Top financial-loss vector

What is Business Email Compromise

Business email compromise is the targeted email fraud that impersonates executives, vendors, and partners to redirect payments or steal data. Learn the five subtypes, three named cases, and the eight-layer defense framework that finance and security teams deploy in 2026.


BEC is the single largest cybercrime category by reported dollar loss

Business email compromise (BEC) is a targeted email fraud in which an attacker impersonates an executive, a vendor, or a trusted counterparty to redirect a payment, exfiltrate sensitive data, or gain a foothold inside a financial workflow. BEC rarely uses malware. The payload is identity itself: a spoofed sender, a hijacked mailbox, or a lookalike domain that slips through secure email gateways because no link, attachment, or executable is involved. The attack lives or dies on social engineering against finance, accounts payable, payroll, HR, and legal staff.

The FBI Internet Crime Complaint Center logged 21,489 BEC complaints in 2023 with $2.9 billion in adjusted losses, making BEC the single largest category of reported cybercrime loss by dollar value. Verizon's 2024 Data Breach Investigations Report notes that pretexting (the social-engineering tactic that underpins most BEC) more than doubled in volume across recent reporting cycles. The Anti-Phishing Working Group recorded 4.7 million phishing attacks in 2023, and BEC is the financially motivated subset of that volume that targets workflow trust rather than mailbox compromise as an end in itself.

BEC splits into five operational subtypes, each tracked separately by the FBI and by industry threat intel teams. CEO fraud impersonates a senior leader to pressure a subordinate into a wire or gift-card purchase. Vendor invoice fraud (sometimes called vendor email compromise or VEC) hijacks a real supplier thread and inserts a change-of-bank-details message at the right point in the payment cycle. Attorney impersonation arrives as a confidential, urgent legal pretext during a real transaction window. Payroll diversion targets HR staff with a request to change an employee's direct-deposit account. Data-theft BEC asks HR or finance for W-2 rosters, employee PII, or tax documents, then resells the data into synthetic-identity fraud rings.

Attacker tradecraft jumped a generation in 2024. Voice cloning models trained on a 30-second sample from a podcast or earnings call now produce convincing CFO voicemails, and live-face video deepfakes ran in production during the Arup $25 million wire fraud confirmed in February 2024. Adversary-in-the-middle phishing kits like Evilginx and EvilProxy are now the standard mailbox-takeover precursor for BEC, harvesting post-MFA session cookies that defeat SMS, push, and TOTP. If you are a buyer reading this page, you almost certainly already run DMARC and an annual phishing module. The expensive BEC attacks (the eight-figure ones) walk through that stack. The rest of this page covers the modern attack chain, three named incidents, the defense framework that actually works, and the role-based exercise approach that builds the verification reflex finance teams need.

How a BEC attack unfolds

1. Mailbox compromise or lookalike domain registration

The attacker gets access to a real business identity through one of three paths. They register a lookalike domain using homoglyphs (rn for m, paypa1 for paypal, an extra hyphen, or a different top-level domain), spoof a sender and gamble that DMARC is not enforced at p=reject, or take over a real mailbox through an adversary-in-the-middle phishing campaign that harvests the post-MFA session cookie.

Mailbox takeover is the highest-fidelity option because every later message arrives from the legitimate domain with valid DKIM signatures. The 2023 0ktapus and Scatter Swine campaigns supplied the BEC pipeline with hundreds of compromised SaaS and finance mailboxes through this path.

2. Reconnaissance inside the mailbox or thread

Once inside, the attacker reads quietly. They map vendor relationships, payment cadences, approval matrices, executive travel calendars, out-of-office windows, and the language patterns the target uses with each counterparty. The dwell time is often weeks. Attackers create silent inbox rules that forward every invoice, every payment confirmation, and every wire instruction to an external address, sometimes routing through a freshly created subfolder named Archive or RSS to hide from casual review. The reconnaissance phase is where data-theft BEC and vendor invoice fraud diverge from CEO fraud: the former prepares an exfiltration list, the latter prepares a single high-value wire moment.

3. Pretext crafting and thread injection

The attacker drafts a pretext that exploits authority, urgency, and confidentiality. For vendor invoice fraud, they wait for a real invoice to arrive, then inject a 'we have updated our banking details, please use the new IBAN for the upcoming draw' message into the active thread.

For CEO fraud, they send a short, urgent message ('Are you at your desk? I need a confidential favor') that escalates once the target replies. For attorney impersonation, the message references an active deal and asks the target not to discuss the request with anyone else.

Large language models now draft the copy in fluent business English, customized to the target's role and current calendar, removing the broken-grammar signal defenders relied on for two decades.

4. Urgency, confidentiality, and authority pressure

BEC pretexts compress the decision window. Wire deadlines are framed as 'today before close of business,' confidentiality is invoked to stop the target from walking across the hall, and authority is borrowed from the impersonated executive or counterparty. Attackers time the message to known stress moments: the Friday afternoon before a long weekend, the day a real merger is announced, the morning after a quarter close, or during the executive's known travel window when out-of-band verification is harder. The 2024 generation chains channels: an email lands first, a vishing call follows within hours referencing the message, and (for high-value wires) a deepfake video call closes the trust loop.

5. Wire authorization or data exfiltration

The target authorizes the transfer or releases the data. For wire fraud, the funds route through a mule account, then through correspondent banking layers, often into cryptocurrency within 24 to 48 hours. The FBI Recovery Asset Team intervenes most successfully when notified within 72 hours, which is why time-to-report is the single most important defensive metric after the click happens. For data-theft BEC, the W-2 roster or employee PII export is exfiltrated and listed for sale on criminal marketplaces inside the same week. Payroll diversion attacks often go undetected until the affected employee notices a missing paycheck on the next pay date.

6. Exfiltration window and detection lag

BEC operations exploit the gap between authorization and detection. Silent mail-forwarding rules continue exporting copies of every confirmation, reply, and statement long after the wire clears. OAuth consent abuse keeps access to Microsoft 365 or Google Workspace alive even after a password reset, because the consent grant survives password rotation. Median detection time for BEC, per Microsoft Digital Defense Report data, runs from days to weeks. The longer the lag, the lower the recovery rate: funds become unrecoverable once they convert to crypto or disperse across foreign banking layers, and the data, once sold, cannot be recalled.

Real-world BEC case studies

2024 Pepco Group €15.5M Hungarian wire fraud

Discount retail group Pepco confirmed in February 2024 that its Hungarian business unit lost approximately €15.5 million in a sophisticated phishing fraud during late February. The company described the attack as a fraudulent communication that resulted in transfers from the Hungarian operation, with no customer or employee data compromised. The loss was direct cash, transferred out of treasury operations through manipulated payment instructions. Pepco told the market that recovery was unlikely. The case is now studied as a clean example of the BEC pattern targeting finance teams with authority-based pretexts, and it illustrates how a single skipped callback verification can move eight-figure sums in a single morning even at a multinational with mature controls.

2024 Arup $25M deepfake video BEC chain

Engineering firm Arup confirmed in February 2024 that a finance employee in its Hong Kong office authorized 15 transfers totaling $25 million to attacker-controlled accounts after joining a video conference with what appeared to be the company CFO and several other staff. Every other participant on the call was a deepfake.

The pretext arrived first by email, the call closed the trust loop, and the wire was sent before any out-of-band verification could intervene. Arup said the staff member followed instructions from familiar faces and voices.

The case redefined the threat for finance and treasury teams: visual identity on a live call is no longer evidence, and BEC defense now has to assume that voice and face can both be synthesized for the duration of an authorization meeting.

2016 FACC €42M Austrian aerospace CEO fraud

Austrian aerospace parts manufacturer FACC AG (a supplier to Airbus and Boeing) disclosed in January 2016 that it had lost approximately €42 million in a CEO fraud BEC attack. An attacker impersonating CEO Walter Stephan emailed an entry-level finance employee with an urgent, confidential acquisition wire request. The transfer was processed before any callback verification ran.

FACC's supervisory board fired both CEO Walter Stephan and CFO Minfen Gu, and the company later sued both in civil court for failing internal-control duties.

The case is one of the largest pre-deepfake CEO fraud losses on record and a standard reference for board-level BEC governance, because it shows that BEC consequences extend beyond the wire itself into executive accountability and shareholder litigation.

How to defend against business email compromise

Enforce DMARC at p=reject with aligned SPF and DKIM

Quarantine mode lets spoofs through to user judgment. Reject mode tells receiving mail servers to drop unauthenticated mail outright before the inbox ever sees it. Publish DMARC records on every sending domain (primary, marketing, transactional, parked, regional), align SPF and DKIM with the From header, and review aggregate reports weekly. This is the cheapest control with the largest blast radius against the cousin-domain spoofing class that drives most CEO fraud and attorney impersonation attempts. Pair with brand indicators (BIMI) once DMARC is enforced, so legitimate mail carries a verified logo while spoofs do not.
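The record-level checks above can be automated. The following is an added example (not code from the original page) that parses a DMARC TXT record and reports the gaps that leave spoofed mail reaching user judgment: a policy short of p=reject, a subdomain policy that falls back to it, a pct below 100, no aggregate-report address, and relaxed rather than strict alignment. It works on the record text so it runs offline; in practice the record is first resolved from `_dmarc.<domain>`. Both sample records are constructed.

```python
"""Assess a DMARC TXT record against the enforcement posture described above.

Added example, not code from the original page. Works on the record text
(no DNS lookup) so it runs offline; sample records are constructed.
"""

REQUIRED_VERSION = "DMARC1"


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into lowercase tag -> value pairs."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != REQUIRED_VERSION:
        raise ValueError("not a DMARC record (missing v=DMARC1)")
    return tags


def assess_dmarc(record: str) -> list:
    """Return findings as (severity, message) tuples; an empty list means the
    record is at p=reject with full coverage, strict alignment and reporting."""
    tags = parse_dmarc(record)
    findings = []

    policy = tags.get("p", "none").lower()
    if policy != "reject":
        findings.append(("high", f"p={policy}: spoofed mail still reaches user judgment"))

    # sp= defaults to the organisational policy when absent
    subpolicy = tags.get("sp", policy).lower()
    if subpolicy != "reject":
        findings.append(("high", f"sp={subpolicy}: subdomains can still be spoofed"))

    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(("high", f"pct={pct}: only {pct}% of failing mail gets the policy"))

    if "rua" not in tags:
        findings.append(("medium", "no rua= address: aggregate reports cannot be reviewed weekly"))

    # Relaxed alignment (the default) lets any subdomain satisfy alignment;
    # strict is safer once every legitimate sender signs with the exact domain.
    for tag, what in (("adkim", "DKIM"), ("aspf", "SPF")):
        if tags.get(tag, "r").lower() != "s":
            findings.append(("low", f"{tag}=r: {what} alignment is relaxed, not strict"))

    return findings


# Constructed records: the common weak deployment and the enforced one.
WEAK_RECORD = "v=DMARC1; p=quarantine; pct=50"
ENFORCED_RECORD = (
    "v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
    "rua=mailto:dmarc-reports@yourco.example"
)

if __name__ == "__main__":
    for label, rec in (("weak", WEAK_RECORD), ("enforced", ENFORCED_RECORD)):
        print(label, rec)
        for severity, message in assess_dmarc(rec) or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

Run it against every sending domain in the inventory (primary, marketing, transactional, parked, regional); a domain that returns no findings is at the posture the paragraph above describes, and the "high" findings are the ones that let cousin-domain spoofs through.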

Dual authorization and callback verification on a known internal number

Write a one-page policy that requires a callback to a published internal directory number before any wire change, banking detail update, new vendor onboarding, payroll edit, or roster export, regardless of the inbound channel. The callback number must come from the corporate directory, not from the email signature or any contact detail in the inbound message. Adopt a code-word or challenge-phrase system for high-value finance requests so deepfake voice and video cannot complete the chain alone. Rehearse the policy with finance, AP, HR, and the help desk every quarter. The 2024 Arup loss and the 2016 FACC loss were both preventable by this single control.

Separate the approver from the executor

The person who authorizes a wire must not be the person who releases it. Build segregation of duties into the treasury workflow, the AP system, and the payroll platform. For wires above a board-set threshold, require dual sign-off with timestamped audit trail, and route an automatic notification to a third reviewer (CFO, treasurer, or controller) for high-value transfers. This control caught at least one published BEC attempt in 2023 because the second approver noticed that the new beneficiary IBAN sat in a country where the vendor had no banking relationship. Single-approver workflows are the single most common control gap in published BEC post-mortems.
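The second-approver catch described above (a beneficiary IBAN in a country where the vendor has no banking relationship) can be made a routine check rather than a lucky observation. The following is an added example, not code from the original page: it validates the new IBAN structurally with the ISO 13616 mod-97 check, compares its country code with the vendor's known banking countries, and never returns an automatic approve, only "hold" or "callback-required", so the dual-sign-off and callback steps still run. The vendor record and the IBANs are constructed sample data (the IBANs are the standard published format examples).

```python
"""Second-approver checks for a vendor banking-details change.

Added example, not code from the original page. Vendor record and IBANs
are constructed sample data.
"""

import string


def normalise_iban(iban: str) -> str:
    return iban.replace(" ", "").replace("-", "").upper()


def iban_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map
    letters A-Z to 10-35, and the resulting integer must be 1 modulo 97."""
    iban = normalise_iban(iban)
    if not (15 <= len(iban) <= 34) or not iban[:2].isalpha() or not iban[2:4].isdigit():
        return False
    if any(c not in string.ascii_uppercase + string.digits for c in iban):
        return False
    rearranged = iban[4:] + iban[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


def iban_country(iban: str) -> str:
    """Two-letter ISO country code carried in the first two IBAN characters."""
    return normalise_iban(iban)[:2]


def review_beneficiary_change(vendor: dict, new_iban: str) -> dict:
    """Return the approver's decision: 'hold' when any check fails, otherwise
    'callback-required'. There is deliberately no automatic approve path."""
    reasons = []
    if not iban_valid(new_iban):
        reasons.append("IBAN fails the mod-97 structural check")
    else:
        country = iban_country(new_iban)
        if country not in vendor["banking_countries"]:
            reasons.append(
                f"IBAN country {country} is outside the vendor's known banking "
                f"countries {sorted(vendor['banking_countries'])}"
            )
    decision = "hold" if reasons else "callback-required"
    return {"vendor": vendor["name"], "decision": decision, "reasons": reasons}


# Constructed vendor master record.
VENDOR = {
    "name": "Acme Supplies GmbH",
    "iban_on_file": "DE89 3704 0044 0532 0130 00",
    "banking_countries": {"DE", "AT"},
}

if __name__ == "__main__":
    for candidate in ("GB82 WEST 1234 5698 7654 32",   # valid, wrong country
                      "DE89 3704 0044 0532 0130 01",   # checksum broken
                      "DE89 3704 0044 0532 0130 00"):  # valid, expected country
        print(candidate, review_beneficiary_change(VENDOR, candidate))
```

The country check is the automated version of what the second approver noticed; the callback on a directory number remains the control that actually confirms the change with the vendor.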

Visible external-sender banners in the mail client

Tag every external message with a clear visual banner ('External: this message originated outside YourCo') in Outlook, Gmail, and the mobile mail apps. Train staff to treat any 'reply from CEO' or 'reply from vendor' thread that carries the external banner as suspicious, especially when the display name matches an internal leader. Combine with a first-contact warning for new external senders. The banner is the cheapest UI nudge that survives AI-generated copy quality, because it does not depend on the user spotting a linguistic tell. It surfaces the protocol-level fact that the sender is not part of the corporate identity boundary.

Monitor for silent mail-forwarding rules and OAuth consent abuse

Silent inbox rules that forward every invoice, payment confirmation, or wire instruction to an external address are the single most common BEC persistence mechanism. Enable Microsoft 365 audit logging or Google Workspace alerting on new forwarding rules, especially rules created via PowerShell, EWS, or the Graph API rather than the web UI. Pair with an OAuth consent governance policy that requires admin approval for any third-party app requesting Mail.Read, Mail.Send, or full mailbox scopes. Persistent OAuth tokens survive password rotation and MFA reset, which is why consent monitoring is a separate control surface from credential hygiene.
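The detection logic for the rule-based persistence described here (and in step 2 above) is easiest to see over sample audit events. The following is an added example, not code from the original page or from Microsoft: it scores mailbox-rule audit records for external forwarding, message deletion, filing into low-attention folders such as Archive or RSS Feeds, finance-keyword triggers, and creation through an API client rather than the web UI. The record shape follows the Exchange Online audit pattern (Operation, UserId, Parameters as Name/Value pairs, ClientInfoString), but the three records are constructed, and the mapping of ClientInfoString prefixes to "web UI versus API" is an assumption to adjust against your own tenant's logs.

```python
"""Triage mailbox-rule audit events for the silent-forwarding pattern.

Added example, not code from the original page or from Microsoft. The
records below are constructed; the ClientInfoString mapping is an assumption.
"""

INTERNAL_DOMAINS = {"yourco.example"}          # constructed tenant domain
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox", "UpdateInboxRules"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo",
                  "ForwardingSmtpAddress", "ForwardingAddress")
HIDING_FOLDERS = {"archive", "rss feeds", "rss subscriptions",
                  "conversation history", "junk email"}
FINANCE_WORDS = ("invoice", "payment", "wire", "remittance", "iban", "bank")


def extract_addresses(value: str) -> list:
    """Extract SMTP addresses; Exchange writes them bare, as 'smtp:user@dom',
    or as 'Display Name [SMTP:user@dom]'."""
    found = []
    for item in value.replace(";", ",").split(","):
        item = item.strip().strip('"')
        if not item:
            continue
        upper = item.upper()
        if "[SMTP:" in upper:
            item = item[upper.index("[SMTP:") + 6:].rstrip("]")
        elif upper.startswith("SMTP:"):
            item = item[5:]
        found.append(item.lower())
    return found


def analyze_rule_event(record: dict) -> dict:
    """Score a single audit record; higher means more like BEC persistence."""
    result = {"Id": record.get("Id"), "UserId": record.get("UserId"), "score": 0, "reasons": []}
    if record.get("Operation") not in RULE_OPERATIONS:
        return result
    params = {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}

    for name in FORWARD_PARAMS:
        if name in params:
            external = [a for a in extract_addresses(params[name])
                        if a.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]
            if external:
                result["score"] += 3
                result["reasons"].append(f"{name} leaves the tenant: {', '.join(external)}")

    if params.get("DeleteMessage", "").lower() in ("true", "$true"):
        result["score"] += 2
        result["reasons"].append("DeleteMessage set: the owner never sees the original")

    folder = params.get("MoveToFolder", "")
    if folder.lower() in HIDING_FOLDERS:
        result["score"] += 1
        result["reasons"].append(f"copies filed into a low-attention folder: {folder}")

    subject = params.get("SubjectContainsWords", "").lower()
    if any(word in subject for word in FINANCE_WORDS):
        result["score"] += 1
        result["reasons"].append(f"rule keys on finance subjects: {params['SubjectContainsWords']}")

    client = record.get("ClientInfoString", "")
    if client and not client.startswith("Client=OWA"):     # assumption, see lead-in
        result["score"] += 1
        result["reasons"].append(f"created outside the web UI: {client}")
    return result


def triage(records, threshold: int = 3) -> list:
    """Return scored events at or above the threshold, highest first."""
    hits = [analyze_rule_event(r) for r in records]
    return sorted((h for h in hits if h["score"] >= threshold), key=lambda h: -h["score"])


# Constructed audit records: a BEC-style rule, a benign rule, and a
# mailbox-level forward.
SAMPLE_RECORDS = [
    {"Id": "evt-1", "Operation": "New-InboxRule", "UserId": "ap.clerk@yourco.example",
     "ClientInfoString": "Client=REST;Client=RESTSystem;",
     "Parameters": [
         {"Name": "Name", "Value": "Archive"},
         {"Name": "SubjectContainsWords", "Value": "invoice;wire;remittance"},
         {"Name": "ForwardTo", "Value": "\"Finance Archive [SMTP:fin.archive@mailhost.example]\""},
         {"Name": "MoveToFolder", "Value": "RSS Feeds"},
         {"Name": "MarkAsRead", "Value": "True"}]},
    {"Id": "evt-2", "Operation": "New-InboxRule", "UserId": "ap.clerk@yourco.example",
     "ClientInfoString": "Client=OWA;Action=ViaProxy",
     "Parameters": [
         {"Name": "Name", "Value": "Newsletters"},
         {"Name": "From", "Value": "news@vendor-newsletter.example"},
         {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Id": "evt-3", "Operation": "Set-Mailbox", "UserId": "treasury@yourco.example",
     "Parameters": [
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:treasury.backup@freemail.example"},
         {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RECORDS):
        print(hit["Id"], hit["UserId"], hit["score"], *hit["reasons"], sep="\n  ")
```

Any external forward scores at the threshold on its own, so it is always surfaced; the folder, keyword and client signals raise the priority of the events that most resemble the pattern described above.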

Deploy phishing-resistant MFA (FIDO2 and passkeys)

Hardware-bound keys (YubiKey, Titan, platform passkeys on iOS and Android) cannot be phished by adversary-in-the-middle proxies. The cryptographic challenge is bound to the legitimate domain, so a fake login page cannot complete the handshake. Move every employee from SMS, push, and TOTP to FIDO2 or platform passkeys, starting with finance, AP, payroll, HR, executives, and IT help desk. Cloudflare publicly credited mandatory hardware keys with stopping the 2022 Scatter Swine campaign at its perimeter, which prevented dozens of downstream BEC attacks the same kit had enabled at peer companies.

Lookalike domain monitoring and registrar takedowns

Subscribe to a domain monitoring service (DomainTools, RiskIQ, Cloudflare Brand Protection, or an in-house DNS feed) that alerts on new registrations resembling your primary, regional, and product domains. Build a takedown runbook with your registrar and your hosting provider that can pull a lookalike within 24 hours of detection. Pre-register the most obvious homoglyph variants of your primary domain yourself; the cost of $10 a year per defensive registration is trivial compared with one BEC loss. Maintain an internal allowlist of known-good vendor domains so the AP team can flag any first-contact change of payment instructions from a domain not on the list.
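The allowlist check for the AP team, covering the lookalike techniques listed under step 1 (rn for m, 1 for l, an extra or missing hyphen, a different top-level domain), can be expressed as a small classifier. The following is an added example, not code from the original page or from any named monitoring product: it reduces a sender's registrable label to a confusable-character skeleton, compares it with every allowlisted vendor domain, and also catches one-character edits on longer labels. It additionally generates the obvious variants of an allowlisted domain so they can be pre-registered and fed to the monitoring service, and checks that each of them is classified as a lookalike. The allowlist and sender domains are constructed; registrable-label extraction is the naive "second label from the right" and would need a public-suffix list for domains such as example.co.uk.

```python
"""Classify an inbound sender domain against the vendor allowlist.

Added example, not code from the original page. Allowlist and sender
domains are constructed; the public-suffix handling is naive.
"""

# Multi-character confusables go first so 'rn' collapses before 'n' is seen.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("-", "")]
MIN_LABEL_FOR_EDIT_DISTANCE = 5   # avoid flagging 'acme' against 'acne'


def skeleton(label: str) -> str:
    """Collapse the homoglyph substitutions into their canonical letters."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def registrable(domain: str) -> tuple:
    """Return (second-level label, top-level domain); naive, see lead-in."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    return labels[-2], labels[-1]


def edit_distance(a: str, b: str) -> int:
    """Standard Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain: str, allowlist) -> str:
    """'allowlisted', 'lookalike:<allowed domain>', or 'unknown'."""
    sender = sender_domain.lower().strip(".")
    for allowed in allowlist:
        if sender == allowed or sender.endswith("." + allowed):
            return "allowlisted"
    sender_skel = skeleton(registrable(sender)[0])
    for allowed in allowlist:
        allowed_skel = skeleton(registrable(allowed)[0])
        close = (len(allowed_skel) >= MIN_LABEL_FOR_EDIT_DISTANCE
                 and edit_distance(sender_skel, allowed_skel) <= 1)
        if sender_skel == allowed_skel or close:
            return f"lookalike:{allowed}"
    return "unknown"


def defensive_variants(domain: str, extra_tlds=("net", "co", "org")) -> set:
    """The obvious homoglyph, hyphen and TLD variants of one domain, for
    defensive registration and as seeds for the monitoring feed."""
    label, tld = registrable(domain)
    variants = set()
    for src, dst in (("m", "rn"), ("w", "vv"), ("l", "1"), ("o", "0")):
        if src in label:
            variants.add(f"{label.replace(src, dst)}.{tld}")
    if "-" in label:
        variants.add(f"{label.replace('-', '')}.{tld}")
    for other in extra_tlds:
        if other != tld:
            variants.add(f"{label}.{other}")
    variants.discard(domain)
    return variants


# Constructed allowlist of known-good vendor domains (paypal.com is the
# page's own homoglyph example).
ALLOWLIST = ("acme-supplies.com", "paypal.com")

if __name__ == "__main__":
    for sender in ("acme-supplies.com", "acrne-supplies.com", "acme-supplies.co",
                   "paypa1.com", "contoso-steel.example"):
        print(f"{sender:28} {classify(sender, ALLOWLIST)}")
    print(sorted(defensive_variants("acme-supplies.com")))
```

A "lookalike" result on a first-contact change of payment instructions is exactly the case the paragraph above wants the AP team to flag, and it should route to the callback policy rather than to a reply on the same thread.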

Quarterly wire-fraud response drills

Run a tabletop exercise every quarter that walks finance, IT, legal, and the SOC through the first two hours after a suspected BEC wire. Who calls the bank to recall the wire? Who files with the FBI IC3 portal? Who freezes the affected endpoint and rotates credentials? Who notifies the board and the cyber insurer? The FBI Recovery Asset Team has the highest success rate when notified inside 72 hours, so the drill should specifically rehearse the 24-hour and 48-hour decision points. Pair with a published policy that names the specific bank fraud line, the IC3 URL, and the law firm that handles wire-fraud recovery, so no one has to look those up under pressure.

How RansomLeak trains finance teams to spot BEC

RansomLeak runs immersive, scenario-based exercises rather than recorded videos and static quizzes. The signature drill for this threat is the business email compromise exercise, which drops the learner into a finance-team seat with a realistic wire-instruction-change thread, a lookalike vendor domain with a single-character homoglyph, urgency cues tied to a real payment cycle, and a confidentiality directive from a CEO-impersonating sender. The scenario forces a real decision under realistic pressure: authorize the change, ask for documentation, or escalate through callback verification. Each ending surfaces the cues missed and the verification step that would have caught the actual attack pattern.

Coverage extends across the BEC subtypes and the chained-channel variants that defined 2024. The whaling-with-a-deepfake exercise puts learners inside the Arup pattern with a spoofed email, a cloned-voice voicemail, and a deepfake video call requesting a wire. The vishing exercise drills the voice-channel pretext that often precedes or follows a BEC email. The callback phishing exercise covers the reverse-vishing variant where the inbound message asks the target to call a number that routes to an attacker. The spear-phishing and social engineering exercises build the underlying verification reflex against targeted pretexts that defeat generic awareness training.

Every exercise ships as a SCORM 1.2 and SCORM 2004 package so it drops into Cornerstone, Workday Learning, Docebo, SAP SuccessFactors, or any standards-compliant LMS without integration work. Programs are scoped by role rather than blasted to all-staff: finance and AP get BEC, vendor invoice, and deepfake-wire scenarios; HR and payroll get data-theft BEC and payroll diversion drills; executives and their assistants get whaling and deepfake video. The result is a verification reflex that transfers across email, SMS, voice, and video, measured by reporting rate and time-to-report rather than click rate alone, and refreshed monthly to track attacker tradecraft as it shifts.

How does business email compromise work, and why is it the biggest cybercrime loss category?

Business email compromise (BEC) is targeted email fraud in which an attacker impersonates an executive, vendor, or partner to redirect a payment or exfiltrate data. BEC rarely uses malware. The payload is identity itself, delivered through spoofed senders, hijacked mailboxes, or lookalike domains. The FBI IC3 reported $2.9 billion in adjusted BEC losses across 21,489 complaints in 2023 — the single largest cybercrime loss category by dollar value.

BEC splits into five subtypes the FBI tracks separately. CEO fraud pressures a subordinate into a wire. Vendor invoice fraud hijacks a real supplier thread and inserts a change-of-bank-details message. Attorney impersonation uses a confidential legal pretext. Payroll diversion targets HR. Data-theft BEC asks for W-2 rosters. Named cases include the 2024 Arup $25M deepfake chain and the 2016 FACC €42M aerospace CEO fraud.

Defense layers technical and human controls. Technical: DMARC at p=reject with aligned SPF and DKIM, phishing-resistant MFA, monitoring for silent mail-forwarding rules and OAuth consent abuse, lookalike domain takedowns. Human: dual authorization with callback verification on a known internal number, external-sender banners, and quarterly wire-fraud drills covering FBI IC3 filing inside the 72-hour Recovery Asset Team window.


Frequently Asked Questions

What security leaders ask about this threat.

What is business email compromise?

Business email compromise (BEC) is a targeted email fraud in which an attacker impersonates an executive, a vendor, or a trusted partner to redirect a payment, exfiltrate sensitive data, or gain a foothold inside a financial workflow. BEC rarely uses malware. The payload is identity itself: spoofed senders, hijacked mailboxes, or lookalike domains that slip through secure email gateways because no link or attachment is involved.

BEC sits inside the broader phishing umbrella but targets workflow trust rather than mailbox compromise as an end in itself. The attack lives or dies on social engineering against finance, accounts payable, payroll, HR, and legal staff who control payment release and data access.

How much does BEC cost businesses?

The FBI Internet Crime Complaint Center logged 21,489 BEC complaints in 2023 with $2.9 billion in adjusted losses, making BEC the single largest category of reported cybercrime loss by dollar value. Average single-incident loss runs above $130,000, but individual cases have moved tens of millions in a single wire.

Recent published losses include the 2024 Arup $25 million deepfake-enabled wire fraud in Hong Kong, the 2024 Pepco Group €15.5 million Hungarian operation loss, and the 2016 FACC €42 million Austrian aerospace CEO fraud that resulted in the firing and civil litigation of both the CEO and CFO.

What are the 5 types of BEC?

The FBI tracks five operational BEC subtypes. CEO fraud impersonates a senior leader to pressure a subordinate into a wire or gift-card purchase. Vendor invoice fraud (also called vendor email compromise or VEC) hijacks a real supplier thread and inserts a change-of-bank-details message at the right point in the payment cycle. Attorney impersonation arrives as a confidential urgent legal pretext during a real transaction window.

Payroll diversion targets HR staff with a request to change an employee's direct-deposit account, often timed before payday. Data-theft BEC asks HR or finance for W-2 rosters, employee PII, or tax documents, then resells the data into synthetic-identity fraud rings. Each subtype has a different target role, a different timing window, and a different exfiltration path.

How is BEC different from phishing?

Phishing is the broad category of fraudulent message attacks that impersonate a trusted source. Bulk phishing fires one generic template at millions of inboxes and counts on a tiny conversion rate. BEC is the financially motivated subset of phishing that targets finance, AP, payroll, and HR staff with payment-redirection or data-theft pretexts.

The mechanical difference matters: most BEC messages carry no link, no attachment, and no malware payload, which is why secure email gateways and URL sandboxing pass them through. Defense shifts from technical filtering to identity verification, workflow segregation, and out-of-band callback policies. The same DMARC and MFA controls apply, but human verification carries more weight against BEC than against generic phishing.

Does MFA stop BEC?

Traditional MFA (SMS codes, push prompts, TOTP authenticator apps) does not stop the mailbox-compromise variant of BEC. Adversary-in-the-middle kits like Evilginx, Modlishka, and EvilProxy proxy the real login flow, so the user types a real password and approves a real MFA prompt while the kit harvests the post-authentication session cookie. The attacker replays the cookie, the session is live, and the BEC pipeline gets a fresh hijacked mailbox.

Phishing-resistant MFA (FIDO2 hardware keys and platform passkeys) does block this path. The cryptographic challenge is bound to the legitimate domain, so a fake login page cannot complete the handshake. MFA alone does nothing against the spoofed-sender or lookalike-domain variants of BEC, which is why DMARC, callback verification, and dual authorization remain core BEC controls regardless of MFA posture.

What should an organization do if hit by BEC?

Move inside the 72-hour FBI Recovery Asset Team window. Call the originating bank's fraud line immediately and request a wire recall; speed matters because funds disperse into correspondent banking layers and crypto within 24 to 48 hours. File with the FBI IC3 portal at ic3.gov so the Recovery Asset Team can coordinate with receiving banks on freeze orders. Notify the cyber insurer per policy terms, often inside 24 hours.

In parallel, freeze the affected endpoint, rotate credentials and OAuth consents, audit the mailbox for silent forwarding rules, and preserve forensic logs. Engage outside counsel and incident response for regulatory notification timelines (GDPR Article 33 inside 72 hours if EU personal data is involved, plus state-by-state breach notification in the US). Run a post-incident review against the dual-authorization and callback-verification policy to identify the specific control gap that allowed the wire to clear.

Train Your Team Against This Threat

Book a 30-minute walkthrough. We will scope the exercise sequence and rollout timeline.