Business email compromise (BEC) is the multi-billion-dollar scam category that disproportionately targets finance teams. The mechanic is deceptively simple — attackers impersonate a trusted party (CEO, vendor, customer) to redirect a wire transfer, change banking information, or extract payment for fake invoices. There's no malware involved, no novel exploit, just social engineering that exploits process gaps. The dollar losses are enormous and growing. Here's how BEC actually works and the specific controls that stop it.

The Two Main BEC Variants

Most BEC attacks fall into one of two patterns:

CEO/executive impersonation — attacker spoofs or compromises the email account of a senior executive and sends a finance team member an urgent request for a wire transfer, gift card purchase, or change to vendor banking details. The executive's apparent authority and the manufactured urgency are what push the recipient to skip the normal verification step.

Vendor invoice fraud — attacker either compromises or convincingly spoofs a real vendor email account and notifies the customer that the vendor has changed banking details. Subsequent payments meant for the vendor go to the attacker. This pattern often runs for multiple invoice cycles before detection because the vendor itself doesn't notice the missing payments until late.

[Image: finance team member verifying a suspicious wire transfer request with an out-of-band confirmation call]

Why BEC Is So Effective

Several factors make BEC unusually effective compared to other attack categories:

  • Bypasses technical security controls — no malware to detect, no malicious URL to block. The email content is the attack.
  • Exploits legitimate business pressure — finance teams already operate under time pressure; an "urgent CEO request" feels normal.
  • Targets process gaps — businesses without strong verification procedures for financial changes have no defense layer to catch the manipulation.
  • Hard to recover funds — once a wire is sent, recovery options diminish rapidly. Often the funds are gone within hours.
  • Low-tech, high-margin — attackers don't need sophisticated capabilities to execute BEC at scale, just patience and process discipline.

The Controls That Actually Stop BEC

Technology helps but process is more important. The controls in priority order:

  • Out-of-band verification for financial changes — any change to wire instructions or vendor banking details requires verification by phone (using a previously known phone number, not one from the requesting email) before execution. This is the single most effective BEC control.
  • Dual-approval workflow for wire transfers — two people authorize any wire above a threshold. The threshold should be low enough to cover the BEC dollar range; "above $10,000" doesn't help if BEC attempts come in for $9,500.
  • Mandatory time delays on new payee additions — new payee setups don't process the same day as creation; this gives the legitimate party time to notice if their email was compromised.
  • DMARC, SPF, DKIM email authentication — properly configured email authentication reduces (but doesn't eliminate) spoofing attempts.
  • Anti-phishing email filters with BEC-specific detection — modern Defender for Office 365, Proofpoint, and similar tools specifically detect BEC patterns (executive impersonation, financial language, unusual sender behavior).
  • MFA on executive and finance email accounts — phishing-resistant MFA prevents credential-compromise-based account takeover.
  • Training that emphasizes verification over vigilance — finance teams are trained that "verify before acting on financial changes" is non-negotiable.
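To make the email-authentication and BEC-detection points concrete, here is an added example (not code from the original post or from any product named above) of a small triage check that scores an inbound message for the patterns the list describes: an executive's display name on a non-directory address, mail claiming our own domain without a DMARC pass, a lookalike sender domain, a Reply-To that redirects replies elsewhere, and financial language. The defended domain, executive directory, keyword list, thresholds and sample messages are all constructed assumptions. The second sample illustrates why DMARC reduces but does not eliminate the problem: a lookalike domain passes SPF, DKIM and DMARC for itself and is caught only by the impersonation checks.

```python
# Added example, not from the original post: triage scoring for inbound mail
# against the BEC patterns listed above. Domain, executive directory, keyword
# list and sample messages are constructed assumptions.
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

OUR_DOMAIN = "example.com"                           # assumed defended domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}    # constructed directory
FINANCE_TERMS = re.compile(
    r"\b(?:wire|transfer|invoice|banking details|gift cards?|urgent|payment)\b", re.I)


def auth_results(msg):
    """Pull spf/dkim/dmarc verdicts out of the receiving MTA's Authentication-Results."""
    hdr = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I)}


def domain_of(addr):
    return addr.rpartition("@")[2].lower()


def score_message(raw):
    """Return (verdict, reasons); 'hold' means route to out-of-band verification."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    auth = auth_results(msg)
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = msg.get("Subject", "") + "\n" + body

    identity = []
    key = name.strip().lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        identity.append("executive display name on a non-directory address")
    if sender_domain == OUR_DOMAIN and auth.get("dmarc") != "pass":
        identity.append("claims our domain but DMARC did not pass")
    if (sender_domain != OUR_DOMAIN
            and SequenceMatcher(None, sender_domain, OUR_DOMAIN).ratio() >= 0.8):
        identity.append("lookalike of our domain: " + sender_domain)
    if reply_to and domain_of(reply_to) != sender_domain:
        identity.append("Reply-To routes replies to " + domain_of(reply_to))

    finance = sorted({t.lower() for t in FINANCE_TERMS.findall(text)})
    reasons = identity + (["financial language: " + ", ".join(finance)] if finance else [])
    # Financial language alone is normal for a finance inbox; it only matters
    # once the sender's identity is in doubt.
    if identity and finance:
        return "hold", reasons
    if identity:
        return "review", reasons
    return "deliver", reasons


# Constructed sample messages (not real traffic).
SPOOFED_EXEC = """\
From: Jane Doe <jane.doe@example.com>
Reply-To: Jane Doe <jane.doe@mail-secure.biz>
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com
Subject: Urgent wire

I need a wire transfer out before noon. Reply here, I'm in meetings all day.
"""

LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com
Subject: Vendor banking details

Please update the vendor banking details on file and release the pending payment.
"""

BENIGN = """\
From: Bob Smith <bob@partner.org>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=partner.org; dkim=pass header.d=partner.org; dmarc=pass header.from=partner.org
Subject: Thursday

Are we still on for Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("spoofed exec", SPOOFED_EXEC), ("lookalike", LOOKALIKE), ("benign", BENIGN)):
        verdict, reasons = score_message(raw)
        print(f"{label}: {verdict} {reasons}")
```

A "hold" verdict here is meant to feed the out-of-band verification step, not to replace it: the script only decides which messages deserve the phone call, and the lookalike sample shows that a DMARC pass on its own says nothing about who is actually writing.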

What Doesn't Help

A few approaches that are popular but don't actually stop BEC: phishing simulation exercises that focus on "spot the red flag" don't transfer to BEC (the red flags don't help when the message is authentic-seeming and the impersonation is convincing). "Just be more careful" as a directive doesn't change outcomes under time pressure. Generic security awareness training without specific BEC scenarios doesn't change finance team behavior.

If It Happens

If BEC is detected after a fraudulent transfer has been initiated, the recovery window is short. Immediate actions: contact the receiving bank to attempt a wire recall, file an IC3 complaint with the FBI (which can sometimes coordinate funds recovery), notify the cyber insurance carrier, and engage incident response to assess whether the email environment itself was compromised vs. spoofed. The faster these actions happen, the better the recovery prospects — measured in hours, not days.

The cost of BEC prevention is dramatically lower than the cost of even a single successful BEC incident. If you'd like to scope BEC defensive controls for your business, a free assessment can identify the priority gaps.

About Leonidas

Leonidas is a managed IT services provider, cybersecurity consulting firm, and unified communications consultancy serving businesses across industries. We offer free 30-minute assessments for businesses evaluating their IT and security posture. Contact us or call 850-614-9343.