Table of Contents

Business Email Compromise How Scammers Trick Your Team Into Wiring Money

Picture of CyberDuo
CyberDuo

An email comes in from your CEO. She is traveling, a deal is closing, and she needs you to wire $48,000 to a new vendor today. The tone is right, the signature is right, and she asks you to keep it quiet until the announcement. So you send it. Two days later you find out she never sent that email, and the money is gone.

That is business email compromise, or BEC, and it is one of the most expensive cybercrimes in the world. According to the FBI’s Internet Crime Complaint Center, BEC drove $2.77 billion in reported losses in 2024 alone across more than 21,000 complaints, making it the second costliest category of cybercrime. The losses are concentrated where the money and the businesses are, with California reporting the highest total losses of any state. Here is how the scam works, why it slips past your security tools, and how to stop your team from becoming the next number in that report.

What BEC actually is

Business email compromise is fraud built on impersonation. An attacker poses as someone your team trusts, an executive, a vendor, a lawyer, or a client, and uses that trust to trick an employee into sending money or changing payment details.

What makes BEC different from the cyberattacks people picture is what it does not include. There is usually no malware, no malicious attachment, and no suspicious link to click. It is pure social engineering. The attacker is not breaking your technology, they are manipulating your people, and that is exactly why it works so well.

Why it gets past your security

Most email security tools were built to catch the obvious stuff: spam, viruses, and links to bad websites. A BEC email has none of those. It is often just plain text, sent from a real or convincing address, asking for something that sounds like a normal business request.

It exploits three things every workplace has: trust in authority, the routine of paying invoices and processing requests, and urgency that pushes people to act before they think. A message that says “I need this done in the next hour and I am about to board a flight” is engineered to short-circuit the part of your brain that would otherwise pause and verify.

The problem is getting worse, not better. Generative AI now lets attackers write flawless, professional emails that perfectly match the tone of a real executive or vendor, with no typos or awkward phrasing to give them away. Security researchers tracked a 54% jump in BEC attack volume between 2023 and 2024, and the AI-written ones are far harder to spot by eye.

The common plays

BEC shows up in a handful of recognizable forms:

Executive fraud. A message that appears to come from the CEO or CFO asking for an urgent wire transfer, often with a request for secrecy. The authority plus the urgency is the whole trick.

Vendor and invoice fraud. This is the scariest version. An attacker compromises a real vendor’s email account, then emails you from their genuine address saying their banking details have changed and future payments should go to a new account. Because the email is truly from your vendor, nothing looks wrong. You pay the next legitimate invoice straight into the criminal’s account.

Payroll diversion. An email pretending to be an employee asks HR or payroll to update their direct deposit information, redirecting their paycheck to the attacker.

Closing and wire fraud. Common in real estate, escrow, and any deal with a large scheduled payment, where attackers insert fake wiring instructions at the moment money is supposed to move. Law firms handling client funds and transactions are a frequent target.

In every case, the pattern is the same: a trusted sender, a believable request, a sense of urgency, and a payment that goes to the wrong place.

How to protect your business

There is no single product that stops BEC, because it targets people and process, not just technology. The businesses that beat it layer three kinds of defense.

Process controls, the most important layer. Verify every payment request and every change to banking details out of band, meaning through a channel other than the email itself. Call the person back on a phone number you already have on file, never the number in the email. Require dual approval for wire transfers above a set amount. Put a written callback policy in place so verifying is the default, not the exception. This one habit, confirming by phone before money moves, prevents the majority of BEC losses.

Technical controls. Turn on multifactor authentication everywhere, so a stolen password alone cannot take over a mailbox. Configure email authentication, SPF, DKIM, and DMARC, to make your domain harder to spoof. Deploy advanced anti-phishing and impersonation protection. Flag external emails so a message that looks internal but is not stands out. And monitor for suspicious mailbox forwarding rules, which are a telltale sign that an account has already been taken over and is being quietly watched.

Your people. Regular security awareness training and simulated phishing tests teach your team to recognize the pressure tactics and to slow down on money requests. The goal is a culture where pausing to verify an urgent wire is normal and expected, not an insult to the boss.

If it happens to you, move fast

Speed is everything in BEC recovery. If a fraudulent transfer goes out, contact your bank immediately to try to halt or reverse it, then report it to the FBI at ic3.gov. The FBI’s Recovery Asset Team has had real success freezing fraudulent transfers when victims report quickly, but that window is measured in hours and days, not weeks. The faster you act, the better your odds of getting the money back.

How we help

Stopping BEC is exactly the kind of layered work that sits at the intersection of IT and security, which is what we do. We harden Microsoft 365 against account takeover, configure email authentication and impersonation protection, monitor for the malicious mailbox rules that signal a compromise through our in-house 24/7 SOC, and run ongoing security awareness training so your team is the strong link instead of the weak one. This is core protection for any business that moves money by email, and it matters most for financial services firms and law firms, where a single wire can be six figures.

If you run one of the many businesses around Los Angeles that move money by email every week, reach out. We will review how your team handles payment requests, close the gaps an attacker would target, and put the controls in place before someone tests them. You can see more of our approach on our cybersecurity services page.

Talk to our team