Business Email Compromise (BEC) is what the FBI calls the $50-billion problem. In 2024 alone, U.S. companies lost more than $2.9 billion to BEC scams, more than to ransomware. Most attacks don't involve malware at all; they are pure social engineering. Here's the full script, step by step, and the two controls any business can implement this week to shut it down.
The attack, step by step
Step 1: Recon. The attacker identifies your CEO, CFO, or controller on LinkedIn. They note the org chart, the accounting software you mention in case studies, and any vendors you’ve publicly announced. Often they go further — a breached mailbox elsewhere gives them real email threads to mimic.
Step 2: Spoofed sender. They register a lookalike domain — y0urcompany.com with a zero instead of an “o”, or yourcompany-accounting.com. They send email from this domain that looks exactly like mail from your CEO. Or they compromise the CEO’s actual mailbox via phishing and send from there.
Step 3: The ask. A message arrives at your accounts-payable team or a junior finance staffer: “Hi, I need you to process an urgent wire transfer. It’s for a confidential acquisition — please don’t discuss with anyone. The details are below. I’m in meetings all day, please text me when it’s done.”
Step 4: The follow-up. Urgency and authority do the work. The staffer doesn’t want to bother the CEO. They process the wire. By the time anyone discovers the transfer was fraudulent — often days later when the CEO mentions it in passing — the money is gone through a chain of intermediary accounts.
The vendor-payment variant
Equally common: an attacker compromises your vendor’s email (or yours) and sends a “bank details have changed — please route future invoices to this new account” message. Nothing urgent, nothing dramatic. Your AP team updates the record. The next invoice payment goes to the attacker. This variant often takes 3-6 months to notice.
Run any suspect message through our Business Email Compromise Checker — it scores the common BEC linguistic patterns in seconds.
The two controls that kill BEC
1. Out-of-band verification for every wire or banking change
Rule: no wire transfer or change of banking details is processed without a phone call to a known number. Not the number in the email. Not a number provided in the email. The number you already have — from the vendor’s website, their contract, your contacts list.
This one rule defeats every BEC variant that ends in a payment instruction, because the attacker controls the email thread but not the phone number you already have on file for the real person. One two-minute phone call breaks the attack.
Document this as company policy. Make it mandatory. Train AP staff that they will never be in trouble for insisting on a verification call — they will be in trouble for skipping it.
2. DMARC at p=reject + domain-lookalike monitoring
DMARC (built on SPF and DKIM) lets receiving mail servers reject mail whose From header uses your exact domain without authorization. With p=reject published, a fake "CEO" message sent as yourcompany.com is rejected at any DMARC-enforcing gateway before it reaches your staff's inbox. Note what it does not cover: a lookalike domain the attacker owns (which can pass its own DMARC checks) or a compromised real mailbox, which is why lookalike monitoring and out-of-band verification still matter. Check your current DMARC with our DMARC Checker.
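To make the distinction concrete, here is an added example (not the page's DMARC Checker) that parses a DMARC record and lists what still gets through. The records it evaluates are constructed samples; the only real-world input is the TXT record you would fetch at _dmarc.yourdomain, for example with dnspython or dig.

```python
"""Score a DMARC record for how well it blocks exact-domain spoofing.

Added example, not the page's DMARC Checker. It parses the tag=value syntax
of RFC 7489 and reports the settings that still let spoofed mail through.
p=reject only bites at receivers that evaluate DMARC and only for your exact
domain; lookalike domains are outside its scope. SAMPLES are constructed.
"""
import re

TAG_RE = re.compile(r"\s*([A-Za-z]+)\s*=\s*(.*?)\s*$")

SAMPLES = {  # constructed records, not real DNS data
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.com",
    "partial": "v=DMARC1; p=reject; sp=none; pct=50; rua=mailto:dmarc@yourcompany.com",
    "hardened": "v=DMARC1; p=reject; rua=mailto:dmarc@yourcompany.com; adkim=s; aspf=s",
}


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=reject; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'reject', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        m = TAG_RE.match(part)
        if m:
            tags[m.group(1).lower()] = m.group(2)
    return tags


def evaluate_dmarc(record: str) -> dict:
    """Return the published policy, whether it is fully enforcing, and the gaps left open."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"policy": None, "enforcing": False,
                "gaps": ["no valid DMARC record (v=DMARC1 missing): receivers apply no policy"]}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return {"policy": None, "enforcing": False,
                "gaps": [f"missing or invalid p= tag ({policy!r}): receivers ignore the record"]}
    gaps = []
    if policy == "none":
        gaps.append("p=none is monitoring only: spoofed mail is still delivered")
    elif policy == "quarantine":
        gaps.append("p=quarantine sends spoofed mail to spam, where staff can still act on it")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if pct < 100:
        gaps.append(f"pct={pct}: only {pct}% of failing messages get the policy applied")
    subdomain_policy = tags.get("sp", policy).lower()  # subdomains inherit p= unless sp= overrides
    if subdomain_policy != "reject":
        gaps.append(f"subdomain policy is {subdomain_policy}: mail from your subdomains can be spoofed")
    if not tags.get("rua"):
        gaps.append("no rua= address: you get no aggregate reports and cannot see who is spoofing you")
    return {"policy": policy, "enforcing": policy == "reject" and pct == 100, "gaps": gaps}


if __name__ == "__main__":
    for name, record in SAMPLES.items():
        result = evaluate_dmarc(record)
        print(f"{name:11s} policy={result['policy']} enforcing={result['enforcing']}")
        for gap in result["gaps"]:
            print("   -", gap)
```

The "partial" sample is the common half-finished rollout: p=reject looks done, but pct=50 lets half of the spoofed mail through and sp=none leaves every subdomain open. Only the "hardened" record comes back with an empty gap list.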
Separately, monitor for lookalike domains. Commercial DMARC and brand-protection services (EasyDMARC is one), open-source typosquat generators such as dnstwist, or even regular manual checks against our Fake Brand URL Detector surface the "y0urcompany.com" registrations that attackers spin up.
Train your team on the patterns
Every staff member who handles money or vendor data should recognize:
- Urgency — “I need this done right away”
- Secrecy — “Please don’t discuss with anyone”
- Authority — email appears to be from CEO, CFO, general counsel
- Banking change — “New account” in an otherwise-normal message
- Unreachable sender — “I’m in meetings, text when done”
- Slight domain difference — check the actual sender address behind the display name, not just the name shown, on every payment-related message
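As an added example (not the page's BEC Checker or Email Header Analyzer), the following Python script applies these patterns, plus the sender checks from Steps 2 and 4 above, to a raw message: it parses the headers, classifies the From domain as exact, lookalike or unrelated, compares the display name against a list of real executive addresses, reads the gateway's Authentication-Results, and flags the phrase patterns. The legitimate domain, executive list, phrase regexes and sample message are constructed assumptions.

```python
"""Triage an inbound message for the BEC patterns listed above.

Added example using only the Python standard library; it is not the page's BEC
Checker or Email Header Analyzer. LEGIT_DOMAIN, EXECUTIVES, the phrase patterns
and SAMPLE_MESSAGE are constructed for illustration.
"""
import email
import re
from email import policy
from email.utils import parseaddr

LEGIT_DOMAIN = "yourcompany.com"                       # assumption: your real mail domain
EXECUTIVES = {"jane doe": "jane.doe@yourcompany.com"}  # constructed: real executive addresses
# Substitutions attackers use in lookalike domains (illustrative, not exhaustive).
HOMOGLYPHS = [("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m"), ("vv", "w")]
# The linguistic patterns from the list above, as loose case-insensitive regexes.
PATTERNS = {
    "urgency": r"\b(urgent|urgently|right away|asap|immediately)\b",
    "secrecy": r"\b(confidential|don.t (discuss|mention|tell)|keep this between)\b",
    "banking change": r"\b(new (bank )?account|bank(ing)? details? (has|have) changed)\b",
    "unreachable sender": r"\b(in meetings|can.t talk|text me|only by email)\b",
    "payment request": r"\b(wire transfer|wire|transfer funds|process .{0,20}payment)\b",
}
# Constructed sample: the Step 3 message, sent from a zero-for-o lookalike domain.
SAMPLE_MESSAGE = """\
From: "Jane Doe" <jane.doe@y0urcompany.com>
To: ap@yourcompany.com
Subject: Quick favour
Authentication-Results: mx.yourcompany.com; dmarc=none header.from=y0urcompany.com
Content-Type: text/plain; charset="utf-8"

Hi, I need you to process an urgent wire transfer. It's for a confidential
acquisition - please don't discuss with anyone. The details are below.
I'm in meetings all day, please text me when it's done.
"""

def normalize(label: str) -> str:
    """Undo the usual homoglyph tricks so y0urc0mpany compares equal to yourcompany."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance by plain dynamic programming (catches dropped/added letters)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_verdict(sender_domain: str) -> str:
    """'exact' (our domain or a subdomain of it), 'lookalike', or 'unrelated'."""
    sd = sender_domain.lower()
    if sd == LEGIT_DOMAIN or sd.endswith("." + LEGIT_DOMAIN):
        return "exact"
    legit_label = LEGIT_DOMAIN.split(".")[-2]
    sd_label = sd.split(".")[-2] if "." in sd else sd  # simplification: no public-suffix list
    if normalize(sd_label) == legit_label or legit_label in sd_label:
        return "lookalike"
    return "lookalike" if edit_distance(sd_label, legit_label) <= 2 else "unrelated"

def triage(raw_message: str) -> dict:
    """Return what an AP reviewer should know before acting on the message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    display_name, address = parseaddr(str(msg["From"] or ""))
    from_domain = address.rpartition("@")[2].lower()
    findings = []
    verdict = domain_verdict(from_domain)
    if verdict == "lookalike":
        findings.append(f"slight domain difference: {from_domain} imitates {LEGIT_DOMAIN}")
    # Authority: a known executive's display name on an address that is not theirs.
    real = EXECUTIVES.get(display_name.lower())
    if real and address.lower() != real:
        findings.append(f"authority: display name {display_name!r} but address is {address}")
    # A Reply-To elsewhere silently diverts the conversation away from the real mailbox.
    _, reply_to = parseaddr(str(msg["Reply-To"] or ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        findings.append(f"reply-to mismatch: {reply_to}")
    # Authentication-Results stamped by our own gateway. dmarc=pass only proves the sending
    # domain authorised the mail; a lookalike domain the attacker owns passes just as well.
    auth = str(msg["Authentication-Results"] or "")
    match = re.search(r"\bdmarc=(\w+)", auth)
    dmarc = match.group(1).lower() if match else "absent"
    if verdict == "exact" and dmarc != "pass":
        findings.append(f"our own domain in From but dmarc={dmarc}")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "") + " " + str(msg["Subject"] or "")
    findings += [name for name, pat in PATTERNS.items() if re.search(pat, text, re.IGNORECASE)]
    hold = verdict == "lookalike" or (verdict == "exact" and dmarc == "fail") or len(findings) >= 3
    return {"from_domain": from_domain, "domain": verdict, "dmarc": dmarc,
            "findings": findings, "hold_for_callback": hold}
```

Calling triage(SAMPLE_MESSAGE) returns a lookalike verdict with the authority, urgency, secrecy, unreachable-sender and payment-request findings and hold_for_callback set. The phrase list is deliberately loose, so treat a hit as a reason to make the callback, not as proof of fraud; the domain check is the stronger signal, and a dmarc=fail on your own domain should always hold the message.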
If you were hit: the first hour matters
If a wire went out and you suspect BEC:
- Call your bank immediately. Ask for wire recall. If within 72 hours, there’s a meaningful chance of recovery.
- File a complaint with FBI IC3 at IC3.gov. The FBI's Financial Fraud Kill Chain can attempt to freeze funds across international correspondent banks, but it is aimed at large international wires (the FBI's threshold is $50,000) reported within 72 hours, so speed matters.
- Notify the other party (vendor or customer) — they may be compromised too.
- Preserve evidence — full email headers, the original message (run through our Email Header Analyzer to extract metadata), any attachments.
- Change all relevant passwords, revoke active sessions, and force MFA on all finance and exec accounts. Also check the affected mailboxes for attacker-created inbox rules and forwarding: BEC actors routinely add rules that hide or divert replies so the victim never sees the real correspondence.
FAQ
My company is small — are we a target?
Yes. BEC attacks scale down — small businesses are easier to compromise and rarely have verification controls. The median loss for small businesses is $15k-$50k per incident. Worth more to the attacker than it sounds.
Can insurance cover BEC losses?
Some cyber policies cover social-engineering losses explicitly, many don’t. Check yours — look for “social engineering fraud” or “fraudulent instruction” coverage with an explicit sublimit. Our Cyber Insurance Readiness Tool covers the controls underwriters look for.
What about AI deepfakes over video?
Growing concern. In 2024, a Hong Kong finance worker wired $25M after a deepfake Zoom call with “the CFO.” The out-of-band verification rule still applies: even a live Zoom request for a wire needs a callback to a known number before execution.