How Business Email Compromise (BEC) Works
Business Email Compromise attacks follow a deliberate, multi-stage process that relies on research, impersonation, and urgency rather than malware or exploits. Understanding the attack chain is the first step to dismantling it. Unlike automated fraud that can be blocked by rules, BEC is human-engineered — every step is designed to bypass both technical controls and human intuition.
Reconnaissance
The attacker researches the target organisation — studying LinkedIn profiles, company websites, press releases, and social media to identify key personnel, vendor relationships, financial processes, and ongoing business events (such as mergers or new supplier contracts).
Email Account Compromise or Spoofing
The attacker either compromises a legitimate email account through credential theft (see account takeover) or registers a lookalike domain that mimics the trusted sender. Lookalike domains typically substitute visually similar characters ('rn' for 'm') or add a hyphen, so that the difference is missed at a glance.
Trust Establishment
In some campaigns, the attacker lurks inside a compromised inbox for days or weeks, reading email threads and learning communication style, tone, and ongoing negotiations before acting. This makes subsequent fraudulent messages nearly indistinguishable from legitimate ones.
The Fraudulent Request
The attacker sends a carefully crafted email — typically impersonating a CEO, CFO, or known vendor — requesting an urgent wire transfer, a change to bank account details, or sensitive payroll or tax information. The message often invokes urgency, confidentiality, or authority to suppress the recipient's instinct to verify.
Fund Transfer or Data Exfiltration
An employee, believing the request is legitimate, initiates the payment or hands over the data. Funds are typically wired to accounts controlled by the attacker — often overseas — and quickly moved through multiple accounts or converted, making recovery difficult.
Discovery and Response
The fraud is usually discovered during routine reconciliation — sometimes days later. By this point, funds may already be beyond reach. Victims must immediately notify their bank and report to authorities to maximise recovery chances.
Why Business Email Compromise (BEC) Matters
BEC is not a niche threat — it is the single highest-loss cybercrime category reported to law enforcement globally. For payment professionals and ecommerce operators, BEC represents a systemic risk that sits at the intersection of human behaviour and financial infrastructure. The financial impact dwarfs most other fraud types because successful attacks often target large, one-time transfers rather than small repeated transactions.
According to the FBI's Internet Crime Complaint Center (IC3), BEC schemes caused $2.9 billion in adjusted losses in the United States alone in 2023, accounting for the largest share of total cybercrime losses that year. Globally, the Cybersecurity and Infrastructure Security Agency (CISA) estimates BEC has caused over $50 billion in cumulative losses since 2013. A 2023 Verizon Data Breach Investigations Report found that social engineering attacks — the foundation of BEC — were involved in 17% of all breaches, with the median amount transferred in pretexting incidents reaching $50,000.
These figures underscore why BEC cannot be treated as an IT problem alone. It is a financial controls problem, a vendor management problem, and a culture problem that demands cross-functional response.
BEC vs. General Phishing Losses
While phishing affects more organisations by volume, the average loss per BEC incident is orders of magnitude higher — often $100,000+ per event compared to a few hundred dollars for credential phishing. BEC's precision targeting is what drives its outsized financial damage.
Business Email Compromise (BEC) vs. Phishing
BEC and phishing are frequently confused, but their mechanics, targets, and defences differ significantly. Understanding the distinction helps security and finance teams apply the right controls.
| Dimension | Business Email Compromise (BEC) | Phishing |
|---|---|---|
| Target | Specific individuals in finance, HR, or executive roles | Broad, often untargeted populations |
| Payload | No malicious link or attachment — pure social engineering | Malicious link, attachment, or credential-harvest page |
| Goal | Fraudulent wire transfer or sensitive data | Credential theft, malware installation |
| Detection difficulty | Very high — passes most email filters | Moderate — signature-based tools catch many variants |
| Average loss per incident | $100,000+ | Hundreds to low thousands |
| Technique | Impersonation, urgency, authority | Spoofed branding, fake login pages |
| Primary defence | Out-of-band verification, payment controls | Email filtering, MFA, security training |
Both attack types exploit human trust and are rooted in social engineering. However, BEC's lack of technical indicators means it evades many automated defences that stop phishing effectively.
Types of Business Email Compromise (BEC)
BEC is not a single attack pattern — it encompasses several distinct variants, each targeting a different business process. Attackers select their approach based on the target organisation's structure and vulnerabilities.
CEO Fraud (Executive Impersonation): The attacker poses as the CEO or another senior executive, emailing a finance employee with an urgent, confidential request to wire funds. The authority gradient discourages the recipient from questioning the request or following standard approval procedures.
Vendor or Supplier Impersonation: The attacker impersonates a known supplier or partner, sending updated banking details and requesting that future payments be redirected. This is particularly effective because the communication fits naturally into existing invoice workflows.
Attorney Impersonation: Attackers pose as legal counsel, often referencing time-sensitive matters like acquisitions or litigation settlements that demand confidentiality and speed. This variant exploits the authority and urgency associated with legal proceedings.
Payroll Diversion: HR or payroll employees receive requests — ostensibly from other employees — to update direct deposit account information. The fraudulent account receives the next payroll cycle before the fraud is detected.
Email Account Compromise (EAC): Rather than spoofing, the attacker takes over a legitimate employee's email account and uses it to send fraudulent requests from a real, trusted address. This variant is the hardest to detect because the email originates from a genuine account with a full legitimate history.
Data Theft BEC: Instead of requesting money, attackers request sensitive data — W-2 forms, employee PII, or customer records — which are then used in follow-on fraud schemes or sold on criminal marketplaces.
Best Practices
Preventing BEC requires layered defences that address both the technical email infrastructure and the human decision-making layer where these attacks ultimately succeed.
For Merchants
Establish a strict out-of-band verification policy for any payment instruction change, new payee addition, or banking detail update. This means calling the vendor or executive on a phone number sourced independently — not from the email itself — before processing the transaction.
Implement dual-approval workflows for wire transfers above a defined threshold. No single employee should be able to authorise and execute a large payment unilaterally, regardless of who is requesting it.
Conduct regular security awareness training that includes BEC-specific scenarios. Employees in finance, HR, and procurement are highest-risk and should receive targeted training with simulated BEC exercises, not just generic phishing tests.
Work with your finance team to establish payment freeze windows: a defined period (e.g., 24 hours) before any new payee wire transfer is processed, giving time for out-of-band verification without creating operational friction.
Monitor vendor and partner communications for signs of compromise. If a known contact suddenly changes communication tone, requests urgency, or asks for new banking details, treat it as a potential authorised push payment fraud scenario and verify before acting.
For Developers
Configure DMARC, DKIM, and SPF on all company domains — including subsidiary and legacy domains that are no longer used for sending email. Unused domains without email authentication records are prime candidates for BEC spoofing.
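As an added example (not Tagada's code, and not any DNS library's API), the script below evaluates SPF and DMARC TXT records against the advice above: a domain that never sends mail is expected to publish exactly `v=spf1 -all` plus a DMARC record with an enforcing policy, and a sending domain is flagged when its SPF ends in `+all`/`?all`, its DMARC policy is `p=none`, or no aggregate-report address is set. The `.test` domain names and TXT values are constructed samples; in production you would fetch each domain's TXT record and the record at `_dmarc.<domain>` with a DNS resolver and pass the strings to `assess()`.

```python
"""Assess SPF and DMARC TXT records for company domains, including ones that never send mail.

Added example, not Tagada's code. Domains and TXT values below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class AuthAssessment:
    domain: str
    sends_mail: bool
    findings: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.findings

# SPF mechanisms that authorise a host to send as the domain.
SENDER_MECHANISMS = ("a", "mx", "include", "ip4", "ip6", "exists", "ptr")

def check_spf(record: Optional[str], sends_mail: bool) -> List[str]:
    """Findings for an SPF TXT record; None means no record is published."""
    if record is None:
        return ["no SPF record published"]
    if not record.lower().startswith("v=spf1"):
        return ["record does not start with v=spf1"]
    findings: List[str] = []
    terms = record.split()[1:]
    # The 'all' mechanism decides the fate of senders matched by nothing before it.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism; unmatched senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("ends in +all, which authorises every sender on the internet")
        elif qualifier == "?":
            findings.append("ends in ?all (neutral), which gives receivers no signal")
        elif qualifier == "~" and not sends_mail:
            findings.append("non-sending domain should publish exactly 'v=spf1 -all'")
    mechanisms = (t.lstrip("+-~?").split(":")[0].split("/")[0].lower() for t in terms)
    if not sends_mail and any(m in SENDER_MECHANISMS for m in mechanisms):
        findings.append("non-sending domain still authorises sending hosts")
    return findings

def check_dmarc(record: Optional[str]) -> List[str]:
    """Findings for the TXT record at _dmarc.<domain>; None means none is published."""
    if record is None:
        return ["no DMARC record; receivers enforce nothing on spoofed mail"]
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip().lower()
    if tags.get("v") != "dmarc1":
        return ["missing v=DMARC1 tag"]
    findings: List[str] = []
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if policy in ("quarantine", "reject") and tags.get("pct", "100") != "100":
        findings.append(f"policy applied to only {tags['pct']}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address, so spoofing attempts are never reported")
    return findings

def assess(domain: str, spf: Optional[str], dmarc: Optional[str], sends_mail: bool = True) -> AuthAssessment:
    result = AuthAssessment(domain, sends_mail)
    result.findings.extend("SPF: " + f for f in check_spf(spf, sends_mail))
    result.findings.extend("DMARC: " + f for f in check_dmarc(dmarc))
    return result

# Constructed sample records for hypothetical domains (not real DNS data).
SAMPLE_RECORDS = {
    "example-corp.test": {"spf": "v=spf1 include:_spf.mailprovider.test -all",
                          "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example-corp.test",
                          "sends_mail": True},
    "example-corp-legacy.test": {"spf": "v=spf1 a mx ~all", "dmarc": None, "sends_mail": False},
    "subsidiary.test": {"spf": None, "dmarc": "v=DMARC1; p=none", "sends_mail": True},
}

def assess_all(records=SAMPLE_RECORDS) -> Dict[str, AuthAssessment]:
    return {d: assess(d, r["spf"], r["dmarc"], r["sends_mail"]) for d, r in records.items()}

if __name__ == "__main__":
    for domain, a in assess_all().items():
        print(f"{domain}: {'OK' if a.ok else 'ACTION NEEDED'}")
        for finding in a.findings:
            print("  -", finding)
```

The legacy domain in the sample is the case the paragraph warns about: it has records, but a soft-fail `~all` and no DMARC policy leave it usable for spoofing, so the assessment asks for `-all` and an enforcing DMARC record rather than treating the presence of any record as sufficient.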
Integrate AI-powered email security tools (Microsoft Defender for Office 365, Google Workspace DLP, or third-party solutions like Abnormal Security) that detect anomalous sender behaviour, lookalike domains, and unusual communication patterns.
Enforce MFA on all business email accounts, including shared mailboxes. Credential phishing is the leading pathway into legitimate email accounts used for EAC-style BEC attacks.
Build internal tooling that flags payment requests arriving via email — particularly those referencing urgency, confidentiality, or account number changes. Routing these through a secondary approval channel reduces reliance on individual employee judgment under social pressure.
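The following is an added example of such internal tooling, written here for this page rather than taken from Tagada or any email security product. It triages inbound messages on the signals named above (urgency, confidentiality pressure, bank-detail or wire instructions) and on the sender-side tells from the Reconnaissance and Common Mistakes sections: a sender domain that collapses onto a trusted domain once confusable sequences such as 'rn' for 'm' and inserted hyphens are normalised, and a Reply-To domain that differs from the From domain. `TRUSTED_DOMAINS`, the confusable table, the keyword patterns and the three sample messages are all constructed assumptions.

```python
"""Triage inbound emails that carry payment instructions.

Added example, not Tagada's or any email security vendor's code. The
trusted-domain list, the confusable table and the messages are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Hypothetical allow-list of internal and known vendor domains.
TRUSTED_DOMAINS = {"example-corp.test", "acme-supplies.test"}

# Character sequences that read as another character at a glance ('rn' for 'm', and similar).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "cl": "d"}

URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|asap|today|right away|end of day|eod)\b", re.I)
SECRECY = re.compile(r"\b(confidential|do not (?:discuss|share|mention)|between us)\b", re.I)
PAYMENT = re.compile(r"\b(new (?:bank|account) details|updated? (?:bank(?:ing)?|account|routing)|"
                     r"change (?:of )?bank|direct deposit|wire (?:transfer|instructions?))\b", re.I)

def skeleton(domain: str) -> str:
    """Normalise a domain so lookalikes collapse onto the trusted spelling."""
    d = domain.lower()
    for seq, canon in CONFUSABLES.items():
        d = d.replace(seq, canon)
    return d.replace("-", "")

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(sk, skeleton(trusted)) <= 1:
            return trusted
    return None

@dataclass
class Email:
    sender: str
    reply_to: str
    subject: str
    body: str

def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()

def triage(msg: Email) -> Dict[str, object]:
    """Decide whether a message must go to secondary approval, and why."""
    signals: List[str] = []
    text = f"{msg.subject}\n{msg.body}"
    is_payment = bool(PAYMENT.search(text))
    if is_payment:
        signals.append("payment or bank-detail instruction")
    if URGENCY.search(text):
        signals.append("urgency pressure")
    if SECRECY.search(text):
        signals.append("confidentiality pressure")
    sender_dom = domain_of(msg.sender)
    imitated = lookalike_of(sender_dom)
    if imitated:
        signals.append(f"sender domain {sender_dom} imitates trusted {imitated}")
    reply_dom = domain_of(msg.reply_to) if msg.reply_to else sender_dom
    if reply_dom != sender_dom:
        signals.append(f"Reply-To domain {reply_dom} differs from sender {sender_dom}")
    priority = "high" if is_payment and len(signals) >= 2 else ("normal" if is_payment else "none")
    return {"route_to_secondary_approval": is_payment, "priority": priority, "signals": signals}

# Constructed sample messages (no real people or domains).
SAMPLE_EMAILS = [
    Email("cfo@exarnple-corp.test", "", "Urgent wire today",
          "Please process the wire transfer to the new bank details attached. "
          "Keep this confidential until the deal closes."),
    Email("accounts@acme-supplies.test", "accounts@acme-supplies-billing.test",
          "Remittance information", "We have updated banking details for future invoices."),
    Email("alice@example-corp.test", "", "Lunch on Friday?", "Same place as last time?"),
]

def triage_all(emails=SAMPLE_EMAILS) -> List[Dict[str, object]]:
    return [triage(m) for m in emails]

if __name__ == "__main__":
    for m, r in zip(SAMPLE_EMAILS, triage_all()):
        print(m.sender, "->", r["priority"], r["signals"])
```

Any message carrying a payment or bank-detail instruction is routed to the secondary channel regardless of how clean it looks, because the EAC variant sends from a genuine account and trips none of the sender checks; the extra signals only raise priority so that reviewers see the riskiest requests first.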
Implement fraud detection rules on outbound wire transfers at the bank or treasury management system level: flag first-time payees, amounts above threshold, international destinations, and requests outside business hours for manual review.
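The rule set in the paragraph above, as an added example that is neither Tagada's code nor a real bank or treasury system's API. The threshold, home country, business-hours window, known-payee ledger and the three transfer requests are constructed assumptions; a real deployment would read the ledger from the treasury system and hold every transfer with at least one finding for manual review before release. Beyond the four rules in the text, it also flags a known payee whose bank account differs from every account previously paid, which is the vendor-impersonation pattern described earlier on this page.

```python
"""Rule-based review gate for outbound wire transfers.

Added example, not Tagada's code. Thresholds, payee ledger and transfers are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, time
from typing import Dict, List, Set

HOME_COUNTRY = "GB"                       # assumption for the sample organisation
AMOUNT_THRESHOLD = 25_000.00              # assumption; set by finance policy
BUSINESS_HOURS = (time(8, 0), time(18, 0))

@dataclass
class Transfer:
    payee_id: str
    iban: str                # constructed strings, not real IBANs
    amount: float
    currency: str
    dest_country: str
    requested_at: datetime
    requested_via: str       # "dashboard" or "email"

@dataclass
class Decision:
    release: bool
    reasons: List[str] = field(default_factory=list)

def evaluate(t: Transfer, known_payees: Dict[str, Set[str]]) -> Decision:
    """known_payees maps payee_id to the set of bank accounts previously paid."""
    reasons: List[str] = []
    seen = known_payees.get(t.payee_id)
    if seen is None:
        reasons.append("first-time payee")
    elif t.iban not in seen:
        reasons.append("known payee with new bank account")
    if t.amount >= AMOUNT_THRESHOLD:
        reasons.append(f"amount {t.amount:,.2f} {t.currency} at or above threshold")
    if t.dest_country != HOME_COUNTRY:
        reasons.append(f"international destination {t.dest_country}")
    start, end = BUSINESS_HOURS
    if t.requested_at.weekday() >= 5 or not (start <= t.requested_at.time() < end):
        reasons.append("requested outside business hours")
    if t.requested_via == "email":
        reasons.append("instruction received by email rather than the payment dashboard")
    return Decision(release=not reasons, reasons=reasons)

# Constructed ledger and requests.
KNOWN_PAYEES: Dict[str, Set[str]] = {
    "V-1001": {"GB00TEST00000000000001"},
    "V-1002": {"GB00TEST00000000000002"},
}
SAMPLE_TRANSFERS = [
    # routine payment: known payee, known account, small, domestic, Tuesday morning
    Transfer("V-1001", "GB00TEST00000000000001", 4_500.00, "GBP", "GB", datetime(2024, 3, 12, 10, 30), "dashboard"),
    # redirected payment: same payee, new foreign account, large, Friday evening
    Transfer("V-1001", "LT00TEST00000000000009", 48_000.00, "GBP", "LT", datetime(2024, 3, 15, 19, 10), "dashboard"),
    # new payee whose instructions arrived by email
    Transfer("V-2099", "GB00TEST00000000000077", 9_000.00, "GBP", "GB", datetime(2024, 3, 13, 14, 0), "email"),
]

def evaluate_samples() -> List[Decision]:
    return [evaluate(t, KNOWN_PAYEES) for t in SAMPLE_TRANSFERS]

if __name__ == "__main__":
    for t, d in zip(SAMPLE_TRANSFERS, evaluate_samples()):
        print(t.payee_id, "RELEASE" if d.release else "HOLD FOR REVIEW", d.reasons)
```

The second sample transfer is the textbook redirection: nothing about it is malformed, yet four independent rules fire, which is the point of layering them at the treasury level rather than relying on the employee who keyed it in.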
Common Mistakes
Relying solely on email security tooling. BEC emails often contain no malicious links, no attachments, and no known threat signatures. Organisations that assume their email filter will catch BEC attacks consistently discover otherwise. Technical controls must be paired with procedural verification.
Verifying via the same email thread. A common response to a suspicious payment request is to reply to the email asking for confirmation. If the attacker controls the inbox or has spoofed the address, they will simply confirm the fraudulent request. Always verify through a separate, independently sourced channel.
Treating BEC as a pure IT problem. Finance and operations teams own the payment workflows that BEC exploits. Effective prevention requires finance leadership, not just security teams, to own and enforce payment verification policies.
Overlooking domain lookalikes. Organisations secure their primary domain but neglect subsidiary domains, regional variants, or legacy domains. Attackers register these unclaimed lookalikes and use them to send convincing BEC emails that pass basic sender checks.
Delayed incident reporting. Every hour between a fraudulent wire transfer and bank notification reduces recovery probability. Many organisations spend critical hours conducting internal investigations before contacting the bank. The correct order is: notify the bank immediately, then investigate.
Business Email Compromise (BEC) and Tagada
BEC attacks frequently target payment instructions and vendor banking details — the exact flows that pass through payment orchestration platforms. Tagada's payment orchestration layer can serve as a structural control point that reduces BEC exposure for merchants routing payments through it.
Because Tagada centralises payment routing and vendor payout configurations, merchants can enforce a policy that all banking detail changes must be made inside the Tagada dashboard — never via email instruction alone. This removes the most common BEC attack vector (emailed bank detail changes) from the payment workflow entirely. Combined with role-based access controls and audit logs on payee configuration, Tagada provides an auditable, tamper-resistant record that makes BEC-style redirection attacks significantly harder to execute without detection.