In 2023, the FBI's Internet Crime Complaint Center reported that business email compromise accounted for $2.9 billion in adjusted losses, second only to investment fraud among the crime types it tracks. Not ransomware. Not credit card fraud. Email scams where someone pretends to be your CEO, your vendor, or your attorney. I've watched organizations lose six figures in a single wire transfer because one employee trusted an email that looked exactly like it came from their boss.
This isn't a niche problem. BEC hits companies of every size, in every industry, every single day. And the attacks are getting sharper. If you run a business or manage a team, this post breaks down exactly how these attacks work in 2024 and what you can actually do to stop them.
What Is Business Email Compromise, Exactly?
Business email compromise is a type of social engineering attack where a threat actor impersonates a trusted figure — a company executive, a vendor, a lawyer — to trick an employee into transferring money, sharing sensitive data, or changing payment details. Unlike mass phishing campaigns that spray thousands of generic emails, BEC is targeted, researched, and patient.
The attacker might spend weeks studying your organization. They scrape LinkedIn for your org chart. They read press releases to learn about upcoming deals. They register a domain one character off from yours. Then they strike with an email that feels completely routine.
That's what makes BEC so dangerous. There's usually no malware, no malicious link, no attachment to scan. It's pure manipulation. And your email security gateway often lets it sail right through.
The $2.9 Billion Problem Nobody Talks About Enough
According to the FBI IC3 2023 Internet Crime Report, BEC complaints totaled 21,489 with adjusted losses of $2.9 billion. That's an average loss of roughly $135,000 per incident. Some were far worse.
Here's what frustrates me: ransomware dominates the headlines, but BEC quietly drains more money from American businesses every year. The Verizon 2023 Data Breach Investigations Report found that pretexting, the social engineering technique behind most BEC attacks, nearly doubled in volume from the prior year. The trend hasn't slowed.
I've personally helped three organizations recover from BEC incidents in the past eighteen months. In every case, the employee who initiated the wire transfer said the same thing: "It looked completely normal."
How a BEC Attack Actually Works: Step by Step
1. Reconnaissance
The threat actor identifies the target company and researches its structure. They find the CFO's name, the CEO's email format, the accounts payable contact. LinkedIn, company websites, SEC filings, and social media give them everything they need.
2. Infrastructure Setup
They register a lookalike domain — maybe swapping an "l" for a "1" or adding a hyphen. Or they compromise a legitimate email account through credential theft, often using a phishing email aimed at a senior executive. Once inside a real mailbox, they can monitor conversations for weeks.
3. The Setup Email
The first email is rarely the one asking for money. It's a conversation starter. "Hey, are you in the office today?" or "I need you to handle something confidential." This builds rapport and establishes the impersonation before the real ask comes.
4. The Fraudulent Request
Now comes the wire transfer request, the gift card purchase, or the vendor payment redirect. The email uses urgency and authority: "This needs to go out before end of business." "Don't loop anyone else in — this is confidential until the deal closes."
5. The Vanishing Act
Once the money moves, it's typically routed through multiple accounts, often overseas, within hours. Recovery rates are low. The FBI's Recovery Asset Team has improved outcomes, but speed is everything: a recall started within the first 72 hours has a real chance, and after that the money is usually gone.
Five BEC Variants You Need to Recognize
Not every business email compromise looks the same. Here are the five primary variants the FBI tracks:
- CEO Fraud: Attacker impersonates the CEO and emails finance staff with an urgent wire transfer request.
- Account Compromise: An employee's email account is hacked and used to request payments from vendors in the contact list.
- Vendor Email Compromise: Attacker impersonates a vendor and sends a fake invoice or updated banking details.
- Attorney Impersonation: Attacker poses as outside counsel handling a time-sensitive, confidential matter.
- Data Theft: Instead of money, the attacker requests W-2 forms, PII, or tax records — often targeting HR departments.
The vendor email compromise variant is growing fastest. It exploits the implicit trust between business partners, and a single compromised vendor can become a launchpad for attacks against dozens of downstream companies.
Why Traditional Email Security Misses BEC
Here's the uncomfortable truth: your spam filter wasn't built for this. Most secure email gateways look for known malicious signatures — bad URLs, infected attachments, spoofed headers. Business email compromise emails often contain none of those.
A BEC email might be plain text. No links. No attachments. Just a polite request from what appears to be your CEO's email address. Some attackers even reply inside an existing email thread they have been silently monitoring since stealing that mailbox's credentials, so the message arrives with the full history of a real conversation beneath it.
This is why technology alone won't solve BEC. You need layers — and the most critical layer is your people.
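What a gateway can still check is the handful of header and wording signals a BEC mail cannot avoid: an executive's display name on an outside address, a Reply-To that steers answers elsewhere, and the pressure language of the request itself. The scorer below is an added example written for this post, not the logic of any gateway product; the organisation domain (example.com), the executive list, the cue words and both sample messages are constructed assumptions.

```python
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

# Assumptions for this example: the defended organisation owns example.com,
# and "Jane Doe" is an executive whose only real mailbox is jane.doe@example.com.
ORG_DOMAINS = {"example.com"}
VIPS = {"jane doe": "jane.doe@example.com"}
URGENCY_CUES = ("before end of business", "urgent", "confidential", "wire", "gift card")
WEIGHTS = {"display-name-impersonation": 50, "reply-to-mismatch": 30,
           "urgency-language": 15, "external-sender": 10}


def _domain(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze(raw: bytes) -> dict:
    """Score one raw RFC 5322 message on the headers and wording a BEC mail exposes."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    findings = []

    # The sender is outside the organisation: this is what the external banner keys on.
    if _domain(from_addr) not in ORG_DOMAINS:
        findings.append("external-sender")

    # The display name is an executive's, but the address is not that executive's mailbox.
    real_mailbox = VIPS.get(from_name.strip().lower())
    if real_mailbox and from_addr.lower() != real_mailbox:
        findings.append("display-name-impersonation")

    # Replies are steered to a domain other than the one the mail claims to come from.
    if reply_addr and _domain(reply_addr) != _domain(from_addr):
        findings.append("reply-to-mismatch")

    # Pressure and secrecy wording from the fraudulent-request stage.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part else ""
    if any(cue in body for cue in URGENCY_CUES):
        findings.append("urgency-language")

    score = sum(WEIGHTS[f] for f in findings)
    return {"from": from_addr, "findings": findings, "score": score,
            "verdict": "hold-for-review" if score >= 50 else "deliver"}


# Constructed sample messages (not real traffic).
SUSPECT = b"""From: Jane Doe <jane.doe.ceo@example.net>
Reply-To: Jane Doe <jane.doe.ceo@example.org>
To: ap@example.com
Subject: Quick favor
Message-ID: <1@example.net>

Are you at your desk? I need a wire sent before end of business today.
Keep this confidential until the deal closes.
"""

LEGIT = b"""From: Jane Doe <jane.doe@example.com>
To: ap@example.com
Subject: Monday agenda
Message-ID: <2@example.com>

Please see the agenda for Monday's planning meeting.
"""

if __name__ == "__main__":
    for name, raw in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(name, analyze(raw))
```

The weights are deliberately skewed: a display-name match on an outside address is close to conclusive on its own, while an external sender or urgent wording alone is everyday mail. A thread-hijack from a genuinely compromised mailbox produces none of these signals, which is exactly why the next layer has to be a human picking up the phone.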
How to Defend Against Business Email Compromise
Implement Multi-Factor Authentication Everywhere
Credential theft is the front door for most BEC campaigns. If an attacker phishes your CFO's password, multi-factor authentication is the deadbolt that keeps them out. Deploy MFA on every email account, every financial system, every VPN. No exceptions for executives — they're the primary targets.
CISA's MFA guidance makes the case clearly: MFA blocks 99% of automated credential attacks. It's the single highest-ROI security control you can deploy today. One caveat: adversary-in-the-middle phishing kits relay one-time codes and push prompts in real time, so for executives and finance staff use phishing-resistant MFA (FIDO2 security keys or passkeys), which CISA also recommends.
Establish Out-of-Band Verification for Financial Requests
This is the control that would have prevented every BEC loss I've personally investigated. Create a policy that any wire transfer, payment redirect, or banking change request must be verified through a second channel — a phone call to a known number, a face-to-face confirmation, or a verification through your accounting system's approval workflow.
Never verify by replying to the email itself. The attacker controls that channel. Pick up the phone and call the number you already have on file.
Train Your Team with Realistic Phishing Simulations
Security awareness training is not a checkbox exercise. It's the difference between an employee who pauses and one who clicks. Effective training uses real-world scenarios — including BEC pretexts — to build the instinct to question unusual requests.
Our phishing awareness training for organizations runs simulated BEC attacks that mirror the exact tactics threat actors use in 2024. Your team practices identifying impersonation, urgency cues, and domain spoofing in a safe environment before they face the real thing.
Combine that with our cybersecurity awareness training program, which covers the full spectrum — from social engineering and credential theft to ransomware defense and zero trust principles. When your people understand how these attacks chain together, they make better decisions under pressure.
Adopt Zero Trust Email Policies
Zero trust isn't just a network architecture buzzword. Apply the principle to email: never automatically trust a message based on the sender's display name. Configure your email system to flag external messages with a visible banner. Disable auto-forwarding rules to external addresses. Monitor for newly created inbox rules — attackers love setting up silent forwarding to exfiltrate data.
Deploy DMARC, DKIM, and SPF
These email authentication protocols won't stop every BEC variant, but they make direct domain spoofing significantly harder. If you haven't published a DMARC policy at enforcement level (p=quarantine or p=reject), you're leaving the door open for attackers to send emails that appear to come from your exact domain.
Check your current DMARC status and get implementation guidance at NIST's cybersecurity resources.
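Reading the records yourself is the fastest way to find out whether "we have DMARC" means anything. The checker below is an added example for this post, not a NIST or vendor tool, and works offline on constructed records for example.com; in practice you would feed it the TXT record at _dmarc.<yourdomain> and the SPF TXT record at <yourdomain>. It flags the common reasons a published record still lets spoofed mail through: p=none, a reduced pct, an unprotected subdomain policy, no aggregate reports, a permissive or missing SPF all mechanism, and an SPF record over the ten-lookup budget.

```python
import re

DNS_LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> dict:
    """Report whether a DMARC record actually enforces anything, and why not if it does not."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "enforcing": False, "findings": ["not a DMARC record"]}
    p = tags.get("p", "none").lower()
    sp = tags.get("sp", p).lower()            # subdomain policy inherits p when absent
    pct = int(tags.get("pct", "100"))
    findings = []
    if p == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif sp == "none":
        findings.append("sp=none: mail spoofing your subdomains is still delivered")
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: you get no aggregate reports showing who sends as you")
    enforcing = p in ("quarantine", "reject") and sp != "none" and pct == 100
    return {"policy": p, "enforcing": enforcing, "findings": findings}


def assess_spf(record: str) -> dict:
    """Check the terminating mechanism and the DNS lookup budget of an SPF record."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"hardfail": False, "lookups": 0, "findings": ["not an SPF record"]}
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"{last}: any host on the internet passes SPF for this domain")
    elif last == "~all":
        findings.append("~all: softfail only; delivery decisions are left to DMARC")
    elif last != "-all":
        findings.append("no terminating 'all' mechanism; the default result is neutral")
    # Each of these mechanisms costs a DNS lookup; RFC 7208 allows ten in total.
    # Lookups inside included records are not expanded here (that needs live DNS).
    lookups = sum(1 for t in terms[1:]
                  if re.split(r"[:=/]", t.lstrip("+-~?"), 1)[0].lower() in DNS_LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms: over the limit of 10, receivers return permerror")
    return {"hardfail": last == "-all", "lookups": lookups, "findings": findings}


# Constructed records for example.com (assumptions, not live DNS data).
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
PARTIAL_DMARC = "v=DMARC1; p=quarantine; pct=25"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 mx include:_spf.example.net -all"

if __name__ == "__main__":
    for rec in (WEAK_DMARC, PARTIAL_DMARC, STRONG_DMARC):
        print(rec, "->", assess_dmarc(rec))
    for rec in (WEAK_SPF, STRONG_SPF):
        print(rec, "->", assess_spf(rec))
```

Two things this cannot tell you: whether DKIM signing is actually switched on for every system that sends as your domain (that shows up in the rua reports, which is why the check insists on one), and whether an attacker's lookalike domain passes its own perfectly valid SPF and DMARC, which it usually does. Authentication closes the exact-domain spoof; the lookalike problem is separate.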
Monitor for Lookalike Domains
Threat actors register domains like "yourcompany-inc.com" or "yourcornpany.com" weeks before launching a BEC campaign. Services that monitor for newly registered domains similar to yours can give you early warning. When you find one, report it to your registrar and your legal team immediately.
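You do not need a paid feed to start: the set of domains an attacker is likely to register is small and mechanical, and the same normalisation that generates it can score an inbound sender domain. The code below is an added example for this post, not a commercial monitoring service; the protected domain yourcompany.com, the affix list and the TLD list are assumptions, and two-part public suffixes such as co.uk are not handled.

```python
HOMOGLYPHS = {"l": ("1", "i"), "i": ("1", "l"), "o": ("0",), "m": ("rn",), "w": ("vv",),
              "s": ("5",), "e": ("3",), "a": ("4",), "g": ("q",)}
AFFIXES = ("-inc", "-llc", "-corp", "-hr", "-invoice", "-secure", "inc")   # assumption
TLDS = ("com", "net", "org", "co", "io", "us")                            # assumption
# Sequences folded back to the letter they imitate, longest first.
FOLD = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("5", "s"), ("3", "e"), ("4", "a"))


def split_domain(domain: str) -> tuple:
    """Return (second-level label, tld). Two-part public suffixes such as co.uk are not handled."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def fold(label: str) -> str:
    """Collapse hyphens and confusable sequences so visual twins compare equal."""
    label = label.replace("-", "")
    for seq, letter in FOLD:
        label = label.replace(seq, letter)
    return label


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, protected: str) -> bool:
    """True when candidate imitates protected but is not literally the same domain."""
    c_label, c_tld = split_domain(candidate)
    p_label, p_tld = split_domain(protected)
    if (c_label, c_tld) == (p_label, p_tld):
        return False
    if fold(c_label) == fold(p_label):          # homoglyphs, hyphens, or a swapped TLD
        return True
    budget = 2 if len(p_label) >= 8 else 1        # typos and transpositions
    if edit_distance(c_label, p_label) <= budget:
        return True
    return p_label in c_label and len(c_label) - len(p_label) <= 8   # brand plus affix


def generate_variants(domain: str) -> set:
    """Lookalikes worth watching for in new-registration feeds: homoglyph, omission,
    hyphen insertion, transposition, affix, and TLD swap."""
    label, tld = split_domain(domain)
    labels = {label}
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, ()):
            labels.add(label[:i] + sub + label[i + 1:])
        labels.add(label[:i] + label[i + 1:])
        if i:
            labels.add(label[:i] + "-" + label[i:])
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for affix in AFFIXES:
        labels.add(label + affix)
    variants = {f"{lab}.{t}" for lab in labels for t in TLDS}
    variants.discard(f"{label}.{tld}")
    return variants


if __name__ == "__main__":
    protected = "yourcompany.com"
    print(len(generate_variants(protected)), "variants to watch for")
    for sender in ("yourcornpany.com", "yourcompany-inc.com", "yourc0mpany.net", "example.com"):
        print(sender, "->", is_lookalike(sender, protected))
```

Feed the generated set to whatever newly-registered-domain source you have, and run the inbound check against the sender domain and the Reply-To domain of anything that reaches accounts payable. The edit-distance budget is loose on purpose for long names; for very short brand names it will flag unrelated domains, so tune it per protected domain rather than globally.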
What to Do If You've Been Hit
Speed matters more than anything else. If your organization has fallen victim to a business email compromise attack, take these steps immediately:
- Contact your bank. Request a recall or reversal of the wire transfer. The faster you act, the higher the chance of recovery.
- File with the FBI IC3. Go to ic3.gov and file a complaint. If the transfer was over $20,000 and within the last 72 hours, the FBI's Recovery Asset Team may be able to intervene.
- Preserve all evidence. Save emails, headers, and any communication with the attacker. Don't delete anything.
- Notify your IT/security team. If the attack involved a compromised account, reset credentials, revoke sessions, and audit mailbox rules immediately.
- Report to law enforcement. Beyond IC3, contact your local FBI field office and your state attorney general's office.
Who Gets Targeted Most?
If you think BEC only hits large enterprises, think again. Small and mid-sized businesses are disproportionately targeted because they typically lack dedicated security teams, formal payment verification procedures, and ongoing security awareness training. A 50-person company with a single accounts payable clerk and no verification policy is an ideal target.
Industries with high-value wire transfers — real estate, legal services, manufacturing, and construction — see especially heavy BEC activity. Real estate closings are a favorite target because the transactions are time-sensitive, high-dollar, and involve multiple parties exchanging banking details over email.
The Human Factor Is the Whole Game
I've reviewed hundreds of BEC incidents. The technical sophistication is usually low. The social engineering sophistication is extremely high. These attackers understand human psychology — authority bias, urgency, fear of looking incompetent — and they exploit it with precision.
That's why the most effective defense is a culture where questioning an email is encouraged, not punished. When your accounts payable team feels empowered to call the CEO and say "I got a wire request — just verifying before I process," you've built a human firewall that no phishing simulation score can fully capture.
Train your people. Verify every financial request through a second channel. Deploy MFA. Authenticate your email. These aren't expensive, complex projects. They're the basics — and they stop the vast majority of BEC attacks cold.
The $2.9 billion lost to business email compromise last year didn't disappear through zero-day exploits or nation-state hacking tools. It was stolen with polite emails and a sense of urgency. The fix starts with treating every unusual request as suspicious until proven otherwise.