) is a type of cybercrime where attackers use email to impersonate trusted individuals and manipulate employees into making unauthorized payments or sharing confidential data. BEC relies on social engineering rather than malware, which is why traditional email security filters often miss it.
What makes BEC different from standard phishing? Phishing casts a wide net. Attackers send thousands of emails with malicious links or fake login pages, hoping someone clicks. BEC is the opposite: low volume, high effort, targeted at specific people.
A BEC email has no malicious payload. No link to block. No attachment to scan. The email itself is the weapon. That’s what makes it so hard to detect with technology alone.
The FBI’s IC3 reported $2.77 billion in BEC losses in 2024 across 21,442 complaints. Cumulatively, BEC has caused over $55 billion in global losses since 2013. It’s consistently the most expensive cybercrime category the FBI tracks.
BEC is growing fast. 63% of organizations experienced a BEC attack in 2024, according to the Association for Financial Professionals. Attacks increased 15% in 2025.
Generative AI is accelerating the trend. Attackers use AI to write more convincing emails and mimic writing styles, and they can now scale attacks that used to require hours of manual research on each target. BEC’s share of all cyberattacks rose from 1% in 2022 to 18.6% after generative AI tools became widely available. Some attackers combine BEC emails with AI-generated voice calls that clone an executive’s voice, which makes verification by phone harder too.
The average successful BEC wire transfer is $157,000. But the range is wide. Some scams net millions from a single email.
There are six main variants. Each exploits a different relationship and trust dynamic.
CEO fraud. Attackers impersonate a senior executive and email the finance team requesting an urgent wire transfer. They research the company first, referencing real projects or deals to make the request credible.
Invoice fraud. Attackers pose as a known vendor and send an invoice with updated payment details. The invoice looks real. The bank account is the attacker’s.
Email account compromise. Attackers gain access to an employee’s actual email account, usually through stolen credentials or phishing. They send BEC emails from the real inbox, so there’s nothing spoofed to detect. This is the variant that causes the most damage because every security check passes.
Email spoofing is when an attacker forges the “From” field in an email to make it appear to come from a trusted sender. DMARC, SPF, and DKIM are email authentication protocols that help receiving servers detect spoofed messages. They don’t stop BEC from compromised accounts, since those emails come from the real address.
Attorney impersonation. Scammers pretend to be a lawyer handling a confidential matter. They pressure employees to transfer funds quickly, using secrecy as cover for bypassing verification.
Payroll diversion. Attackers email HR posing as an employee and request a change to direct deposit details. Paychecks get rerouted to the attacker’s account.
Data theft. Attackers target HR or finance staff to obtain employee records, tax forms, or customer data. This data fuels future attacks or gets sold on criminal markets.
BEC emails are hard to spot because they don’t look suspicious in the traditional sense. But they follow patterns.
Urgency. Every BEC email creates artificial time pressure. “This needs to happen before end of day.” “Don’t delay this.” If a financial request doesn’t let you verify through normal channels, that’s the red flag.
Secrecy. “Keep this between us.” “Don’t discuss this with anyone yet.” Legitimate executives don’t ask staff to bypass normal processes in secret.
Changes to payment details. Any request to update vendor bank information, wire to a new account, or change direct deposit details should trigger verification.
Timing. BEC attacks often land when the impersonated person is traveling or in meetings. Attackers research schedules to pick the moment when calling to verify is most inconvenient.
Unusual sender behavior. Watch for emails that don’t match the sender’s normal writing style, arrive at unusual hours, or request things outside their typical scope. If your CEO has never emailed you directly about a wire transfer before, that’s suspicious.
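The warning signs above can be turned into a simple triage score. This is an added example, not code from the article; the phrase lists, the weights, the sample message and the `known_senders` mapping (display name to that person’s real address) are all assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Phrase patterns for the signals above (urgency, secrecy, payment-detail changes).
# The lists and the sample message below are constructed for this example.
URGENCY = [r"\burgent(ly)?\b", r"\bbefore (the )?end of (the )?day\b", r"\bdon'?t delay\b", r"\basap\b"]
SECRECY = [r"\bkeep this between us\b", r"\bdon'?t (discuss|mention|tell)\b", r"\bstrictly confidential\b"]
PAYMENT = [r"\bwire( transfer)?\b", r"\bnew (bank )?account\b",
           r"\b(updated?|change) (our |the )?(bank|payment|deposit) (details|information)\b"]

SAMPLE = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@webmail.example
To: pat@example.com
Subject: Urgent wire before end of day
Date: Tue, 04 Mar 2025 23:12:00 +0000
Content-Type: text/plain

Pat, I need a wire transfer sent to a new account today.
Keep this between us until the deal closes.
"""

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def score_bec_signals(raw_message, known_senders, business_hours=(7, 19)):
    """Score a raw RFC 5322 message for BEC red flags. Returns (score, reasons)."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    score, reasons = 0, []
    name, from_addr = parseaddr(str(msg["From"] or ""))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    # A known insider's display name on an address that is not theirs (lookalike domain).
    expected = known_senders.get(name.strip().lower())
    if expected and from_addr.lower() != expected.lower():
        score += 4; reasons.append(f"display name '{name}' but address {from_addr}")
    # Replies silently routed to a mailbox the visible sender does not control.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        score += 3; reasons.append(f"Reply-To domain {_domain(reply_addr)} differs from From")
    for label, patterns, weight in (("urgency", URGENCY, 2), ("secrecy", SECRECY, 2), ("payment change", PAYMENT, 3)):
        hits = [p for p in patterns if re.search(p, text, re.IGNORECASE)]
        if hits:
            score += weight; reasons.append(f"{label}: {len(hits)} phrase(s)")
    # Off-hours timing: attackers pick moments when verifying by phone is inconvenient.
    if msg["Date"]:
        hour = parsedate_to_datetime(str(msg["Date"])).hour
        if not business_hours[0] <= hour < business_hours[1]:
            score += 1; reasons.append(f"sent at {hour:02d}:00, outside business hours")
    return score, reasons
```

A score like this is a routing aid for the finance team’s review queue, not a verdict; the out-of-band phone call still decides.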
You need process controls, employee training, and the right monitoring tools. Here are seven strategies that work.
This is the single most effective BEC prevention control. Before processing any wire transfer, payment change, or unusual financial request, verify it through a separate channel. Call the requester at a known phone number. Don’t use the phone number in the email.
Set a dollar threshold. Any payment or change above that amount requires voice verification. No exceptions.
Email authentication protocols make it harder for attackers to spoof your domain. DMARC tells receiving servers what to do with emails that fail SPF or DKIM checks.
These don’t stop BEC from compromised accounts (the email comes from your real domain). But they block the easier spoofing attacks and protect your brand from being impersonated to your customers and partners.
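To make the limit of these protocols concrete, the added example below (not code from the article) parses a `_dmarc` TXT record and an `Authentication-Results` header and explains what the mail server could and could not conclude. The two header values and the two DMARC records are constructed samples; the verdict strings are this example’s own.

```python
import re

# Authentication-Results values as a receiving mail server stamps them (RFC 8601),
# and two _dmarc TXT records. All four samples are constructed for this example.
SPOOFED = ("mx.example.com; spf=fail smtp.mailfrom=attacker.invalid; "
           "dkim=none; dmarc=fail header.from=example.com")
COMPROMISED = ("mx.example.com; spf=pass smtp.mailfrom=example.com; "
               "dkim=pass header.d=example.com; dmarc=pass header.from=example.com")
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_RECORD = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"

def parse_dmarc_record(txt):
    """Split a _dmarc TXT record into its tag=value pairs."""
    tags = dict(part.strip().split("=", 1) for part in txt.split(";") if "=" in part)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags

def dmarc_is_enforcing(txt):
    """True only when failing mail is quarantined or rejected for 100% of messages."""
    tags = parse_dmarc_record(txt)
    return tags.get("p") in ("quarantine", "reject") and int(tags.get("pct", "100")) == 100

def parse_auth_results(header):
    """Return {method: result} for the spf, dkim and dmarc clauses."""
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)}

def classify(auth_header, dmarc_record):
    """Explain what authentication did, and did not, decide about this message."""
    res = parse_auth_results(auth_header)
    if res.get("dmarc") == "fail":
        if dmarc_is_enforcing(dmarc_record):
            return "spoof blocked: DMARC policy p=" + parse_dmarc_record(dmarc_record)["p"]
        return "spoof delivered: DMARC p=none only reports, it does not block"
    if res.get("spf") == "pass" and res.get("dkim") == "pass" and res.get("dmarc") == "pass":
        # This is exactly what mail from a compromised real account looks like.
        return "authenticated: real account, verify the request through process controls"
    return "partial authentication: review manually"
```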
When attackers send BEC emails from a real employee’s inbox, every security check passes. The best way to prevent this is to catch compromised credentials before attackers use them.
Credential monitoring scans stealer logs and breach data for your employees’ exposed email passwords. When credentials appear, you can force password resets immediately. Dark web monitoring extends this to criminal marketplaces where stolen access is bought and sold.
If attackers can’t log into an employee’s email, they can’t send BEC emails from it. MFA on every email account is non-negotiable. Use authenticator apps or hardware keys. SMS-based MFA is better than nothing but vulnerable to SIM-swapping.
This won’t stop spoofed emails, but it helps block the most dangerous BEC variant: email account compromise.
Generic security awareness training mentions BEC but doesn’t prepare people for it. Run BEC-specific simulations that test whether employees verify unusual requests.
Focus on finance, HR, and executive assistants. These are the roles attackers target. Teach them that urgency and secrecy in a financial request are red flags, not reasons to skip verification.
No single person should be able to authorize a large payment. Dual approval for wire transfers over a set threshold adds a second set of eyes. Separate who initiates payments from who approves them. This makes BEC much harder to execute because the attacker would need to compromise two people, not one.
For vendor payment changes specifically, require confirmation from the vendor through a known contact at a known number. Not the contact details in the email requesting the change.
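The out-of-band verification and dual-approval controls described above can be encoded so that a payment change cannot be released until each one is met. This added example is not the article’s code; the vendor directory, the $10,000 threshold, the rule that large changes need two approvers who are not the initiator, and all sample values are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Vendor master file kept separately from email: the callback number on record is
# the only one that counts. Values and the threshold are constructed for this example.
VENDOR_DIRECTORY = {"acme-supplies": {"phone_on_file": "+1-555-0100", "account": "111222333"}}
VERIFICATION_THRESHOLD = 10_000   # at or above this: callback to number on file + two approvers

@dataclass
class PaymentChangeRequest:
    vendor_id: str
    new_account: str
    amount: float
    requested_by: str                 # employee who entered the request
    phone_in_email: str               # number offered in the requesting email; never dialed for verification
    callback_number_used: Optional[str] = None
    callback_confirmed: bool = False
    approvals: List[str] = field(default_factory=list)

def record_callback(req, number_dialed, vendor_confirmed):
    """Record an out-of-band check; it counts only if the number on file was dialed."""
    on_file = VENDOR_DIRECTORY[req.vendor_id]["phone_on_file"]
    req.callback_number_used = number_dialed
    req.callback_confirmed = bool(vendor_confirmed) and number_dialed == on_file
    return req.callback_confirmed

def approve(req, approver):
    """Add an approval; the initiator can never approve their own request."""
    if approver == req.requested_by:
        raise PermissionError(f"{approver} initiated this request and cannot approve it")
    if approver not in req.approvals:
        req.approvals.append(approver)

def release_blockers(req):
    """List every control still unmet; an empty list means the change may be executed."""
    blockers = []
    needed = 2 if req.amount >= VERIFICATION_THRESHOLD else 1
    if len(req.approvals) < needed:
        blockers.append(f"needs {needed} approver(s), has {len(req.approvals)}")
    if req.amount >= VERIFICATION_THRESHOLD and not req.callback_confirmed:
        blockers.append("vendor not confirmed via the number on file")
    return blockers
```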
Traditional email filters scan for malicious links and known bad senders. BEC bypasses both. AI-based tools analyze writing patterns and sender behavior to catch anomalies that rule-based filters miss.
These tools aren’t perfect. But they add a detection layer that traditional filters can’t provide. Products in this space include Abnormal Security, Proofpoint TAP, and Microsoft Defender for Office 365’s BEC detection features.
BEC hits companies of every size. Here are cases with documented outcomes.
$12 million global scheme (2024). A ring involving operatives in Kenya and Nigeria ran BEC attacks across multiple countries. Three defendants were convicted in a Connecticut federal court. One received 8 years in prison.
$5 million Virginia case (2024). A Nigerian national was sentenced to over 5 years in prison for a BEC scheme targeting US companies. He was ordered to pay nearly $5 million in restitution.
FACC aerospace (2016). An Austrian aerospace manufacturer lost $54 million when a BEC email impersonated the CEO and tricked an employee into wiring funds. The CEO was fired over the incident. FACC later sued both the CEO and CFO for failing to implement adequate controls.
Same playbook, every time: research the target, impersonate someone trusted, create urgency around a payment.
What stands out across these cases is that the victims weren’t careless. They were experienced professionals who trusted their email. The scams worked because the attackers invested time in making the request look routine. Prevention isn’t about being smarter than the attacker. It’s about having processes that don’t rely on a single person’s judgment.
Act fast. The window to recover funds is narrow.
Contact your bank immediately. Request a wire recall. You typically have 24-72 hours before recovery becomes unlikely. Once money moves through multiple accounts or crosses borders, your chances drop sharply.
Report to law enforcement. File with the FBI’s IC3 at ic3.gov. If the transfer was international, time is critical. The IC3’s Recovery Asset Team has frozen over $500 million in BEC transfers since 2018.
Secure the compromised account. Reset passwords, enable MFA, and review email rules for any forwarding or filtering the attacker set up. Attackers often create inbox rules to hide their activity.
Conduct an incident response investigation. Determine how the attacker gained access. Was it a compromised account, a spoofed email, or social engineering? The answer shapes your remediation.
Notify affected parties. If customer data or vendor information was involved, you may have notification obligations. Even if it was purely financial, notify your vendors and partners so they can watch for follow-up scams that reference the same deal or invoice.
Review what failed. After the immediate crisis, figure out which control broke down. Was there no verification process? Did someone skip it? Was an email account compromised because it lacked MFA? The answer tells you what to fix so it doesn’t happen again.
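The "secure the compromised account" step above calls for reviewing inbox rules the attacker may have set up. The added example below (not code from the article) audits a list of exported rules for the tradecraft that step describes: forwarding to external addresses and hiding finance-related mail. The rule format, the folder and keyword lists, and the three sample rules are assumptions constructed for illustration.

```python
# Exported inbox rules in a simplified dict form. The sample rules are constructed
# for this example; real exports (Exchange Online, Google Workspace) carry more fields.
RULES = [
    {"name": ".", "conditions": {"subject_contains": ["invoice", "payment", "wire"]},
     "actions": {"forward_to": ["collector@webmail.example"], "delete": True}},
    {"name": "Bank notices", "conditions": {"from": ["alerts@bank.example"]},
     "actions": {"move_to": "RSS Feeds", "mark_read": True}},
    {"name": "Newsletters", "conditions": {"from": ["news@vendor.example"]},
     "actions": {"move_to": "Newsletters"}},
]
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance", "payroll"}
# Folders users rarely open, a common place to bury intercepted replies.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk", "deleted items", "archive"}

def audit_rule(rule, internal_domain):
    """Return the reasons a single inbox rule looks like attacker tradecraft."""
    findings = []
    actions, conds = rule.get("actions", {}), rule.get("conditions", {})
    for addr in actions.get("forward_to", []) + actions.get("redirect_to", []):
        if not addr.lower().endswith("@" + internal_domain.lower()):
            findings.append(f"forwards mail to external address {addr}")
    scope = " ".join(conds.get("subject_contains", []) + conds.get("body_contains", [])
                     + conds.get("from", [])).lower()
    hides = actions.get("delete") or actions.get("mark_read") or actions.get("move_to", "").lower() in HIDING_FOLDERS
    if hides and any(term in scope for term in FINANCE_TERMS):
        findings.append("hides finance-related mail from the mailbox owner")
    if len(rule.get("name", "").strip()) <= 1:
        findings.append("near-empty rule name")
    return findings

def audit_rules(rules, internal_domain):
    """Return [(rule name, findings)] for every rule with at least one finding."""
    flagged = []
    for rule in rules:
        findings = audit_rule(rule, internal_domain)
        if findings:
            flagged.append((rule.get("name", ""), findings))
    return flagged
```

Run the same audit across every mailbox in the organization, not only the one that sent the fraudulent email, since the attacker may hold more than one account.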
BEC works because it exploits trust, not technology. The defense is human: call to confirm before you wire anything.
The companies that avoid BEC losses are the ones with strict payment verification and credential monitoring running in the background. Technology helps, but the phone call to a known number is what stops most BEC scams.
Check your exposure to see if employee email credentials from your organization have already appeared on criminal markets.
BEC is a targeted scam where attackers impersonate executives or vendors via email to trick employees into transferring money or sharing sensitive data. The social engineering is the attack. There are no malicious links to click, which is why email filters miss it.
63% of organizations experienced BEC in 2024, according to the AFP Fraud and Control Survey. The FBI’s IC3 received over 21,000 BEC complaints that year. BEC attacks increased 15% in 2025, and generative AI is making them easier to scale.
Phishing casts a wide net with malicious links and fake login pages. BEC targets specific individuals with personalized emails. Phishing steals credentials. BEC steals money directly through fraudulent wire transfers or invoice manipulation.
Urgency and secrecy are the biggest tells. Watch for payment requests that bypass normal approval processes, changes to vendor bank details, pressure to act before verifying, and emails that arrive just before a deadline or when the supposed sender is traveling.
Not reliably. Traditional filters look for malicious payloads, and BEC emails don’t have any. AI-based tools that analyze sender behavior catch more, but they’re not foolproof. Process controls like out-of-band verification are your best defense.
When employee email credentials appear in stealer logs or breach data, attackers can log into the real account and send BEC emails from it. Credential monitoring catches these exposed credentials so you can force password resets before attackers exploit the access.