Business email compromise attacks, or BEC scams, are on the rise around the world, causing immense losses for businesses. Scammers target businesses of every size and across all verticals. It’s crucial to understand what a BEC scam looks like and what types of BEC scams there are, so you can protect your company.
What is the Definition of Business Email Compromise?
Business email compromise (BEC) is a type of scam where cybercriminals trick business employees into sending money or information. It’s highly targeted, with scammers putting in a lot of effort to impersonate a senior colleague and/or hack into the company’s email system.
How Does a BEC Attack Work?
Scammers spend a lot of time investigating their target, to make the BEC attack more convincing. They typically focus on mid-level employees, like HR managers or finance managers, who are used to following requests from higher-up colleagues to send a payment.
Most BEC attacks take place over email, but they can also take place over the phone, through text messages, and sometimes even through video calls. Attackers often hack into someone’s work email account, so that the request appears to come from inside the company, or spoof the email domain so that it looks legitimate. Sometimes BEC attacks incorporate social engineering and spear-phishing tactics by including tailored details and personal messages.
Usually, the attackers send a request that seems completely ordinary and legitimate, like changing the payment details on a supplier’s account or updating an employee’s banking information. Most BEC attacks aim to steal money, but sometimes they try to get sensitive data that they can use for identity fraud, to make their requests for money transfers more convincing, or to carry out further BEC attacks.
Some BEC attacks impersonate external parties, like a vendor, a legal consultant, or a bank employee, but the goal is the same: to trick the victim into sending funds to the wrong address.
What Do You Normally See in a BEC Attack?
Like other scams, BEC attacks usually include an element of urgency. They generally also try to prevent the victim from getting in contact with the purported sender, because then the victim would discover that the request is a scam. They might impersonate the CFO and say that he can’t respond because he’s in a meeting, or pretend to be a vendor and say that they can’t answer the phone because they are on vacation.
BEC attacks rarely include links, images, or attachments, and almost never involve malware. A BEC attack typically impersonates someone with authority, like the CFO or CEO, and includes very precise instructions about where to send money or data.
What are Common Types of BEC Scams?
What is CEO/CFO Fraud?
The most common type of BEC scam is when attackers pretend to be the CFO or CEO. They usually target someone in the finance department to instruct them to send a payment using a particular set of bank details.
What is Email Account Compromise?
Criminals hack into an employee’s real work email account (sometimes using credentials that were stolen in a phishing attack). Then they use that account to send fake payment requests to other companies, or to steal the credentials of a higher-level account so they can use it for CEO fraud.
What are False Invoice Schemes?
Also called vendor email compromise (VEC), this is when scammers pretend to be one of the company’s legitimate suppliers. They send a fake invoice with fraudulent account details, or email the payer to ask them to update their information with new – fraudulent – payment details.
What is Attorney Impersonation or Bank Impersonation?
This is when scammers pose as a lawyer working on sensitive matters who asks for an invoice to be paid, or a bank employee who informs the victim that a payment didn’t go through and they need to try again using fraudulent details.
Scammers might use fake legal documents or banking credentials to make the request more convincing. These kinds of attacks are usually timed around major events like mergers and acquisitions or a very large payment that was made to or from the company account.
What is Payroll Diversion?
This type of BEC attack focuses specifically on employee payroll deposits. The scammer targets employees in the finance department, posing as a colleague who has changed their bank details and asking the finance department to deposit their paycheck in the new account.
The Global Impact of BEC Scams
According to the FBI’s Internet Crime Report, the number and cost of BEC attacks in the U.S. have stayed roughly stable over the last three years, but at a very concerning level of over 21,000 incidents. The Arctic Wolf 2025 threat report logged BEC attacks as the second most common type of attack, comprising 27% of all cyber incidents and affecting 70% of all organizations.
Other reports indicate that BEC attacks are rising. Eye Security found that BEC incidents surged 44% between 2023 and 2024, while SureFire Cyber charted a 30% rise in attacks in March 2025 and Fortra noted a 37% increase in attacks from May to June 2025.
Participants in the Association for Financial Professionals (AFP) 2025 survey cited BEC attacks as the top fraud method they encountered. According to Abnormal Security, the average organization had a 70% chance of receiving at least one BEC attack per week in 2024.
BEC attacks aren’t just prevalent, they are also very expensive. The FBI calculates that BEC attacks cost over $2.77 billion in losses, making it the second most expensive cybercrime. Australia reported almost $84 million in losses in the 2023-2024 financial year, and the international Anti-Phishing Working Group (APWG) noted that the average amount requested in BEC attacks in Q2 2025 was $83,099, a 97 percent increase from the prior quarter.
Business Email Compromise Trends
It’s not surprising that BEC attacks are increasingly incorporating AI-generated text. By mid-2024, an estimated 40% of BEC attacks were generated by AI, and that’s only continuing to rise. The rise of AI has made it much easier for criminals to create convincing emails that mimic the individual’s writing style. Sometimes they even use deepfakes to impersonate someone’s voice on the phone, and on rare occasions to impersonate people in a video call.
Although all industries are at risk from BEC attacks, some are more vulnerable than others. Manufacturing companies are prime targets, with 92% of companies reporting attacks in 2024. The healthcare sector is also at high risk, as the U.S. Health Sector Cybersecurity Coordination Center (HC3) warned. Other targeted industries include energy, retail, utilities, and real estate.
Why are BEC Attacks Hard to Detect?
BEC attacks succeed largely because they exploit the trust that already exists between colleagues and business partners. CFO and CEO fraud leverage the authority that goes with these roles, making it less likely that an employee would question them. Most BEC requests seem reasonable and normal, like an employee changing their bank details or a CFO requesting that a payment is sent to a known supplier.
For banks, the challenge is even greater, because what they receive looks like a normal transaction request from a legitimate customer. Amounts are rarely out of the ordinary, and scammers try to follow the customer’s regular payment methods and patterns so that they don’t arouse suspicion. Banks also have limited visibility into the customer’s communication context or intent, which narrows what they can reasonably flag.
Additionally, BEC scammers generally use legitimate credentials, such as someone’s real email account, sometimes even inserting themselves into ongoing email threads in a tactic called conversation hijacking. Scam emails don’t usually contain malware or links, which means they don’t trigger alerts from traditional security tools.
What’s more, BEC attacks tend to impersonate the sender very effectively. That’s partly thanks to AI, which makes it much easier for criminals to mimic the individual’s writing style. Sometimes they even use deepfakes to impersonate someone’s voice on the phone. Scammers also spend time studying business processes and activities, to time their request with regular payments or when they know the CEO/CFO is traveling.
How Can You Protect Against BEC Attacks?
Protecting your organization against BEC attacks requires a multi-pronged approach, including employee training, technical defenses, and process controls.
Employee awareness training should be carried out regularly to teach employees to spot red flags in email wording, to examine sender domains carefully for misspellings or substituted characters, and to always slow down and think before replying to urgent requests.
Technical controls should include:
- Implementing email authentication protocols like SPF, DKIM, and DMARC
- Using AI- and ML-powered email filtering solutions
- Enforcing phishing-resistant multi-factor authentication
- Blocking access based on conditions like geographic location, risk scores, and unfamiliar devices
- Using admin-enforced policies to log and block forwarding to external domains
Process controls should cover strictly enforced verification procedures for payment requests and changes to payment details, including dual-approval workflows for payments. High-risk decisions should never be approved solely over email.
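The training points above (lookalike sender domains, urgent wording) and the DMARC item in the technical controls can be turned into a simple screening rule. The following Python script is an added example written for this article, not code from any product or vendor it mentions. It assumes a hypothetical company domain (example.com), a hypothetical executive name ("Jane Doe"), and three constructed sample messages; it reads the receiving gateway's Authentication-Results header rather than performing DMARC evaluation itself.

```python
"""Red-flag screening of inbound mail for BEC indicators (added example)."""
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for this example: the defended organisation's domain and the
# names of people whose impersonation deserves extra scrutiny.
COMPANY_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"jane doe"}

# Wording associated with BEC: payment instructions, urgency, and an excuse
# for why the sender cannot be reached over a second channel.
PAYMENT_WORDS = re.compile(r"\b(wire|transfer|invoice|bank details|account number|payroll)\b", re.I)
URGENCY_WORDS = re.compile(r"\b(urgent|urgently|immediately|asap|today|right away)\b", re.I)
UNREACHABLE_WORDS = re.compile(
    r"\b(in a meeting|can'?t (take|answer) (calls|the phone)|on vacation)\b", re.I)

# Character substitutions commonly used to build lookalike domains.
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def normalise_domain(domain):
    """Fold common homoglyphs so that examp1e.com compares equal to example.com."""
    folded = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        folded = folded.replace(fake, real)
    return folded


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_internal(domain):
    return domain == COMPANY_DOMAIN or domain.endswith("." + COMPANY_DOMAIN)


def is_lookalike(domain):
    """True for domains that imitate the company domain without being it."""
    if is_internal(domain):
        return False
    folded = normalise_domain(domain)
    return folded == COMPANY_DOMAIN or edit_distance(folded, COMPANY_DOMAIN) <= 2


def screen(raw_message):
    """Return the list of BEC red flags found in one RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    display_name, address = parseaddr(str(msg.get("From", "")))
    from_domain = address.rpartition("@")[2].lower()

    if any(n in display_name.lower() for n in EXECUTIVE_NAMES) and not is_internal(from_domain):
        flags.append("executive display name on an external address")
    if is_lookalike(from_domain):
        flags.append("lookalike sender domain " + from_domain)

    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        flags.append("Reply-To points to a different domain than From")

    # The gateway's verdict as recorded in Authentication-Results (RFC 8601).
    auth = str(msg.get("Authentication-Results", ""))
    if re.search(r"\bdmarc=fail\b", auth):
        flags.append("DMARC failure")
    elif is_internal(from_domain) and not re.search(r"\bdmarc=pass\b", auth):
        flags.append("claims company domain but no DMARC pass recorded")

    body = msg.get_body(preferencelist=("plain",))
    text = str(msg.get("Subject", "")) + "\n" + (body.get_content() if body else "")
    if PAYMENT_WORDS.search(text) and URGENCY_WORDS.search(text):
        flags.append("urgent payment language")
    if UNREACHABLE_WORDS.search(text):
        flags.append("sender claims to be unreachable")
    return flags


# Constructed sample messages for this example (not real mail).
SPOOFED_INTERNAL = """\
From: "Jane Doe" <jane.doe@example.com>
To: pat@example.com
Subject: Urgent wire transfer
Authentication-Results: mx.example.com; spf=fail dmarc=fail header.from=example.com
Content-Type: text/plain; charset="utf-8"

Pat, I am in a meeting and can't take calls. Please send the wire to the
new supplier account today and I will explain afterwards.
"""

LOOKALIKE_VENDOR = """\
From: "Jane Doe, CFO" <jane.doe@examp1e.com>
Reply-To: accounts@webmail.example.net
To: pat@example.com
Subject: Invoice payment
Authentication-Results: mx.example.com; dkim=pass dmarc=pass header.from=examp1e.com
Content-Type: text/plain; charset="utf-8"

Please update the bank details for this invoice and pay today.
I am on vacation, so reply by email only.
"""

LEGITIMATE = """\
From: "Alice Smith" <alice@example.com>
To: pat@example.com
Subject: Team lunch
Authentication-Results: mx.example.com; spf=pass dkim=pass dmarc=pass header.from=example.com
Content-Type: text/plain; charset="utf-8"

Shall we do lunch on Thursday?
"""

if __name__ == "__main__":
    for label, sample in [("spoofed", SPOOFED_INTERNAL), ("lookalike", LOOKALIKE_VENDOR), ("legit", LEGITIMATE)]:
        print(label, screen(sample))
```

The point of the design is that no single rule is decisive: a DMARC pass on a lookalike domain is exactly what a scammer who registered that domain will achieve, so the domain, Reply-To, and wording checks have to run alongside the authentication result.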
What Can Banks Do to Protect Customers from BEC-Related Losses?
Although banks are limited in their ability to prevent BEC attacks, there are steps they can take to help protect customers and reduce their exposure to BEC-related losses.
- Stronger payment controls, such as dual authorization, MFA, and call-back or out-of-band verification for new beneficiaries or changes to wire and ACH recipient details.
- Real-time anomaly detection using AI or behavioral monitoring to flag unusual amounts, timings, destinations, or beneficiary changes.
- Delayed or staged settlement for high-risk payments or first-time transactions.
- Real-time customer alerts about account changes and outgoing payments, engaging the customer in short questionnaires about the transaction.
- Information sharing with law enforcement agencies and other banks about known BEC attack patterns, best practices, and trends.
- Improved customer education about BEC red flags and verification best practices.
- Easily accessible communication channels to enable customers to report BEC attacks quickly.
- Dedicated BEC response teams to freeze or recover funds quickly.
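To show how the anomaly-detection, call-back, and staged-settlement items in this list fit together, here is an added Python example written for this article; it is not code from any bank or vendor the article names. It scores one payment instruction against the customer's own history with plain rules (no machine learning), and maps the score to a release, alert, or hold-for-callback decision. The customer, beneficiary, amounts, and dates are all constructed, and the weights and thresholds are illustrative assumptions.

```python
"""Bank-side anomaly scoring for outgoing payment instructions (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Payment:
    customer: str
    beneficiary: str      # payee name as the customer entered it
    account: str          # destination account identifier on file
    country: str          # destination country code
    amount: float
    when: datetime


@dataclass
class Assessment:
    score: int
    reasons: list
    action: str           # "release", "alert" or "hold_for_callback"


# Illustrative weights and thresholds; a real programme would tune these.
HOLD_THRESHOLD = 5
ALERT_THRESHOLD = 3


def assess(history, candidate, beneficiary_changed_at=None):
    """Score one payment against the same customer's past payments."""
    past = [p for p in history if p.customer == candidate.customer]
    score, reasons = 0, []

    # Beneficiary checks: brand-new payee, or a known payee whose account changed.
    known_pairs = {(p.beneficiary, p.account) for p in past}
    if candidate.beneficiary not in {p.beneficiary for p in past}:
        score += 3
        reasons.append("first payment to this beneficiary")
    elif (candidate.beneficiary, candidate.account) not in known_pairs:
        score += 4
        reasons.append("known beneficiary, but account differs from every past payment")

    # A recent change to beneficiary details is the classic VEC precursor.
    if beneficiary_changed_at is not None:
        age = candidate.when - beneficiary_changed_at
        if timedelta(0) <= age < timedelta(days=7):
            score += 3
            reasons.append("beneficiary details changed within the last 7 days")

    if candidate.country not in {p.country for p in past}:
        score += 2
        reasons.append("new destination country")

    # Amount check: 3 standard deviations above the mean, with a floor of 10%
    # of the mean so that a very regular payer is not flagged by tiny noise.
    amounts = [p.amount for p in past]
    if amounts:
        mu, sd = mean(amounts), pstdev(amounts)
        if candidate.amount > mu + 3 * max(sd, 0.1 * mu):
            score += 3
            reasons.append("amount far above the customer's usual range")

    usual_hours = {p.when.hour for p in past}
    hour = candidate.when.hour
    if hour not in usual_hours and (hour < 7 or hour > 19):
        score += 1
        reasons.append("submitted outside the customer's usual hours")

    if score >= HOLD_THRESHOLD:
        action = "hold_for_callback"     # out-of-band verification before release
    elif score >= ALERT_THRESHOLD:
        action = "alert"                 # real-time customer alert / staged settlement
    else:
        action = "release"
    return Assessment(score, reasons, action)


# Constructed history: six monthly supplier payments from one customer.
HISTORY = [
    Payment("acme-ltd", "Globex Supplies", "GB00-1111", "GB", amt, datetime(2025, m, 3, 10, 0))
    for m, amt in enumerate([12000, 12400, 12800, 13100, 12600, 13300], start=1)
]

# Constructed candidate instructions to score.
ROUTINE = Payment("acme-ltd", "Globex Supplies", "GB00-1111", "GB", 12600, datetime(2025, 7, 3, 10, 30))
CHANGED_ACCOUNT = Payment("acme-ltd", "Globex Supplies", "LT00-9999", "LT", 12800, datetime(2025, 7, 10, 10, 30))
NEW_PAYEE = Payment("acme-ltd", "Initech Ltd", "GB00-2222", "GB", 9000, datetime(2025, 7, 3, 11, 0))
OVERSIZED = Payment("acme-ltd", "Globex Supplies", "GB00-1111", "GB", 48500, datetime(2025, 7, 3, 10, 30))

if __name__ == "__main__":
    print(assess(HISTORY, ROUTINE))
    print(assess(HISTORY, CHANGED_ACCOUNT, beneficiary_changed_at=datetime(2025, 7, 8, 9, 0)))
    print(assess(HISTORY, NEW_PAYEE))
    print(assess(HISTORY, OVERSIZED))
```

The changed-account case is the one the article's vendor email compromise section describes: same supplier, same amount, same time of month, only the account and country differ. Amount-based rules alone would release it, which is why the beneficiary-change signal carries the highest weight and is the one that triggers a call-back.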