Threat Glossary

What is business email compromise (BEC)?

Business email compromise (BEC) is a targeted fraud in which an attacker impersonates a trusted party — typically an executive, vendor, or colleague — to deceive an employee into transferring money or sensitive data. When the impersonated party is the CEO, it’s often called “CEO fraud.”

BEC is one of the costliest categories of cybercrime, causing billions in losses annually — and it usually involves no malware at all. It weaponizes authority and routine: an urgent email that looks like it’s from your boss or a known supplier, asking for a wire transfer or a change of banking details. Because it exploits trust rather than technology, awareness and process are the real defenses. Here’s how it works.

How BEC attacks work

A BEC attack unfolds in stages:

  • Research. The attacker studies the organization — who approves payments, who reports to whom, how invoices flow — using public info, social media, and leaked data.
  • Access or impersonation. They either compromise a real mailbox (via phishing or a leaked password) or spoof a look-alike domain that reads correctly at a glance.
  • The request. Posing as an executive or vendor, they send a plausible, urgent request — wire a payment, change a supplier’s bank account, or send employee tax forms.
  • The pressure. They add secrecy and time pressure (“I’m in a meeting, handle this quietly and quickly”) to short-circuit normal checks.
  • The payout. Funds are wired to a mule account and moved quickly, often overseas, making recovery difficult.

Common BEC variants

  • CEO fraud. Impersonating a senior executive to order an urgent wire transfer.
  • Vendor / invoice fraud. Impersonating a supplier to redirect a legitimate payment to a new (attacker-controlled) bank account.
  • Payroll diversion. Posing as an employee to change direct-deposit details.
  • Attorney or acquisition fraud. Impersonating legal counsel around a confidential, time-sensitive deal to justify secrecy.

Why BEC is so effective

BEC succeeds because it looks completely normal. There’s no suspicious attachment to flag — just a well-written email invoking authority and urgency, often from a real, compromised account. Attackers frequently start with a leaked executive password or a phishing foothold, then watch email threads for weeks to time their request perfectly. The personal details that make the impersonation believable often come from data brokers and past breaches.

How to protect yourself

Concrete steps you can take today to reduce your exposure.

Verify payment changes out-of-band

Confirm any wire request or change of bank details by phone using a known number — never a number or reply-address supplied in the email itself.

Require dual approval for transfers

Mandate a second authorizer for wires above a threshold so no single email can move money.

Watch for look-alike domains

Attackers register domains that differ by a character. Scrutinize the sender address on any financial request.

Secure executive mailboxes

Protect the accounts most likely to be impersonated with strong, unique passwords and phishing-resistant two-factor authentication.

Reduce executive data exposure

Remove leaders’ personal details from data brokers and rotate breached credentials so attackers can’t easily research or hijack their identities.

Train the whole team

Everyone who can move money or data should know the pattern: urgency, secrecy, and a change to payment details are the classic red flags.

Frequently asked questions

What is the difference between BEC and phishing?

Phishing is the broad technique of using deceptive messages to trick people. Business email compromise is a specific, targeted use of it aimed at organizations — impersonating an executive or vendor to redirect payments or data. BEC often uses phishing to gain the initial access, then exploits trust and process to commit fraud.

How can I protect my company from BEC?

Verify any payment or bank-detail change through a separate, known channel; require dual approval for wire transfers; secure executive email with strong authentication; reduce leaders’ exposed personal data; and train staff to recognize the urgency-plus-secrecy pattern.

What should I do if we’ve fallen victim to a BEC scam?

Act immediately: contact your bank to attempt a recall of the wire, report it to law enforcement (in the U.S., the FBI’s IC3), preserve the emails as evidence, reset any compromised accounts, and review who else may have received similar requests. Fast reporting improves the chance of recovering funds.

See what’s exposed about you — free

Attackers start with the data that’s already public: your leaked passwords, your breached accounts, and your address on data-broker sites. Run a free scan to see exactly what’s out there about you — then remove it.

The first scan is free with no signup. Broker removals are filed as your authorized agent under CCPA and state-equivalent law. Your results are private to you — we never sell your data.