The FBI's Internet Crime Complaint Center reported over $2.9 billion in losses from Business Email Compromise in a single year. The average victim is not a large corporation. It is a 12-person construction company, a dental practice, or a real estate office. Here is how it works and how to stop it.

What Business Email Compromise Actually Is

Business Email Compromise is a social engineering attack that uses email to trick employees into sending money or sensitive information to attackers. Unlike phishing attacks that go for passwords, BEC attacks go directly for wire transfers, payroll changes, or vendor payment redirects.

The FBI classifies it as the most financially damaging cybercrime category for businesses of all sizes. Average loss per incident is in the tens of thousands of dollars. Recovery rate is low because wire transfers are difficult to reverse.

The Three Most Common BEC Scenarios

The CEO Request. An employee in finance receives an email that appears to be from the company owner or CEO asking for an urgent wire transfer. The email looks real because the attacker either compromised the CEO's actual account or registered a near-identical domain (blackhount.com becomes b1ackhount.com). The employee wires funds to an attacker-controlled account.

The Vendor Redirect. An attacker monitors email communications between a business and one of its vendors, often after compromising one side of the relationship. At the right moment, they send an email (from a spoofed or compromised address) saying the vendor's payment instructions have changed. The next invoice payment goes to the attacker.

The Payroll Change. An attacker impersonates an employee and requests a change to their direct deposit account before payday. One or more paychecks go to the attacker before the fraud is discovered.

Why Small Businesses Are Hit Hardest

Large organizations have approval workflows, dual authorization on wire transfers, and dedicated finance staff trained to verify changes. Small businesses often have one person who both approves and initiates payments. That single point of failure is what attackers exploit.

The urgency tactics work better in small businesses too. When the email appears to come from the owner and says "I need this done before I land, do not call me," a loyal employee does not want to disrupt their boss's travel. That hesitation is engineered.

What Stops It

Verbal verification for financial changes. Any change to payment instructions or any wire transfer request should require a phone call to a known, pre-existing number to confirm. Not a reply to the email. A phone call. This single control stops nearly every BEC attack.

Dual authorization. Wire transfers above a threshold should require approval from two people. One person requests, a different person approves.

Email authentication (SPF, DKIM, DMARC). These DNS records let receiving mail servers detect and reject messages that forge your own domain as the sender. They do not stop a compromised account, and they do not cover a lookalike domain the attacker registered (b1ackhount.com has its own records and passes these checks for itself), which is why verbal verification stays the primary control. Blackhount's free assessment checks whether your domain has these configured correctly.
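As an added example (not Blackhount's assessment tool or any code from this post), here is a small Python check of what "configured correctly" means for the SPF and DMARC records; DKIM is left out because it is verified per message rather than from one TXT record. The records and domain names are constructed sample values, and a real check would read them from DNS.

```python
import re

# Constructed sample records (assumed, not real DNS data). A real check would
# read the TXT records of example.com and _dmarc.example.com instead.
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example.com"

def spf_findings(record: str) -> list[str]:
    """SPF weaknesses: the 'all' qualifier is the verdict for every unlisted server."""
    if not record.startswith("v=spf1"):
        return ["no SPF record: receivers cannot tell which servers may send as this domain"]
    qualifier = None
    for term in record.split()[1:]:
        match = re.fullmatch(r"([-+~?]?)all", term)
        if match:
            qualifier = match.group(1) or "+"  # a bare 'all' means +all
            break
    return {
        None: ["SPF has no 'all' term: unlisted senders get no verdict"],
        "+": ["SPF ends in +all: any server on the internet may send as this domain"],
        "?": ["SPF ends in ?all: neutral, forged mail is not marked as failing"],
        "~": ["SPF ends in ~all: softfail, blocks forgeries only if DMARC is enforcing"],
        "-": [],
    }[qualifier]

def dmarc_findings(record: str) -> tuple[bool, list[str]]:
    """Return (enforcing, findings); enforcing means failing mail is quarantined or rejected."""
    if not record.startswith("v=DMARC1"):
        return False, ["no DMARC record: forged mail from this domain is delivered normally"]
    tags = {k.strip(): v.strip() for k, v in (t.split("=", 1) for t in record.split(";") if "=" in t)}
    policy, pct = tags.get("p", "none"), int(tags.get("pct", "100"))
    findings = []
    if policy == "none":
        findings.append("DMARC p=none: monitoring only, forged mail is still delivered")
    if pct < 100:
        findings.append(f"DMARC pct={pct}: only part of the failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua= address: reports of forgery attempts are not collected")
    return policy in ("quarantine", "reject") and pct == 100, findings

def assess(spf: str, dmarc: str) -> dict:
    """One verdict for the domain: enforcing or not, plus everything left to fix."""
    enforcing, findings = dmarc_findings(dmarc)
    return {"enforcing": enforcing, "findings": spf_findings(spf) + findings}

if __name__ == "__main__":
    print("weak:", assess(WEAK_SPF, WEAK_DMARC))
    print("strong:", assess(STRONG_SPF, STRONG_DMARC))
```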

MFA on email accounts. If an attacker cannot get into your email account in the first place, the CEO Request scenario becomes much harder to execute. Enable MFA on every business email account today.

If It Has Already Happened

Call your bank immediately. Wire transfers can sometimes be recalled within 24 to 72 hours if you act fast. File a complaint with the FBI's Internet Crime Complaint Center (ic3.gov). File a police report for your cyber insurance claim. Then call us to understand how the attacker got in and close the gap.

Get a Free Security Assessment