Business Email Compromise (BEC)
A targeted fraud in which an attacker impersonates an executive, supplier, or counsel to redirect a legitimate payment — historically the single most financially damaging cybercrime category.
Business Email Compromise (BEC) is a targeted fraud in which an attacker impersonates a trusted party — the CEO, an outside counsel, a known supplier — to redirect a payment that the victim already expects to make. There is no malware, often no link, and frequently no MFA bypass: the attack succeeds by exploiting authority, urgency, and approval-chain gaps. The FBI Internet Crime Complaint Center (IC3) consistently reports BEC as one of the highest-loss cybercrime categories, with cumulative reported losses well above USD 50 billion since 2013.
Three patterns dominate:
- CEO / executive impersonation. A fake message from the CEO to a finance controller, late on a Friday: “wire EUR 480k to the law firm handling the acquisition, keep it confidential.” Often paired with vishing or deepfake voice cloning for the confirmation call.
- Supplier IBAN change. A long-standing supplier’s email is compromised (or spoofed); a “new bank details” note arrives just before the next invoice; subsequent invoices land in the attacker’s account for weeks before detection.
- Payroll diversion. An “I changed banks, please update direct deposit” message from a spoofed employee account, often during a known payroll window.
Defining properties:
- No malicious payload. Email-security gateways tuned for links and attachments often pass BEC traffic untouched.
- Authority and urgency. The lure invokes hierarchy and deadlines — the exact two pressures that suppress the verification reflex.
- Process-aware. Attackers do reconnaissance on payment cycles, approval thresholds, and out-of-office calendars before pulling the trigger.
- Recovery is rare. Funds are split across mule accounts within hours; the FBI’s Financial Fraud Kill Chain recovers only a fraction of cross-border BEC wires.
The defensive lever is procedural and behavioral, not technical: a mandatory out-of-band callback for any payment-detail change or out-of-pattern wire, drilled often enough — through spear-phishing simulations and finance-targeted nudges — that “verify on the known number” is the automatic move, not an exception requested by an inconvenient policy.
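The callback rule above can be enforced in the payment workflow rather than left to memory: before a wire is released, compare the request against the vendor master record and the vendor’s payment history, and hold it for an out-of-band call on the number already on file (never one quoted in the email) whenever bank details, sender domain, or amount fall outside the pattern. The following is an added illustration, not code from this page or from any vendor; the vendor master, payment history and `PaymentRequest` fields are constructed for the example.

```python
from dataclasses import dataclass, field
from statistics import median
from typing import List, Optional

# Constructed vendor master record. The callback number comes from here,
# never from the inbound message that requested the change.
VENDOR_MASTER = {
    "V-1001": {
        "name": "Acme Legal LLP",
        "iban": "DE89370400440532013000",
        "domain": "acme-legal.example",
        "callback_phone": "+49-30-555-0100",
    },
}

# Constructed history of prior payments to each vendor (amounts in EUR).
PAYMENT_HISTORY = {"V-1001": [12_000, 11_500, 12_400, 11_900, 12_100]}


@dataclass
class PaymentRequest:
    vendor_id: str
    beneficiary_iban: str
    amount: float
    sender_email: str
    mentions_confidentiality: bool = False  # "keep this confidential" pressure cue


@dataclass
class Decision:
    hold_for_callback: bool
    reasons: List[str] = field(default_factory=list)
    callback_number: Optional[str] = None


def assess_payment_request(req: PaymentRequest,
                           master=VENDOR_MASTER,
                           history=PAYMENT_HISTORY,
                           out_of_pattern_factor: float = 3.0) -> Decision:
    """Return a hold decision; any reason triggers a callback on the number on file."""
    vendor = master.get(req.vendor_id)
    reasons: List[str] = []
    if vendor is None:
        return Decision(True, ["unknown vendor id"], None)

    # Payment-detail change: beneficiary account differs from the master record.
    if req.beneficiary_iban.replace(" ", "").upper() != vendor["iban"]:
        reasons.append("beneficiary IBAN differs from vendor master")

    # Sender domain is not the domain registered for this vendor (spoof or lookalike).
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor["domain"]:
        reasons.append(f"sender domain {sender_domain!r} is not the vendor's registered domain")

    # Out-of-pattern amount relative to the vendor's typical invoice.
    past = history.get(req.vendor_id, [])
    if past:
        typical = median(past)
        if req.amount > out_of_pattern_factor * typical:
            reasons.append(f"amount {req.amount:,.0f} exceeds "
                           f"{out_of_pattern_factor:g}x typical {typical:,.0f}")
    else:
        reasons.append("no payment history for vendor")

    # Confidentiality requests route around the normal approval chain.
    if req.mentions_confidentiality:
        reasons.append("request asks for confidentiality outside normal approvals")

    return Decision(bool(reasons), reasons, vendor["callback_phone"] if reasons else None)


if __name__ == "__main__":
    routine = PaymentRequest("V-1001", "DE89 3704 0044 0532 0130 00", 12_200,
                             "billing@acme-legal.example")
    print(assess_payment_request(routine))
    suspicious = PaymentRequest("V-1001", "GB33BUKB20201555555555", 480_000,
                                "ceo@acme-legal-example.com", mentions_confidentiality=True)
    print(assess_payment_request(suspicious))
```

The check deliberately returns the number on file rather than a pass/fail alone: the control is the phone call on a known number, and the code only decides when that call is mandatory.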
Related terms
- Phishing: A social-engineering attack that impersonates a trusted entity to trick a person into surrendering credentials, money, or access — by email, SMS, voice, QR code, or OAuth consent.
- Spear-phishing: A targeted phishing attack crafted for a specific person or small group, using public OSINT to reach a credibility that bulk phishing cannot achieve.
- Social engineering: Manipulating a person — rather than exploiting a software flaw — to obtain credentials, money, or access; the umbrella category under which phishing, vishing, and BEC sit.
- Deepfake voice cloning: Use of AI-generated synthetic voice — and increasingly video — to impersonate a known executive or colleague during a fraud attempt.
- Vishing (voice phishing): Phishing delivered over a voice call — increasingly combined with an email pretext and, since 2023, with AI-cloned voices of executives and colleagues.