In 2020, the FBI's Internet Crime Complaint Center received 19,369 business email compromise complaints. The adjusted losses? A staggering $1.8 billion — making BEC the single most financially devastating cybercrime category in the FBI IC3 2020 Internet Crime Report. That's more than ransomware, more than personal data breaches, more than any other category by a wide margin. And it's getting worse every year.

If you manage finances, approve wire transfers, or handle sensitive data at your organization, this post is for you. I'm going to break down exactly how these attacks work, show you real incidents, and give you specific steps to stop them — because the typical advice of "be careful with email" isn't cutting it.

What Is Business Email Compromise, Exactly?

Business email compromise is a targeted social engineering attack where a threat actor impersonates a trusted figure — usually a CEO, CFO, vendor, or attorney — to trick an employee into transferring money, sharing credentials, or disclosing sensitive data. Unlike mass phishing campaigns that blast thousands of mailboxes, BEC attacks are surgical. They target specific people with carefully researched, highly convincing messages.

There's no malware attachment. No suspicious link. Just a well-crafted email that looks like it came from someone you trust. That's what makes BEC so dangerous and so effective — it bypasses almost every technical security control you have in place.

The FBI categorizes BEC into five main types: CEO fraud, account compromise, false invoice schemes, attorney impersonation, and data theft. Each one exploits trust and urgency to override your employees' judgment.

The $1.8 Billion Problem No One's Talking About

Ransomware dominates the headlines. I get it — locking hospitals out of patient records makes for compelling news. But here's what I've seen over and over: business email compromise quietly drains organizations of far more money than ransomware ever has.

The FBI IC3 reported $29.1 million in ransomware losses in 2020. BEC? $1.8 billion. That's roughly 62 times more. Yet most organizations I work with spend the vast majority of their security budget on endpoint protection and almost nothing on BEC-specific training and controls.

The Verizon 2020 Data Breach Investigations Report confirmed that social engineering — the backbone of BEC — was involved in 22% of all breaches. The median loss per BEC incident was around $80,000 according to the same report. For small and midsize businesses, that can be an existential event.

How a BEC Attack Actually Unfolds

Step 1: Reconnaissance

The threat actor researches your organization. LinkedIn profiles, press releases, SEC filings, social media — all of it is fair game. They identify who handles money, who reports to whom, and when key executives will be traveling or unavailable. I've seen attackers monitor compromised mailboxes for weeks before making their move.

Step 2: Impersonation or Account Takeover

The attacker either spoofs an email address (making it look like it came from your CEO) or, worse, compromises the actual account through credential theft. Account takeovers are increasingly common because they're nearly impossible for the recipient to detect. The email genuinely comes from the real address.

Step 3: The Ask

The fraudulent email arrives with a specific, urgent request. It might be a wire transfer to a "new vendor." It might be a request for W-2 forms for all employees. It might be updated banking details for an existing supplier. The common thread is urgency — "I need this done before end of day" — combined with authority.

Step 4: Exfiltration

The money moves. The data gets sent. By the time anyone realizes what happened, the funds have been routed through multiple accounts — often internationally — and are effectively gone. The FBI notes that BEC funds are frequently laundered through accounts in Hong Kong and China, though domestic accounts are increasingly used as well.

Real BEC Incidents That Should Keep You Up at Night

In 2019, the city of Ocala, Florida lost $742,000 to a BEC attack. A threat actor impersonated a construction company and sent fraudulent bank account information. The city wired the payment to the attacker's account instead of the legitimate contractor. This wasn't a failure of technology — it was a failure of process.

Toyota Boshoku Corporation, a subsidiary of Toyota, lost $37 million in 2019 when attackers used a business email compromise scheme to convince a finance executive to change wire transfer information. Thirty-seven million dollars, gone because of a single convincing email.

And it's not just money. In 2016, attackers used BEC to steal W-2 tax data from companies including Snapchat. The phishing email appeared to come from the CEO requesting payroll information. An employee complied. Every employee's personal tax data was compromised. That's a data breach with long-term consequences — identity theft, tax fraud, and massive liability.

Why Traditional Email Security Doesn't Stop BEC

Here's what actually happens in most organizations I assess: they have a spam filter, maybe an email gateway, and they assume they're covered. They're not.

BEC emails typically contain no malicious attachments and no malicious URLs. They're plain text. Your secure email gateway scores them as clean because, technically, they are clean — there's nothing to detect. The attack is pure social engineering.

Even multi-factor authentication, which I absolutely recommend implementing, doesn't fully solve this. MFA protects against credential theft for your own accounts, but it does nothing when an attacker spoofs an external vendor's address or compromises the vendor's email system directly. You're trusting the identity on the other end, and that trust is exactly what BEC exploits.

How to Actually Defend Against Business Email Compromise

Build a Human Firewall Through Training

Your employees are the attack surface for BEC. Technical controls alone won't save you. You need specific, scenario-based security awareness training that teaches people to recognize the red flags: urgency, authority, changes to payment details, and out-of-band requests.

Generic annual compliance training doesn't work. I've seen it fail repeatedly. What does work is continuous, realistic phishing awareness training that includes BEC-specific simulation exercises. When your accounting team has practiced handling a fake CEO wire transfer request, they're far less likely to fall for the real thing.

Implement Verification Procedures That Can't Be Bypassed by Email

This is the single most effective control against BEC, and it costs you nothing but process discipline. Require out-of-band verification for any financial transaction over a set threshold. That means a phone call to a known number — not a number provided in the email — to confirm any wire transfer, any change to payment details, any new vendor setup.

Write it into your accounting policy. Make it non-negotiable. The city of Ocala could have prevented their $742,000 loss with a single phone call.

Deploy DMARC, DKIM, and SPF

These email authentication protocols won't stop every BEC attack, but they make domain spoofing significantly harder. SPF publishes which servers are allowed to send mail for your domain, DKIM adds a cryptographic signature to outgoing messages, and DMARC (Domain-based Message Authentication, Reporting and Conformance) ties both checks to the From address your users see and tells receiving mail servers what to do when an email fails them — reject it, quarantine it, or let it through.

According to CISA's guidance on email security, implementing DMARC at enforcement (p=reject) is a critical step for federal agencies and a best practice for every organization. If you haven't configured DMARC for your domain yet, you're letting attackers send emails that appear to come from your organization.
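As an added example (not from the original post), here is a small Python checker that parses SPF and DMARC TXT records and reports the settings that leave a domain spoofable. The four records are constructed samples, a weak pair beside a hardened pair; a real run would fetch them from DNS.

```python
# Added example (not from the original post): audit SPF and DMARC TXT records
# for settings that leave a domain spoofable. Records are constructed samples;
# in practice fetch them from DNS (example.com and _dmarc.example.com).
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.com"

def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_spf(record: str) -> list:
    """Return findings for an SPF record; an empty list means nothing weak."""
    if not record.lower().startswith("v=spf1"):
        return ["SPF record missing or malformed"]
    mech = record.split()[-1].lower()  # trailing 'all' decides unlisted senders
    if mech in ("+all", "all"):
        return ["SPF ends in +all: every sender passes"]
    if mech == "?all" or not mech.endswith("all"):
        return ["SPF is neutral for unlisted senders: spoofed mail is not marked"]
    if mech == "~all":
        return ["SPF ends in ~all: softfail only; needs DMARC p=reject to bite"]
    return []

def audit_dmarc(record: str) -> list:
    """Return findings for a DMARC record; an empty list means enforcement is on."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC record missing or malformed"]
    findings = []
    policy = tags.get("p", "none").lower()  # a missing p behaves like none
    if policy != "reject":
        findings.append(f"DMARC p={policy}: spoofed mail is not rejected")
    subpolicy = tags.get("sp", policy).lower()  # sp defaults to p
    if subpolicy != "reject":
        findings.append(f"DMARC sp={subpolicy}: subdomains remain spoofable")
    pct = int(tags.get("pct", "100"))  # pct defaults to 100
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applies to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: no aggregate reports")
    return findings
```

Run `audit_spf` and `audit_dmarc` on your own records; an empty list from both is the enforcement state CISA's guidance describes.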

Flag External Emails

Configure your email system to add a visible banner or tag to any email originating from outside your organization. This simple control makes it immediately obvious when an email claiming to be from your CEO actually came from an external address. Most major email platforms support this natively. It takes minutes to implement and dramatically reduces the success rate of spoofed internal emails.

Monitor Email Rules and Forwarding

When attackers compromise a mailbox, one of the first things they do is set up forwarding rules to copy emails to an external address — and auto-delete certain messages so the victim doesn't see them. Regularly audit mailbox rules across your organization. Look for rules that forward to external addresses, delete messages from specific senders, or move messages to obscure folders.
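As an added example (not from the original post), this Python audit applies the three checks above to a constructed list of inbox rules. The field names, the sample rules, and the organization domain example.com are assumptions, not any mail platform's native rule export.

```python
# Added example (not from the original post): flag inbox rules that fit the
# post-compromise pattern above. Rule records are constructed samples in a
# generic shape; map your mail platform's rule export onto these fields.
ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain
# Assumption: folders users rarely open, so moved mail goes unnoticed.
OBSCURE_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                   "junk email", "deleted items", "archive"}

SAMPLE_RULES = [  # constructed; two mailboxes carry suspicious rules, one is clean
    {"mailbox": "cfo@example.com", "name": "Backup",
     "forward_to": ["relay.box@mail.example.net"]},
    {"mailbox": "cfo@example.com", "name": "Team copy",
     "forward_to": ["assistant@example.com"]},
    {"mailbox": "ap@example.com", "name": "Cleanup", "delete": True,
     "from_contains": "bank"},
    {"mailbox": "ap@example.com", "name": "Filter", "subject_contains": "wire",
     "move_to_folder": "RSS Feeds"},
    {"mailbox": "hr@example.com", "name": "Newsletters",
     "from_contains": "news@vendor.example.com", "move_to_folder": "Newsletters"},
]

def is_external(address: str) -> bool:
    """True when the address is outside the organization's domain."""
    return address.rsplit("@", 1)[-1].lower() != ORG_DOMAIN

def audit_rule(rule: dict) -> list:
    """Return the reasons a single rule looks like attacker persistence."""
    findings = []
    targets = rule.get("forward_to", []) + rule.get("redirect_to", [])
    external = [a for a in targets if is_external(a)]
    if external:
        findings.append("forwards mail outside the org: " + ", ".join(external))
    if rule.get("delete"):
        match = rule.get("from_contains") or rule.get("subject_contains") or "all mail"
        findings.append(f"silently deletes messages matching '{match}'")
    folder = (rule.get("move_to_folder") or "").lower()
    if folder in OBSCURE_FOLDERS:
        findings.append(f"hides messages in rarely read folder '{folder}'")
    return findings

def audit_mailboxes(rules: list) -> dict:
    """Map each mailbox to its flagged rules as (rule name, findings) pairs."""
    report = {}
    for rule in rules:
        findings = audit_rule(rule)
        if findings:
            report.setdefault(rule["mailbox"], []).append((rule["name"], findings))
    return report
```

Calling `audit_mailboxes(SAMPLE_RULES)` flags the external forward on the CFO mailbox and both rules on the accounts-payable mailbox, and leaves the HR newsletter rule alone.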

Adopt Zero Trust Principles

Zero trust isn't just a network architecture concept. Apply it to email communications, especially financial ones. Never trust a request simply because it came from a recognized email address. Verify independently. Assume compromise. This mindset shift is fundamental to defeating BEC because the entire attack depends on implicit trust.

What Should You Do If You've Been Hit?

Speed matters. If you discover a fraudulent transfer, contact your bank immediately and request a recall. The FBI's Recovery Asset Team (RAT) has a success rate of approximately 74% for BEC incidents reported within 72 hours — but that number drops fast after that window closes.

File a complaint with the FBI IC3 at ic3.gov. Include every detail: email headers, account numbers, dates, amounts, and any communication with the attacker. Then engage your incident response team — or outside counsel if you don't have one — to determine whether the attacker still has access to compromised accounts.

Change credentials for any compromised accounts. Audit all email forwarding rules. Notify affected parties if personal data was involved. And document everything for potential regulatory reporting obligations.

Building Long-Term Resilience Against BEC

Business email compromise isn't going away. The FBI has tracked year-over-year increases since it began specifically tracking BEC in 2015. The attacks are evolving, too — threat actors now use compromised email accounts within trusted supply chains, making detection even harder.

The organizations that successfully defend against BEC share three characteristics: they train continuously, they enforce strict verification procedures, and they assume every financial request could be fraudulent until verified.

If your team hasn't gone through dedicated cybersecurity awareness training that covers BEC scenarios specifically, you're running on luck. And luck has a documented expiration date — about $80,000 worth, on average.

Start with your finance and HR teams. They're the primary targets. Run tabletop exercises where you walk through a realistic BEC scenario. Test your verification procedures under pressure. Find the gaps before a threat actor finds them for you.

Because the next fraudulent wire transfer request is already being drafted. The only question is whether your people will recognize it.