Scam Types · March 2, 2026 · Leo

Business Email Compromise (BEC): The $2.7 Billion Scam Explained

TLDR

Business Email Compromise (BEC) is when an attacker impersonates a company executive, vendor, or business partner via email to trick employees into transferring money or sensitive data. The FBI reports BEC caused $2.7 billion in losses in a single year, making it the highest-dollar cybercrime category. Unlike mass phishing, BEC targets specific individuals with customized emails.

How BEC Differs from Regular Phishing

| Feature | Mass Phishing | BEC |
|---|---|---|
| Target | Thousands of random people | Specific individual at a company |
| Personalization | Generic ("Dear Customer") | Uses real names, roles, projects |
| Goal | Steal login credentials | Wire transfer or data theft |
| Technical sophistication | Fake website + link | Email spoofing or account compromise |
| Average loss | $200-$500 per victim | $125,000+ per incident |
| Volume | Millions of emails | One carefully crafted email |

The Five BEC Attack Types

Type 1: CEO Fraud

The attacker impersonates the CEO or CFO and emails a finance team member:

"I need a wire transfer processed today for an acquisition we are closing. This is confidential - do not discuss with others. I'll send the details shortly."

The urgency, authority, and secrecy prevent the employee from verifying through normal channels.

Type 2: Vendor Invoice Manipulation

The attacker compromises or spoofs a vendor's email and sends a modified invoice with the attacker's bank account details:

"Please note our banking information has changed. All future payments should be directed to the following account..."

Type 3: Account Compromise

An employee's actual email account is compromised (often through phishing). The attacker monitors emails, learns business patterns, and then sends requests from the real account.

Type 4: Attorney Impersonation

The attacker poses as a law firm handling a time-sensitive legal matter:

"This is regarding a confidential legal matter. We need an immediate wire transfer to hold funds in escrow. Time is of the essence."

Type 5: Data Theft

Instead of requesting money, the attacker asks HR for employee W-2 forms, payroll data, or personally identifiable information.

The Domain Infrastructure

ScamVerify™ URLhaus data reveals which domain types are used in BEC infrastructure:

| TLD | Malicious Domains | BEC Relevance |
|---|---|---|
| .com | 59,876 | Most common for spoofed business domains |
| .org | 3,996 | Used for institutional/nonprofit impersonation |
| .net | 4,000 | Used for IT/technology vendor impersonation |

The 3,996 malicious .org domains are particularly relevant to BEC because .org carries an institutional credibility signal. An email from legal@company-name.org appears more authoritative than the same from a .com or other TLD.

BEC attackers also register lookalike domains: company-name.com vs cornpany-name.com (the m in "company" replaced with rn) or company-narne.com (the same rn-for-m swap in "name").

Red Flags for BEC

  1. Urgent wire transfer request from a senior executive
  2. "Keep this confidential" or "do not discuss with others"
  3. Changed banking details from a known vendor
  4. Email sent outside normal business hours or from an unusual device
  5. Slight variation in email address (one character different from the real address)
  6. Pressure to bypass normal approval processes
  7. Reply-To address that differs from the From address
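Two of the red flags above (a Reply-To domain that differs from the From domain, and a From address one character off the real one) and the lookalike-domain examples earlier on the page can be checked mechanically before a message reaches the finance team. The following script is an added example, not code from the original post or from ScamVerify; the known-domain list, the homoglyph pairs and the sample message are constructed for illustration.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr

# Constructed for the example: domains this organisation legitimately exchanges mail with.
KNOWN_DOMAINS = {"company-name.com", "trusted-vendor.com"}
# Character pairs that look alike in common fonts; the page's own example is m vs rn.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"), ("1", "l")]

def normalize(domain: str) -> str:
    # Collapse look-alike sequences so cornpany-name.com compares equal to company-name.com.
    d = domain.lower()
    for fake, real in HOMOGLYPHS:
        d = d.replace(fake, real)
    return d

def lookalike_of(domain: str):
    # Return the known domain that `domain` imitates, or None if it is exact or unrelated.
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        # Homoglyph match, or a near-identical string (one or two characters off).
        near = difflib.SequenceMatcher(None, domain, known).ratio() >= 0.9
        if normalize(domain) == normalize(known) or near:
            return known
    return None

def bec_red_flags(raw_email: str) -> list:
    # Header checks for one RFC 822 message; returns the flags raised (empty list = none).
    msg = message_from_string(raw_email)
    flags = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    if reply_domain and reply_domain != from_domain:
        flags.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    target = lookalike_of(from_domain)
    if target:
        flags.append(f"From domain {from_domain} is a lookalike of {target}")
    return flags

# Constructed sample message that combines two red flags from the list above.
SAMPLE = """From: CEO <ceo@cornpany-name.com>
Reply-To: ceo.private@webmail-example.test
Subject: Urgent wire transfer

Please process this today and keep it confidential.
"""
```

Running `bec_red_flags(SAMPLE)` returns both a Reply-To mismatch and a lookalike flag; a mail gateway rule or a SOAR playbook can apply the same two checks to every inbound message addressed to finance or HR.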

How to Protect Your Business

Technical Controls

  • Enable DMARC with a reject policy on your domain
  • Configure SPF to authorize only your legitimate sending servers
  • Enable DKIM signing for all outbound email
  • Require two-factor authentication on all email accounts
  • Use email security tools that flag external emails and lookalike domains
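The first three controls are DNS TXT records, and the common failure is publishing them in a non-enforcing form (SPF ending in `~all`, DMARC with `p=none`). The audit below is an added example, not from the original post or from ScamVerify; the `WEAK` and `HARDENED` records are constructed for an imaginary domain and are not real zone data.

```python
# Constructed DNS TXT records for an imaginary domain; not real zone data.
WEAK = {
    "company-name.com": "v=spf1 include:_spf.mail-provider.test ~all",
    "_dmarc.company-name.com": "v=DMARC1; p=none; rua=mailto:dmarc@company-name.com",
}
HARDENED = {
    "company-name.com": "v=spf1 include:_spf.mail-provider.test -all",
    "_dmarc.company-name.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@company-name.com",
}

def parse_dmarc(record: str) -> dict:
    # Split "v=DMARC1; p=reject; rua=..." into a tag dictionary.
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags

def audit_domain(domain: str, records: dict) -> list:
    # Return the weaknesses that let a spoofed From: header through; empty means enforcing.
    findings = []
    spf = records.get(domain, "")
    terms = spf.split()
    if not terms or terms[0].lower() != "v=spf1":
        findings.append("no SPF record: receivers cannot tell which servers may send as this domain")
    elif "+all" in terms or "all" in terms:  # a bare "all" means "+all"
        findings.append("SPF ends with +all: every server on the internet is authorized")
    elif "~all" in terms:
        findings.append("SPF ends with ~all (softfail): spoofed mail is marked, not rejected")
    elif "-all" not in terms:
        findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
    tags = parse_dmarc(records.get("_dmarc." + domain, ""))
    if tags.get("v") != "DMARC1":
        findings.append("no DMARC record: SPF/DKIM results are never tied to the From: domain")
        return findings
    policy = tags.get("p", "none")
    if policy != "reject":
        findings.append(f"DMARC p={policy}: mail failing authentication is not rejected")
    if int(tags.get("pct", "100")) < 100:
        findings.append("DMARC pct below 100: the policy applies to only part of failing mail")
    if "rua" not in tags:
        findings.append("no rua tag: you will not receive aggregate reports showing who spoofs you")
    return findings
```

To run it against a live domain, fetch the two TXT records with your resolver of choice and pass them in the same `{name: record}` shape; the weak set above yields two findings and the hardened set yields none.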

Process Controls

  • Dual authorization for all wire transfers above a threshold
  • Verbal verification (call the requester on a known number) for any change in payment details
  • Out-of-band confirmation for any unusual financial request, regardless of who it appears to come from
  • Training for all employees who handle financial transactions or sensitive data

FAQ

Why is BEC so much more expensive than other scams?

BEC targets businesses with significant financial resources and the ability to move large sums quickly. A single successful BEC attack on a mid-size company can net $100,000 or more. The FBI reported one case involving a $60 million fraudulent transfer.

Can email authentication (SPF/DKIM/DMARC) prevent BEC?

It helps significantly but does not eliminate the risk. DMARC prevents direct domain spoofing (someone sending as your-company.com from an unauthorized server). However, attackers can register lookalike domains (your-cornpany.com) and configure proper authentication on those domains. Use ScamVerify's email checker to analyze suspicious emails.

What should I do if my company falls victim to BEC?

  1. Contact your bank immediately to request a wire recall (time is critical - within 24 hours)
  2. File a complaint with the FBI's IC3 (ic3.gov)
  3. Contact your insurance provider if you have cyber insurance
  4. Preserve all email evidence
  5. Engage a cybersecurity firm to investigate the compromise

Photo by Christin Hume on Unsplash
