
Business Email Compromise: The $50 Billion Scam

BEC attacks have cost businesses over $50 billion globally. They don't use malware or technical exploits — just well-crafted emails and social engineering. Here's what every employee needs to know.

Business Email Compromise (BEC) is one of the most financially devastating cybercrimes. The FBI's Internet Crime Complaint Center (IC3) puts reported exposed losses (actual and attempted) at more than $50 billion worldwide between October 2013 and December 2022. And unlike ransomware headlines, these attacks happen quietly, one fraudulent wire transfer at a time.

What is Business Email Compromise?

BEC is a targeted scam in which attackers impersonate company executives, vendors, or trusted partners to trick employees into transferring money or revealing sensitive information. No malware is needed, only social engineering. In 2026, attackers are escalating BEC with deepfake video calls that "confirm" a fraudulent request, and with OAuth consent phishing, where the victim approves a malicious application that is then granted mailbox access without the attacker ever learning the password.

Average BEC loss: $125,000 per incident. Some attacks have stolen tens of millions in a single transfer.

The 5 Types of BEC Attacks

1. CEO Fraud

Attackers impersonate the CEO or another executive, emailing the finance department with an urgent wire transfer request. The email often mentions confidentiality: "This is sensitive — please don't discuss with anyone."

Example: "I need you to wire $47,000 to this account for a confidential acquisition. I'm in meetings all day so just reply to this email."

2. Vendor/Supplier Scam

Scammers pose as a vendor your company regularly pays, claiming their bank details have changed. The next invoice payment goes to the attacker's account.

Example: "Due to a recent audit, we've changed our banking information. Please update our details before processing the next payment."

3. Account Compromise

Attackers take over a real employee's mailbox (through phishing, password reuse, or a stolen session) and use it to request payments from vendors, customers, or colleagues. Because the message genuinely comes from the account, it passes SPF, DKIM and DMARC and is extremely convincing. Attackers typically also add inbox rules that delete or forward replies so the real account owner never sees the conversation.

4. Attorney Impersonation

Scammers pretend to be lawyers handling confidential deals. They create urgency around "time-sensitive" transactions that require immediate payment.

5. Data Theft

Not all BEC is about money. Some attackers target HR or payroll to steal employee W-2 forms, personal information, or wage data for tax fraud.

Why BEC Works So Well

  • No malware to detect — Anti-malware has nothing to scan; a plain-text request is caught only by authentication checks, anomaly detection, or a person who questions it
  • Research-based targeting — Attackers study LinkedIn, company websites, and news
  • Exploits authority — Employees hesitate to question the CEO
  • Creates urgency — "This needs to happen today"
  • Timing is strategic — Often sent when executives are traveling or in meetings

Red Flags of BEC Attacks

Watch for these warning signs:
  • Unusual urgency or secrecy requests
  • Requests to bypass normal approval processes
  • Changes to payment details for existing vendors
  • Slightly different email addresses (ceo@company.co vs ceo@company.com)
  • "Reply to this email only" instructions
  • Grammar errors or unusual phrasing from known contacts

How to Protect Your Organization

Technical Controls

  • Implement SPF, DKIM, and DMARC — With DMARC at p=reject, mail that forges your exact domain is refused by receivers that check it. This does nothing against lookalike domains or compromised real accounts, so treat it as one layer
  • Tag external mail — Prepend a visible [EXTERNAL] banner so a message signed "the CEO" that arrived from outside stands out
  • Use multi-factor authentication — Raises the cost of account compromise; prefer phishing-resistant methods (FIDO2/passkeys), and review third-party OAuth app consents, which bypass the password entirely
  • Monitor for lookalike domains — Attackers register similar domains; check both the From and the Reply-To address against your own and key vendors' domains
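The checks above, together with the red flags listed earlier (lookalike domains, "reply to this email only" with a different Reply-To) and the authentication analysis offered at the end of this post, can be automated on inbound mail. The following is an added example, not code from the original post or from any product: it parses the Authentication-Results header that a receiving mail server stamps after evaluating SPF, DKIM and DMARC (RFC 8601), compares the From and Reply-To domains, and flags domains that are near misses of your own. The two sample messages, the domains example.com, examp1e.com and acme-supplies.net, and the trusted-domain list are all constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample messages, not real mail. The Authentication-Results header is
# what the receiving mail server (authserv-id mx.example.com) added after its checks.
SUSPICIOUS_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=fail (sender IP is 203.0.113.7) smtp.mailfrom=ceo@examp1e.com;
 dkim=none;
 dmarc=fail (p=reject) header.from=example.com
From: "Jane Doe, CEO" <ceo@example.com>
Reply-To: <ceo@examp1e.com>
Subject: Urgent and confidential wire

I need $47,000 wired today for an acquisition. Reply to this email only.
"""

CLEAN_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=billing@acme-supplies.net;
 dkim=pass header.d=acme-supplies.net;
 dmarc=pass header.from=acme-supplies.net
From: Acme Supplies Billing <billing@acme-supplies.net>
Subject: Invoice 4471

Attached is invoice 4471, due in 30 days.
"""

AUTH_RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
# Digits that registered lookalike domains substitute for letters.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def parse_auth_results(header_value):
    """Return {'spf': 'fail', 'dkim': 'none', ...} from an Authentication-Results header."""
    text = " ".join(header_value.split())   # unfold the multi-line header value
    return {m.group(1).lower(): m.group(2).lower() for m in AUTH_RESULT_RE.finditer(text)}


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(label):
    """Collapse the usual visual tricks: digit-for-letter and 'rn' standing in for 'm'."""
    return label.translate(HOMOGLYPHS).replace("rn", "m")


def looks_like(domain, trusted):
    """True if `domain` is a near miss of `trusted`: swapped TLD, homoglyphs, or 1-2 edits.
    Splits on the last dot only, so multi-label TLDs such as co.uk are handled approximately."""
    domain, trusted = domain.lower(), trusted.lower()
    if domain == trusted:
        return False
    d_name, _, d_tld = domain.rpartition(".")
    t_name, _, t_tld = trusted.rpartition(".")
    if d_name == t_name and d_tld != t_tld:                      # example.co vs example.com
        return True
    if normalize(d_name) == normalize(t_name):                   # examp1e.com, exarnple.com
        return True
    return d_tld == t_tld and edit_distance(d_name, t_name) <= 2  # exampel.com


def domain_of(header_value):
    """Bare domain from an address header, lower-cased ('' if the header is absent)."""
    return parseaddr(header_value)[1].rpartition("@")[2].lower()


def analyze(raw_message, trusted_domains):
    """Return a list of spoofing indicators found in one raw message (empty if none)."""
    msg = message_from_string(raw_message)
    findings = []
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    for mech in ("spf", "dkim", "dmarc"):
        result = auth.get(mech, "missing")
        if result != "pass":
            findings.append(f"{mech}={result}")
    from_domain = domain_of(msg.get("From", ""))
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if auth.get("dmarc") == "fail" and from_domain in trusted_domains:
        findings.append(f"From domain {from_domain} is ours and failed DMARC: forged sender")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    for trusted in trusted_domains:
        for label, dom in (("From", from_domain), ("Reply-To", reply_domain)):
            if dom and looks_like(dom, trusted):
                findings.append(f"{label} domain {dom} is a lookalike of {trusted}")
    return findings


if __name__ == "__main__":
    for name, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(name, analyze(raw, ["example.com"]) or ["no indicators"])
```

Trust only the Authentication-Results header added by your own mail server (the authserv-id, mx.example.com in the sample); a sender can include a forged copy inside the message, so the edge server should strip any instance it did not add itself. A DMARC failure on your own domain at p=reject should never reach a mailbox at all; when one does, the receiving path is not enforcing the policy.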

Process Controls

  • Verify payment changes verbally — Call using a known number, not one from the email
  • Require dual approval — No single person should authorize large transfers
  • Establish code words — For verifying urgent executive requests
  • Create a waiting period — 24-48 hours for vendor banking changes
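Process controls only hold if the system of record refuses to apply a change until each step is done, by the right people, in order. The following is an added example, not code from the original post or any accounting product: a small state machine for a vendor bank-detail change that rejects a callback to any number other than the one on file, rejects self-approval, requires two approvers, and refuses to write the new account before the hold period has elapsed. The vendor record, phone numbers, account numbers, user names, 48-hour hold and two-approver rule are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Policy values assumed for this example; tune them to the organization.
HOLD_PERIOD = timedelta(hours=48)   # cooling-off period before a banking change takes effect
REQUIRED_APPROVERS = 2              # dual approval for the change itself


class ControlViolation(Exception):
    """A step was attempted out of order, by the wrong person, or with the wrong data."""


@dataclass
class BankChangeRequest:
    vendor_id: str
    new_account: str
    requested_by: str               # the AP clerk who keyed in the vendor's emailed request
    requested_at: datetime
    callback_verified: bool = False
    approvers: set = field(default_factory=set)
    applied: bool = False


def record_callback(master, req, number_dialed, vendor_confirmed):
    """The callback counts only if it went to the number on file, never one taken from the email."""
    on_file = master[req.vendor_id]["phone"]
    if number_dialed != on_file:
        raise ControlViolation(f"callback went to {number_dialed}, not the number on file {on_file}")
    req.callback_verified = bool(vendor_confirmed)
    return req.callback_verified


def approve(req, approver):
    """Separation of duties: the requester cannot be one of the approvers."""
    if approver == req.requested_by:
        raise ControlViolation("requester cannot approve their own change")
    req.approvers.add(approver)
    return len(req.approvers)


def apply_change(master, req, now):
    """Write the new account to the vendor master only when every control is satisfied."""
    if not req.callback_verified:
        raise ControlViolation("no verified callback to the number on file")
    if len(req.approvers) < REQUIRED_APPROVERS:
        raise ControlViolation(f"{len(req.approvers)} of {REQUIRED_APPROVERS} approvals")
    if now - req.requested_at < HOLD_PERIOD:
        raise ControlViolation("hold period has not elapsed")
    master[req.vendor_id]["account"] = req.new_account
    req.applied = True
    return master[req.vendor_id]["account"]


def _attempt(step):
    """Run one control step; return 'rejected' instead of raising so the walkthrough continues."""
    try:
        return step()
    except ControlViolation:
        return "rejected"


def run_scenario():
    """Walk one constructed 'our bank details changed' request through the controls."""
    master = {"V-1001": {"name": "Acme Supplies", "phone": "+1-555-0100",
                         "account": "DE89 3704 0044 0532 0130 00"}}   # constructed vendor record
    t0 = datetime(2025, 1, 14, 9, 0, tzinfo=timezone.utc)
    req = BankChangeRequest("V-1001", "GB29 NWBK 6016 1331 9268 19", "ap.clerk", t0)
    out = {}
    # The email helpfully lists a "new" phone number to confirm the change; it is not the one on file.
    out["callback_to_number_in_email"] = _attempt(lambda: record_callback(master, req, "+1-555-0199", True))
    # Callback to the number on file; in this scenario the vendor confirms the change is real.
    out["callback_to_number_on_file"] = _attempt(lambda: record_callback(master, req, "+1-555-0100", True))
    out["self_approval"] = _attempt(lambda: approve(req, "ap.clerk"))
    out["first_approval"] = _attempt(lambda: approve(req, "ap.manager"))
    out["apply_with_one_approver"] = _attempt(lambda: apply_change(master, req, t0 + timedelta(hours=1)))
    out["second_approval"] = _attempt(lambda: approve(req, "controller"))
    out["apply_inside_hold_period"] = _attempt(lambda: apply_change(master, req, t0 + timedelta(hours=1)))
    out["apply_after_hold_period"] = _attempt(lambda: apply_change(master, req, t0 + timedelta(hours=49)))
    out["account_on_file"] = master["V-1001"]["account"]
    return out


if __name__ == "__main__":
    for step, result in run_scenario().items():
        print(f"{step:28} {result}")
```

The point of the hold period is that it gives the real vendor time to notice an unexpected "confirmation" and gives finance time to spot a second change request arriving from the same lookalike domain; the dual approval and the on-file callback number are what stop a single rushed employee from being the only control.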

Training

  • Regular security awareness training — Cover BEC specifically
  • Simulated BEC exercises — Test employees with fake scenarios
  • Create a reporting culture — Make it safe to question suspicious requests

What To Do If You Suspect a BEC Attack

  1. STOP — Don't make any payments or transfers
  2. VERIFY — Call the requester using a known phone number
  3. REPORT — Notify your IT/security team immediately
  4. If money was sent — Contact your bank immediately to attempt a recall, and report the transfer to the FBI's IC3 (ic3.gov); the sooner both happen, the better the chance the funds are frozen before they are moved on

Verify Suspicious Business Emails

Received an unusual request from a vendor, executive, or partner? Forward the email to us for authentication analysis:

We'll verify the sender's authentication, check for spoofing indicators, and help you determine if it's legitimate.