Business Email Compromise (BEC) is the highest-loss cybercrime category according to the FBI. In 2024, BEC accounted for over $2.9 billion in reported losses. Unlike ransomware, BEC doesn't require malware — just sophisticated social engineering.

How BEC Works

BEC criminals research a target company, understand its payment processes and key personnel, then either compromise a real email account or create a convincingly fake one to impersonate an executive, vendor, or client.

Common BEC Variants

CEO Fraud

An email appearing to come from the CEO or CFO instructs an employee to transfer funds immediately to a new account — often with urgency and a request for secrecy.

Vendor Impersonation

An email from a "known vendor" requests that future payments be directed to a new bank account. The account belongs to the criminal.

Employee Payroll Fraud

An email to HR or payroll appears to be from an employee requesting a direct deposit change to a new account controlled by the criminal.

Attorney/Lawyer Impersonation

Scammers impersonate lawyers handling a "confidential" transaction that supposedly requires an immediate wire transfer.
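The variants above share a handful of observable traits: an executive's name on an address that is not theirs, a sender domain that is one character away from the real one, a Reply-To that quietly routes answers elsewhere, and urgency or secrecy language around a payment. The following Python script is an added example (not part of the original article) that checks a raw message for those four indicators. The company domain, the executive list, and the two sample messages are constructed for illustration; a real deployment would load them from the directory and the mail gateway.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed reference data (an assumption for this example, not from the article):
# the organisation's own domain and the executives a CEO-fraud mail would impersonate.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com", "john roe": "john.roe@example.com"}
URGENCY_WORDS = ("urgent", "immediately", "confidential", "wire transfer", "new account")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def bec_indicators(raw_message):
    """Return the BEC indicators found in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw_message)
    display, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_addr, reply_addr = from_addr.lower(), reply_addr.lower()
    from_domain = domain_of(from_addr)
    findings = []

    # 1. Display name of a known executive on an address that is not theirs.
    name = " ".join(display.split()).lower()
    if name in EXECUTIVES and from_addr != EXECUTIVES[name]:
        findings.append("executive_display_name_mismatch")

    # 2. Sender domain is a near miss of the company domain (e.g. digit 1 for letter l).
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) <= 2:
        findings.append("lookalike_sender_domain")

    # 3. Replies are routed to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != from_domain:
        findings.append("reply_to_domain_mismatch")

    # 4. Urgency, secrecy or payment language in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + " " + body).lower()
    if any(word in text for word in URGENCY_WORDS):
        findings.append("urgency_language")
    return findings


# Constructed sample messages: one modelled on a CEO-fraud attempt, one ordinary.
FRAUD_MAIL = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <ceo.janedoe@gmail.com>
To: payments@example.com
Subject: Urgent wire transfer - keep confidential

I'm in a meeting and can't talk. Please send the payment to the new account
details below immediately and do not discuss this with anyone.
"""

LEGIT_MAIL = """\
From: "Jane Doe" <jane.doe@example.com>
To: payments@example.com
Subject: Q3 planning notes

Attached are the notes from this morning's session.
"""

if __name__ == "__main__":
    for label, mail in (("fraud", FRAUD_MAIL), ("legit", LEGIT_MAIL)):
        print(label, bec_indicators(mail) or "no indicators")
```

Any single indicator is a reason to route the message for review rather than an automatic verdict; the combination of an executive's display name, a look-alike domain and a payment request is what makes the first sample worth holding until the call-back check described below has been done.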

Prevention for Small Businesses

  1. Implement a call-back verification policy for any payment change request — call the requester on a known number, not the one in the suspicious email.
  2. Enable multi-factor authentication on all email accounts.
  3. Set up email authentication (DMARC, DKIM, SPF) to reduce email spoofing.
  4. Train employees to recognize social engineering tactics.
  5. Require dual authorization for wire transfers above a threshold.
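Step 3 is only as good as the records actually published: an SPF record ending in `+all` or a DMARC policy of `p=none` leaves a domain spoofable even though "email authentication is set up". The script below is an added example (not from the original article) that grades the two TXT records a domain publishes and decides whether a forged From: in that domain would still be delivered by a DMARC-honouring receiver. All record strings are constructed; in practice they would come from a DNS query for the domain and for `_dmarc.<domain>`. DKIM is not evaluated here because checking it means fetching the selector's public key and verifying a signature, which is beyond a record-level review.

```python
# Mechanisms and the redirect modifier that each cost a DNS lookup; RFC 7208
# caps a record at 10, after which receivers return permerror (no protection).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def spf_weaknesses(record):
    """Weaknesses in one SPF TXT record string (empty list = nothing flagged)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf_missing_or_invalid"]
    findings, all_qualifier, lookups = [], None, 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        name = body.split(":")[0].split("=")[0].split("/")[0]
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_TERMS:
            lookups += 1
    if all_qualifier is None:
        findings.append("spf_no_all_mechanism")
    elif all_qualifier == "+":
        findings.append("spf_pass_all")        # anyone may send as the domain
    elif all_qualifier == "?":
        findings.append("spf_neutral_all")
    elif all_qualifier == "~":
        findings.append("spf_softfail_only")   # forgeries are tagged, not refused
    if lookups > 10:
        findings.append("spf_too_many_lookups")
    return findings


def dmarc_weaknesses(record):
    """Weaknesses in one DMARC TXT record string (empty list = nothing flagged)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return ["dmarc_missing_or_invalid"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in POLICY_RANK:
        findings.append("dmarc_policy_missing")
    elif policy == "none":
        findings.append("dmarc_policy_none")   # monitor only: spoofed mail is still delivered
    sub_policy = tags.get("sp", policy).lower()
    if POLICY_RANK.get(sub_policy, 0) < POLICY_RANK.get(policy, 0):
        findings.append("dmarc_subdomain_policy_weaker")
    if int(tags.get("pct", "100")) < 100:
        findings.append("dmarc_partial_enforcement")
    if "rua" not in tags:
        findings.append("dmarc_no_aggregate_reports")  # no visibility into who spoofs you
    return findings


def spoofable(spf_record, dmarc_record):
    """True when a forged From: in this domain would pass a DMARC-honouring receiver,
    i.e. DMARC is absent, invalid or monitor-only. SPF softfail alone does not help
    without DMARC enforcement, which is why the verdict hinges on the DMARC record."""
    weak = set(dmarc_weaknesses(dmarc_record))
    return bool(weak & {"dmarc_missing_or_invalid", "dmarc_policy_missing", "dmarc_policy_none"})


# Constructed sample records (not real domains' data).
WEAK_SPF = "v=spf1 include:_spf.mail-provider.example ~all"
OPEN_SPF = "v=spf1 +all"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.mail-provider.example -all"
MONITOR_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for spf in (WEAK_SPF, OPEN_SPF, STRONG_SPF):
        print(spf, "->", spf_weaknesses(spf) or "ok")
    for dmarc in (MONITOR_DMARC, ENFORCED_DMARC, ""):
        print(repr(dmarc), "->", dmarc_weaknesses(dmarc) or "ok")
    print("spoofable with monitor-only DMARC:", spoofable(STRONG_SPF, MONITOR_DMARC))
```

A domain that starts at `p=none` to collect aggregate reports should move to `p=quarantine` and then `p=reject` once the reports show that all legitimate senders pass; left at `p=none`, the record documents spoofing without preventing it.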

Sources: FBI IC3 Annual Report 2024; CISA (Cybersecurity & Infrastructure Security Agency).