Business Email Compromise - BEC for short - doesn't get the headlines that ransomware does. There are no dramatic locked screens, no countdown timers, no panicked phone calls to IT. BEC is quiet. Professional. And according to the FBI's latest figures, it caused $2.9 billion in reported losses last year alone.
The real number is almost certainly much higher, because many victims never report it.
How BEC Actually Works
The mechanics are deceptively simple. An attacker gains access to - or convincingly impersonates - a business email account. They then use that access to manipulate people into sending money or sensitive information.
The most common variants:
CEO fraud. An attacker impersonates a senior executive and emails the finance team with an urgent payment request. "I need you to wire £45,000 to this account for the acquisition we discussed. Handle this personally and keep it confidential until the announcement."
Invoice manipulation. The attacker intercepts a legitimate invoice - or creates a convincing fake - and changes the bank details. The client pays what they think is a legitimate invoice, and the money vanishes.
Account compromise. The attacker actually breaks into an email account (usually via phishing or credential stuffing) and operates from it. They read ongoing conversations, understand relationships and deal flows, and strike at exactly the right moment with exactly the right message.
Why It Works So Well
BEC exploits trust, not technology. The emails are well-written, contextually appropriate, and come from - or appear to come from - trusted sources. There's no malware to detect, no suspicious attachments, no obviously malicious links. Just a persuasive email from someone you trust asking you to do something that seems reasonable.
The amounts are often calibrated to be large enough to be profitable but small enough to avoid triggering fraud alerts. And the urgency is always carefully crafted: time pressure combined with confidentiality requirements that discourage the recipient from verifying through other channels.
The Email Infrastructure Defence
BEC prevention starts with making impersonation difficult:
DMARC with a strict policy. When your domain publishes a DMARC policy of "reject," receiving mail servers block messages that fail authentication. An attacker can't send emails that appear to come from your domain - they'll be rejected before delivery.
Two-factor authentication. This prevents the "account compromise" variant entirely. Even if an attacker gets a password, they can't access the account without the second factor.
Email encryption. Encrypted email in transit prevents the interception of messages that attackers need for their reconnaissance phase.
Access logging. If an account is compromised, detailed access logs help detect unauthorised access quickly - before the attacker has time to study conversations and plan their attack.
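As an added example (not code from the original article), here is a small Python checker that parses a DMARC TXT record and flags the settings that fall short of the "reject" policy recommended above; the domain names and records are constructed for illustration and are not real.

```python
# Constructed sample DMARC TXT records keyed by made-up domain names.
# None represents a domain that publishes no DMARC record at all.
SAMPLE_RECORDS = {
    "example-strict.test": "v=DMARC1; p=reject; rua=mailto:dmarc@example-strict.test; adkim=s; aspf=s",
    "example-monitor.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-monitor.test",
    "example-partial.test": "v=DMARC1; p=quarantine; pct=25; sp=none",
    "example-missing.test": None,
}


def parse_dmarc(record):
    """Split a DMARC record into its tag=value pairs (RFC 7489 'tag; tag' syntax)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record):
    """Return the list of weaknesses that leave exact-domain spoofing possible.

    An empty list means the record enforces 'reject' for the domain and its
    subdomains on 100% of failing mail and requests aggregate reports.
    """
    if record is None:
        return ["no DMARC record: receivers apply no policy to spoofed mail"]
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v") != "DMARC1":
        issues.append("malformed record: missing v=DMARC1, receivers ignore it")
    policy = tags.get("p", "none")  # a missing p tag gives no enforcement
    if policy == "none":
        issues.append("p=none: failures are only reported, not blocked")
    elif policy == "quarantine":
        issues.append("p=quarantine: spoofed mail still lands in spam folders")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100  # an unparseable pct is treated as 100 by receivers
    if pct < 100:
        issues.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if tags.get("sp", policy) == "none":  # sp defaults to the p value
        issues.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        issues.append("no rua: no aggregate reports to reveal spoofing attempts")
    return issues
```

Running `assess_dmarc` over each entry in `SAMPLE_RECORDS` shows only the strict record coming back clean; the monitoring-only and partial records each list the gaps an attacker could still exploit.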
The Human Layer
Technology alone won't stop BEC. You also need a culture where verifying unusual requests is normal, not insulting. A simple policy - "any payment change or unusual financial request must be verified by phone" - would prevent the majority of BEC attacks overnight.
But that policy only works if your email infrastructure makes impersonation hard in the first place. Otherwise, the "verified" email looks legitimate enough that nobody thinks to call.
BEC is growing because it works. Making it not work requires both the right technology and the right habits. Start with the infrastructure, and the habits become much easier to maintain.