In the pantheon of cyber threats, Business Email Compromise (BEC) stands out as both one of the most financially devastating and, paradoxically, one of the least publicized. BEC is a sophisticated form of email fraud where attackers impersonate a trusted party (such as a CEO, vendor, or lawyer) to trick an organization into transferring money or disclosing sensitive information. Unlike flashy ransomware or data breaches, BEC scams often involve no malware or network intrusion. They rely on nothing more than cunningly crafted emails and the manipulation of people. As a result, they usually slip under the radar of many traditional security tools. However, the impact on the business can be catastrophic. The FBI’s Internet Crime Complaint Center bluntly calls BEC “the $55 billion scam,” citing over $55 billion in reported global losses from 2013 to 2023.

Why Business Email Compromise Is So Prevalent and Dangerous
At its core, BEC exploits trust in business communications and processes. Attackers study how companies operate: who initiates wire transfers, who the suppliers and customers are, and how executives write their emails. Then they insert themselves at the worst possible moment. They compromise a real email account or register a lookalike domain to pose as a CEO urgently requesting a wire transfer, or as a vendor sending updated bank account details for an invoice. Because the emails contain no malware and appear contextually legitimate, they bypass basic email security filters. Endpoint protection and even many secure email gateways fail to stop BEC attacks, primarily because BEC emails typically lack the malicious links or attachments those tools know to flag. The email content looks routine – it’s the fraudulent intent behind it that causes the damage.
BEC is shockingly common. The FBI’s latest annual cybercrime report shows BEC was the 7th most reported cybercrime by number of incidents (21,832 complaints in 2024), but 2nd in terms of total money lost. It’s a high-dollar, lower-volume crime. Even if not every company experiences a BEC attempt, those that do can suffer outsized losses. Surveys confirm the ubiquity of the threat: 64% of businesses faced BEC attacks in 2024. And those are just the attacks we know about. Many companies do not report attacks out of embarrassment, or because they quietly absorbed the loss.
No industry or size of company is exempt. Criminal rings target large multinational enterprises, where a single successful impersonation can yield seven or eight figures. But they also target small businesses and non-profits, which attackers often perceive as softer targets due to weaker controls. The scam scales to the target.
The Mounting Costs of Business Email Compromise
Financially, business email compromise is often the single costliest type of cyberattack organizations face. A successful ransomware incident might force a payoff of a few hundred thousand dollars or cause downtime losses in the low millions, yet a single well-executed BEC can drain a comparable amount in hours. The median fraudulent wire transfer attempt is in the tens of thousands of dollars, but there are plenty of examples in the millions.
In early 2024, a BEC ring victimized the British engineering firm Arup using deepfake videoconferencing to impersonate the CFO, leading an employee to transfer $25 million to attacker-controlled accounts. Few companies can lose such sums without severe repercussions. Even with smaller dollar losses, organizations rarely recover all their money. The funds quickly move through international banks or cryptocurrency exchanges. Law enforcement can sometimes freeze or recover a portion if the organization alerts them immediately. But even minor delays mean the money is gone.
Beyond direct financial loss, the secondary fallout from a business email compromise incident can be significant. If attackers tricked employees into releasing employee or client data (for instance, persuading HR to send payroll files or tax forms), your organization now faces a data breach with potential regulatory and legal consequences. There’s also reputational damage: suppliers, clients, or investors might question your internal controls. In some cases, companies have had to restate financials or absorb one-time charges to reflect unrecoverable losses, which can hit stock prices and executive credibility.
Cyber insurance may cover some losses, but many policies impose lower sub-limits or stringent conditions on social engineering fraud. Insurers often require specific anti-BEC controls, like verified call-back procedures, as a prerequisite for claims.

How Business Email Compromise Attacks Work (and Evolve)
Business email compromise techniques continuously adapt to defenses. Initially, many attackers used simple spoofing in BEC scams, sending emails from lookalike domains (e.g., @m1crosoft.com instead of @microsoft.com). Users became more wary, and companies started filtering obvious fakes. In response, attackers shifted to compromising real email accounts through phishing or malware. If attackers hack a CEO’s or vendor’s email account, the BEC email originates from the legitimate address, making it virtually impossible for recipients to recognize foul play.
Attackers commonly combine business email compromise phishing with takeover of the sender’s account, so recipients have no way to know the email isn’t genuine. Attackers also carefully time and contextualize their emails. They often strike when key personnel are traveling or unreachable (e.g., the CEO is abroad, making it difficult to contact and verify). They insert themselves into ongoing finance conversations (e.g., hijacking an invoice discussion with new payment instructions). Some even wait for moments like end-of-quarter pressure, when large transfers are standard and urgency is expected.
We’re also seeing the integration of multi-channel social engineering in BEC. Email may be the initial entry point, but the scam can be reinforced with subsequent phone calls or text messages. Attackers have been known to call finance staff, posing as the CEO or a lawyer, to add legitimacy to the emailed instructions, leveraging voice-changing technology or deepfake audio to sound convincing. According to one report, 30% of organizations saw vishing (voice phishing) incidents where fraudsters impersonated executives or officials over the phone in coordination with email scams. This blended approach can fluster employees: an urgent email followed by a call from “the boss” is a one-two punch that’s hard to doubt in the moment.
The Executive’s Role – Managing the Risk
For the C-suite, business email compromise is not just an “IT problem” – it’s a business continuity and risk management problem. Unlike a virus that IT can quarantine, a BEC scam involves people and process breakdowns. Executives must ensure that financial controls and verification procedures are robust and effective. A CEO or CFO can institute a policy that “I will never ask you to wire money solely based on an email; if you get a request like that, you must verify by phone or Teams.” And importantly, they must stick to that rule themselves.
Many companies enforce strict dual-approval and callback requirements for any transaction above a threshold, and leadership must explicitly enforce these policies to overcome the cultural hurdle of “the boss’s orders.” It’s also wise for leaders to foster a culture where questioning unusual requests is encouraged, not frowned upon. Remember, human error accounts for ~74% of breaches and social engineering for ~50% of security incidents. Reducing those errors through process and culture is squarely a leadership issue.
On the technology side, executives should champion investments in email security and identity management that specifically address BEC (more on those in the Consideration section). Simple measures like enabling multifactor authentication on email accounts can thwart many account takeover attempts. Email warning banners that flag external messages or potential spoofing can help alert users. But technology alone won’t stop BEC; well-trained people and robust processes are equally (if not more) important.
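As an added example (not from the original article), the following Python sketch shows the kind of check behind a warning banner for external or spoofed senders: it parses the From: header, compares the sender's domain against a trusted-domain list, and flags one-character lookalikes such as the m1crosoft.com case described earlier, punycode (xn--) domains that can hide homoglyphs, and trusted domains used as a subdomain prefix. The trusted-domain list and the sample addresses are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed allow-list: the organization's own domain and its known vendors.
TRUSTED_DOMAINS = {"example.com", "microsoft.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: each substitution, insertion or deletion costs 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Return the domain of the actual address in a From: header, ignoring the display name."""
    _, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].strip().lower() if "@" in addr else ""


def classify_sender(from_header: str) -> tuple[str, str]:
    """Classify a From: header as 'trusted', 'lookalike' or 'external' and build a banner text."""
    domain = sender_domain(from_header)
    if not domain:
        return "external", "WARNING: sender address could not be parsed"
    if domain in TRUSTED_DOMAINS:
        return "trusted", ""
    # Internationalized labels (punycode) can render as near-identical homoglyphs.
    if any(label.startswith("xn--") for label in domain.split(".")):
        return "lookalike", f"WARNING: sender domain '{domain}' uses non-ASCII characters"
    for trusted in sorted(TRUSTED_DOMAINS):
        # A trusted name used as a subdomain of something else, e.g. microsoft.com.evil.test
        if domain.startswith(trusted + "."):
            return "lookalike", f"WARNING: '{domain}' is not '{trusted}'; check the full domain"
        # One character off (a digit 1 for the letter i) is the classic lookalike domain.
        if edit_distance(domain, trusted) <= 1:
            return "lookalike", f"WARNING: sender domain '{domain}' resembles trusted '{trusted}'"
    return "external", f"CAUTION: external sender ({domain})"


if __name__ == "__main__":
    # Constructed sample headers, not real messages.
    for hdr in ["CFO <cfo@example.com>", "IT Support <alerts@m1crosoft.com>",
                "Jane Doe <jane@partner.org>", "billing@microsoft.com.evil.test"]:
        print(hdr, "->", classify_sender(hdr))
```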
Don’t Ignore Incident Readiness
Organizations often overlook incident readiness. If, despite everything, a BEC incident slips through, are you prepared to respond? Do you know whom to call at your bank to attempt a recall? Is your cyber insurance contact info handy? Do employees know to inform management immediately, without fear, if they realize they might have been duped? Having a practiced response plan for BEC can dramatically limit the damage (the FBI’s IC3 can assist in freezing funds if notified quickly).
Business Email Compromise is a clear and present danger — arguably the costliest cyber threat today in terms of direct financial impact. Its low-tech nature (no obvious malware or network breach) makes it challenging to detect, and its reliance on social engineering makes it a company-wide concern. By raising awareness of BEC at the executive level, we set the stage for proactive measures.