The Attack That Doesn't Need to Hack Anything
Most fraud prevention thinking is organized around technical intrusion — firewalls, endpoint security, multi-factor authentication. Business Email Compromise largely ignores all of it. The most financially damaging form of cyber-enabled payment fraud in the world today does not, in most cases, require the attacker to penetrate a network, plant malware, or exploit a software vulnerability. It requires only a convincing email and an AP or treasury function that processes what appears to be a legitimate instruction.
In 2024 alone, BEC losses totaled $2.77 billion across more than 21,000 reported incidents in the United States, making it the second-costliest category of cybercrime after investment fraud. Across the three-year period from 2022 through 2024, the FBI's Internet Crime Complaint Center documented nearly $8.5 billion in BEC losses. And those figures, as the FBI consistently notes, reflect only what is reported — organizations frequently absorb losses quietly rather than face reputational exposure or client backlash.
The Association for Financial Professionals' 2025 Fraud and Control Survey found that 63% of organizations experienced BEC in the prior year. For finance leaders, this is not background noise. It is the operating environment.
What BEC Is — and What It Is Not
Business Email Compromise is a targeted fraud scheme in which an attacker impersonates a trusted party — an executive, a vendor, a legal or financial adviser — to manipulate a payment decision. The impersonation is delivered by email: either through a spoofed address that mimics a legitimate one, a lookalike domain registered to deceive casual inspection, or — in the more sophisticated variants — an actual compromised email account belonging to the person being impersonated.
What BEC is not is a mass phishing campaign. Phishing casts a wide net; BEC is precision targeting. Attackers research their victims, monitor communications, and sometimes gain access to real email accounts to make their messages appear legitimate. They know the organizational hierarchy. They know who has payment authority, who approves wires, and who is inclined to defer to senior leadership without asking questions. They craft messages that fit the cadence and language of the organization's own internal communications. The result is an email that does not look like a fraud attempt — because it is designed, specifically, not to.
This is what makes BEC so consistently effective and so difficult to defend against with technical controls alone. At the heart of every BEC incident is social engineering. BEC will continue to be successful as long as there are people susceptible to psychological manipulation by cybercriminals.
The Five BEC Variants
The FBI and industry threat intelligence researchers categorize BEC into five primary operational subtypes. Each targets a different point of vulnerability in the payment and financial data workflow.
CEO Fraud (Executive Impersonation). The attacker impersonates a senior executive — most commonly a CEO or CFO — and contacts a subordinate, typically in finance or AP, with an urgent request: initiate a wire transfer, purchase gift cards, or provide sensitive financial data. The authority gradient is the weapon. The target is presented with what appears to be a direct instruction from leadership, often accompanied by language that discourages verification: "Don't loop anyone else in on this," or "I need this handled before end of day." The 2016 FACC case — in which an Austrian aerospace company lost €42 million to an executive impersonation attack that resulted in the dismissal and civil litigation of both the CEO and CFO — remains one of the canonical examples of this variant at industrial scale.
Vendor Invoice Fraud / Vendor Email Compromise (VEC). This variant, discussed in depth below, targets the vendor payment relationship. The attacker either impersonates a vendor or compromises an actual vendor email account, then inserts fraudulent payment instructions — typically a request to update banking information — into what appears to be a routine invoicing communication. VEC attacks rose 66% over the first half of 2024, with attackers exploiting supply chain relationships. VEC is the BEC variant most directly relevant to AP functions and is treated extensively in this article.
Attorney / Legal Impersonation. The attacker poses as legal counsel — the organization's own law firm, outside counsel on a pending transaction, or a regulatory authority — to create a confidential pretext for an unusual payment. The secrecy framing ("this is subject to attorney-client privilege," "do not discuss with others") serves the same purpose as urgency in CEO fraud: it discourages the verification that would expose the fraud.
Payroll Diversion. Rather than targeting vendor payments, this variant targets HR or payroll functions. The attacker — posing as an employee, often a recently onboarded one or a remote worker — requests a change to direct deposit banking information before a pay cycle. Because payroll changes typically involve smaller individual amounts and route through HR rather than AP, they are sometimes subject to less rigorous verification protocols. The cumulative exposure from multiple redirected payroll deposits can be substantial.
Data Theft BEC. This variant does not seek a direct payment; it seeks information that enables future fraud. Requests for W-2 rosters, employee banking records, vendor master data, or tax identification numbers are common. The stolen data is used to file fraudulent tax returns, target employees for follow-on fraud, or inform more precisely targeted impersonation attacks.
Vendor Email Compromise: The BEC Variant That Hits AP Hardest
VEC deserves particular attention in this series because it sits directly at the intersection of BEC and the vendor payment relationship — the core subject of the articles that follow on vendor impersonation fraud and phony bank account change scams. Understanding where BEC ends and those adjacent threats begin is essential for finance leaders building a coherent prevention architecture.
VEC is distinguished from other BEC variants by one critical feature: the attacker operates from, or convincingly mimics, an actual vendor's email identity. In the most sophisticated form of the attack, the attacker has compromised the vendor's email account itself. They do not need to spoof anything. They are writing from the vendor's real address, within the vendor's real email thread history, with access to the vendor's real invoices, payment schedules, and correspondence with the target organization.
Once attackers have successfully infiltrated a vendor's mailbox, they can mimic the speech pattern of the impersonated individual and study the company's financial processes and schedule. They then scan for upcoming payment transactions and reach out to either the vendor's own finance department or the target organization, leading to a payroll or payment diversion in which the payment is redirected to the attacker's bank account.
The practical implication is significant: the standard advice to "verify the sender's email address" provides no protection when the attacker is actually using the correct address. The verification that matters is not of the email identity but of the banking instruction — and it must be conducted through an entirely independent channel.
A 2023 case involving a European manufacturing company illustrates the operational sophistication of VEC at its most damaging. An attacker compromised a regional finance director's mailbox and monitored invoice workflows between the firm and one of its key suppliers. After identifying a recurring payment schedule, the attacker inserted themselves into a genuine thread using the compromised account, provided a legitimate-looking PDF with updated banking instructions registered to an offshore entity, and the wire was approved without a callback. The fraud was discovered weeks later during routine reconciliation, long after the funds had moved through multiple holding accounts and crypto rails.
The Facebook and Google case — still among the largest documented BEC losses — followed a similar vendor impersonation model. Lithuanian fraudster Evaldas Rimasauskas posed as Taiwan-based Quanta Computer and deceived both Facebook and Google out of more than $100 million collectively, a case that resulted in his conviction by a U.S. court.
The Relationship Between BEC and the Adjacent Fraud Categories
Readers of this series will notice that several of the topics covered in subsequent articles — vendor impersonation fraud, phony bank account change scams — share mechanics with BEC. That overlap is real and intentional; the fraud taxonomy does not divide as neatly as an article series requires. A brief navigation guide:
BEC is the delivery mechanism. Vendor impersonation and account change fraud are often the objectives. In most VEC attacks, the attacker's goal is to redirect a vendor payment — which is accomplished either by impersonating the vendor (covered in the Vendor Impersonation article) or by fraudulently changing banking information on record (covered in the Phony Bank Account Change article). BEC is how those objectives are pursued through the email channel.
The article Vendor Impersonation Fraud addresses the full range of impersonation attacks — including those that arrive by phone, postal mail, or through fictitious vendor creation during onboarding — not only email-based approaches. It examines the reconnaissance that enables impersonation, the indicators that distinguish a legitimate vendor communication from a fraudulent one, and the vendor authentication protocols that defend against it.
The article Bank Account Change Scams goes deep on the specific control failure that enables the most costly BEC and VEC outcomes: the absence of independent verification protocols for banking information changes. It addresses what those protocols should look like, how they should be enforced, and what the case record shows about organizations that have them versus those that do not.
The article AI-Driven Payment Fraud Threats addresses how generative AI, deepfake audio and video, and automated social engineering tools are amplifying all of the above — making BEC attacks more convincing, VEC harder to detect, and the traditional human-judgment safeguards increasingly unreliable.
The article Internal Payment Fraud Risks addresses the insider dimension, including the scenarios in which BEC attacks succeed partly because insiders — wittingly or not — provide the information that makes impersonation credible, or because weak internal controls create the gaps that external attackers exploit.
This article focuses on BEC and VEC as defined phenomena: what they are, how they work, and what the primary prevention controls look like. The downstream specifics are addressed where they belong, in the articles that follow.
Why BEC Works: The Psychological Architecture of the Attack
Understanding why BEC succeeds is as important as understanding what it is. The attack model is not random; it is engineered to exploit specific, predictable features of organizational behavior.
Authority bias. People defer to apparent authority, particularly in hierarchical organizations. A request that appears to come from the CEO, the CFO, or outside legal counsel carries implicit authorization that subordinates are conditioned to respect — and, in some organizational cultures, to act on without question. BEC attacks exploit this directly.
Urgency as a control override. BEC attackers create elaborate pretexts to explain urgency, compressing the time available for verification. "This wire must go today or we lose the deal." "Legal has advised this must be kept confidential until closing." The fraud actor understands that urgency is the most reliable way to cause a target to skip the verification step that would prevent loss.
Contextual plausibility. The most effective BEC attacks are not generic. They reference real transactions, real vendor relationships, real organizational events. Modern threat actors conduct extensive research to determine how best to execute attacks, leveraging information on LinkedIn, SEC disclosures, and even the target organization's website to create convincing emails. An attacker who has monitored a vendor's email thread for weeks knows what invoice is outstanding, what the payment terms are, and what tone the relationship uses. That knowledge makes the fraudulent instruction indistinguishable — on its surface — from a legitimate one.
Trust in familiar channels. Email is the primary channel for business communication, which means it is also the primary channel through which AP functions receive payment instructions. The trust that has been built in email as a reliable medium is the trust that BEC exploits. The attack does not create a new vulnerability; it exploits an existing one.
Prevention and Controls
BEC prevention is primarily procedural and structural, not technical. Email security tools — DMARC, DKIM, SPF authentication, anti-spoofing filters, secure email gateways — are necessary and should be implemented, but they are not sufficient. The most sophisticated VEC attacks, in which the attacker is writing from a genuinely compromised vendor account, are invisible to technical email security. Prevention depends on process.
Out-of-Band Verification for Payment Instructions. Any payment instruction that arrives by email — new payee setup, change to banking information, non-routine wire request — should require verification through an independent channel before action is taken. "Independent" means a channel that the attacker does not control: a phone call to a number independently sourced (not from the email requesting the change), a secure portal confirmation, or an in-person confirmation. The verification must be out-of-band; replying to the email to confirm the email is not verification.
This single control is the most consistently effective defense against BEC. It also appears, in the fraud case record, as the control most frequently absent in organizations that suffer loss.
Verified Callback Protocols for Vendor Banking Changes. When a vendor requests a change to banking information — by any channel, including email — the protocol should require a mandatory callback to a phone number maintained in the organization's own vendor master file, not to a number provided in the change request. The callback must confirm the change with a known contact at the vendor before the update is entered into the system. Platforms such as VendorInfo are specifically designed to manage this process: providing secure vendor portals through which banking information changes are submitted and verified, with audit trails that document the verification chain. This removes the human judgment variable from what is otherwise a high-risk manual process.
Segregation of Duties and Dual Authorization. No single individual should have the ability to both update vendor banking information and initiate a payment to that vendor. Dual authorization requirements for wire transfers and high-value ACH payments mean that a single compromised email account — or a single employee making a bad judgment call — cannot complete a fraudulent payment without a second reviewer who can catch the anomaly. This control caught at least one published BEC attempt in 2023 because the second approver noticed that the new beneficiary account was registered in a country where the vendor had no banking relationship.
Payment Instruction Change Freezes. A simple but effective structural control: once a change to vendor banking information is submitted, freeze payments to that vendor for a defined period — typically 24 to 72 hours — before the change takes effect. This creates a window for the legitimate vendor to notice and report discrepancies in their own account before funds are diverted.
Training Calibrated to the Actual Attack. BEC training that focuses only on "suspicious emails" sets the wrong target. The defining characteristic of a sophisticated BEC attack is that the email does not look suspicious. Training should focus on the trigger conditions — any change to banking information, any request that includes unusual urgency, any instruction that discourages verification — rather than on the visual indicators of phishing. Staff should be explicitly told, and regularly reinforced, that no amount of apparent authority or urgency justifies skipping verification. The AFP's survey data is instructive: a 2024 study found that managers were more likely than frontline staff to fall for BEC lures, reflecting a pattern in which seniority correlates with a reduced tolerance for appearing to question authority. Training must reach every level.
Email Authentication Protocols. DMARC (Domain-based Message Authentication, Reporting, and Conformance) at enforcement level, combined with DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework), makes it significantly harder for attackers to spoof an organization's own domain in outbound attacks. These protocols do not prevent VEC attacks using compromised legitimate accounts, but they eliminate a large category of lower-sophistication spoofing attempts and should be implemented as a baseline.
Anomaly Detection and Payment Monitoring. Unusual payment patterns — a new banking record for an established vendor, a wire request outside normal business hours, a payment to a beneficiary in an unexpected geography — should trigger exception review rather than routine processing. AP automation platforms and ERP systems can be configured to flag these conditions automatically. The detection function does not replace the verification protocol, but it provides a second line of defense when a fraudulent instruction makes it further into the process than it should.
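The three payment-monitoring conditions named above, together with the change freeze and the unexpected-geography check that caught the dual-authorization case, written as exception rules over constructed vendor master and payment records. This is an added example, not code from the article or from any AP platform it names; the freeze window, business-hours range and sample data are assumptions.

```python
"""Exception-review rules for outbound vendor payments (added illustration,
not code from the article or any platform it names; all records are constructed)."""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta

FREEZE_WINDOW = timedelta(hours=72)   # article: typically 24 to 72 hours
BUSINESS_HOURS = range(8, 18)         # 08:00-17:59 local time, an assumption


@dataclass
class Vendor:
    vendor_id: str
    bank_changed_at: datetime | None                       # last banking-info update
    paid_countries: set[str] = field(default_factory=set)  # countries paid before


@dataclass
class PaymentRequest:
    request_id: str
    vendor_id: str
    amount: float
    beneficiary_country: str
    requested_at: datetime
    method: str                                            # "wire" or "ach"


def review_payment(req: PaymentRequest, vendors: dict[str, Vendor]) -> list[str]:
    """Return the exception reasons for one request; an empty list means routine."""
    vendor = vendors.get(req.vendor_id)
    if vendor is None:
        # New payee with no master record: always an exception, never routine.
        return [f"{req.vendor_id}: no vendor master record"]
    reasons = []
    # Control: payment instruction change freeze after a banking-info update.
    if vendor.bank_changed_at is not None:
        age = req.requested_at - vendor.bank_changed_at
        if timedelta(0) <= age < FREEZE_WINDOW:
            reasons.append(f"banking details changed {age} ago, inside the freeze window")
    # Control: wire request outside normal business hours.
    if req.method == "wire" and req.requested_at.hour not in BUSINESS_HOURS:
        reasons.append(f"wire requested at {req.requested_at:%H:%M}, outside business hours")
    # Control: beneficiary in a geography where this vendor has never been paid.
    if req.beneficiary_country not in vendor.paid_countries:
        reasons.append(f"beneficiary country {req.beneficiary_country} not seen for this vendor")
    return reasons


def review_all(requests, vendors) -> dict[str, list[str]]:
    return {r.request_id: review_payment(r, vendors) for r in requests}


# Constructed sample data: V100's bank details were changed 36 hours before R1.
VENDORS = {
    "V100": Vendor("V100", datetime(2024, 3, 11, 9, 0), {"US"}),
    "V200": Vendor("V200", datetime(2023, 6, 1, 9, 0), {"DE"}),
}
REQUESTS = [
    PaymentRequest("R1", "V100", 48000.0, "US", datetime(2024, 3, 12, 21, 30), "wire"),
    PaymentRequest("R2", "V200", 12000.0, "DE", datetime(2024, 3, 12, 10, 0), "ach"),
    PaymentRequest("R3", "V200", 91000.0, "HK", datetime(2024, 3, 12, 10, 0), "wire"),
    PaymentRequest("R4", "V999", 5000.0, "US", datetime(2024, 3, 12, 10, 0), "ach"),
]

if __name__ == "__main__":
    for rid, reasons in review_all(REQUESTS, VENDORS).items():
        print(rid, "ROUTINE" if not reasons else "HOLD FOR REVIEW: " + "; ".join(reasons))
```

Each held request should still go through the callback protocol; the rules only decide what leaves the routine queue.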
The Professional Dimension: Training, Certification, and Organizational Readiness
BEC is not a problem that technology alone will solve, and it is not a problem that a single policy update addresses once and then eliminates. It is an ongoing adversarial challenge that requires finance and AP functions to maintain a continuous posture of informed vigilance.
AP and procurement professionals are human, and humans are, unfortunately, often the weakest link in BEC attacks and in fraud more generally. Specialized training focused on vendor onboarding, information management, and the controls that defend against fraud at the vendor relationship level strengthens that link. And in an environment where BEC and VEC attacks are specifically engineered to exploit gaps in vendor information management processes, professional training in those processes is a direct fraud mitigation investment.
A vendor portal platform addresses the operational infrastructure dimension: it is built specifically to secure the vendor onboarding and banking information management processes, with automated bank account ownership verification, TIN verification, OFAC and sanctions screening, and secure form submission workflows. In the BEC and VEC context, such a platform's significance is that it removes the most exploitable step in the payment fraud chain — the manual handling of vendor banking information — and replaces it with a controlled, auditable, independently verified process.
If It Happens: Response and Recovery
Speed is the only variable that improves recovery outcomes in BEC incidents. Wire fraud and ACH redirect attacks are, once funds have settled, largely irrecoverable through private action — the money moves fast, through multiple accounts, and often across international banking systems that do not cooperate readily with U.S. recovery efforts. The FBI's Internet Crime Complaint Center operates a Financial Fraud Kill Chain process through which reported BEC incidents can, in some cases, result in recovery of funds if reported within 72 hours of the fraudulent transfer. That window is narrow, and it closes fast.
Immediate steps upon suspecting a BEC event: contact the originating financial institution immediately to request a recall; file an IC3 complaint at ic3.gov within 24 hours; preserve all email records, including headers; notify senior management and legal counsel; and engage forensic resources to determine the scope of any email account compromise.
The incident response capacity should be documented in advance, not improvised at the moment of discovery. Finance leaders who have pre-established relationships with their bank's fraud response team, legal counsel, and a forensic firm will recover faster and lose less than those who are making first contact under crisis conditions.
The Bottom Line
BEC is the pre-eminent payment fraud threat facing finance and AP functions today, and it is getting more sophisticated — not less. In just the first quarter of 2025, BEC attacks spiked by 30%. AI is making the attacks more convincing and more scalable. The procedural controls that prevent them are well understood and consistently effective. The gap, in almost every documented loss case, is not knowledge of what to do — it is the organizational discipline to do it under the pressure of routine operations and manufactured urgency.
The articles that follow address the specific fraud variants that BEC most commonly enables: vendor impersonation, banking information fraud, internal scheme facilitation, and AI amplification. Each builds on the framework established here. Together, they provide the comprehensive picture that AP and finance leaders need to defend the disbursement function — and the organization's cash — against the most consequential fraud threat in the current environment.