What is Business Email Compromise (BEC)?
Last reviewed by Moderation API
Business email compromise, or BEC, is a targeted fraud in which attackers impersonate an executive, employee, or trusted vendor over email to redirect wire transfers, payroll deposits, or invoice payments into accounts they control. Unlike commodity phishing or ransomware, BEC relies almost entirely on social engineering: spoofed domains, compromised mailboxes, and carefully timed requests. No malicious attachment, no exploit, nothing for an endpoint agent to catch.
That is also why it is so expensive. The FBI Internet Crime Complaint Center (IC3) has consistently ranked BEC as the single highest-loss corporate cybercrime category, reporting roughly $2.7 to $2.9 billion in adjusted annual losses in recent years, and cumulative losses since 2013 above $50 billion globally.
The main variants
BEC is not one attack but a family of closely related schemes.
The most recognizable is CEO fraud: the attacker impersonates a chief executive emailing the finance team with an "urgent and confidential" wire request, often timed to coincide with travel or a live M&A deal. Vendor invoice fraud, also called supplier swap, involves compromising or spoofing a known supplier and sending a legitimate-looking invoice with updated banking details.
Payroll diversion targets HR with a request from a "current employee" to reroute their direct deposit. Attorney impersonation leans on urgency around legal settlements. Real estate wire fraud intercepts closing-cost transfers between buyers, title companies, and escrow agents, a category the FBI has repeatedly warned consumers about.
The attack chain
A successful BEC begins with reconnaissance. Attackers harvest organizational charts from LinkedIn, identify finance approvers, and study writing style from public filings or leaked threads. They then either register a look-alike domain (swapping an "rn" for an "m," or using a different top-level domain) or compromise a real mailbox through credential phishing and mailbox rules that silently forward and delete.
Once inside, the attacker waits.
Real invoice discussions and payment handoffs happen on their own schedule, and the attacker injects themselves into the thread at the critical moment. The money leaves through a network of mule accounts, usually passing through domestic banks before being layered into cryptocurrency or routed overseas, often within hours.
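The look-alike domains described above ("rn" for "m", a swapped top-level domain) are something a mail gateway or a log review can check for mechanically. The following is an added example written for this page, not code from the article or from any vendor: it compares a sender's domain against a constructed list of trusted domains (`TRUSTED_DOMAINS`, an assumption for the example), canonicalises common confusable character sequences, and falls back to edit distance for typo-style registrations. The confusable table and thresholds are illustrative choices, and the domain split assumes a simple two-label suffix such as `.com`.

```python
# Added example: flag sender domains that imitate domains an organisation trusts.
# TRUSTED_DOMAINS and the sample senders are constructed for this example.

TRUSTED_DOMAINS = ["example.com", "acme-supplier.com"]

# Confusable sequences seen in look-alike registrations, mapped to one canonical form.
# Order matters: "rn" is folded to "m" before single-character substitutions.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"))


def canonical(label):
    """Fold confusable sequences so 'exarnple' and 'examp1e' both become 'example'."""
    label = label.lower()
    for src, dst in CONFUSABLES:
        label = label.replace(src, dst)
    return label


def registrable_parts(domain):
    """Split 'sub.example.com' into ('example', 'com').

    Assumption: two-label public suffixes such as 'co.uk' are not handled here.
    """
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def levenshtein(a, b):
    """Standard edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(domain, trusted=TRUSTED_DOMAINS):
    """Return a verdict of 'trusted', 'lookalike' or 'unrelated' with the reasons."""
    d = domain.lower().strip()
    for t in trusted:
        if d == t or d.endswith("." + t):
            return {"verdict": "trusted", "match": t, "reasons": []}

    name, tld = registrable_parts(d)
    for t in trusted:
        tname, ttld = registrable_parts(t)
        same_name = canonical(name) == canonical(tname)
        # Allow one typo for short names, two for longer ones (illustrative threshold).
        distance = levenshtein(name, tname)
        close_name = not same_name and distance <= (1 if len(tname) < 7 else 2)
        if not (same_name or close_name):
            continue
        reasons = []
        if same_name and name != tname:
            reasons.append("confusable characters")
        if close_name:
            reasons.append("edit distance %d" % distance)
        if tld != ttld:
            reasons.append("different top-level domain")
        if reasons:
            return {"verdict": "lookalike", "match": t, "reasons": reasons}
    return {"verdict": "unrelated", "match": None, "reasons": []}


def flag_senders(addresses):
    """Run the classifier over 'user@domain' addresses and keep only the look-alikes."""
    flagged = []
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1]
        result = classify_sender_domain(domain)
        if result["verdict"] == "lookalike":
            flagged.append((addr, result["match"], result["reasons"]))
    return flagged


if __name__ == "__main__":
    # Constructed sample senders, as they might appear in a gateway log.
    sample = [
        "cfo@example.com",
        "cfo@exarnple.com",
        "billing@acme-supp1ier.com",
        "cfo@example.co",
        "news@unrelated.org",
    ]
    for hit in flag_senders(sample):
        print(hit)
```

A real deployment would also record newly seen domains and their registration age, since a domain registered days before a banking-change request is a stronger signal than spelling alone.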
Landmark cases
- Facebook and Google (2013 to 2015): Lithuanian national Evaldas Rimasauskas impersonated hardware supplier Quanta Computer and tricked the two companies into wiring more than $100 million combined. He was extradited to the U.S. and sentenced to five years in prison.
- Toyota Boshoku (2019): The Japanese auto parts supplier disclosed a $37 million loss after a BEC attack targeting its European subsidiary.
- Scoular Company (2014): The Nebraska-based commodities trader lost $17.2 million after an attacker impersonated the CEO during a confidential "acquisition."
- Arup (2024): The British engineering firm lost roughly $25 million in Hong Kong after a finance employee joined a video call in which every other colleague, including the CFO, was a deepfake. It is the clearest public example so far of BEC moving from text into AI-generated voice and video.
Defenses that actually work
Because BEC exploits trust rather than software flaws, defenses have to combine email authentication, process controls, and human training. Enforcing DMARC, DKIM, and SPF with a reject policy dramatically reduces spoofing of owned domains. Phishing-resistant multi-factor authentication, ideally FIDO2 security keys, prevents the mailbox takeovers that power the most damaging variants.
Process is where most organizations lose the fight.
Any change in banking details should require out-of-band verification through a callback to a known number. Large wires should sit behind dual approval. "Urgent and confidential" should register as a red flag rather than a directive. Communication and content platforms can add another layer by surfacing BEC-adjacent signals: newly registered look-alike domains, impersonation language, and suspicious links appearing in user-facing channels.
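"Enforcing DMARC, DKIM, and SPF with a reject policy" is easy to state and easy to get partially wrong: a DMARC record at `p=none` or `pct=50`, or an SPF record ending in `+all`, leaves the domain spoofable while looking configured. The block below is an added example, not code from the article, that parses a DMARC TXT record and an SPF record and lists the weaknesses a reviewer would raise. The four sample records are constructed for the example and belong to no real organisation; the code deliberately takes record strings as input rather than querying DNS so it runs offline.

```python
# Added example: assess DMARC and SPF TXT records for settings that leave a domain spoofable.
# All four sample records below are constructed and do not describe any real domain.

WEAK_DMARC = "v=DMARC1; p=none; pct=50; rua=mailto:dmarc@example.com"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"
WEAK_SPF = "v=spf1 include:_spf.example.net a mx ptr +all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"

# SPF terms that cost a DNS lookup; RFC 7208 limits a record to 10 of them.
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def parse_dmarc(txt):
    """Split 'tag=value; tag=value' into a lower-cased tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return a list of findings; an empty list means nothing to raise."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return ["not a DMARC1 record"]
    findings = []
    policy = tags.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered and only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is sent to spam instead of rejected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append("pct=%d: only %d%% of failing mail is subject to the policy" % (pct, pct))
    subdomain_policy = tags.get("sp", policy).lower()  # sp inherits from p when absent
    if subdomain_policy != "reject":
        findings.append("sp=%s: subdomains can still be spoofed" % subdomain_policy)
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so abuse of the domain stays invisible")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() != "s":
            findings.append("%s=r: relaxed alignment, a pass on any subdomain of the "
                            "organisational domain counts" % tag)
    return findings


def assess_spf(txt):
    """Return a list of findings for an SPF record string."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    lookups = 0
    all_qualifier = None
    for term in terms[1:]:
        t = term.lower()
        qualifier = "+"  # default qualifier when none is written
        if t[0] in "+-~?":
            qualifier, t = t[0], t[1:]
        # Strip ':value', '=value' and '/cidr' to get the bare mechanism name.
        name = t.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
        if name == "ptr":
            findings.append("ptr mechanism is deprecated and unreliable")
    if all_qualifier is None:
        findings.append("no 'all' term: unlisted senders get a neutral result")
    elif all_qualifier == "+":
        findings.append("+all: any host on the internet may send as this domain")
    elif all_qualifier == "?":
        findings.append("?all: neutral result, unlisted senders are not penalised")
    elif all_qualifier == "~":
        findings.append("~all: softfail, unlisted senders are usually still delivered")
    if lookups > 10:
        findings.append("%d DNS-lookup mechanisms: over the limit of 10, record evaluates "
                        "to permerror" % lookups)
    return findings


if __name__ == "__main__":
    for label, record, fn in (("weak DMARC", WEAK_DMARC, assess_dmarc),
                              ("strong DMARC", STRONG_DMARC, assess_dmarc),
                              ("weak SPF", WEAK_SPF, assess_spf),
                              ("strong SPF", STRONG_SPF, assess_spf)):
        print(label, "->", fn(record) or ["ok"])
```

To use this against a live domain, fetch the TXT records for `_dmarc.<domain>` and `<domain>` with your resolver of choice and pass the strings in; the assessment logic is the same. Note that a clean DMARC and SPF record only protects domains you own, which is why the look-alike domain checks and the callback procedure above remain necessary.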
