Chykalophia Docs

Business email compromise explained

What business email compromise (BEC) is, how it works, and the steps every small business can take to prevent it.

Tags: security, phishing, email, intermediate

Business email compromise — often shortened to BEC — is one of the most financially damaging types of cybercrime. The FBI reports that BEC causes billions of dollars in losses each year, and small businesses are among the most common victims.

Unlike many scams, BEC doesn't rely on technical hacking. It relies on impersonation and trust.

Quick summary

Business email compromise is when an attacker impersonates someone you trust — your CEO, a supplier, a lawyer — to trick you or your team into sending money or handing over credentials. The best defenses are: verify any unusual financial request by phone (using a number you already have), turn on two-factor authentication on all email accounts, and set a clear policy that payment details are never changed based on an email alone.

How BEC works

BEC attacks usually follow one of a few patterns:

The boss impersonation

An email appears to be from your CEO or owner — using either their real account (if it has been compromised) or a spoofed address that looks almost right.

The message asks for something urgent: a wire transfer, a gift card purchase, or login credentials. It says to keep the matter confidential and to act quickly.

The urgency and secrecy are deliberate — they are designed to bypass your normal caution.

The supplier payment redirect

An attacker monitors a supplier's email (often by compromising their account) and watches for an upcoming payment. At the right moment, they send an email — from the supplier's real address, or a convincing fake — saying the bank account details have changed.

The business pays the invoice to the new account — and the money is gone.

The lawyer/accountant impersonation

Before a business transaction (acquisition, real estate deal, legal settlement), attackers intercept or fake communications from a lawyer or financial professional, redirecting funds at the critical moment.

Why BEC is so effective

It does not use malware or technical exploits. The tools are simply email and social engineering.

  • The emails often come from real, compromised accounts — so no spam filter catches them
  • Attackers research the business before striking: they know names, relationships, and pending deals
  • The requests are designed to match things that actually happen in the business
  • Urgency and authority ("the CEO needs this now") are proven ways to override careful judgment

Prevention measures

Turn on two-factor authentication for all email accounts. The most common way attackers send BEC emails from a real account is by breaking into that account. 2FA makes this much harder. See How to set up two-factor authentication.

Establish a verbal verification policy for financial requests. Any request to transfer money, change bank details, or take financial action that comes via email must be confirmed by phone call — using a number already in your records, not one from the email.

Set a policy: payment details are never changed by email alone. This single rule stops the supplier payment redirect cold.

Train your team to recognize the patterns. Share examples. Make it safe for anyone to pause and say "this feels off — let me verify."

Enable email authentication records (SPF, DKIM, DMARC) on your domain. This makes it harder for attackers to spoof emails that appear to come from your own domain. Ask your email provider or ask us to set these up. See Email DNS records.
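An added example (not part of the Chykalophia Docs page) that shows what a weak SPF or DMARC record looks like beside a corrected one, and checks a record for the settings that still leave a domain easy to spoof. The record strings are constructed for illustration; to check a real domain you would fetch the TXT records for the domain itself and for its `_dmarc` subdomain from DNS and pass them to the same functions.

```python
"""Flag SPF / DMARC settings that leave a domain spoofable.

Constructed sample records; assumptions are marked in comments.
"""

# Constructed records: a "weak" pair beside the corrected pair.
WEAK_SPF = "v=spf1 include:_spf.example-provider.net +all"     # +all: anyone may send
STRONG_SPF = "v=spf1 include:_spf.example-provider.net -all"   # -all: only listed senders
WEAK_DMARC = "v=DMARC1; p=none"                                # monitor only, no reports
STRONG_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"


def check_spf(record: str) -> list[str]:
    """Return a list of weaknesses in an SPF TXT record (empty list = none found)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record (missing v=spf1)"]
    mechanisms = [t.lower() for t in terms[1:]]
    findings = []
    if "+all" in mechanisms or "all" in mechanisms:
        findings.append("'+all' lets any server on the internet send as this domain")
    elif "?all" in mechanisms:
        findings.append("'?all' is neutral: unlisted senders are not marked as failing")
    elif "~all" not in mechanisms and "-all" not in mechanisms:
        findings.append("no 'all' mechanism: unlisted senders are not explicitly rejected")
    return findings


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list[str]:
    """Return a list of weaknesses in a DMARC TXT record (empty list = none found)."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record (missing v=DMARC1)"]
    findings = []
    policy = tags.get("p", "").lower()
    if not policy:
        findings.append("no 'p' tag: receivers ignore a DMARC record without a policy")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    pct = tags.get("pct")
    if pct is not None and pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no 'rua' tag: you receive no aggregate reports showing who spoofs you")
    return findings


def assess(spf_record: str, dmarc_record: str) -> dict[str, list[str]]:
    """Run both checks and return findings keyed by record type."""
    return {"spf": check_spf(spf_record), "dmarc": check_dmarc(dmarc_record)}


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(label, assess(spf, dmarc))
```

DKIM is not checked here because its record lives under a selector name that differs per provider; the page's advice to have your provider set up all three records still stands.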

What to do if it has already happened

If you believe you or a team member has been targeted:

If money was transferred, contact your bank immediately and explain it was fraud. Speed matters — a reversal is sometimes possible within hours, much harder after that.

If credentials were shared, change passwords on every affected account right now. Enable 2FA if it wasn't on.

If the attack came through a real email account, that account may be compromised. Change its password, review recent sent messages, and check for any email-forwarding rules that shouldn't be there.

Report the fraud to the FBI's Internet Crime Complaint Center (IC3) at ic3.gov (US) or your country's equivalent authority.

Notify affected parties — your bank, any suppliers involved, your business insurance if applicable.

Act within hours, not days

Wire fraud is extremely time-sensitive. The sooner your bank is notified, the better the chance of recovering funds. Do not wait to gather information — call your bank first.

Checking for email rules planted by attackers

If an attacker had access to an email account, they sometimes set up forwarding rules to keep receiving your emails even after you change the password. Check for these:

  • In Gmail: Settings → See all settings → Filters and Blocked Addresses, and Forwarding and POP/IMAP
  • In Outlook: Settings → Mail → Rules
  • In Google Workspace admin: check for delegated access on the account

Delete any rules you didn't create. Revoke any delegated access you don't recognize.
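An added example (not part of the Chykalophia Docs page) that runs the same review over a list of mailbox rules: it flags rules that forward mail outside your own domain, rules that delete or bury finance-related messages, and rules with blank or one-character names. The rule records are constructed for illustration in a generic shape (name, conditions, actions); the settings pages listed above show the same information, and the finance keywords and the single-character-name heuristic are this example's own assumptions.

```python
"""Flag mailbox rules that look attacker-planted.

Constructed sample rules; field names and keywords are this example's assumptions.
"""

OWN_DOMAIN = "example.com"  # assumption: the business's own mail domain

# Assumption: words that often appear in the mail an attacker wants to intercept.
FINANCE_WORDS = ("invoice", "payment", "bank", "wire", "remit", "account")

# Constructed export of four rules in a generic shape.
SAMPLE_RULES = [
    {"name": "Newsletters",
     "conditions": {"from_contains": "news@"},
     "actions": {"move_to": "Newsletters"}},
    {"name": ".",
     "conditions": {"subject_contains": ["invoice", "payment", "bank details"]},
     "actions": {"forward_to": "accounts-payable@lookalike-mail.example", "delete": True}},
    {"name": "Team forward",
     "conditions": {},
     "actions": {"forward_to": "shared-inbox@example.com"}},
    {"name": "Hide",
     "conditions": {"from_contains": "bank"},
     "actions": {"move_to": "RSS Subscriptions", "mark_read": True}},
]


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def review_rule(rule: dict, own_domain: str = OWN_DOMAIN) -> list[str]:
    """Return the reasons a single rule deserves a look (empty list = nothing odd)."""
    reasons = []
    conditions = rule.get("conditions", {})
    actions = rule.get("actions", {})

    # 1. Forwarding to an address outside the business keeps the attacker informed
    #    even after the password is changed.
    forward_to = actions.get("forward_to")
    if forward_to and _domain(forward_to) != own_domain.lower():
        reasons.append(f"forwards mail outside {own_domain} to {forward_to}")

    # 2. Deleting or burying (mark read + move) finance-related mail hides the
    #    supplier's real messages from the person who should see them.
    subject_terms = [t.lower() for t in conditions.get("subject_contains", [])]
    from_term = conditions.get("from_contains", "").lower()
    touches_finance = (any(w in term for term in subject_terms for w in FINANCE_WORDS)
                       or any(w in from_term for w in FINANCE_WORDS))
    deletes = bool(actions.get("delete"))
    buries = bool(actions.get("mark_read")) and bool(actions.get("move_to"))
    if (deletes or buries) and touches_finance:
        reasons.append("hides finance-related mail from the mailbox owner")
    if forward_to and (deletes or buries):
        reasons.append("forwards a copy and then hides the original")

    # 3. Heuristic: rules nobody named (blank or a single character) are rarely
    #    ones the account owner created on purpose.
    if len(rule.get("name", "").strip()) <= 1:
        reasons.append("rule name is blank or a single character")
    return reasons


def suspicious_rules(rules: list[dict], own_domain: str = OWN_DOMAIN) -> list[tuple[str, list[str]]]:
    """Return (rule name, reasons) for every rule that has at least one reason."""
    flagged = []
    for rule in rules:
        reasons = review_rule(rule, own_domain)
        if reasons:
            flagged.append((rule.get("name", ""), reasons))
    return flagged


if __name__ == "__main__":
    for name, reasons in suspicious_rules(SAMPLE_RULES):
        print(f"rule {name!r}:")
        for reason in reasons:
            print(f"  - {reason}")
```

A rule that forwards to an address within your own domain (the "Team forward" rule above) is left alone, which is why the check needs to know your domain; anything the script flags should still be compared with what the account owner actually set up before it is deleted.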


Need a hand?

If you're stuck, email support@chykalophia.com and we'll help. Include your website address and a screenshot if you can.

