In early 2024, a finance employee at a multinational firm in Hong Kong wired about $25 million after a video call with what appeared to be the company's CFO and several colleagues. Every other person on that call was a deepfake. The real CFO had never scheduled the meeting. This is what business email compromise looks like now: not the clumsy "Dear Sir" emails of a decade ago, but sophisticated, multi-channel social engineering that exploits trust, authority, and speed.
If you handle money, approve invoices, or manage vendor relationships, this post is for you. I'm going to break down exactly how BEC attacks work in 2025, why they remain among the costliest cybercrime categories tracked by the FBI, and what your organization can do starting today to cut exposure dramatically.
What Is Business Email Compromise, Really?
Business email compromise is a targeted social engineering attack where a threat actor impersonates a trusted party — usually an executive, vendor, or attorney — to trick someone into transferring funds or surrendering sensitive data. Unlike mass phishing campaigns that cast a wide net, BEC is surgical. The attacker researches your org chart, reads your public filings, and often compromises a real email account before making a move.
According to the FBI IC3 2023 Internet Crime Report, BEC accounted for $2.9 billion in reported losses, second only to investment fraud by adjusted dollar loss and far ahead of reported ransomware losses. And those are just the cases that get reported: a victim who recovers the wire, or is too embarrassed to file, never shows up in that number.
The $2.9B Lesson Most Organizations Learn Too Late
I've seen organizations invest heavily in endpoint detection, next-gen firewalls, and SIEM platforms while leaving their accounts payable team completely untrained on BEC tactics. That's like installing a vault door on the front of your building and leaving the loading dock wide open.
Here's the uncomfortable truth: business email compromise rarely exploits software vulnerabilities. It exploits people. It exploits process gaps. It exploits the fact that your controller will prioritize a "CEO's urgent wire request" over double-checking through a separate channel.
The Verizon 2024 Data Breach Investigations Report found that the human element was involved in 68% of breaches. BEC is the purest expression of that statistic.
How Threat Actors Execute a BEC Attack in 2025
Phase 1: Reconnaissance
Attackers start by mining LinkedIn, company websites, SEC filings, press releases, and social media. They identify who reports to whom, who handles payments, and who's traveling. I've reviewed incidents where attackers monitored a CEO's Instagram for travel photos, then launched the attack while that CEO was on a 14-hour flight with no connectivity.
Phase 2: Account Compromise or Spoofing
The attacker either compromises a real email account through credential theft, often via a well-crafted phishing email, or registers a lookalike domain. A lookalike domain may swap a character for a visually similar pair (company.com becomes cornpany.com, with "r" and "n" standing in for "m"), substitute a digit for a letter, transpose two letters, or reuse the real name under a different TLD. Because the attacker owns that domain, its mail can pass SPF, DKIM, and DMARC checks cleanly. If the attacker gains actual mailbox access, they'll create inbox rules to hide replies and buy themselves time.
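Lookalike domains are cheap for an attacker and easy to miss by eye, but they are mechanical to detect. The script below is an added example, not code from the original post: it folds visually confusable sequences ("rn" for "m", "0" for "o") to a canonical form and then uses an edit distance that counts adjacent transpositions as one step, so cornpany.com, c0mpany.com and compnay.com all resolve to company.com. The trusted-domain set and the test domains are constructed for the example; a real deployment would load the domains you own and your vendor master file.

```python
"""Lookalike-domain check for sender domains (added example, constructed data)."""

# Domains we own or pay. Constructed sample, not a real allowlist.
TRUSTED_DOMAINS = {"company.com", "acme-supplies.com"}

# Visually confusable sequences folded to one canonical form. The two-character
# entries ("rn" for "m", "vv" for "w", "cl" for "d") are the ones a plain
# edit-distance check misses, because they change the string length.
CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "i": "l",
               "5": "s", "3": "e", "8": "b", "q": "g"}


def normalize(domain: str) -> str:
    """Lower-case the domain and fold confusable sequences, longest first."""
    d = domain.lower().strip(".")
    for src in sorted(CONFUSABLES, key=len, reverse=True):
        d = d.replace(src, CONFUSABLES[src])
    return d


def osa_distance(a: str, b: str) -> int:
    """Optimal-string-alignment distance: edits plus adjacent transpositions,
    so 'compnay' is one step from 'company', not two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def lookalike_verdict(sender_domain, trusted=TRUSTED_DOMAINS, max_distance=1):
    """Classify a sender domain against the trusted set.

    Returns (verdict, trusted_domain_it_resembles) where verdict is one of
    'trusted', 'subdomain-abuse', 'lookalike' or 'unrelated'."""
    s = sender_domain.lower().strip(".")
    if s in trusted:
        return "trusted", s
    for t in trusted:
        if s.endswith("." + t):          # mail.company.com: a real subdomain
            return "trusted", t
        if s.startswith(t + "."):        # company.com.secure-invoice.net: attacker-owned
            return "subdomain-abuse", t
    ns = normalize(s)
    for t in trusted:
        if osa_distance(ns, normalize(t)) <= max_distance:
            return "lookalike", t
    return "unrelated", None


if __name__ == "__main__":
    for dom in ("cornpany.com", "c0mpany.com", "compnay.com", "mail.company.com",
                "company.com.secure-invoice.net", "acme-supplies.co", "google.com"):
        print(f"{dom:35} {lookalike_verdict(dom)}")
```

Run it against the sender domain of every inbound message that mentions a payment, and route "lookalike" and "subdomain-abuse" verdicts to the same callback procedure as any banking change. The check deliberately does not catch brand-plus-keyword domains such as company-payments.com; those need a separate rule keyed on the registrable label, which is a different and noisier problem.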
Weak multi-factor authentication is a major enabler here. Adversary-in-the-middle (AiTM) phishing kits proxy the real login page, relay the one-time code the victim types, and capture the resulting session cookie in real time, so SMS and authenticator-app codes do not help. This is why phish-resistant MFA (hardware keys, passkeys) matters more than ever.
Phase 3: The Ask
The request comes at the worst possible time. End of quarter. Friday afternoon. During an acquisition. It's always urgent, always confidential, and always from someone with authority. Common scenarios include:
- CEO fraud: "Wire $180,000 to this account for a confidential acquisition. Don't discuss with anyone."
- Vendor impersonation: "Our banking details have changed. Please update your records and send the next payment here."
- Attorney impersonation: "I'm handling a sensitive legal matter for your CEO. Time-critical wire needed."
- Payroll diversion: "Please update my direct deposit to this new account" — sent from a compromised employee mailbox.
Phase 4: Money Movement
Once the wire goes out, attackers move fast. Funds typically hop through multiple domestic accounts, then overseas — often to banks in Hong Kong, Nigeria, the UK, or Eastern Europe. The FBI's Recovery Asset Team (RAT) has a narrow window to freeze funds, and that window shrinks every hour.
Why Traditional Email Security Doesn't Stop BEC
Your secure email gateway catches malware attachments and known phishing URLs. That's necessary but nowhere near sufficient. Most BEC emails contain no malicious links, no attachments, and no malware. They're just text. A polite, well-written email from what appears to be your CEO asking for a wire transfer will sail through any filter that keys on signatures and URL reputation, and if the attacker owns the sending domain it will pass SPF, DKIM, and DMARC as well. What remains are weaker signals: a Reply-To that points somewhere other than the From address, an executive's display name on an outside address, and the urgency language itself.
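To make that concrete, here is an added example (not code from the original post) that parses a constructed, payload-free BEC message with Python's standard email module and reports the header and text signals that survive when there is no malware to match on. The internal domain, the executive directory and both sample messages are assumptions built for the example. Note that the malicious sample passes SPF, DKIM and DMARC, because the attacker set those up for a domain they registered; the indicators come from the mismatch between the display name, the From domain and the Reply-To domain.

```python
"""Header-level signals in a payload-free BEC email (added example, constructed data)."""
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "company.com"                     # assumption: the org's own domain
EXECUTIVES = {"dana li": "dana.li@company.com"}     # constructed directory: display name -> real address
URGENCY_TERMS = ("urgent", "wire", "confidential", "can't talk", "before 3", "today")

# Constructed message: no link, no attachment, every authentication check passes,
# because the attacker registered the sending domain and set up SPF/DKIM for it.
BEC_EMAIL = """\
From: Dana Li <dana.li@company-ceo-office.com>
Reply-To: dana.li.ceo@gmail.com
To: controller@company.com
Subject: Urgent wire - confidential
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=company-ceo-office.com; dkim=pass header.d=company-ceo-office.com; dmarc=pass header.from=company-ceo-office.com
Date: Fri, 27 Jun 2025 16:42:00 +0000

I'm in a board meeting and can't talk. Wire $240,000 today to close the deal.
"""

# Constructed benign message from the real executive, for comparison.
BENIGN_EMAIL = """\
From: Dana Li <dana.li@company.com>
To: controller@company.com
Subject: Q3 budget review
Authentication-Results: mx.company.com; spf=pass; dkim=pass header.d=company.com; dmarc=pass header.from=company.com

Can we move the budget review to Thursday?
"""


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def parse_auth_results(header: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of an Authentication-Results header."""
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def analyze(raw: str) -> list:
    """Return the BEC indicators found in the message headers and text, in a fixed order."""
    msg = message_from_string(raw)
    findings = []
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    # Replies silently diverted to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply-to-mismatch")
    # Display name matches a known executive but the address is not theirs.
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr and from_addr.lower() != real_addr:
        findings.append("display-name-impersonation")
    if from_domain != INTERNAL_DOMAIN:
        findings.append("external-sender")
    # A failing DMARC verdict is a strong signal; a passing one only proves the
    # mail came from whoever controls that domain, which may be the attacker.
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if auth.get("dmarc", "none") != "pass":
        findings.append("dmarc-not-pass")
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if sum(term in text for term in URGENCY_TERMS) >= 2:
        findings.append("urgency-language")
    return findings


def needs_out_of_band_check(raw: str) -> bool:
    """Route to callback verification when impersonation plus any second signal is present."""
    f = analyze(raw)
    return "display-name-impersonation" in f and len(f) >= 2


if __name__ == "__main__":
    print("BEC:   ", analyze(BEC_EMAIL))
    print("benign:", analyze(BENIGN_EMAIL))
```

The useful part is not the keyword list, which any attacker can evade, but the structural checks: Reply-To pointing away from the From domain and a known executive's display name on an address your directory does not recognize. Those two alone justify forcing the request through the callback procedure rather than letting the gateway score decide.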
This is why security awareness training isn't optional — it's a core technical control. Your people are the detection layer for BEC, and they need to be trained, tested, and retrained consistently. Organizations that run regular phishing awareness training for their teams see measurable reductions in click rates and successful social engineering attacks.
7 Concrete Steps to Defend Against Business Email Compromise
1. Implement Out-of-Band Verification for All Financial Requests
Every wire transfer, ACH change, or vendor banking update must be verified through a separate communication channel. If the request came by email, pick up the phone. Call the number you already have on file — never the number in the email. This single control would prevent the majority of BEC losses I've investigated.
2. Deploy Phish-Resistant MFA
FIDO2 security keys and passkeys resist AiTM phishing because the credential is bound to the genuine site's origin, so a proxy on a lookalike domain never receives a valid assertion. CISA's MFA guidance is clear: not all MFA is equal. SMS and authenticator-app codes are better than passwords alone, but an AiTM proxy relays them and steals the session cookie; push notifications add the separate problem of MFA fatigue, where the attacker sends prompts until the user taps "approve." Upgrade your most targeted accounts first: finance, HR, and executive assistants.
3. Train Your Team with Realistic Phishing Simulations
Awareness training that consists of a once-a-year slide deck doesn't change behavior. You need ongoing, scenario-based phishing simulations that mirror real BEC tactics. Test your AP team with fake vendor banking change requests. Test your HR team with fake payroll diversion emails. Measure who falls for it, and train them again without shaming. A structured cybersecurity awareness training program builds the kind of reflexive skepticism that stops BEC in its tracks.
4. Enable External Email Banners
Configure your email system to prepend a visible warning on every message originating from outside your domain. It sounds simple, but it disrupts the attacker's impersonation play. When your controller sees "[EXTERNAL]" on an email claiming to come from the CEO, it triggers a moment of doubt, and that moment is everything. Know the limit, though: a banner says nothing about a request sent from a genuinely compromised internal mailbox, which is why it complements callback verification rather than replacing it.
5. Monitor Email Rules and Forwarding
When an attacker compromises a mailbox, one of the first things they do is set up inbox rules to auto-delete replies, redirect them, or move anything mentioning "invoice" or "wire" into a folder the owner never opens. Audit mailbox rules regularly. Alert on new forwarding rules, especially to external addresses, and on rules with near-empty names created shortly after a sign-in from an unfamiliar location. This is a zero-trust principle in action: don't assume that because someone authenticated, everything they do is legitimate.
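The audit itself is a few lines of logic once you have the rules exported. The following is an added example, not code from the original post: it scores mailbox rules shaped like the Microsoft Graph messageRule objects you would get from a tenant export and flags the persistence patterns described above. The rule records, the set of "own" domains and the folder names are constructed for the example (Graph returns folder ids where the sample uses names); the thresholds are an assumption to tune against your own false-positive rate.

```python
"""Audit mailbox rules for the patterns attackers leave behind (added example, constructed data)."""

OWN_DOMAINS = {"company.com"}          # assumption: anything else is external

# Folders attackers use to park mail the victim is unlikely to open.
PARKING_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                   "deleted items", "junk email", "archive"}
FINANCE_KEYWORDS = {"invoice", "wire", "payment", "bank", "remit", "password",
                    "hacked", "phish", "suspicious", "fraud"}

# Constructed rule records shaped like Microsoft Graph 'messageRule' objects
# (displayName, isEnabled, conditions, actions). Folder names stand in for the
# folder ids Graph would return. Sample data, not exported from a real tenant.
SAMPLE_RULES = [
    {"displayName": ".", "isEnabled": True,
     "conditions": {"subjectContains": ["invoice", "wire", "payment"]},
     "actions": {"moveToFolder": "RSS Subscriptions", "markAsRead": True}},
    {"displayName": "fwd", "isEnabled": True,
     "conditions": {"bodyContains": ["bank"]},
     "actions": {"forwardTo": [{"emailAddress": {"address": "ap.backup@proton.me"}}],
                 "delete": True}},
    {"displayName": "Newsletters", "isEnabled": True,
     "conditions": {"fromAddresses": [{"emailAddress": {"address": "news@vendor.example"}}]},
     "actions": {"moveToFolder": "Newsletters"}},
    {"displayName": "Old forward", "isEnabled": False,
     "actions": {"forwardTo": [{"emailAddress": {"address": "me@gmail.com"}}]}},
]


def audit_rule(rule: dict) -> list:
    """Return the reasons a single rule looks like attacker persistence."""
    reasons = []
    actions = rule.get("actions", {})
    conds = rule.get("conditions", {})
    for key in ("forwardTo", "redirectTo", "forwardAsAttachmentTo"):
        for recipient in actions.get(key, []):
            addr = recipient["emailAddress"]["address"].lower()
            if addr.rpartition("@")[2] not in OWN_DOMAINS:
                reasons.append(f"external-forward:{addr}")
    if actions.get("delete") or actions.get("permanentDelete"):
        reasons.append("deletes-mail")
    folder = str(actions.get("moveToFolder", "")).lower()
    if folder in PARKING_FOLDERS:
        reasons.append(f"parks-in:{folder}")
    terms = [t.lower() for t in conds.get("subjectContains", []) + conds.get("bodyContains", [])]
    hits = sorted(k for k in FINANCE_KEYWORDS if any(k in t for t in terms))
    if hits:
        reasons.append("finance-keywords:" + ",".join(hits))
    if len(rule.get("displayName", "").strip()) <= 2:
        reasons.append("minimal-rule-name")
    return reasons


def audit_mailbox(rules: list) -> dict:
    """Map each enabled rule name to its reasons; disabled rules are skipped."""
    return {r.get("displayName", "<unnamed>"): audit_rule(r)
            for r in rules if r.get("isEnabled", True)}


def suspicious_rules(rules: list, min_reasons: int = 2) -> list:
    """Names of enabled rules with at least min_reasons indicators; a single
    external forward is enough on its own."""
    out = []
    for name, reasons in audit_mailbox(rules).items():
        if len(reasons) >= min_reasons or any(x.startswith("external-forward") for x in reasons):
            out.append(name)
    return out


if __name__ == "__main__":
    for name, reasons in audit_mailbox(SAMPLE_RULES).items():
        print(f"{name!r:16} {reasons}")
    print("alert on:", suspicious_rules(SAMPLE_RULES))
```

In Microsoft 365 the input comes from Get-InboxRule in Exchange Online PowerShell or the Graph messageRules endpoint; in either case, run the audit on a schedule and also on the "New-InboxRule" and "Set-InboxRule" events in the unified audit log so a rule created at 2 a.m. is reviewed before the attacker's reply window closes.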
6. Implement DMARC, DKIM, and SPF
These email authentication protocols won't stop all BEC, but they make exact-domain spoofing of your own domain significantly harder. Set your DMARC policy to "reject," not just "monitor," once your aggregate reports show every legitimate sender passing alignment; going to reject before that breaks your own mail. NIST SP 800-177 (Trustworthy Email) treats SPF, DKIM, and DMARC as baseline hygiene that every organization should have in place. Too many still don't. Be clear about the limit as well: DMARC protects the domain you publish it for. A lookalike domain the attacker registered, or a real mailbox the attacker compromised, passes every check.
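Checking your own records is quick, and the failure modes are all in the last few tags. Below is an added example, not code from the original post, that parses SPF and DMARC TXT record strings and grades a weak pair against a corrected pair. The records are constructed; the only external facts it relies on are the DMARC tag defaults (p=none behaviour, sp inheriting p, pct defaulting to 100) and the RFC 7208 limit of 10 DNS-querying terms in an SPF record. It works on strings so it runs offline; feed it the output of a TXT lookup for yourdomain and _dmarc.yourdomain.

```python
"""Parse and grade SPF and DMARC TXT records (added example, constructed records)."""

# Constructed records: a typical weak pair beside the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
GOOD_SPF = "v=spf1 include:_spf.google.com include:spf.protection.outlook.com -all"
GOOD_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
              "rua=mailto:dmarc-rua@company.com")

# Mechanisms and the modifier that count toward the RFC 7208 limit of 10 DNS lookups.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tags."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_lookup_count(record: str) -> int:
    """Count the terms that cost a DNS lookup; more than 10 yields a permerror."""
    count = 0
    for term in record.split()[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name.lower() in LOOKUP_TERMS:
            count += 1
    return count


def grade_spf(record: str) -> list:
    """Issues that leave the domain spoofable or the record unusable."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        issues.append("+all: any host on the internet may send as this domain")
    elif last == "?all":
        issues.append("?all: neutral result, receivers treat it as no policy")
    elif last == "~all":
        issues.append("~all: softfail only; acceptable solely if DMARC is at p=reject")
    elif last != "-all":
        issues.append("no terminal 'all' mechanism: unlisted senders get a neutral result")
    if spf_lookup_count(record) > 10:
        issues.append("more than 10 DNS lookups: record evaluates to permerror")
    return issues


def grade_dmarc(record: str) -> list:
    """Issues that stop the policy from actually rejecting spoofed mail."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        issues.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail goes to spam instead of being rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # sp inherits p when absent; flag only an explicit downgrade for subdomains.
    if tags.get("sp", policy).lower() == "none" and policy != "none":
        issues.append("sp=none: subdomains can be spoofed freely")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports, so no visibility into who spoofs you")
    return issues


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("corrected", GOOD_SPF, GOOD_DMARC)):
        print(label, "SPF:", grade_spf(spf) or "ok")
        print(label, "DMARC:", grade_dmarc(dmarc) or "ok")
```

The weak pair is the common state: SPF with ~all and DMARC at p=none with no reporting address, which together mean spoofed mail is delivered and nobody is told. The corrected pair adds strict alignment (adkim=s, aspf=s) and a reject policy for subdomains, which closes the gap where an attacker sends from a subdomain you never set up.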
7. Establish a "No Retaliation" Reporting Culture
People who fall for BEC often stay silent out of fear. That silence costs you the critical hours you need to recall a wire. Make it clear — in writing, from leadership — that reporting a suspicious email or even a successful scam immediately is expected and rewarded. The faster your incident response team learns about a fraudulent transfer, the higher the recovery rate.
What to Do If You've Already Sent the Money
Time is everything. Here's the sequence:
- Contact your bank immediately. Request a wire recall or hold. Every minute matters.
- File a complaint with the FBI IC3 at ic3.gov. If the wire is recent, ideally within 72 hours, the FBI's Recovery Asset Team may be able to freeze the receiving account before the funds move again.
- Preserve all evidence. Don't delete emails, and don't wipe or reset the affected accounts before your incident response team has captured sign-in logs, mailbox rules, and full email headers. If a mailbox is still under attacker control, have IR revoke its sessions while preserving those logs rather than simply resetting the password.
- Engage legal counsel and your cyber insurance carrier. Many policies cover social engineering losses, but notification windows are tight.
How Does Business Email Compromise Differ from Phishing?
Phishing is a broad category — mass emails designed to steal credentials or deliver malware to anyone who clicks. Business email compromise is a subset that specifically targets organizations for financial fraud through impersonation. BEC emails rarely contain malware. They rely on trust, authority, and urgency. A phishing email might say "Your password expires today — click here." A BEC email says "I need you to wire $240,000 to close this deal before 3 PM. I'm in a board meeting and can't talk."
The distinction matters because the defenses are different. Anti-malware tools catch phishing payloads. Only trained humans and tight financial controls catch BEC.
The Deepfake Dimension
The Hong Kong case I opened with isn't an outlier anymore. In 2025, threat actors are using AI-generated voice clones and video deepfakes to supplement email-based BEC. A finance director gets an email requesting a wire, then receives a follow-up phone call from someone who sounds exactly like the CFO confirming the request. The voice is synthetic.
This makes out-of-band verification even more critical — but it also means your verification method needs to be robust. Calling back on a known number is good. Using a pre-established code word for high-value transactions is better. Some organizations I've worked with now require in-person or secure video confirmation for any wire over a threshold amount.
BEC Is a Process Problem, Not Just a Security Problem
I keep coming back to this point because it's the one most organizations miss. You can have world-class email security, a mature SOC, and zero-trust network architecture — and still lose $500,000 to a BEC attack because your accounts payable process allows a single person to authorize a large wire based on an email alone.
Fix the process. Require dual authorization for all transfers above a defined threshold. Mandate callback verification. Build mandatory delays into high-value payment workflows. These aren't security tools — they're business controls. And they're your most effective defense against business email compromise.
The threat actors behind BEC are patient, well-funded, and increasingly sophisticated. But the controls that stop them aren't exotic. They're phone calls, training, verification procedures, and a culture that rewards healthy skepticism. Start there. Start today.