Business Email Compromise (BEC) isn’t “just phishing.” It’s criminals impersonating someone you trust (such as an executive, a vendor, even YOU) to quietly reroute money or sensitive information. The emails look normal. The timing feels urgent. And a single missed verification step can move real dollars out the door.
What is BEC (Business Email Compromise)?
BEC is a scam that leverages your existing relationships and processes. An attacker studies your org (public websites, LinkedIn, vendor invoices), then either spoofs an email address or gets into a real mailbox. Next comes a believable request:
“We’ve changed banks and need your updated billing information”
“Please wire the deposit today so we can start work on our project”
“Keep this confidential and send W-9s and the attached ACH form”
If no one verifies the change outside the email thread, the money goes to the attacker’s account and is quickly laundered.
Because the attacker may actually control the real email account in this type of attack, these requests can be difficult to spot with the usual “phishing” red flags such as a misspelled sender address.
Other examples of BEC include:
- Executive / “CEO” fraud: a fake message from a leader authorizing a rush payment from their actual email address.
- Vendor / Invoice fraud: a real vendor thread is hijacked, and the next invoice’s bank details are swapped.
- Domain look-alikes: yourcompany-pay.com instead of yourcompany.com.
- Conversation hijacking: criminals reply inside an existing email chain after a mailbox takeover.
Why Businesses Should Treat BEC as a Board-Level Risk
The dollars are real and rising. The FBI’s Internet Crime Complaint Center logged $16.6 billion in total reported internet-crime losses in 2024 (up 33% year over year), with BEC consistently among the costliest categories.
Human decisions sit at the center of this problem. Verizon’s 2025 Data Breach Investigations Report notes that roughly six in ten breaches still involve a human element, which is exactly the terrain where BEC operates: approvals, payments, and verification.
Scammers also keep their infrastructure simple. Analysis of BEC activity in 2025 shows the majority of attacks originate from free webmail accounts like Gmail rather than purpose-built malicious domains, which is one reason content filters alone can’t stop every attempt.
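The look-alike domains described above and the free-webmail senders noted here are both things a finance team can triage mechanically before anyone acts on a payment request. The following is an added example, not code from the original post or from Harbor IT: it classifies the From: header of a message against a constructed list of trusted domains (your own plus vendors you actually pay) and a constructed, non-exhaustive list of free webmail providers. The domain names, the 0.8 similarity threshold and the sample headers are all assumptions chosen for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed sample data: your own domains plus vendors you actually pay.
TRUSTED_DOMAINS = {"yourcompany.com", "acme-supplies.com"}
# Constructed, illustrative list of free webmail providers (not exhaustive).
FREE_WEBMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def sender_domain(header_value):
    """Extract the lower-cased domain from a From: header such as 'Jane <jane@x.com>'."""
    _, addr = parseaddr(header_value)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def core_label(domain):
    """The label just before the TLD, e.g. 'yourcompany-pay' for 'yourcompany-pay.com'."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else domain


def classify_sender(header_value):
    """Return one of: trusted, free-webmail, look-alike, external, invalid."""
    domain = sender_domain(header_value)
    if not domain:
        return "invalid"
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    if domain in FREE_WEBMAIL:
        return "free-webmail"
    d = core_label(domain)
    for trusted in TRUSTED_DOMAINS:
        t = core_label(trusted)
        # An embedded brand name ("yourcompany-pay", "acme-supplies.co") or a
        # near-identical spelling both count as look-alikes. The length guard
        # stops very short labels from matching everything.
        embedded = len(d) >= 4 and (t in d or d in t)
        similar = SequenceMatcher(None, t, d).ratio() >= 0.8  # assumed threshold
        if embedded or similar:
            return "look-alike"
    return "external"


def triage(from_headers):
    """Classify a batch of From: headers. Anything that is not 'trusted' needs
    out-of-band verification before a bank-detail change or wire is acted on."""
    return [(header, classify_sender(header)) for header in from_headers]


# Constructed sample From: headers, as they might appear on invoice-related mail.
SAMPLE_FROM_HEADERS = [
    "AP Team <ap@acme-supplies.com>",
    "AP Team <ap@acme-supplies.co>",
    "Billing <billing@yourcompany-pay.com>",
    "CFO <cfo.yourcompany@gmail.com>",
    "Newsletter <news@example.org>",
]

if __name__ == "__main__":
    for header, verdict in triage(SAMPLE_FROM_HEADERS):
        print(f"{verdict:13s} {header}")
```

The point of the classifier is not to block mail; a look-alike or free-webmail verdict on a message that asks for money is the trigger for the callback to a known number that the rest of this post recommends. Note that a sender that passes as "trusted" still does not prove the mailbox itself has not been taken over, which is why verification applies to every payment change regardless of verdict.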
How a Typical BEC Attempt Plays Out (and Where to Stop It)
Typically, the bad actor will follow these steps to carry out the scam:
- Recon: An attacker maps who approves payments and which vendors you use.
- Impersonation or Takeover: They send from a look-alike address or a compromised mailbox.
- The Ask: A believable, time-sensitive request to change bank details or wire funds.
- Cash-out: Funds land in a “mule” account and move again within minutes, which makes recovery very difficult once they have left.
Your best interception point is step 3: the ask. If the request touches money or identity, verify it out-of-band by calling the vendor or executive using a number you already trust, not the number or link inside the email.
The 3 Controls That Prevent Most BEC Losses
1) Make verification non-negotiable.
Any change to payment details or a rush transfer requires a callback to a known phone number and a second approver. This simple habit defeats the core BEC trick: changing where the money goes.
2) Raise the bar on account sign-ins (especially for email).
Use phishing-resistant MFA (passkeys/security keys) for executives, finance, and IT admins. It dramatically reduces account takeovers that enable thread hijacking and silent inbox rules.
3) Authenticate your domain and enforce it.
Set up SPF, DKIM, and DMARC and move to a reject policy after a short monitoring period. This won’t stop every attempt, but it does block direct domain spoofing and gives you visibility into anything suspicious.
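To make the “move to a reject policy after a short monitoring period” step concrete, here is an added example (not code from the original post or from Harbor IT) that grades constructed DMARC and SPF TXT records the way a reviewer would during that monitoring period. No DNS lookups are performed; the record strings, the mailbox names and the provider include are all assumed sample values. The DMARC tag defaults it relies on (pct defaults to 100, sp defaults to the p= value) are the standard ones.

```python
# Constructed example TXT records; nothing here queries DNS.
SAMPLE_RECORDS = {
    "dmarc_monitoring": "v=DMARC1; p=none; rua=mailto:dmarc-reports@yourcompany.com",
    "dmarc_enforced": ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                       "rua=mailto:dmarc-reports@yourcompany.com"),
    "dmarc_partial": "v=DMARC1; p=reject; pct=10",
    "spf_strict": "v=spf1 include:_spf.mail-provider.example -all",
    "spf_open": "v=spf1 include:_spf.mail-provider.example +all",
}


def parse_tags(record):
    """Split a 'k=v; k=v' style DMARC record into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return findings explaining why the record falls short of full enforcement.
    An empty list means: p=reject for the domain and its subdomains, applied to
    100% of failing mail, with an aggregate-report (rua) address for visibility."""
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    if "p" not in tags:
        raise ValueError("missing required p= tag")
    findings = []
    policy = tags["p"].lower()
    if policy == "none":
        findings.append("p=none: failing mail is only reported, never rejected")
    elif policy == "quarantine":
        findings.append("p=quarantine: failing mail goes to spam rather than being rejected")
    elif policy != "reject":
        raise ValueError(f"unknown policy {policy!r}")
    pct = int(tags.get("pct", "100"))  # DMARC default is 100
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    subdomain_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if subdomain_policy != "reject":
        findings.append(f"sp={subdomain_policy}: subdomains are not enforced")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so no visibility")
    return findings


def assess_spf(record):
    """Flag an SPF record that authorizes everyone (+all) or has no 'all' mechanism."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record (missing v=spf1)")
    findings = []
    all_terms = [t.lower() for t in terms[1:] if t.lower().lstrip("+-~?") == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_terms[-1] in ("all", "+all"):
        findings.append("+all: every host on the internet is authorized to send as you")
    return findings


if __name__ == "__main__":
    for name, record in SAMPLE_RECORDS.items():
        findings = assess_dmarc(record) if name.startswith("dmarc") else assess_spf(record)
        print(f"{name}: {findings or 'OK'}")
```

Run against the constructed records, the monitoring-phase record is reported for p=none and for leaving subdomains unenforced, the partial record for pct=10 and the missing report address, and the enforced record comes back clean. Keeping rua= in place even after moving to reject is what gives you the ongoing visibility the section above refers to.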
Quick Risk Prevention Checklist
▢ Verify any banking change with a phone call to a known number.
▢ Require two approvals for wires and new beneficiaries.
▢ Turn on passkeys/use physical security keys for executives, finance, and admins.
▢ Move your DMARC policy to p=reject after monitoring alignment for a few weeks.
If you want to rely on a partner with deep cybersecurity expertise to help address this risk to your business, Harbor IT has you covered.