Some of the most expensive attacks on businesses involve no malware at all. There is no virus to detect, no file to quarantine. There is just an email, a convincing one, and a payment that goes to the wrong place. This is business email compromise, or BEC, and the FBI considers it one of the costliest cybercrimes affecting businesses.
What business email compromise is
The FBI's Internet Crime Complaint Center (IC3) defines BEC as a scam that targets businesses performing transfers of funds. An attacker either compromises a real email account or convincingly impersonates one, then uses it to request a payment, a change of banking details, or sensitive information.
Because the request comes from a trusted name (your CEO, a vendor, a client) and contains no malicious attachment, traditional security tools often see nothing wrong.
What it looks like
BEC scams take a few familiar forms:
- The executive request. An email that appears to come from the owner or CFO asks an employee to urgently send a wire transfer or buy gift cards.
- The vendor swap. A supplier you really work with emails new banking details for their next invoice, except the email is from an attacker, and the next payment goes to them.
- The invoice redirect. A genuine-looking invoice arrives with payment instructions that have been quietly altered.
- The payroll change. A message "from an employee" asks HR to redirect their direct deposit to a new account.
The common thread is money movement plus pressure. The attacker wants you to act quickly and skip your normal checks.
How to stop it
BEC is defeated by process, not just technology.
- Verify payment changes out of band. Any request to send money or change banking details gets confirmed by phone, using a number you already have, never a number or link from the email itself. Make this a firm rule, not a judgment call.
- Require a second approval for wire transfers and vendor banking changes above a set amount.
- Slow down on urgency. Train staff that "urgent and secret" is itself a warning sign. A real executive will not mind a verification call.
- Protect email accounts with MFA. Many BEC scams begin with a genuinely compromised mailbox. Multi-factor authentication makes that much harder.
- Watch for look-alike domains. Attackers register domains that differ from a real one by a single character. Email-authentication tools and filtering help flag them.
If money has already gone
Act fast. The FBI advises contacting your bank immediately to request a recall of the funds, and filing a report with IC3 at ic3.gov as soon as possible. Quick reporting genuinely improves the odds of recovery.
The takeaway
BEC works because it exploits trust and routine, not software flaws. The defense is a simple, non-negotiable habit: money moves only after verification through a trusted channel. Build that into how your business operates and the scam stops working.
If you would like help putting payment-verification controls and email protection in place, the Flexnet Networks team can set that up with you.
Sources
- Business Email Compromise (BEC), FBI Internet Crime Complaint Center (IC3)
- Business Email Compromise, Federal Bureau of Investigation
- Cybersecurity Basics for Small Business, Federal Trade Commission



