Business Email Compromise

Also known as: BEC, CEO fraud, invoice fraud

A targeted fraud in which an attacker impersonates an executive or trusted vendor over email, convincing an employee to wire money, change bank details, or share sensitive data.


What is BEC?

Business email compromise (BEC) is a targeted fraud that uses email impersonation to trick a company employee into authorizing a fraudulent wire transfer, rerouting an invoice payment, or handing over sensitive information. Unlike bulk phishing, BEC is low-volume and high-value: each campaign is tailored to a specific company, after reconnaissance on org charts, vendor lists, and pending payments. The FBI's Internet Crime Complaint Center (IC3) ranked BEC the single most costly category of cybercrime for years, and it remains near the top; IC3 puts global exposed losses (actual plus attempted) at more than $50 billion between 2013 and 2024.

Common BEC patterns

  • CEO fraud — a spoofed executive email instructs a finance employee to send a wire "urgently and confidentially," usually timed to when the real executive is traveling
  • Invoice fraud — the attacker compromises a real vendor inbox, finds a pending invoice, and sends the customer updated "bank details" that route to the attacker's mule account
  • Payroll diversion — the attacker impersonates an employee and asks HR to reroute their direct-deposit to a new bank account
  • W-2 / data theft — an impersonated executive asks HR or finance for employee tax records

How BEC evades detection

BEC rarely contains malicious attachments or links, so legacy email security (sandboxing, URL rewriting) does not flag it. Detection therefore relies on other signals: sender-authentication checks (SPF/DKIM/DMARC) catch direct spoofs of your own domain; lookalike-domain and display-name checks catch attacker-registered typosquats and executive names on outside mailboxes; anomaly detection on wire-transfer and bank-detail requests catches the lure itself; and IP reputation on the sending server adds a signal for lookalike-domain senders, which often send from hosting or VPS ranges with abuse history. Note the limit: mail from a genuinely compromised vendor inbox leaves the vendor's real provider and passes SPF, DKIM, DMARC and reputation checks alike, which is why mandatory out-of-band verification of any new bank details has to exist regardless of what the filters say.
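The checks above, applied to one raw message, as an added example that is not code from the original page. The defender's domain example.com, the executive list, and the four sample messages are constructed assumptions. The compromised-vendor sample shows the limit of header checks: it passes SPF, DKIM and DMARC, so only the lure phrasing and an out-of-band callback remain.

```python
"""Added example, not from the original page: triage one raw email for the BEC
signals described above. Assumed for illustration: the defender owns example.com,
EXECUTIVES lists impersonation targets, and every sample message is constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                                     # assumption
EXECUTIVES = {"Dana Whitfield": "dana.whitfield@example.com"}  # assumption
# Phrasing that recurs in CEO-fraud, invoice-fraud and payroll-diversion lures.
LURE_PATTERNS = [r"\bwire\b", r"\burgent", r"\bconfidential", r"\bdirect deposit\b",
                 r"\b(new|updated) (bank|account|payment) (details|information|account)\b"]


def normalise(domain):
    # Collapse common homoglyph tricks: 'exarnple' and 'examp1e' both become 'example'.
    return (domain.lower().replace("rn", "m").replace("vv", "w")
            .replace("0", "o").replace("1", "l"))


def edit_distance(a, b):
    # Levenshtein distance, to catch one- or two-character typosquats.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain):
    # True when a domain imitates ORG_DOMAIN without being it or one of its subdomains.
    domain = domain.lower()
    if domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN):
        return False
    ours, theirs = (normalise(d).split(".")[0] for d in (ORG_DOMAIN, domain))
    return edit_distance(ours, theirs) <= 2 or ours in theirs  # tune for short names


def triage(raw_message):
    # HOLD: deceptive headers plus a payment lure. REVIEW: one of the two. PASS: neither.
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    findings = []
    if from_name in EXECUTIVES and from_addr.lower() != EXECUTIVES[from_name]:
        findings.append(f"executive display name on {from_addr}")    # name impersonation
    if from_domain and is_lookalike(from_domain):
        findings.append(f"lookalike domain {from_domain}")            # typosquat
    if reply_domain and reply_domain != from_domain:
        findings.append(f"Reply-To diverts to {reply_domain}")        # reply hijack
    if from_domain == ORG_DOMAIN and "dmarc=pass" not in auth:
        findings.append("our domain in From but DMARC did not pass")  # direct spoof
    body = "".join(p.get_payload() for p in msg.walk()
                   if p.get_content_type() == "text/plain")
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    lures = [p for p in LURE_PATTERNS if re.search(p, text)]
    verdict = "HOLD" if findings and lures else "REVIEW" if findings or lures else "PASS"
    return {"verdict": verdict, "findings": findings, "lures": len(lures)}


# Constructed samples. The vendor one is the hard case: a real, compromised inbox.
CEO_FRAUD = """\
From: Dana Whitfield <dana.whitfield@exarnple.com>
Reply-To: Dana Whitfield <dw.private@mail.example>
Subject: Urgent wire - confidential
Authentication-Results: mx.example.com; dmarc=pass header.from=exarnple.com

I am traveling and need a wire sent today. Keep this confidential.
"""
COMPROMISED_VENDOR = """\
From: Accounts Receivable <ar@acme-supplies.example>
Subject: Invoice 4471 - updated bank details
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=acme-supplies.example

Please note our updated bank details for invoice 4471, effective immediately.
"""
OWN_DOMAIN_SPOOF = """\
From: Dana Whitfield <dana.whitfield@example.com>
Reply-To: dana.whitfield@mail.example
Subject: Payroll direct deposit change
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail header.from=example.com

Please update my direct deposit to the new account below.
"""
BENIGN = """\
From: Dana Whitfield <dana.whitfield@example.com>
Subject: Q3 offsite agenda
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass header.from=example.com

Draft agenda attached for review next week.
"""

if __name__ == "__main__":
    for raw in (CEO_FRAUD, COMPROMISED_VENDOR, OWN_DOMAIN_SPOOF, BENIGN):
        print(triage(raw))
```

The CEO-fraud and own-domain-spoof samples come back HOLD because a header-level deception coincides with a payment lure; the compromised-vendor sample has clean headers and a DMARC pass, so it only reaches REVIEW on the bank-detail phrasing, and nothing in the message itself can tell you whether the account is real. That REVIEW state is where the callback to the number already on file belongs; the Authentication-Results header is trusted here only because it is assumed to have been written by your own receiving MTA.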

Check the IP behind a suspicious email before you wire money with our IP abuse report checker.

Frequently Asked Questions

How costly is BEC compared with other cybercrime?

For years BEC was the single most expensive category tracked by the FBI's Internet Crime Complaint Center, and it remains among the costliest; investment fraud has reported higher annual losses in IC3's reports since 2022, but BEC still exceeds ransomware, romance scams, and tech-support fraud combined in dollar terms. Cumulative global exposed losses (actual plus attempted) passed $50 billion between 2013 and 2024, even though the number of incidents is far smaller than for bulk fraud; each successful BEC averages well over $100,000 in losses.

How do BEC attackers research their targets?

They mine LinkedIn for org charts and reporting structures, scrape company websites for executive names and bios, search press releases for upcoming deals or vendor announcements, and buy breach data containing internal email signatures. For invoice fraud, they often compromise a real vendor's inbox first and monitor it silently for weeks to learn the customer's payment patterns before injecting a fraudulent message.

What is the difference between BEC and phishing?

Phishing is a bulk attack with malicious links or attachments, sent to large lists, looking for any victim and usually after credentials. BEC is targeted social engineering aimed at one company, almost always plain text with no link or attachment, asking for a wire transfer or data rather than a credential. BEC bypasses traditional email security because there is usually no payload to detect; the red flags are the unusual request itself and, where present, a sender identity that does not match the mailbox the message actually came from.

Does cyber insurance cover BEC losses?

Yes, with limits. Most cyber-insurance policies include "social engineering fraud" or "funds transfer fraud" coverage, but it is usually sublimited (often capped at $250K-$1M, far below total cyber coverage), requires proof of out-of-band verification controls, and frequently denies claims when the company failed to call back using a previously known number. Many policies also exclude losses where the wire was authorized by an employee, even if deceived.

What is out-of-band verification?

Out-of-band verification means confirming a payment instruction through a channel different from the one that delivered the request, typically a phone call to a number from your existing records, never one supplied in the suspicious email or its signature block. It is the single most effective BEC defense because it forces the attacker to compromise two independent channels at once. Most BEC playbooks now require it for any new bank-detail change or wire over a set threshold.