Prior reconnaissance: the attacker studies the corporate website, LinkedIn and public records through OSINT to identify who orders payments, who approves them and which suppliers the company pays. The better the imitation of real workflows, the less suspicion it raises.
What is Business Email Compromise (BEC)
Business Email Compromise (BEC), often called CEO fraud, is a targeted scam in which the attacker impersonates an executive, a colleague or a supplier to get an employee with payment authority to execute a transfer or change the bank details on an invoice. It is not mass phishing: it is a prepared attack, with prior reconnaissance of the company, its organisation chart and its business relationships, and a tailor-made message that leans on authority, urgency and confidentiality. It is social engineering in its purest form: it needs no malware and no exploits, just a credible email at the right moment and a payments process that depends exclusively on email.
Why it matters
Because year after year it is the cybercrime category with the highest reported direct financial losses: the FBI's IC3 attributes billions of dollars annually to it, far ahead of ransomware, and the real figures are higher because many victims never report. It hits SMEs squarely: one convincing email to the finance team can wipe out a whole year's margin in an afternoon. BEC's effectiveness comes from what it lacks: with no malicious attachments, no links to fraudulent sites and no malware, technical filters have very little to analyse, and a well-written message from a lookalike domain — or from the genuinely compromised mailbox of a supplier — sails through unnoticed. Recent developments make it worse: language models remove the typos and clumsy phrasing that used to give scammers away, and voice deepfakes now let the "finance director" confirm the transaction over the phone. The good news is that the controls that stop it are organisational and cheap: out-of-band verification, dual approval of payments and a culture where questioning an urgent instruction is never penalised.
Key points
Sender impersonation: through domain spoofing, lookalike domains registered for the occasion or, in the most dangerous variant, from the genuinely compromised mailbox of an executive or supplier, with access to real threads and invoices.
Main variants: classic CEO fraud (the “director” orders an urgent, confidential transfer), vendor email compromise or VEC (the IBAN on a real invoice is altered) and payroll diversion (HR receives a request to change an employee's bank account).
No malware, no links: the typical BEC email is plain text and perfectly legitimate in the eyes of a filter. Antispam gateways and antivirus engines analyse attachments and URLs; against a message that contains nothing but a payment instruction, their detection capability is minimal.
Psychological levers: authority (the boss is asking), urgency (it must be paid today), confidentiality (tell no one, it is a private deal) and routine (just another invoice from the usual supplier). The goal is to make the victim act without triggering the normal procedure.
Controls that work: out-of-band verification of every account change or unusual instruction (a call to the known number), dual approval for payments above a threshold, DMARC at reject, multi-factor authentication on email and targeted training for the finance team.
Example: the confidential 240,000-euro transfer
Friday, 13:40. The treasury manager at an exporting company receives an email from the CEO, who is travelling at a trade fair: the company is about to close the acquisition of a small competitor and a 240,000-euro deposit must be sent today to the law firm brokering the deal; it is confidential and must not be discussed with anyone until the announcement. The tone is the CEO's usual one, the fair is mentioned correctly, and a supposed external lawyer is copied in, replying instantly to confirm the details. The sender's address uses a domain almost identical to the corporate one, registered 48 hours earlier. Time pressure, authority and secrecy do the rest: the transfer leaves before 15:00 and by Monday the money has already hopped through three intermediary banks.
The same attack fails against two cheap controls: a procedure requiring phone confirmation — on the number always used, not the one in the email — of any unplanned payment above 10,000 euros, and dual sign-off by two people for transfers of that size. Neither depends on the attacker's technology. From there, the technical and human layers add up: DMARC and lookalike-domain monitoring to detect the impersonation, a corporate email audit to rule out hidden forwarding rules and unauthorised access, and targeted training for the finance team with simulations of this exact fraud, because anyone who has seen it once in an exercise recognises it when it arrives for real.
Common mistakes
- Trusting the email filter to catch it. BEC is designed precisely so there is nothing for filters to analyse: no attachment, no link, no malware. The main defence is process (verification and dual approval), not the gateway.
- Verifying an account change by replying to the very email or calling the phone number it contains. If the message is fraudulent, the “confirmation” will be too. Verification only counts if it uses a previously known channel and contact.
- Assuming it only affects large corporations. Scammers automate reconnaissance and attack at volume: an SME with a single administrator and international payments is an easier target than a multinational with segregated treasury functions.
- Treating the incident as the employee's personal failure rather than a process failure. Punishing whoever fell for it guarantees the next attempt is not reported in time; without immediate notification to the bank and the police, the chances of recovering the money collapse.
- Believing DMARC and MFA solve the problem on their own. They are necessary, but they do not stop a lookalike domain registered yesterday or a real supplier whose mailbox has been compromised. Without out-of-band verification of payments, the financial link stays exposed.
Related services
This concept may be related to services such as:
Frequently asked questions
Why does BEC get past email filters?
Because it contains none of the elements filters know how to analyse: no malicious attachments, no links to fraudulent sites, no malware signatures. It is an apparently legitimate text message, often sent from a real domain — either similar to the corporate one or genuinely compromised. The most effective protections are contextual: external-sender banners, detection of newly registered domains and anomaly analysis of communication patterns.
What should I do if the transfer has already gone out?
Act in minutes, not days. Call the bank immediately to request a freeze or recall of the funds, notify the receiving bank if known, and report to the police, providing the original emails with full headers. In international transactions, the useful window is usually 24 to 72 hours before the money is split across mule accounts. If a cyber insurance policy exists, notify the insurer as well.
Are DMARC and multi-factor authentication enough to prevent BEC?
No. DMARC prevents exact forgery of your domain and MFA makes mailbox compromise harder, and both should be in place. But the attacker can use a lookalike domain registered the day before, or the legitimate mailbox of an already-compromised supplier, and no technical control validates that the payment instruction is genuine. The last line of defence is always procedure: out-of-band verification and dual approval.
What role do deepfakes play in this fraud?
They close off the informal verification route. Until recently, a phone call was enough to unravel the scam; today there are documented cases of executives' voices being cloned and even faked video calls used to confirm multi-million transfers. The answer is to strengthen the procedure, not abandon it: call back on a previously known number, use agreed passphrases for sensitive transactions and keep dual approval independent of the channel.