Business Email Compromise: How the Attack Works and Why It Succeeds

Business email compromise sounds technical. It's not. It's a social engineering attack that works because people trust email from their boss.
The mechanism is simple: an attacker impersonates an executive, vendor, or trusted partner to trick an employee into authorizing a fraudulent wire transfer or sharing sensitive data. The email looks legitimate. The request sounds urgent. The employee complies. The money disappears.
The FBI's Internet Crime Complaint Center (IC3) put BEC losses at roughly $2.9 billion in its 2023 Internet Crime Report, more than ransomware, tech support scams, and romance fraud combined. These aren't random attacks. They're targeted, researched, and executed with precision against specific employees at specific companies.
Here's how the attack works, why it succeeds, and what actually stops it.
The Reconnaissance Phase
BEC attacks start weeks or months before the fraudulent email arrives. The operators research your company structure, identify employees with payment authority, and study communication patterns. This isn't guesswork. It's methodical intelligence gathering.
They scrape LinkedIn for org charts, job titles, and reporting relationships. They monitor public filings, press releases, and social media to understand who reports to whom. They identify the CFO, the accounts payable manager, the executive assistant who handles the CEO's travel arrangements. They note who's traveling, who's on vacation, who just started a new role.
Some operators compromise an executive's actual email account through phishing or credential stuffing and monitor traffic for weeks without taking action. They read internal emails to learn communication styles, payment processes, and approval thresholds. They identify vendors, understand invoice formats, and wait for the right moment to strike. They commonly add mailbox rules that forward copies of mail to an outside address or silently delete replies from the finance team, so the real account owner never sees the conversation being held in their name.
The goal is to build a convincing impersonation. Not a generic phishing email that could target anyone, but a message crafted specifically for one employee at one company, referencing real projects, real vendors, and real people.
The Impersonation Mechanism
Once the research is complete, the attack moves to execution. The most common variant impersonates a senior executive requesting an urgent wire transfer.
The email comes from an address that looks almost identical to the real executive's email. The domain might be off by one character: ceo@company.co instead of ceo@company.com, or ceo@companyinc.com instead of ceo@company-inc.com. The display name shows the correct executive name, which is what most people see in their inbox. The signature block matches the executive's actual signature. The tone mirrors how that executive actually writes. Some attackers skip the lookalike domain entirely and send from a free webmail account registered under the executive's name, relying on the display name alone.
The request sounds plausible: a confidential acquisition that requires immediate payment to secure the deal, a vendor payment that needs to go out before the executive boards a flight, a time-sensitive legal settlement. The email creates urgency and discourages verification. "I'm in meetings all day, just handle this" or "The deal closes in two hours, we can't miss this window."
Another common variant impersonates a vendor with an updated payment address. The email references a real invoice, a real project, and a real relationship. It asks the accounts payable team to update their records and send future payments to a new account. The new account belongs to the attackers.
A third variant targets HR or payroll departments, impersonating an employee requesting a change to their direct deposit information. The email comes from what looks like the employee's personal email address, explaining that they're traveling or working remotely and need to update their banking details. The new account receives the next paycheck.
Why Technical Defenses Fail
BEC emails bypass most technical defenses because they contain no malware, no suspicious links, and no obvious red flags that spam filters recognize. The email is plain text or contains only a PDF that looks like a legitimate invoice. There's nothing for antivirus software to detect.
The sender's domain might be newly registered, but that's not unusual in legitimate business contexts. Email authentication helps less than people expect. SPF, DKIM, and DMARC only confirm that a message really came from the domain it claims to come from, so a lookalike domain the attacker registered and configured properly passes all three. Direct forgery of your real domain is rejected only if that domain publishes an enforcing DMARC policy (p=reject); many domains still sit at p=none, where failures are reported but the mail is delivered anyway. And mail from small vendors and individual senders fails these checks often enough that receivers rarely block on a failure alone.
Some organizations configure email gateways to flag external emails with display names matching internal executives, or to prepend a banner that says "This email originated outside the organization." This helps, but attackers adapt: they alter the display name slightly, send from a free webmail account where an external banner is unremarkable, or compromise the executive's actual account, which makes the email genuinely internal and removes the banner entirely.
The fundamental problem is that BEC exploits trust in hierarchies and processes, not technical vulnerabilities. An employee receives an email that appears to come from their CEO, using language and context that matches how their CEO actually communicates. The technical infrastructure sees a legitimate email. The employee sees an instruction from their boss.
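The lookalike-domain and display-name signals described in this section and under The Impersonation Mechanism above can be checked mechanically, with the caveat this section makes: a pass on every authentication check is not proof of legitimacy. The following is an added example, not code from the article, showing a small Python triage routine run over three constructed messages. The internal domains, the executive roster, the phrase list, and the messages themselves are all assumptions.

```python
"""Triage one inbound message for the BEC impersonation signals discussed above.
Added example, not from the article: the domains, roster, phrases and messages are assumptions."""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"company.com", "company-inc.com"}   # assumption: the reader's real domains
EXECUTIVES = {"jane doe": "jane.doe@company.com"}       # assumption: display name -> real address
PROBE_PHRASES = ("are you at your desk", "handle something for me",
                 "confidential", "wire", "before i board")


def levenshtein(a, b):
    """Edit distance, inlined to keep the example dependency-free."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _squash(domain):
    """Fold confusables attackers rely on (rn->m, vv->w, 0->o, 1->l) and drop '-' and '.'."""
    d = domain.lower()
    for old, new in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("-", ""), (".", "")):
        d = d.replace(old, new)
    return d


def is_lookalike(domain):
    """company.co, cornpany.com and companyinc.com all count; apply to unfamiliar senders only."""
    d = domain.lower()
    if d in INTERNAL_DOMAINS:
        return False
    return any(levenshtein(d, real) <= 1 or levenshtein(_squash(d), _squash(real)) <= 1
               for real in INTERNAL_DOMAINS)


def parse_auth_results(header):
    """'authserv; spf=pass ...; dkim=fail ...; dmarc=pass ...' -> {'spf': 'pass', ...}"""
    results = {}
    for part in str(header or "").split(";")[1:]:      # element 0 is the authserv-id
        words = part.split()
        if words and "=" in words[0]:
            method, result = words[0].split("=", 1)
            results[method.lower()] = result.lower()
    return results


def triage(raw):
    """Return human-readable findings; an empty list means no impersonation signal."""
    msg = email.message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    domain = addr.rsplit("@", 1)[-1].lower()
    findings = []
    real_addr = EXECUTIVES.get(name.strip().lower())
    if real_addr and addr.lower() != real_addr:
        findings.append(f"display name '{name}' matches an executive but the address is {addr}")
    lookalike = is_lookalike(domain)
    if lookalike:
        findings.append(f"sender domain {domain} is a lookalike of an internal domain")
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != domain:
        findings.append(f"Reply-To {reply_to} sends replies to a different domain than From")
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if domain in INTERNAL_DOMAINS and auth.get("dmarc") == "fail":
        findings.append("claims an internal domain but fails DMARC: direct spoof")
    if lookalike and auth.get("dmarc") == "pass":
        findings.append(f"DMARC pass only proves the mail came from {domain}, not that {domain} is trusted")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    hits = [p for p in PROBE_PHRASES if p in text]
    if hits:
        findings.append("probe/urgency language: " + ", ".join(hits))
    return findings


# Constructed samples. PROBE is the "are you at your desk?" opener sent from a lookalike
# domain the attacker owns, so it passes SPF, DKIM and DMARC. SPOOF forges the real domain
# (an enforcing DMARC policy would have rejected it upstream). LEGIT is ordinary internal mail.
PROBE = """\
From: Jane Doe <jane.doe@company.co>
Subject: quick question
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=company.co; dkim=pass header.d=company.co; dmarc=pass header.from=company.co

Are you at your desk? I need you to handle something for me.
"""
SPOOF = """\
From: Jane Doe <jane.doe@company.com>
Reply-To: jd.private@mail.example
Subject: Confidential
Authentication-Results: mx.company.com; spf=fail smtp.mailfrom=company.com; dkim=none; dmarc=fail header.from=company.com

Wire the settlement today, before I board. Keep this confidential.
"""
LEGIT = """\
From: Jane Doe <jane.doe@company.com>
Subject: Board deck
Authentication-Results: mx.company.com; spf=pass smtp.mailfrom=company.com; dkim=pass header.d=company.com; dmarc=pass header.from=company.com

Draft deck attached, comments welcome.
"""

if __name__ == "__main__":
    for label, raw in (("PROBE", PROBE), ("SPOOF", SPOOF), ("LEGIT", LEGIT)):
        print(label, triage(raw) or ["no findings"])
```

The routine is a triage aid rather than a blocker. PROBE passes SPF, DKIM and DMARC for company.co and still produces four findings, which is the point of the preceding paragraphs; SPOOF is the case an enforcing DMARC policy on the real domain would have stopped before it reached anyone.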
The Pressure Tactics
BEC emails succeed because they create conditions that discourage verification. The urgency is artificial, but it feels real.
The email arrives during a busy period when the employee is juggling multiple priorities. It references a plausible business need. It implies that delay will cause significant harm: a lost deal, a damaged vendor relationship, a missed legal deadline. It suggests that the executive is unavailable for questions: in a meeting, on a flight, in a different time zone.
The power dynamic matters. Employees hesitate to question executives, especially when the request sounds urgent and the executive's tone suggests impatience. "I need this done now" carries implicit weight when it comes from someone three levels above you in the org chart. Pushing back feels like insubordination.
Some BEC emails explicitly tell the employee not to discuss the request with others: "This is confidential until the announcement" or "Don't mention this to anyone until the deal closes." This isolation prevents the employee from seeking a second opinion or running the request past a colleague who might recognize it as fraudulent.
The attackers understand these dynamics. They craft emails that exploit the natural human response to authority, urgency, and social pressure. The technical mechanism is email. The actual attack is psychological.
The Ocean's Eleven Problem
In Ocean's Eleven, Danny Ocean's crew doesn't break into the Bellagio vault through brute force. They study the security systems, identify the human operators, and manipulate the people who control access. The vault's technical defenses are irrelevant once you convince the guard to open the door.
BEC works the same way. The attackers don't need to crack encryption or exploit software vulnerabilities. They need to convince one person with payment authority that an email from the CEO is legitimate. Once that person initiates the wire transfer, the technical infrastructure executes the instruction exactly as designed.
The parallel runs deeper. Ocean's crew spends weeks planning, researching the target, and rehearsing the con. BEC operators do the same. They don't send random emails hoping someone clicks. They study the organization, identify the right target, and craft a message designed to exploit that specific person's role, responsibilities, and relationship to the impersonated executive.
The defense isn't better encryption or smarter spam filters. It's recognizing that the vault door is controlled by a person, and that person needs a process that can't be bypassed by a convincing email.
What Actually Stops BEC
The single most effective defense against BEC is verification through a separate communication channel. If an email requests a wire transfer, payment update, or sensitive data, you call the sender using a phone number from your company directory or a previously verified source. Not a number in the email. Not a number you find by searching online. A number you already have.
This simple step stops most BEC attempts immediately. The fraudulent email can't survive a phone call because the real executive didn't send it. The urgency collapses. The request disappears.
Organizations that implement this as a mandatory process see BEC attempts fail at the verification stage. The policy is straightforward: any payment request over a certain threshold, any change to vendor banking details, any request for sensitive data requires voice confirmation before action. No exceptions for urgency. No exceptions for executives.
Some organizations add a second layer: payment requests from executives must include a specific code word or phrase that's communicated through a separate channel and rotated regularly. If the email doesn't contain the current code, it's automatically flagged for verification. The code word has to stay out of email entirely; if it is ever sent or confirmed in a mailbox the attacker is reading, it authenticates the attacker instead.
Employee training helps, but only if it's specific. Generic "be careful with email" warnings don't work. Effective training shows employees actual BEC emails that targeted their industry, explains the specific tactics attackers use, and walks through the verification process step by step. The training includes scenarios: what do you do when the CEO emails you at 4:45 PM on Friday asking for an urgent wire transfer before Monday morning?
Technical controls provide a baseline. Email authentication (SPF, DKIM, and DMARC with an enforcing policy) makes forging your own domain harder, though it does nothing against a lookalike domain the attacker controls. External email warnings make it slightly more obvious when an email comes from outside the organization. But these are supplementary. The core defense is procedural: verify before you act.
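Whether your own domain's authentication records are actually enforcing is a question a short script can answer. The following is an added example, not the article's own code, that assesses SPF and DMARC records and shows the weak settings beside the corrected ones. The records are constructed; a real check would fetch the TXT records for the domain and for _dmarc.<domain> from DNS instead of hard-coding them.

```python
"""Assess a domain's own SPF and DMARC records for spoof-resistance.
Added example, not from the article. Records are constructed; fetch real ones from DNS."""


def parse_tags(record):
    """Split 'k=v; k=v' (DMARC syntax) into a dict with lowercase keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return (enforcing, issues). Enforcing means a direct forgery of the domain
    and its subdomains is rejected by compliant receivers."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["not a DMARC record"]
    p = tags.get("p", "").lower()
    if p not in ("none", "quarantine", "reject"):
        return False, ["missing or invalid p= tag: not a valid DMARC record"]
    issues = []
    if p == "none":
        issues.append("p=none only monitors: forged mail from this domain is still delivered")
    elif p == "quarantine":
        issues.append("p=quarantine files forgeries as spam instead of rejecting them")
    pct = int(tags.get("pct", "100"))                # default is 100
    if pct < 100:
        issues.append(f"pct={pct}: policy is applied to only {pct}% of failing mail")
    sp = tags.get("sp", p).lower()                   # subdomain policy defaults to p
    if sp == "none" and p != "none":
        issues.append("sp=none leaves subdomains forgeable even though p is enforcing")
    if "rua" not in tags:
        issues.append("no rua= address: you will never see who is forging the domain")
    return p == "reject" and pct == 100 and sp == "reject", issues


def assess_spf(record):
    """Return (enforcing, issues) for a v=spf1 record. Enforcing means unlisted hosts
    hard-fail (-all) and the RFC 7208 limit of 10 DNS-querying mechanisms is respected."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        return False, ["not an SPF record"]
    issues = []
    all_term = next((t for t in tokens[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        qualifier = None
        issues.append("no 'all' mechanism: unlisted senders are treated as neutral")
    else:
        qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
        if qualifier == "+":
            issues.append("+all authorizes every host on the internet to send as this domain")
        elif qualifier == "?":
            issues.append("?all is neutral: it says nothing about unlisted senders")
        elif qualifier == "~":
            issues.append("~all is a soft fail: many receivers still deliver forgeries")
    lookup_mechs = ("include", "a", "mx", "ptr", "exists", "redirect")
    lookups = sum(1 for t in tokens[1:]
                  if t.lstrip("+-~?").lower().split(":")[0].split("/")[0].split("=")[0] in lookup_mechs)
    if lookups > 10:
        issues.append(f"{lookups} DNS-lookup mechanisms exceed the limit of 10 (permerror)")
    return qualifier == "-" and lookups <= 10, issues


# Constructed records: the weak setting beside the corrected one.
WEAK_DMARC = "v=DMARC1; p=none"
PARTIAL_DMARC = "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@company.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@company.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:_spf.mail.example +all"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.mail.example -all"

if __name__ == "__main__":
    for label, rec in (("WEAK_DMARC", WEAK_DMARC), ("PARTIAL_DMARC", PARTIAL_DMARC),
                       ("STRONG_DMARC", STRONG_DMARC)):
        print(label, assess_dmarc(rec))
    for label, rec in (("WEAK_SPF", WEAK_SPF), ("STRONG_SPF", STRONG_SPF)):
        print(label, assess_spf(rec))
```

Note what an enforcing record does and does not buy you: STRONG_DMARC stops forgeries of company.com itself, but a lookalike such as company.co is a different domain with its own records, and the attacker sets those up to pass.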
Vendor Email Compromise
A common BEC variant targets the relationship between organizations and their vendors. The attacker compromises a vendor's email system, monitors correspondence, and waits for a legitimate invoice. When the invoice goes out, the attacker sends a follow-up email from the compromised account: "We've updated our banking information. Please send future payments to this new account."
The email comes from the vendor's actual domain. It references the real invoice. It sounds like routine administrative communication. The accounts payable team updates their records. The next payment goes to the attacker's account instead of the vendor's.
This variant is harder to detect because the email is genuinely from the vendor's infrastructure. The domain is correct. The sender is correct. The compromise is real, not spoofed.
The defense is the same: verify through a separate channel. When a vendor requests a banking change, you call them using a phone number from your existing records, not one in the email. You confirm that the request is legitimate before updating payment information.
Some organizations require vendors to submit banking changes through a secure portal rather than email, with multi-factor authentication and approval workflows. This adds friction, but it prevents email-based fraud.
The Recovery Window
If a BEC attack succeeds and a wire transfer goes out, recovery depends on speed. Wire transfers move money between banks almost instantly, but there's a narrow window where intervention is possible.
The first step is contacting your bank immediately. Most banks have fraud departments that can attempt to recall the transfer if you report it within hours. The success rate is low, but it's higher than zero. The longer you wait, the more likely the money has moved through multiple accounts and become unrecoverable.
The second step is filing a report with the FBI's IC3, which tracks BEC incidents and coordinates with financial institutions. Its Recovery Asset Team works with banks to try to freeze funds from fraudulent transfers to domestic accounts, so a prompt report can contribute directly to recovery; even when it can't, it creates a record that law enforcement can use to trace the funds.
The third step is notifying the receiving bank. If the fraudulent transfer went to a U.S. bank, you can contact that bank's fraud department directly and request that they freeze the account. Some banks will cooperate, especially if you provide an IC3 report number and documentation of the fraud.
International transfers are harder to recover. Once money leaves the U.S. banking system, the legal and procedural obstacles multiply. Some countries have cooperative frameworks for fraud recovery, but many don't. The attackers know this, which is why BEC transfers often route through banks in jurisdictions with weak enforcement.
The practical reality is that most BEC losses are permanent. The attackers move money quickly through multiple accounts, convert it to cryptocurrency, or withdraw it as cash. By the time the victim realizes what happened, the trail is cold.
This is why prevention matters more than recovery. Once the wire transfer executes, your options narrow dramatically.
The Attorney Impersonation Variant
Some BEC attacks impersonate attorneys rather than executives. The email claims to represent the company's legal counsel in a confidential matter: a pending lawsuit, a regulatory settlement, a time-sensitive legal obligation. The request is for payment to resolve the matter before it escalates.
This variant works because employees assume legal matters are confidential and urgent. The email creates pressure not to discuss the request with others, which prevents verification. The employee sees a message from a law firm, assumes it's legitimate, and processes the payment.
The defense is the same: verify through a separate channel. If an attorney you've never worked with sends a payment request, you call your company's legal department or general counsel to confirm. If the email claims to be from your existing legal counsel, you call them using a number you already have.
Law firms are also targets. Attackers compromise attorney email accounts to send fraudulent payment instructions to clients, or they impersonate attorneys to trick clients into sending retainer payments to fraudulent accounts. Clients who receive unexpected payment requests from their attorney should verify through a phone call before acting.
The Payroll Redirect Variant
BEC attacks targeting HR and payroll departments impersonate employees requesting changes to direct deposit information. The email appears to come from the employee's personal email address, explaining that they need to update their banking details due to a closed account, a move, or a preference for a different bank.
The request looks routine. HR departments process direct deposit changes regularly. The email includes what appears to be the employee's personal information: name, employee ID, current address. The HR representative updates the system. The next paycheck goes to the attacker's account instead of the employee's.
This variant succeeds because the request seems low-risk. It's not a wire transfer for hundreds of thousands of dollars. It's a routine administrative task. The employee will notice eventually, but by then the money is gone.
Organizations prevent this by requiring in-person or voice verification for any banking changes. If an employee wants to update their direct deposit information, they visit HR in person, call from a verified phone number, or submit the request through a secure employee portal with multi-factor authentication. Email requests are not accepted, regardless of how legitimate they appear.
The Invoice Manipulation Variant
Another BEC variant involves intercepting and modifying legitimate invoices. The attacker compromises either the vendor's email system or the customer's email system, monitors invoice traffic, and alters invoices in transit to change the payment destination.
The vendor sends an invoice to the customer. The attacker intercepts it, modifies the banking details, and forwards the altered invoice from what appears to be the vendor's email address. The customer receives an invoice that looks identical to previous invoices from that vendor, processes payment, and sends money to the attacker's account.
This is harder to detect than other BEC variants because the invoice is real. The amount is correct. The project is real. The only change is the banking information, which most people don't scrutinize closely if the invoice otherwise matches their expectations.
The defense is procedural: verify banking information changes before processing payment. If an invoice from a regular vendor suddenly contains different banking details, you call the vendor using a number from your existing records to confirm the change before sending payment.
Some organizations maintain a database of verified vendor banking information and flag any invoice that contains different details. The flag triggers a verification process before payment is authorized.
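One way to implement the verified-vendor flag described here, together with the threshold and banking-change triggers from the verification policy under What Actually Stops BEC, as an added example that is not the article's own code. The vendor master, the threshold, the request shape, the phone-number format, and the sample requests are all assumptions.

```python
"""Hold payments whose bank details differ from the verified vendor record, or exceed a threshold,
until someone calls the vendor at the number on file. Added example, not from the article;
the vendor master, threshold, request shape and samples are assumptions."""
import re
from dataclasses import dataclass

VOICE_VERIFY_THRESHOLD = 10_000   # assumption: above this amount a call is mandatory, whoever asked
PHONE_RE = re.compile(r"\+\d{1,3}(?:[\s-]\d{3,4}){2,3}")   # assumption: international format


@dataclass
class Vendor:
    name: str
    verified_phone: str        # from your own records, never from an email
    verified_accounts: set     # normalized account identifiers already confirmed by phone


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    account: str               # account details as printed on the invoice or in the email
    email_text: str = ""       # the covering email, if the request arrived by email


def normalize_account(acct):
    """'DE89 3704 0044 0532 0130 00' and 'de89-3704-0044-...' compare equal."""
    return re.sub(r"[\s\-]", "", acct).upper()


def digits(s):
    return re.sub(r"\D", "", s)


def gate(req, vendors):
    """Return the reasons the payment must be held for voice verification; empty means release.
    Every hold names the number to call, taken from the vendor record, not from the email."""
    v = vendors.get(req.vendor_id)
    if v is None:
        return ["unknown vendor: create and verify a record before paying"]
    holds = []
    if normalize_account(req.account) not in v.verified_accounts:
        holds.append(f"account {req.account!r} is not a verified account for {v.name}")
    if req.amount > VOICE_VERIFY_THRESHOLD:
        holds.append(f"amount {req.amount:,.2f} exceeds the voice-verification threshold")
    if holds:
        for found in PHONE_RE.findall(req.email_text):
            if digits(found) != digits(v.verified_phone):
                holds.append(f"email offers callback number {found}; ignore it")
        holds.append(f"call {v.name} at {v.verified_phone} (from records) before releasing")
    return holds


def record_phone_confirmation(req, vendors):
    """After a call to the number on file confirms the new account, persist it as verified."""
    vendors[req.vendor_id].verified_accounts.add(normalize_account(req.account))


# Constructed vendor master and requests.
VENDORS = {"acme": Vendor("Acme Supply", "+1 555 010 0100",
                          {normalize_account("DE89 3704 0044 0532 0130 00")})}
ROUTINE = PaymentRequest("acme", 4_500.00, "DE89 3704 0044 0532 0130 00")
CHANGE = PaymentRequest("acme", 4_500.00, "GB29 NWBK 6016 1331 9268 19",
                        "We have updated our banking details. Questions? Call +1 555 010 0199.")
LARGE = PaymentRequest("acme", 48_000.00, "DE89370400440532013000")
UNKNOWN = PaymentRequest("newco", 900.00, "FR7630006000011234567890189")

if __name__ == "__main__":
    for label, req in (("ROUTINE", ROUTINE), ("CHANGE", CHANGE),
                       ("LARGE", LARGE), ("UNKNOWN", UNKNOWN)):
        print(label, gate(req, VENDORS) or ["release"])
```

CHANGE is the vendor email compromise case from the sections above: the invoice is real and the email comes from the vendor's domain, but the account is new, so the payment holds until a call to the number on file confirms it, and the callback number the email helpfully supplies is explicitly ignored. Once record_phone_confirmation has been run for that account, the same request releases.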
The CEO Fraud Lifecycle
The most common BEC variant impersonates the CEO requesting an urgent wire transfer. The attack follows a predictable sequence.
First, the attacker researches the organization to identify the CEO's name, communication style, and typical requests. They identify the employee most likely to have authority to initiate wire transfers: the CFO, the controller, an accounts payable manager.
Second, they send a test email to gauge the employee's response. The test might be a benign request: "Are you at your desk?" or "I need you to handle something for me." If the employee responds, the attacker knows they're engaged and moves to the next phase.
Third, the attacker sends the fraudulent payment request. The email creates urgency, provides a plausible reason for the transfer, and discourages verification. The employee, having already engaged with what they believe is their CEO, processes the request.
The attack succeeds because each step builds on the previous one. The initial engagement establishes the conversation as legitimate. The urgency prevents the employee from questioning the request. The power dynamic makes pushing back feel risky.
Organizations disrupt this sequence by training employees to recognize the pattern and by implementing verification requirements that can't be bypassed by urgency or authority. The CEO can ask for a wire transfer, but the policy still requires voice confirmation before the transfer executes.
What to Do If You Suspect BEC
If you receive an email that might be a BEC attempt, the first step is to stop. Don't respond. Don't click any links. Don't open any attachments. Don't initiate the requested action.
The second step is to verify through a separate channel. Call the person who supposedly sent the email using a phone number from your company directory or a previously verified source. Explain what you received and ask if they sent it. If they didn't, you've just stopped a BEC attack.
The third step is to report it. Forward the email to your IT or security team, as an attachment rather than inline so the original headers survive, so they can investigate whether the sender's account was compromised, whether other employees received similar emails, and whether technical controls need adjustment. If the email impersonated an external party, notify that organization so they can investigate a potential compromise of their systems.
If you already initiated a wire transfer based on a BEC email, the fourth step is immediate escalation. Contact your bank's fraud department, file an IC3 report, and notify your organization's leadership and legal team. The faster you act, the better your chances of recovery.
The psychological pressure to comply with what appears to be a legitimate request from an executive is real. Recognizing that pressure as part of the attack is the first step toward resisting it.
The Long-Term Defense
BEC attacks succeed because they exploit trust, urgency, and hierarchy. The long-term defense is building organizational processes that can't be bypassed by a convincing email.
That means mandatory verification for payment requests, regardless of who sends them. It means training employees to recognize the tactics attackers use and empowering them to question requests that feel wrong. It means creating a culture where verification isn't seen as distrust, but as a routine safeguard.
It also means accepting that email is not a secure channel for authorizing financial transactions. Email was designed for convenience, not authentication. Treating it as a trusted medium for high-value decisions creates the vulnerability that BEC exploits.
Organizations that treat BEC as a procedural problem rather than a technical problem see better results. The solution isn't a smarter spam filter. It's a policy that says "we verify before we act," enforced consistently across the organization, with no exceptions for urgency or authority.
The attackers are patient, methodical, and adaptive. They study your organization, identify your weak points, and craft attacks designed to exploit specific people in specific roles. The defense has to be just as deliberate.



