What is Business Email Compromise?
A sophisticated scam where criminals impersonate executives, vendors, or business partners via email to trick employees into wiring money or sharing sensitive data — the FBI's most costly cybercrime category at $2.9 billion in annual losses.
Also known as: BEC, CEO Fraud, Email Wire Fraud, Vendor Email Compromise
Business Email Compromise is the most financially devastating cybercrime in the world — not ransomware, not data breaches, but carefully crafted emails that trick people into sending money.
How It Works
CEO Fraud
- Attacker spoofs or hacks the CEO's email account
- Sends urgent request to finance department: "Wire $150,000 to this account for an acquisition — keep it confidential"
- The urgency and authority prevent normal verification
Vendor Impersonation
- Attacker compromises or spoofs a vendor's email
- Sends a legitimate-looking invoice with updated banking details
- Company pays the invoice to the attacker's account instead of the real vendor
Payroll Diversion
- Attacker impersonates an employee emailing HR
- Requests a change to direct deposit information
- Employee's paycheck is redirected to the attacker's account
Lawyer Impersonation
- Attacker poses as an attorney handling a confidential deal
- Creates urgency around closing a transaction
- Pressures the victim to wire funds immediately
Scale
| Year | FBI-Reported BEC Losses |
|---|---|
| 2020 | $1.87 billion |
| 2021 | $2.39 billion |
| 2022 | $2.74 billion |
| 2023 | $2.95 billion |
BEC is the #1 cybercrime by financial loss — exceeding ransomware, data breaches, and all other categories combined.
Why It's So Effective
- No malware required — pure social engineering
- Targets human trust — emails come from known contacts
- Urgency and authority prevent verification
- Wire transfers are irreversible — once sent, money is gone within hours
- AI is making it worse — large language models generate perfect, contextual emails
Prevention
- Mandatory verbal verification for all wire transfers and payment changes
- Multi-person approval for transactions above a threshold
- Email authentication — Implement DMARC, DKIM, and SPF (checked as part of our Privacy Audit)
- Slow down — BEC exploits urgency; build deliberate delays into financial processes
- Train employees — Regular phishing awareness training
- Verify banking changes through established channels, never through the email requesting the change
Related Terms
AI-Powered Phishing
Phishing attacks enhanced by artificial intelligence that can generate highly personalized, grammatically perfect social engineering messages at scale — making them far harder to detect than traditional phishing.
Credential Harvesting
The practice of collecting login credentials through phishing pages, data breaches, malware, or social engineering.
Deepfake Fraud
The use of AI-generated synthetic video or audio to impersonate real people for financial fraud — including fake video calls with executives to authorize wire transfers, fabricated evidence in legal proceedings, and identity verification bypasses.
Phishing
A social engineering attack where attackers impersonate legitimate entities through fake emails, websites, or messages to trick victims into revealing sensitive information like passwords, credit card numbers, or personal data.
Social Engineering
Psychological manipulation techniques used to trick people into revealing confidential information or performing actions that compromise security. Social engineering exploits human trust rather than technical vulnerabilities.
Have more questions?
Use our guided flow to get the right next privacy step for Business Email Compromise.
Open Guided Flow