What Is Business Email Compromise?
Business Email Compromise — BEC — is a category of targeted fraud in which attackers impersonate a trusted person or organization over email to deceive employees into taking a harmful action: wiring money, disclosing credentials, redirecting payroll, or handing over sensitive data. Unlike traditional spam or phishing campaigns, BEC attacks involve no malware, no malicious links, and often no content that would look suspicious to a standard spam filter. They are, in the purest sense, social engineering delivered by email.
The FBI's Internet Crime Complaint Center has ranked BEC among the most financially damaging forms of cybercrime for several consecutive years. Reported losses consistently exceed $2.5 billion annually in the United States alone — and that figure represents only crimes that were reported. Security researchers estimate actual losses are three to five times higher, since many organizations quietly absorb BEC losses rather than report them publicly.
What makes the trend line alarming is that the attacks are getting more sophisticated as the tools to create them get cheaper. Generative AI has eliminated the grammatical errors and awkward phrasing that once gave social engineering emails away. Today's BEC emails are indistinguishable from real correspondence, written in the exact tone and vocabulary of the person being impersonated.
The Four Main Types of BEC Attack
CEO Fraud
In a CEO fraud attack, the attacker impersonates a senior executive — the CEO, CFO, or another C-suite member — and emails a financial employee or controller with an urgent wire transfer request. The email often creates time pressure ("I'm in a meeting and need this done before close of business") and explicitly discourages verification ("Don't call me, I'll be unreachable, just process it"). The target is typically someone who is accustomed to acting quickly on executive requests.
The attacker may use a lookalike domain (acme-corp.com instead of acmecorp.com), a display name spoof (the email shows "Jane Smith, CEO" but comes from a free webmail account), or — in the most sophisticated cases — an actually compromised executive account.
Vendor Impersonation
Attackers research a company's supplier relationships — which is often easy from public sources, LinkedIn, or a prior breach — and then impersonate a vendor with a plausible "banking detail change" request. The message arrives on what appears to be the vendor's letterhead (copied from the vendor's website), claims their bank has changed, and provides new wire details. Accounts payable teams, accustomed to processing vendor invoices, often comply without escalating for verification.
Payroll Diversion
In payroll diversion attacks, an attacker impersonates an employee and contacts HR or the payroll department with a request to update their direct deposit information. The request is usually made just before a payroll cycle. The impersonation is simple — the attacker just needs to know the employee's name, their manager's name, and perhaps their employee ID, all of which may be available from a breach database or public profile.
Attorney Impersonation
Attackers impersonate lawyers, claiming to represent the company in a sensitive legal matter that must be kept confidential. The confidentiality requirement is deliberate — it's designed to prevent the target from discussing the request with colleagues or management who might flag it as suspicious. The attacker typically requests an urgent wire transfer for a settlement, acquisition, or regulatory payment.
Why BEC Attacks Bypass Traditional Spam Filters
Traditional spam filtering is built around a few core assumptions: spam comes in high volume, uses known bad IPs, contains suspicious content patterns, and is sent to many recipients at once. BEC attacks violate every one of these assumptions.
- Low volume. A BEC campaign targeting your company might consist of a single email. Volume-based detection sees nothing unusual.
- Clean infrastructure. Attackers sending from lookalike domains use reputable sending infrastructure — often legitimate cloud email services — that has no blacklist history.
- No spam phrases. There are no keywords like "click here," "free offer," or "Nigerian prince." The email reads like normal business correspondence.
- No links or attachments. Many BEC attacks are pure text. There's no URL to check against a phishing database, no attachment to scan for malware.
A spam filter tuned for bulk unsolicited email is nearly blind to BEC. The attack bypasses every heuristic that was designed for a completely different threat model.
How to Detect BEC: Header Anomaly Analysis
Because BEC content looks legitimate, detection has to focus on the authentication layer — the metadata about where the email actually came from, rather than what it says.
From/Reply-To Mismatch
A common BEC technique is to set the visible From address to a trusted name while setting the Reply-To header to an attacker-controlled address. To the recipient, the email appears to be from their CEO. But when they hit Reply, their response goes to the attacker's account. This mismatch between the displayed From header and the Reply-To header is a reliable indicator of suspicious intent and should trigger a warning or quarantine.
Envelope From vs. Header From Mismatch
SMTP has two distinct concepts of "from": the envelope sender (used by mail servers for bounce routing) and the header From (what email clients display to users). Legitimate email from a domain typically has these aligned. Display name spoofing attacks — where an email claims to be from "Jane Smith <ceo@yourcompany.com>" but actually originates from a different domain — show up as mismatches between these two values.
Lookalike Domain Detection
BEC attackers frequently register domains that visually resemble the target company's domain: acme-corp.com, acmecorp.net, acm3corp.com. Effective detection compares the sending domain against a known list of your organization's domains and flags messages from domains with high string similarity. A Levenshtein distance of 1 or 2 from a known domain is a strong signal.
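As an added example, not code from the original article, the following Python analyzer runs the three header checks above (From/Reply-To mismatch, envelope Return-Path vs header From mismatch, and lookalike-domain distance) over a constructed message, and also flags the display-name spoof described under CEO Fraud. It goes slightly beyond the text by comparing the label before the TLD rather than the whole domain, since acmecorp.net is three edits from acmecorp.com as a string but identical on its label; OWN_DOMAINS and KNOWN_EXECUTIVES are assumed inputs for a hypothetical organization.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed sample, not a real message: header From claims the CEO's corporate
# address, Reply-To is a webmail account, Return-Path is a lookalike domain.
RAW_MESSAGE = b"""Return-Path: <jane.smith@acme-corp.com>
From: "Jane Smith, CEO" <jane.smith@acmecorp.com>
Reply-To: jane.smith.ceo@webmail-example.com

I'm in a meeting and need this done today. Don't call, just process it.
"""
OWN_DOMAINS = {"acmecorp.com"}      # assumed: the defended organization's domains
KNOWN_EXECUTIVES = {"jane smith"}   # assumed: display names worth protecting

def levenshtein(a, b):  # classic two-row edit-distance dynamic programme
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, own):
    # Compare the label before the TLD so acmecorp.net is caught as well as
    # acme-corp.com: a bare TLD swap or a label distance of 1-2 is a hit.
    label, own_label = domain.rpartition(".")[0], own.rpartition(".")[0]
    return domain != own and (label == own_label or levenshtein(label, own_label) <= 2)

def parse(header_value):  # -> (lowercased display name, lowercased domain)
    name, addr = parseaddr(header_value or "")
    return name.lower(), addr.rpartition("@")[2].lower()

def analyze(raw):
    msg = email.message_from_bytes(raw, policy=policy.default)
    name, from_dom = parse(msg["From"])
    # Return-Path is the envelope sender as recorded by the receiving MTA.
    reply_dom, env_dom = parse(msg["Reply-To"])[1], parse(msg["Return-Path"])[1]
    findings = []
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to mismatch: From={from_dom} Reply-To={reply_dom}")
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope mismatch: Return-Path={env_dom} From={from_dom}")
    if from_dom not in OWN_DOMAINS and any(e in name for e in KNOWN_EXECUTIVES):
        findings.append(f"display-name spoof: '{name}' sent from {from_dom}")
    for dom in sorted({from_dom, reply_dom, env_dom} - {""} - OWN_DOMAINS):
        findings += [f"lookalike domain: {dom} resembles {own}"
                     for own in OWN_DOMAINS if is_lookalike(dom, own)]
    return findings
```

Reply-To on another domain is also used by legitimate ticketing and newsletter systems, so treat each finding as a signal to score alongside the others, not a verdict on its own.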
SPF and DKIM as a First Layer
Publishing strict SPF and DKIM records for your own domains prevents attackers from sending email that appears to originate from your domains. SPF specifies which IP addresses are authorized to send on behalf of your domain; DKIM cryptographically signs outgoing messages so recipients can verify the signature. Together, they make it much harder to impersonate you to your own customers or partners.
But SPF and DKIM only protect you from being impersonated — they don't protect your employees from receiving spoofed emails that impersonate others. For inbound BEC protection, you need anomaly detection on incoming headers, not just authentication enforcement on outgoing mail.
What Else to Add
Header anomaly detection and authentication enforcement are the technical layer. The non-technical layer matters just as much:
- Out-of-band verification for financial requests. Any wire transfer request received by email should require a phone call to a known number to confirm — not a reply to the email, and not a call to a number provided in the suspicious email itself.
- Dual-approval for payroll changes. No single HR staff member should be able to change direct deposit information without a second approval.
- Domain monitoring. Services that alert you when lookalike domains are registered give you advance warning before an attack is launched.
- DMARC with a reject policy. Publishing a DMARC record with p=reject tells receiving mail servers to reject messages that fail both the SPF and DKIM checks for your domain, drastically reducing successful impersonation of your domain to external targets.
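An added example, not from the original article: an offline evaluator for the SPF and DMARC records discussed above, run against constructed records for a hypothetical domain (the IP ranges, addresses and mailbox are assumptions). It shows why a softfail ~all record paired with p=none still delivers a message from an unauthorized IP while -all paired with p=reject does not; include, a and mx mechanisms are reported as needing live DNS rather than evaluated, and SPF "pass" is taken to be aligned with the From domain.

```python
import ipaddress

# Constructed DNS records for a hypothetical domain, not a real zone: a weak
# pair (softfail SPF, monitoring-only DMARC) beside the strict pair.
SPF_WEAK = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 ~all"
SPF_STRICT = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_WEAK = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_STRICT = "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def spf_check(record, sender_ip):
    # Offline evaluator for ip4/ip6/all only; include, a and mx need live DNS
    # (RFC 7208), so they are reported rather than silently skipped.
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"                       # no usable SPF record published
    for term in terms[1:]:
        qual, mech = (term[0], term[1:]) if term[0] in QUALIFIERS else ("+", term)
        name, _, value = mech.lower().partition(":")
        if name in ("ip4", "ip6"):
            if ip in ipaddress.ip_network(value, strict=False):
                return QUALIFIERS[qual]
        elif name == "all":
            return QUALIFIERS[qual]         # catch-all result for everything else
        else:
            return "needs-dns:" + name      # cannot be decided offline
    return "neutral"                        # record without an 'all' term

def dmarc_policy(record):
    tags = dict(t.strip().split("=", 1) for t in record.split(";") if "=" in t)
    return tags.get("p", "none") if tags.get("v") == "DMARC1" else None

def disposition(spf_result, dkim_aligned_pass, policy):
    # DMARC passes if either aligned SPF or aligned DKIM passes; only when both
    # fail does the published p= tag decide what the receiver should do.
    if spf_result == "pass" or dkim_aligned_pass:
        return "deliver"
    return {"reject": "reject", "quarantine": "quarantine"}.get(policy, "deliver")
```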
BEC is ultimately a social engineering problem with a technical attack surface. The most effective defenses combine authentication infrastructure, anomaly detection, and human process controls. No single layer is sufficient on its own, but the combination makes a successful attack dramatically harder to execute.