
Business Email Compromise: The Attack That Costs More Than Ransomware

Lorikeet Security Team June 25, 2026 11 min read

TL;DR: Business Email Compromise is the #1 source of financial cybercrime losses globally. Per the FBI IC3 2025 report, BEC caused over $2.9 billion in adjusted losses in the United States alone in 2024 — more than ransomware, investment fraud, and tech support scams combined. BEC does not require malware, exploits, or technical sophistication. It requires a convincing email and a target with the authority to move money. Your firewall and endpoint detection will not save you.

Why BEC Outpaces Every Other Cybercrime Category

Ransomware gets the headlines. Breaches involving millions of stolen records get the press coverage. But when the FBI's Internet Crime Complaint Center (IC3) compiles annual losses across all reported cybercrime categories, Business Email Compromise consistently sits at the top — by a wide margin.

The 2025 IC3 report documented over $2.9 billion in adjusted BEC losses in 2024 across more than 21,000 complaints. That figure covers only cases that were both reported and substantiated; the actual total is meaningfully higher. For comparison, ransomware adjusted losses in the same period amounted to a fraction of that figure. Investment fraud and tech support scams, both frequently cited in cybercrime statistics, also fall well short of BEC losses.

The reason BEC consistently outperforms other attack categories on financial impact is structural: it targets the wire transfer process directly. Ransomware attackers demand payment after causing damage and must navigate cryptocurrency laundering. BEC attackers redirect legitimate wire transfers — money that was already moving, from a legitimate account, authorized by an employee who believed they were following normal procedures. By the time the fraud is detected, the funds have often cleared multiple intermediary accounts and crossed international borders.

BEC Variant              | Impersonation Target               | Typical Victim            | Attack Objective
CEO Fraud                | CEO or CFO                         | Finance / AP team member  | Urgent wire transfer
Vendor Email Compromise  | Known vendor or supplier           | Accounts payable          | Redirect invoice payment
Account Compromise       | Legitimate employee (real account) | Customers or partners     | Redirect payment, steal data
Attorney Impersonation   | Outside counsel or legal advisor   | Executive or finance staff| Wire transfer during transaction
Data Theft / Payroll BEC | HR, payroll, or executive          | HR or payroll admin       | W-2s, PII, direct deposit redirect

The Five BEC Scenarios the FBI Categorizes

1. CEO Fraud

The most widely recognized BEC variant. An attacker impersonates the organization's CEO, CFO, or another senior executive and emails a finance team member or accounts payable employee with an urgent request to wire funds. The email typically invokes confidentiality ("Don't discuss this with anyone until it clears"), urgency ("I need this done before the end of the business day"), and authority ("I'm authorizing this personally"). The target, conditioned by organizational culture to respond quickly to executive requests, processes the wire without following standard verification procedures.

CEO fraud is particularly effective against organizations where executives are known to send terse, direct emails and where finance staff fear appearing slow or uncooperative. The pretext often involves a "confidential acquisition," a "settlement payment," or a "last-minute vendor requirement" — scenarios where the urgency feels plausible and the secrecy request discourages the employee from consulting colleagues.

2. Vendor Email Compromise

The attacker either compromises a real vendor's email account or registers a lookalike domain closely resembling the vendor's actual domain (vendorname-billing.com, vendorname-ap.com, v3ndorname.com). They then email the target organization's accounts payable team with updated banking instructions — a new account number for future payments. If the AP team processes the change without out-of-band verification, subsequent legitimate invoice payments are wired directly to the attacker.

This variant is especially dangerous because it does not require any internal account compromise. The attacker needs only to identify the target's vendors (often listed in press releases, LinkedIn recommendations, or public filings), register a convincing lookalike domain, and send a single email. The loss is not one fraudulent wire — it is every subsequent payment to that vendor until the fraud is discovered, which is often measured in months.

3. Account Compromise

In this variant, the attacker gains actual access to a legitimate employee's email account — most commonly through phishing, credential stuffing, or purchase from an initial access broker. From inside the compromised account, the attacker monitors communications for payment-related conversations, then emails customers or business partners with fraudulent payment instructions. Because the email originates from the real account — correct domain, correct display name, actual conversation history — recipients have no technical indicator that anything is wrong.

Account compromise is also the entry point for thread hijacking (discussed below), which represents the highest-loss BEC technique in use today.

4. Attorney Impersonation

Attackers impersonate outside legal counsel or legal advisors and contact executives or finance personnel during sensitive business transactions — mergers and acquisitions, real estate closings, litigation settlements, or regulatory matters. The legal context provides built-in justifications for urgency, secrecy, and unusual payment requests: attorneys routinely handle large wire transfers, routinely ask for confidentiality around sensitive transactions, and routinely communicate outside normal business hours during deal closings. Because the role is credible and unusual behavior is expected in that setting, attorney impersonation is particularly effective against executives who might otherwise be skeptical.

5. Data Theft and Payroll BEC

Not all BEC attacks target immediate wire transfers. A significant subset targets HR and payroll staff to steal employee W-2 forms, social security numbers, and payroll data for use in tax fraud and identity theft. A separate payroll variant involves the attacker impersonating an employee and asking HR to update their direct deposit information to a new account — redirecting future paychecks to the attacker. These attacks are lower-value per incident than large wire frauds but are far easier to execute at scale and often go undetected until tax season.


How Attackers Execute BEC: The Full Kill Chain

Reconnaissance

BEC attacks begin long before any email is sent. Attackers spend days or weeks in reconnaissance, harvesting publicly available information to build a targeting profile of the organization. LinkedIn is the primary resource: it reveals the CFO's name and tenure, the AP team's structure, the names of key vendors and law firms, recent hires and departures, and the language and role titles the organization uses internally. Company websites often list leadership, press releases name business partners and advisors, and job postings reveal internal systems and processes.

This reconnaissance lets the attacker answer the critical questions: Who in finance has wire transfer authority? Who do they report to? What vendors does the company pay regularly? What business events (acquisitions, expansion, new contracts) might justify an unusual payment? The answers shape a pretext that feels completely plausible to the target.

Domain Spoofing and Lookalike Domains

For attacks that do not rely on a compromised account, the attacker must send email from an address that appears legitimate. Two techniques are common. Display name spoofing sets the visible sender name to "Jane Smith, CFO" while the actual sending address is an unrelated domain — exploiting the fact that most email clients show the display name prominently and hide the actual address. Lookalike domain registration goes further: the attacker registers a domain visually similar to the target or vendor's real domain (company-ap.com, compan1.com, company.co) and configures proper email infrastructure on it, often including valid SPF and DKIM records that cause the email to pass authentication checks.

Inbox Rules and Anti-Detection

When an attacker compromises a real email account, one of the first actions is creating inbox rules that automatically delete or redirect incoming messages. This prevents the account owner from seeing bounce-back messages, security alerts, or replies from fraud victims that might expose the attack. It also gives the attacker time to conduct the fraud before the account owner notices anything unusual. Microsoft 365 and Google Workspace both support inbox rules that execute server-side — the account owner sees nothing even if they are actively using the account during the attack.
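A defender can hunt for exactly these rules in mailbox audit logs. The following script is an added example, not part of the original post: it triages constructed records shaped like Exchange Online New-InboxRule / Set-InboxRule audit entries (the parameter names are the cmdlet's own; the user ids, domains and the attacker-example.net forwarding address are placeholders) and scores rules that delete, stash, or externally forward mail, especially when they key on finance terms.

```python
"""Triage mailbox audit records for inbox rules that hide or divert mail (BEC anti-detection)."""

# Constructed records in the shape of Exchange Online New-InboxRule / Set-InboxRule audit
# entries (Operation, UserId, Parameters as Name/Value pairs). Sample data, not real logs.
SAMPLE_RECORDS = [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@vendorname.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "DeleteMessage", "Value": "True"},
                    {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "marketing@vendorname.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "FromAddressContainsWords", "Value": "news@"},
                    {"Name": "MoveToFolder", "Value": "Newsletters"}]},
    {"Operation": "Set-InboxRule", "UserId": "cfo@vendorname.com",
     "Parameters": [{"Name": "Name", "Value": "Archive"},
                    {"Name": "ForwardTo", "Value": "mailer@attacker-example.net"}]},  # placeholder
    {"Operation": "MailItemsAccessed", "UserId": "cfo@vendorname.com", "Parameters": []},
]

INTERNAL_DOMAINS = {"vendorname.com"}   # hypothetical tenant domain
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance", "ach", "swift", "transfer"}
STASH_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history", "junk email",
                 "deleted items", "archive", "notes"}
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
KEYWORD_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")


def rule_params(record):
    """Flatten the Name/Value parameter list into a dict of strings."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def rule_findings(record):
    """Return the reasons this rule looks like attacker tradecraft (empty list if benign)."""
    if record.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
        return []
    p = rule_params(record)
    findings = []
    if len(p.get("Name", "").strip(". ")) == 0:          # rules named "." or ".." are a classic tell
        findings.append("non-descriptive rule name")
    if p.get("DeleteMessage", "").lower() == "true":
        findings.append("deletes matching mail")
    if p.get("MarkAsRead", "").lower() == "true":
        findings.append("marks matching mail as read")
    if p.get("MoveToFolder", "").lower() in STASH_FOLDERS:
        findings.append(f"moves mail to {p['MoveToFolder']}")
    for name in FORWARD_PARAMS:                           # any forward outside the tenant
        for addr in p.get(name, "").replace(";", " ").split():
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                findings.append(f"{name} to external address {addr}")
    words = set()
    for name in KEYWORD_PARAMS:
        words |= set(p.get(name, "").lower().replace(";", " ").split())
    hits = sorted(words & FINANCE_TERMS)
    if hits:
        findings.append(f"filters on finance terms {hits}")
    return findings


def severity(findings):
    """External forwarding, or finance-term filters paired with a hiding action, rates high."""
    text = " ".join(findings)
    hiding = any(f.startswith(("deletes", "moves", "marks")) for f in findings)
    if "external address" in text or ("finance terms" in text and hiding):
        return "high"
    if hiding or "non-descriptive" in text:
        return "medium"
    return "none"


def triage(records):
    """Return (user, severity, findings) for every record that earns a severity."""
    flagged = []
    for record in records:
        findings = rule_findings(record)
        sev = severity(findings)
        if sev != "none":
            flagged.append((record["UserId"], sev, findings))
    return flagged


if __name__ == "__main__":
    for user, sev, findings in triage(SAMPLE_RECORDS):
        print(f"[{sev.upper()}] {user}: " + "; ".join(findings))
```

The same logic applies to a Google Workspace admin audit export once the filter and action fields are mapped to the parameter names used here.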

Thread Hijacking

Thread hijacking is the most technically sophisticated and highest-loss BEC technique. After compromising a vendor's or partner's email account, the attacker monitors active email threads involving payment discussions. When a legitimate invoice or wire transfer is being approved — when the target is actively engaged in a real financial transaction with a real counterparty — the attacker injects into the existing thread from the compromised account, providing updated banking instructions. The email arrives in an existing conversation with full history, from the correct email address, appearing to be a routine update from a known contact. The social engineering is nearly invisible because there is nothing to engineer: the relationship and transaction are real.

Deepfake Audio Verification Bypass

As organizations have adopted out-of-band verification — calling the sender on a known number to confirm payment requests — attackers have begun using AI-generated voice cloning to defeat it. A target who calls their CFO's cell number to verify a wire request may reach a deepfake voice that confirms the request. Voice cloning requires only a few minutes of publicly available audio: earnings calls, conference presentations, podcast appearances, or YouTube videos. The technology is now accessible enough that it appears in BEC toolkits sold on cybercrime forums. Out-of-band verification remains the right control, but organizations must pair it with strict callback number policies — calling only pre-established numbers from your own contact records, never numbers provided in the suspicious email or in the callback call itself.


The Technology Gap: Why Your Email Security Won't Catch Most BEC

Organizations often assume that deploying DMARC, a Secure Email Gateway, and an advanced anti-phishing platform provides strong BEC protection. These controls are necessary — but they address a different threat model than the one BEC attackers actually use.

The gap: DMARC/DKIM/SPF prevent domain spoofing of your own domain. They do not prevent lookalike domain attacks, display name spoofing, or email sent from legitimately compromised third-party accounts. Most BEC attacks arrive from technically legitimate mail servers that pass every authentication check. Secure Email Gateways are designed to detect malware and malicious links — BEC emails contain neither.

DMARC with a p=reject policy is still a critical control. It prevents an attacker from sending email that appears to originate from exactly your domain — stopping direct impersonation of your CFO using your actual domain. But it does nothing to stop an email from [email protected] with the display name "Jane Smith, CFO" — because that email comes from a different domain entirely, one the attacker owns and has properly configured.

Lookalike domain detection — available in advanced email security platforms — addresses this gap by flagging emails from domains that are visually or phonetically similar to your trusted senders. Display name impersonation controls match the visible sender name against your internal directory and flag emails where the display name matches a known executive but the sending address does not. These controls help, but they generate false positives and require tuning, and sophisticated attackers rotate through new domains faster than blocklists update.

The uncomfortable truth is that when a vendor's real email account is compromised, or when an attacker uses a lookalike domain with correct branding and plausible pretext, the email will frequently reach the inbox and look completely legitimate to the recipient. Technology reduces the volume of BEC attempts that reach employees. It cannot eliminate the ones that do — and one successful BEC email to the right person can result in a seven-figure wire.


Real BEC Incidents: What Actual Losses Look Like

City of Rockford, Illinois: $500,000 Construction Contractor Fraud

In a publicly documented case, the City of Rockford, Illinois lost approximately $500,000 when a BEC actor impersonated a construction contractor working on a city project. The attacker sent an email to the city's accounts payable department requesting a change to the banking information on file for the contractor. The city's AP team processed the banking change without independent verification. Subsequent progress payments for the legitimate construction project were wired to the attacker's account. The fraud was discovered only when the real contractor followed up on overdue payments weeks later. By then, the funds had moved through multiple accounts. Recovery was partial.

This case illustrates the vendor email compromise pattern at its most basic: no malware, no technical exploitation, no compromised account — just a spoofed email requesting a banking change, and an AP process without mandatory verification controls.

Manufacturing Firm: $1.75 Million via Thread Hijacking

A mid-sized manufacturing company lost $1.75 million in a thread hijacking attack targeting an active vendor relationship. The attacker compromised the vendor's email account and monitored correspondence for approximately three weeks without taking any action. When a large equipment purchase was in the final stages of approval — with both sides actively emailing about payment timing — the attacker injected into the existing thread from the vendor's real account, explaining that the vendor had recently changed banking providers and providing new wire instructions. The manufacturing company's AP team, seeing a familiar contact in an existing thread about a real transaction, processed the wire. The attacker had set up inbox rules on the compromised vendor account that deleted the real vendor's subsequent payment-related emails, preventing the discrepancy from surfacing for several days. By the time the real vendor called to inquire about payment, the funds had cleared international wires.


Process Controls: The Most Important Defense Layer

Every serious BEC prevention framework leads with the same conclusion: process controls stop BEC more reliably than technology controls, because BEC attacks are designed specifically to evade the technology layer. The following controls are non-negotiable for any organization that initiates wire transfers.

Mandatory Out-of-Band Verification for Banking Changes

Any request to change vendor banking information — account number, routing number, bank name, or beneficiary — must be verified by calling the vendor on a phone number sourced independently from your own records. Not the number in the email. Not the number in the signature block of the email requesting the change. A number from your original vendor onboarding documentation, from the vendor's public website, or from a prior known-good communication. This single control defeats the vast majority of vendor email compromise attacks. If the change is real, the vendor will confirm it. If the call reaches someone who cannot confirm it, the change does not happen.

Dual Approval for Wire Transfers Above Threshold

No single employee should have the unilateral authority to initiate and approve a wire transfer above a defined threshold — typically $10,000 to $25,000 depending on the organization's normal transaction volume. Dual-approval requirements mean that a BEC actor who successfully deceives one employee still requires a second employee to authorize the transfer. This dramatically increases the difficulty of CEO fraud and vendor impersonation attacks, because the attacker must either compromise two employees simultaneously or find a way to bypass the second approval — which usually requires a much more elaborate pretext.

Callback Procedures and Verification Scripts

Finance teams should have documented callback procedures for any executive payment request received outside normal channels — particularly email requests marked urgent or confidential. The procedure is simple: call the executive on their known cell or office number and verbally confirm the request before processing. This takes two minutes and has a 100% detection rate for impersonation attacks. The organizational challenge is cultural: finance staff are often hesitant to "bother" the CFO with a verification call, particularly when the email is framed as urgent and confidential. Making the callback a written policy — a requirement, not an option — removes the social pressure and gives employees cover.

Vendor Change Freeze Periods

Implement a mandatory freeze period between a banking change request and its activation — typically 3 to 5 business days. During the freeze period, a second verification contact is made to the vendor, and the AP team confirms the change in a separate communication from the original request. This window defeats time-pressured BEC attacks ("process this before end of day") and provides a review period during which anomalies are more likely to be noticed.

Payroll Change Verification

Any request to change an employee's direct deposit information should trigger a verification call to the employee on their HR-recorded number — not a reply to the email — plus manager notification. Payroll BEC relies on HR teams processing direct deposit changes through normal email channels without independent confirmation. A short verification call eliminates the attack vector entirely.


Technical Controls That Reduce BEC Exposure

Process controls are the primary defense, but technical controls reduce the volume of convincing BEC emails that reach employees in the first place. The following controls should be implemented and maintained.

DMARC Enforcement (p=reject)

Publish a DMARC record with p=reject for your organization's domain. This prevents direct spoofing of your domain in email — an attacker cannot send email that appears to originate from @yourcompany.com. Many organizations publish DMARC with p=none (monitoring only) and never progress to enforcement, leaving the protection inactive. Move to p=quarantine and then p=reject as part of a planned rollout, using DMARC reporting to identify legitimate mail sources that need to be added to your SPF record before enforcement. Also implement BIMI (Brand Indicators for Message Identification) — it associates your logo with authenticated email, providing a visual indicator that helps recipients distinguish genuine communications from lookalikes.
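A small checker for the rollout gaps described above (p=none left in place, a weaker sp= for subdomains, a partial pct=, no rua= reporting). This is an added example, not code from the original post; the record strings and the dmarc@company.com mailbox are constructed, and the defaults (sp inherits p, pct defaults to 100) follow RFC 7489.

```python
"""Evaluate a DMARC TXT record for the enforcement gaps a BEC-focused rollout should close."""


def parse_dmarc(txt):
    """Parse 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(txt):
    """Return (policy, findings); findings is empty only for a fully enforced record."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "none", ["record is not a DMARC1 record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam instead of being rejected")
    subdomain_policy = tags.get("sp", policy).lower()      # RFC 7489: sp defaults to p
    if subdomain_policy != "reject" and subdomain_policy != policy:
        findings.append(f"sp={subdomain_policy}: subdomains are weaker than p={policy}")
    try:
        pct = int(tags.get("pct", "100"))                   # RFC 7489: pct defaults to 100
    except ValueError:
        pct = 100
        findings.append("pct is not an integer; receivers fall back to 100")
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports unavailable to find legitimate senders")
    return policy, findings


if __name__ == "__main__":
    # Constructed records: the weak starting point, a staged rollout, and the target state.
    for record in ("v=DMARC1; p=none",
                   "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@company.com",
                   "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@company.com",
                   "v=DMARC1; p=reject; rua=mailto:dmarc@company.com"):
        policy, findings = evaluate_dmarc(record)
        print(f"{record!r}: p={policy}; " + ("; ".join(findings) or "enforced"))
```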

External Email Banners

Configure your email platform to prepend a visible banner or tag to all email originating outside your organization ("EXTERNAL EMAIL — do not click links or provide credentials unless you are certain of the sender's identity"). This creates a consistent visual cue that helps employees notice when an email claiming to be from an internal executive is actually arriving from outside the organization. It is a low-cost control with meaningful impact on CEO fraud attacks using external domains.

Impersonation Protection and Lookalike Domain Detection

Most enterprise email security platforms (Microsoft Defender for Office 365, Google Workspace with third-party SEG) offer impersonation protection rules that flag emails where the display name matches an internal user but the sending address does not. Enable and tune these rules. Separately, enable lookalike domain detection to flag email from domains that are phonetically or visually similar to your trusted sender list — catching [email protected] before it reaches AP staff.
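The two controls described here and in the "Technology Gap" section above, lookalike domain detection and display name impersonation matching, can be prototyped against a From: header in a few dozen lines. This is an added example, not code from the original post or from any vendor product: the directory (Jane Smith, Bob Lee), the internal domain company.com, the trusted vendor domains and the sample headers are all constructed, and the matching rules cover the page's own lookalike patterns (hyphenated suffixes, digit homoglyphs, TLD swaps, near-matches).

```python
"""Flag inbound mail whose sender impersonates an internal executive or a trusted vendor domain."""
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed directory and trusted-sender list for a hypothetical organization.
INTERNAL_DOMAINS = {"company.com"}
TRUSTED_VENDOR_DOMAINS = {"vendorname.com", "lawfirm.com"}
EXECUTIVES = {"jane smith": "jane.smith@company.com", "bob lee": "bob.lee@company.com"}

# Digit-for-letter substitutions seen in lookalike domains; applied before comparing labels.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})


def normalize_label(label):
    """Fold digits and multi-character lookalikes (rn->m, vv->w) into their letter forms."""
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def split_domain(domain):
    """Naive (second-level label, tld) split; sufficient for two-label domains like company.com."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]


def lookalike_reason(sender_domain, trusted_domains):
    """Explain how sender_domain resembles a trusted domain; None if exact match or unrelated."""
    sender_domain = sender_domain.lower()
    if sender_domain in {d.lower() for d in trusted_domains}:
        return None
    s_sld, s_tld = split_domain(sender_domain)
    for trusted in sorted(trusted_domains):
        t_sld, t_tld = split_domain(trusted)
        if s_sld == t_sld and s_tld != t_tld:                 # company.co vs company.com
            return f"tld swap of {trusted}"
        if normalize_label(s_sld) == normalize_label(t_sld):  # v3ndorname vs vendorname
            return f"homoglyph of {trusted}"
        if t_sld in s_sld.split("-"):                         # company-ap, vendorname-billing
            return f"hyphenated variant of {trusted}"
        if SequenceMatcher(None, s_sld, t_sld).ratio() >= 0.85:  # compan1 vs company
            return f"near match of {trusted}"
    return None


def display_name_reason(display_name, sender_domain):
    """Flag a display name matching an internal executive when the mail comes from outside."""
    name = re.split(r"[,(|]", display_name)[0]                # drop ", CFO" / "(CFO)" titles
    name = " ".join(re.sub(r"[^a-z ]", " ", name.lower()).split())
    if name in EXECUTIVES and sender_domain.lower() not in INTERNAL_DOMAINS:
        return f"display name matches internal user {EXECUTIVES[name]}"
    return None


def assess_from_header(from_header):
    """Return the list of impersonation findings for one From: header (empty if clean)."""
    display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ["unparseable From header"]
    sender_domain = address.rsplit("@", 1)[1].lower()
    findings = [display_name_reason(display_name, sender_domain),
                lookalike_reason(sender_domain, INTERNAL_DOMAINS | TRUSTED_VENDOR_DOMAINS)]
    return [f for f in findings if f]


if __name__ == "__main__":
    # Constructed sample headers (display names quoted, as a mail client would emit them).
    for header in ('"Jane Smith, CFO" <jane.smith@company-ap.com>',
                   'Billing <billing@v3ndorname.com>',
                   'Accounts <ap@vendorname.com>',
                   '"Jane Smith" <jane.smith@company.com>'):
        print(header, "->", assess_from_header(header) or "clean")
```

Production implementations add Unicode confusable tables and a public-suffix list; the rules here are deliberately limited to ASCII two-label domains.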

Conditional Access and MFA for Email

Require MFA for all email account access, with conditional access policies that block login from unexpected geographic locations or unmanaged devices. Most account compromise that enables thread hijacking begins with a phished credential. MFA raises the bar significantly — attackers must either defeat MFA (through adversary-in-the-middle phishing kits or push bombing) or find another credential source. Combine MFA with session token protection policies that prevent refresh token theft, which is increasingly used to bypass MFA after initial authentication.


How Phishing Simulations and Social Engineering Pentests Reveal BEC Exposure

Documented policies and technical controls tell you what your organization is supposed to do. A social engineering assessment tells you what your organization actually does when confronted with a realistic BEC scenario.

BEC-focused social engineering assessments test the layers where BEC attacks succeed or fail. Email security testing validates whether lookalike domains, display name spoofing, and impersonation attempts are caught by your email platform or delivered to the inbox. Pretext simulations send realistic CEO fraud and vendor banking change requests to targeted employees, measuring whether recipients follow verification procedures or process the request directly. Phone-based verification testing confirms whether employees who receive a spoofed wire request actually call back on a verified number — or call the number provided in the suspicious email. Employee reporting testing measures how quickly the security team is notified when a suspicious email is received.

The results of these assessments consistently reveal the same categories of findings: employees who follow company policy for routine transactions bypass verification for "executive requests" due to social pressure; AP teams that know the callback procedure skip it when the email creates sufficient urgency; email security controls that catch generic phishing miss targeted, low-volume BEC emails that were specifically crafted to evade them.

What testing reveals: The gap between documented procedure and actual behavior is almost always larger than organizations expect. A company that trained all finance staff on BEC verification procedures six months ago will often find that 40-60% of employees still process a realistic CEO fraud request without completing an out-of-band call — because the social dynamics of the scenario create pressure that training did not simulate.

Assessment findings drive targeted improvements: updated procedures for specific scenarios the testing exposed, targeted training for the individuals and teams with the highest failure rates, technical control tuning based on which email characteristics bypassed detection, and executive sponsorship of the verification procedures that protect the organization from the highest-loss attacks.


Incident Response: The First Hour After a BEC Wire

If you suspect that a wire transfer was made in response to a BEC attack, the speed of response in the first hour determines whether any recovery is possible. Funds move quickly through international banking chains. Once they clear a domestic correspondent bank and reach a foreign institution, recovery is significantly more difficult.

Step 1: Call Your Bank Immediately

Do not send an email. Do not file a ticket. Call your bank's wire operations center directly and request an emergency wire recall. US banks participate in the Financial Fraud Kill Chain (FFKC), a protocol coordinated by FS-ISAC that enables rapid freeze and recall of fraudulent wires when the request is made quickly. The FFKC has a meaningful success rate when activated within the first 24-72 hours — with the highest recovery rates coming from requests made within the first 60 minutes. Have your wire reference number, sending account, receiving account, and wire amount ready before you call.

Step 2: File a Complaint with the FBI IC3

File an IC3 complaint at ic3.gov immediately. The FBI's Financial Crimes Unit coordinates with domestic and international banking regulators through the FFKC and can initiate fund freezes at receiving institutions when cases are reported quickly. Include all available details: full email headers, wire details, timeline of events, and any identifying information about the fraudulent account. Even if recovery is not possible, the report feeds law enforcement intelligence that supports broader BEC investigations.

Step 3: Preserve All Evidence Without Modification

Do not delete, forward, or modify any emails involved in the fraud. Export full email headers (not just the visible display) from every message in the chain. Document the complete timeline — when the first contact was made, when the wire was authorized, when the fraud was suspected — with timestamps. If the attack involved a compromised vendor account, notify the vendor immediately so they can revoke the attacker's access and prevent additional damage. Do not attempt to "reply back" to the fraudulent email or contact the attacker — preserve the evidence chain intact.

Step 4: Conduct a Root Cause Review

Once the immediate response actions are complete, conduct a structured post-incident review to identify which process or technical control failed and what changes would prevent recurrence. The goal is not to assign blame but to close the specific gap the attacker exploited. In the large majority of BEC incidents, the root cause is a missing or bypassed process control — a verification step that was documented but not followed. The review should update procedures, retrain affected staff, and implement monitoring to verify that the updated controls are being followed.


BEC Defense: A Prioritized Control Checklist

Test Your Organization's Defenses Against BEC

Lorikeet Security's social engineering assessments test whether your employees, processes, and email security controls would stop a real BEC attack before money moves. Book a consultation to discuss phishing simulations, email security assessments, and security awareness training.


Lorikeet Security Team

Penetration Testing & Cybersecurity Consulting

Lorikeet Security helps modern engineering teams ship safer software. Our work spans web applications, APIs, cloud infrastructure, and AI-generated codebases — and everything we publish here comes from patterns we see in real client engagements.
