In 2021, the FBI's Internet Crime Complaint Center received 19,954 business email compromise complaints with adjusted losses of nearly $2.4 billion. That made BEC the single most financially damaging cybercrime category — beating ransomware by a factor of almost 49 to 1. And those are just the cases people actually reported.
I've investigated dozens of BEC incidents over my career, and here's what still surprises people: these attacks rarely involve sophisticated malware or zero-day exploits. They rely on trust, urgency, and the simple fact that most employees won't question an email that looks like it came from the CEO. If you run a business of any size, this is the threat that should keep you up at night — and the one most likely to hit your bottom line this year.
What Is Business Email Compromise, Exactly?
Business email compromise is a type of social engineering attack where a threat actor impersonates a trusted figure — usually an executive, vendor, or attorney — to trick an employee into transferring funds, sharing sensitive data, or changing payment details. Unlike mass phishing campaigns that spray thousands of inboxes, BEC attacks are targeted, researched, and patient.
The FBI categorizes BEC into several variants: CEO fraud, vendor email compromise, attorney impersonation, account compromise, and data theft. The common thread is always the same — a criminal manipulates human trust instead of exploiting a software vulnerability.
Here's the part most organizations miss: the attacker often has access to real email threads before launching the scam. They've either compromised someone's mailbox through credential theft or spent weeks monitoring communications. When they finally send the fraudulent request, it reads exactly like a legitimate message because it's modeled on real ones.
The $2.4 Billion Lesson Most Organizations Learn Too Late
The numbers from the FBI IC3 2021 Internet Crime Report are staggering, but they don't capture the full picture. Many BEC losses go unreported because companies fear reputational damage. I've personally worked with organizations that lost six figures and chose to absorb the hit quietly rather than file a complaint.
Consider one of the most infamous BEC cases: in 2020, Puerto Rico's Industrial Development Company wired $2.6 million to a fraudulent account after receiving spoofed emails that appeared to come from a government pension fund. The emails instructed a change in the bank account tied to remittance payments. A simple, believable request — and no malware involved.
Ubiquiti Networks disclosed in 2015 that it lost $46.7 million through a BEC attack involving employee impersonation and fraudulent payment requests targeting its finance department. That figure appeared in SEC filings. This wasn't a startup. It was a publicly traded technology company.
Why Traditional Email Filters Miss BEC
Most email security gateways are built to catch malware attachments, known phishing URLs, and bulk spam. BEC messages contain none of these. A typical BEC email is plain text — no links, no attachments, no payload. It's just words, carefully chosen to exploit authority and urgency.
That's why I tell every organization I work with: technology alone cannot stop business email compromise. You need humans who recognize the tactics. You need process controls that prevent a single email from moving money. And you need both working together.
How Threat Actors Build a BEC Attack Step by Step
Understanding the attack chain helps you interrupt it. Here's what I've seen in real investigations, broken into phases.
Phase 1: Reconnaissance
The attacker identifies targets using LinkedIn, company websites, press releases, and social media. They're looking for the CEO's name, the CFO's email format, who handles accounts payable, and which vendors the company uses. This information is almost always publicly available.
Phase 2: Account Compromise or Spoofing
The attacker either compromises an actual email account through credential theft — often using a phishing email to steal a password — or sets up a lookalike domain. I've seen attackers register domains that differ by a single character, like replacing an "m" with "rn." At a glance, the difference is invisible.
If they compromise the real account, they often set up mail forwarding rules to monitor conversations silently. They'll wait days or weeks, reading every thread, learning the language and rhythm of internal communication.
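The lookalike-domain trick described above is detectable in mail headers if you compare the sender's domain against the domains you actually do business with. The following Python is an added example, not code from the original article: it normalizes common confusable character sequences (the "rn" for "m" swap among them) and also catches domains one edit away from a trusted one. The trusted-domain list and the sample From: headers are constructed for the demonstration.

```python
import re
from email.utils import parseaddr

# Character sequences that look like another character in common fonts.
# Constructed, not exhaustive; extend it with what your own phishing samples show.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
               ("1", "l"), ("3", "e"), ("5", "s")]


def normalize(domain: str) -> str:
    """Lower-case a domain and collapse confusable sequences to the glyph they imitate."""
    d = domain.lower().strip().rstrip(".")
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: a small value means a near-miss domain (added, dropped or swapped letter)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain: str, trusted) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for one sender domain."""
    d = domain.lower().strip().rstrip(".")
    if d in trusted:
        return "trusted"
    norm = normalize(d)
    for t in trusted:
        if norm == normalize(t):
            return "lookalike"      # differs only by confusable characters
        if edit_distance(d, t.lower()) <= 1:
            return "lookalike"      # one character added, removed or changed
    return "unknown"


def audit_from_headers(from_headers, trusted):
    """Map each raw From: header value to its classification."""
    results = {}
    for raw in from_headers:
        _, addr = parseaddr(raw)
        domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
        results[raw] = classify_sender_domain(domain, trusted)
    return results


if __name__ == "__main__":
    # Constructed sample: one genuine header, three lookalikes, one unrelated sender.
    trusted_domains = {"example.com"}
    headers = ['"CEO" <ceo@example.com>', '"CEO" <ceo@exarnple.com>',
               '"CFO" <cfo@examp1e.com>', '"AP" <ap@example.co>',
               '"Newsletter" <news@unrelated.org>']
    for header, verdict in audit_from_headers(headers, trusted_domains).items():
        print(f"{verdict:10} {header}")
```

A check like this belongs in the mail gateway or a mailbox-side script, and its output is a prompt for the out-of-band verification discussed later, not a block on its own: very short trusted domains will produce edit-distance false positives, so treat "lookalike" as a reason to pick up the phone.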
Phase 3: The Ask
The fraudulent request usually arrives during a high-pressure moment — right before a wire deadline, during a merger, while the CEO is traveling. The email uses language pulled directly from real messages. It often includes phrases like "Please handle this quietly" or "I'm in a meeting, can you process this now?"
Phase 4: The Transfer
Once the employee initiates the wire or shares the data, the money moves fast. Attackers frequently use domestic accounts that quickly cascade funds to overseas accounts. The Cybersecurity and Infrastructure Security Agency (CISA) has flagged BEC as one of the most financially destructive online crimes because recovery rates are low once funds leave the initial account.
The Controls That Actually Stop BEC
I've seen organizations throw money at email security tools and still lose six figures to a well-crafted BEC email. Here's what actually works — a layered approach combining people, process, and technology.
Out-of-Band Verification for Every Financial Request
This is the single most effective control. Any request to change payment details, wire funds, or redirect invoices must be verified through a separate communication channel — a phone call to a known number, a face-to-face confirmation, or a secure messaging platform. Never verify by replying to the same email thread.
Write this into your financial procedures. Make it policy. I've seen this one control prevent losses that would have exceeded $500,000.
Multi-Factor Authentication on Every Email Account
If a threat actor can't compromise your real email accounts, they lose their most powerful weapon — legitimate access to real conversations. Multi-factor authentication drastically reduces the risk of credential theft. According to the NIST Digital Identity Guidelines (SP 800-63B), MFA is a baseline control for protecting authentication systems.
Yet I still encounter organizations where executive accounts use only a password. In 2022, that's inexcusable.
Security Awareness Training That Simulates Real Attacks
Your employees are your last line of defense against business email compromise. They need training that goes beyond a once-a-year slideshow. Effective programs use phishing simulation exercises that replicate the exact techniques BEC attackers use — urgency, authority impersonation, and process manipulation.
If you're looking for a practical starting point, our phishing awareness training for organizations walks teams through real-world BEC scenarios. We also offer a comprehensive cybersecurity awareness training program that covers social engineering, credential theft, and the broader threat landscape your employees need to understand.
Email Authentication Protocols: DMARC, DKIM, and SPF
These three protocols work together to make it harder for attackers to spoof your domain. DMARC (Domain-based Message Authentication, Reporting, and Conformance) tells receiving mail servers what to do with messages that fail authentication checks. When configured in enforcement mode, it dramatically reduces the effectiveness of domain spoofing.
Yet Verizon's 2021 Data Breach Investigations Report found that phishing — including BEC — remained a top action variety in breaches. Many organizations still haven't implemented DMARC beyond monitoring mode. If that's you, move to enforcement.
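Whether a domain is still in monitoring mode is visible in its published records. The Python below is an added example, not the article's own material: it parses DMARC and SPF TXT records and classifies their posture, treating p=none as monitoring and pct below 100 or sp=none as only partial enforcement (tag names and qualifiers are those defined by the DMARC and SPF specifications). The records here are constructed strings so the code runs offline; in practice you would fetch the TXT record at _dmarc.<your-domain> and the domain's own TXT record from DNS.

```python
def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record into lower-cased tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if part and "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_posture(record) -> str:
    """Classify a DMARC record as missing, invalid, monitoring, partial or enforcing."""
    if record is None:
        return "missing"
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return "invalid"
    if policy == "none":
        return "monitoring"          # reports only; spoofed mail is still delivered
    if pct < 100:
        return "partial"             # policy applied to only pct% of failing mail
    if tags.get("sp", policy).lower() == "none":
        return "partial"             # subdomains can still be spoofed
    return "enforcing"               # quarantine or reject on all failing mail


def spf_posture(record) -> str:
    """Report how the SPF record's 'all' mechanism treats unlisted senders."""
    if record is None:
        return "missing"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid"
    for term in terms[1:]:
        if term.lower().lstrip("+-~?") == "all":
            qualifier = term[0] if term[0] in "+-~?" else "+"
            return {"-": "hard_fail", "~": "soft_fail"}.get(qualifier, "permissive")
    return "no_all"                  # unlisted senders get a neutral result


def assess_domain(dmarc_txt, spf_txt) -> dict:
    """Combine both checks; 'needs_action' is True unless DMARC enforces and SPF fails closed."""
    dmarc = dmarc_posture(dmarc_txt)
    spf = spf_posture(spf_txt)
    return {"dmarc": dmarc, "spf": spf,
            "needs_action": dmarc != "enforcing" or spf not in ("hard_fail", "soft_fail")}


if __name__ == "__main__":
    # Constructed records for illustration; none of these are real domains' records.
    samples = {
        "monitoring-only": ("v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com",
                            "v=spf1 include:_spf.example.net ~all"),
        "partial":         ("v=DMARC1; p=quarantine; pct=25", "v=spf1 ip4:192.0.2.0/24 -all"),
        "enforcing":       ("v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc-reports@example.com",
                            "v=spf1 ip4:192.0.2.0/24 -all"),
        "no-dmarc":        (None, "v=spf1 +all"),
    }
    for label, (dmarc_txt, spf_txt) in samples.items():
        print(f"{label:16} {assess_domain(dmarc_txt, spf_txt)}")
```

Run this against your own domains and any vendor domains whose invoices you pay: a vendor stuck at p=none is a vendor whose name can be used against your accounts payable team.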
Zero Trust Architecture for Email and Internal Systems
A zero trust approach assumes that no user, device, or connection should be automatically trusted. Applied to email, this means continuous authentication, least-privilege access to financial systems, and segmentation that prevents a compromised mailbox from granting access to wire transfer capabilities.
Zero trust isn't a product you buy — it's a design philosophy. But it's directly relevant to BEC prevention because it limits the blast radius of any single compromised account.
What Should You Do If You Suspect a BEC Attack?
Speed is everything. If you suspect your organization has received or acted on a BEC email, take these steps immediately:
- Contact your bank. Request a recall or reversal of the wire transfer. The faster you act, the higher the recovery chance. The FBI's Recovery Asset Team successfully helped freeze approximately $500 million in BEC transfers in 2021.
- File a complaint with the FBI IC3 at ic3.gov. Include all email headers, transaction details, and recipient account information.
- Preserve all evidence. Do not delete emails or modify mailbox rules. Forensic investigators need the complete picture.
- Reset credentials for any potentially compromised accounts and audit mailbox rules for unauthorized forwarding.
- Notify your cyber insurance carrier if you have a policy. Many BEC losses fall under social engineering coverage riders.
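The silent forwarding rules mentioned in Phase 2 and the mailbox-rule audit in the response steps above are the same check from two directions. The following Python is an added example, not code from the article or any mail platform: it reads a rule export in a generic, constructed shape (mailbox, name, conditions, actions) and flags rules that forward to external domains, delete or hide finance-related mail, move messages into rarely opened folders, or carry a non-descriptive name. Real exports from mail platforms use their own field names and would need a mapping step first; the sample rules and the internal domain are constructed.

```python
import json
from email.utils import parseaddr

# Constructed rule export. One benign rule, one hostile forwarding rule,
# one rule that hides vendor mail in a folder nobody opens.
SAMPLE_RULES_JSON = """[
 {"mailbox": "cfo@example.com", "name": "Archive newsletters", "enabled": true,
  "conditions": {"subject_contains": ["newsletter"]},
  "actions": {"move_to": "Archive"}},
 {"mailbox": "cfo@example.com", "name": ".", "enabled": true,
  "conditions": {"body_contains": ["invoice", "wire", "payment"]},
  "actions": {"forward_to": ["collector@mail-drop.example.net"], "delete": true, "mark_read": true}},
 {"mailbox": "ap@example.com", "name": "Vendor", "enabled": true,
  "conditions": {"from_contains": ["vendor"]},
  "actions": {"move_to": "RSS Subscriptions"}}
]"""

FINANCE_TERMS = {"invoice", "wire", "payment", "bank", "remittance", "ach", "swift"}
# Folders users rarely open; a rule that files mail there hides it from the owner.
RARELY_VIEWED = {"rss subscriptions", "rss feeds", "conversation history",
                 "junk email", "deleted items"}


def external_targets(rule, internal_domains):
    """Return forward/redirect addresses whose domain is not one of ours."""
    actions = rule.get("actions", {})
    targets = actions.get("forward_to", []) + actions.get("redirect_to", [])
    external = []
    for target in targets:
        _, addr = parseaddr(target)
        domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
        if domain not in internal_domains:
            external.append(addr)
    return external


def matches_finance(rule):
    """True if any rule condition mentions a payment-related term."""
    words = set()
    for values in rule.get("conditions", {}).values():
        for value in values:
            words.update(value.lower().split())
    return bool(words & FINANCE_TERMS)


def rule_findings(rule, internal_domains):
    """List the reasons a single enabled rule deserves a human look."""
    findings = []
    if not rule.get("enabled", True):
        return findings
    actions = rule.get("actions", {})
    external = external_targets(rule, internal_domains)
    if external:
        findings.append("forwards to external address(es): " + ", ".join(external))
    if actions.get("delete") and matches_finance(rule):
        findings.append("deletes finance-related mail")
    if actions.get("move_to", "").lower() in RARELY_VIEWED:
        findings.append("moves mail to rarely viewed folder: " + actions["move_to"])
    if actions.get("mark_read") and external:
        findings.append("marks forwarded mail as read (hides the forward)")
    if not rule.get("name", "").strip(" .,-_"):
        findings.append("non-descriptive rule name")
    return findings


def audit_rules(rules_json, internal_domains):
    """Return every flagged rule with its mailbox, name and findings, in export order."""
    internal = {d.lower() for d in internal_domains}
    flagged = []
    for rule in json.loads(rules_json):
        findings = rule_findings(rule, internal)
        if findings:
            flagged.append({"mailbox": rule["mailbox"], "name": rule["name"], "findings": findings})
    return flagged


if __name__ == "__main__":
    for hit in audit_rules(SAMPLE_RULES_JSON, {"example.com"}):
        print(f"{hit['mailbox']} rule {hit['name']!r}:")
        for finding in hit["findings"]:
            print("  -", finding)
```

Run the audit across every mailbox, not just the one that received the fraudulent request: the rule that let the attacker read the thread is often in a different account from the one whose name was spoofed, and the export itself is evidence, so keep a copy before anyone removes the rules.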
Why BEC Will Get Worse Before It Gets Better
Remote and hybrid work environments have made business email compromise even more effective. When your CFO works from home three days a week, no one thinks twice about handling financial requests entirely over email. The informal hallway verification — "Hey, did you actually send this?" — doesn't happen anymore.
Threat actors know this. They've adapted their tactics to exploit the communication gaps created by distributed workforces. The Verizon 2021 DBIR noted that social engineering attacks overall increased significantly, with pretexting — the core technique in BEC — becoming more prevalent year over year.
I expect business email compromise losses to keep climbing through 2022 and beyond. The attacks are low-cost, high-reward, and difficult to prosecute across international borders. Your best defense is building a culture where every financial request gets verified, every employee understands the threat, and every email account is protected with multi-factor authentication.
Your Next Step Is Simpler Than You Think
You don't need a seven-figure security budget to defend against BEC. You need clear procedures, trained employees, and basic technical controls. Start with mandatory out-of-band verification for all payment changes. Deploy MFA on every email account this week. And invest in ongoing phishing simulation training that keeps social engineering tactics fresh in your team's mind.
The organizations that get hit hardest by business email compromise are never the ones with weak firewalls. They're the ones where someone trusted an email they shouldn't have — and no process existed to catch the mistake. Build that process today. Equip your team with real-world security awareness training that reflects how these attacks actually work. The $2.4 billion problem is real, but so is the solution.