What Is Business Email Compromise (BEC)? — 2026 Guide
Business email compromise is the highest-dollar-value cybercrime category tracked by the FBI — ahead of ransomware, data theft, and all other email fraud. Here is exactly how it works, what the five main variants look like, and how to protect against it.
What Is Business Email Compromise?
Business email compromise (BEC) is a category of targeted email fraud in which an attacker impersonates a trusted person — an executive, vendor, lawyer, or colleague — to manipulate a victim into taking a high-value action: usually authorizing a fraudulent wire transfer, changing payment details, or disclosing sensitive data.
Unlike mass phishing campaigns that cast a wide net hoping for any victim, BEC attacks are surgically targeted. Attackers research specific organizations, identify the right people to impersonate and the right targets to approach, and craft individually tailored emails designed to convince one specific person to take one specific action.
Why BEC is especially dangerous
BEC attacks typically contain no malicious links and no attachments. They pass authentication checks (SPF, DKIM, DMARC). They come from domains that have no spam history. Standard email security tools are largely blind to them. The attack is entirely social — it exploits trust, authority, and urgency rather than technical vulnerabilities.
5 Types of BEC Attacks
CEO / CFO Fraud
Also called: executive impersonation, whaling
An attacker impersonates the CEO, CFO, or another senior executive and emails an employee (typically in finance or accounts payable) requesting an urgent wire transfer. The email appears to come from the executive's address — or a convincing lookalike domain — and often references a real business deal or acquisition to add legitimacy.
Example email language:
"I'm in a board meeting and need a $47,000 wire sent to close a vendor deal by EOD. Treat this as confidential. I'll explain when I'm out — please handle now."
Vendor Impersonation
Also called: payment redirection fraud
The attacker impersonates a known supplier or vendor and notifies the accounts payable team that the vendor's bank account details have changed. Future payments are redirected to an account the attacker controls. The fraud may not be discovered until the real vendor complains about non-payment — sometimes months later.
Example email language:
"Please update our banking details for future invoices. Our bank has changed and all payments should now go to the following account..."
Account Compromise
Also called: email account takeover
The attacker obtains actual access to a legitimate email account — usually via phishing or credential stuffing from a data breach. They then use the real account to communicate with colleagues, clients, or partners. This is the hardest BEC variant to detect because the emails genuinely originate from a trusted account.
Example email language: nothing distinctive. There is no tell-tale domain mismatch; the message comes from the real address of a colleague whose credentials were stolen.
Attorney / Lawyer Impersonation
Also called: legal impersonation fraud
The attacker impersonates a law firm involved in a pending transaction and contacts the target about a "confidential legal matter" requiring immediate fund transfer. The legal context and confidentiality instructions are designed to prevent the target from discussing the request with colleagues before acting.
Example email language:
"This is regarding a confidential acquisition under NDA. Per legal requirements, this transfer must be completed by close of business today. Contact me directly, not through internal channels."
Real Estate Wire Fraud
Also called: mortgage closing fraud
Buyers in a real estate transaction are emailed with "updated wire transfer instructions" for the closing payment — redirecting the down payment or full purchase price to an attacker-controlled account. Losses are often in the hundreds of thousands of dollars for a single transaction. Recovery after a wire transfer is extremely difficult.
Example email language:
"The title company has updated their banking information. Please use the following wire details for the closing funds due Friday."
How BEC Bypasses Spam Filters
The reason BEC is so costly is that the attacks evade the defenses organizations have invested in. Understanding why they bypass filters is essential for building better defenses.
No malicious URLs
Most email security tools scan links for known malicious destinations. BEC emails typically contain no links at all — they rely entirely on social engineering to prompt action via phone or reply.
No malicious attachments
Attachment scanning catches malware, but BEC attacks deliver their payload through plain text. A convincing email with no attachment passes virtually every automated check.
Legitimate-looking domains
Well-executed BEC uses either the real compromised domain or a lookalike registered specifically for the attack (e.g., company-corp.com instead of company.com). These domains often have valid SPF, DKIM, and DMARC records that pass authentication checks.
No prior attack history
Unlike mass phishing campaigns, BEC attacks are one-to-one. The sending domain has no spam history, the email content is unique, and there are no matching signatures in threat databases.
Red Flags of a BEC Attack
While BEC attacks evade automated detection, humans can learn to recognize the behavioral patterns that make every BEC variant work.
- Wire transfer or payment instruction change from a sender you know, received by email only
- Request for urgent action with instructions not to verify through normal channels
- Email domain that differs only slightly from a known contact's domain (company-corp.com vs company.com)
- Display name matches a known contact but the reply-to address is different
- Request for W-2 forms, employee data, or gift cards — especially with urgency language
- Unusual timing: executive requesting a transfer while "traveling" or "in meetings"
- Pressure to keep the transaction confidential from colleagues
- Payment amount that is just below an authorization threshold requiring additional approvals
What Gorganizer Detects
Gorganizer's scoring engine includes dedicated BEC detection signals built into the header, sender, and body analysis modules:
- Wire-transfer language: emails containing payment instruction change language combined with urgency markers and executive-name patterns
- Vendor impersonation: banking-detail-change language from senders with no prior relationship to the account
- CEO whaling signals: executive role keyword matching against display names and subject lines, combined with confidentiality language and payment requests
- Reply-To mismatch: detection of emails where the From address differs from the Reply-To address — a common BEC technique to redirect responses to attacker-controlled inboxes
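The red flags listed above and the Reply-To mismatch, lookalike-domain and wire-plus-urgency signals in this section can be checked directly against a raw message, as in this added Python example (not Gorganizer's code). The sample message, the trusted-domain list and the executive-name list are constructed for illustration; the wording of the sample is taken from the CEO fraud example earlier on this page.

```python
import email
import re
from difflib import SequenceMatcher
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): executive display name on a lookalike
# domain, Reply-To pointing elsewhere, and wire + urgency + secrecy wording.
SAMPLE_RAW = """From: "Jane Doe, CFO" <jane.doe@company-corp.com>
Reply-To: jane.doe.cfo@mailbox.example
To: ap@company.com
Subject: Urgent wire needed today - confidential

I'm in a board meeting and need a $47,000 wire sent to close a vendor deal by EOD.
Treat this as confidential. I'll explain when I'm out - please handle now.
"""
KNOWN_DOMAINS = {"company.com"}  # assumed: domains of trusted contacts
KNOWN_EXECS = {"jane doe"}       # assumed: executive names worth protecting
PAYMENT_RE = re.compile(r"\b(wire|bank(ing)? details|account number|invoice|payment)\b", re.I)
URGENCY_RE = re.compile(r"\b(urgent|eod|today|immediately|close of business|asap)\b", re.I)
SECRECY_RE = re.compile(r"\b(confidential|don't (tell|discuss)|not through internal)\b", re.I)

def is_lookalike(domain, known):
    """Unknown domain whose first label contains, or nearly equals, a known label."""
    if domain in known:
        return False
    label = domain.split(".")[0]
    return any(k.split(".")[0] in label
               or SequenceMatcher(None, label, k.split(".")[0]).ratio() >= 0.8
               for k in known)

def bec_signals(raw):
    """Boolean red flags for one raw RFC 5322 message (the page's checklist)."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(str(msg["From"] or ""))
    _, reply_addr = parseaddr(str(msg["Reply-To"] or ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    text = str(msg["Subject"] or "") + "\n" + msg.get_body(("plain",)).get_content()
    exec_name = any(e in from_name.lower() for e in KNOWN_EXECS)
    return {
        "reply_to_mismatch": bool(reply_addr) and reply_addr.lower() != from_addr.lower(),
        "lookalike_domain": is_lookalike(from_domain, KNOWN_DOMAINS),
        "exec_name_outside_domain": exec_name and from_domain not in KNOWN_DOMAINS,
        "payment_language": bool(PAYMENT_RE.search(text)),
        "urgency": bool(URGENCY_RE.search(text)),
        "secrecy": bool(SECRECY_RE.search(text)),
    }

def bec_score(raw):
    return sum(bec_signals(raw).values())  # number of red flags present
```

A score of three or more with at least one header anomaly (Reply-To mismatch, lookalike domain, or executive name outside the trusted domain) is the pattern worth routing to a human for out-of-band verification; the keyword lists are deliberately small and should be tuned to the organization's own vocabulary.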
Frequently Asked Questions
What is the difference between phishing and BEC?
Phishing is broad — it targets anyone at scale, trying to steal credentials or install malware. BEC is targeted — it focuses on specific individuals inside specific organizations to authorize fraudulent payments or data transfers. BEC emails are individually crafted, use social context, and typically involve no malicious links or attachments (making them extremely hard for automated filters to catch).
How much money is lost to BEC attacks each year?
The FBI's IC3 (Internet Crime Complaint Center) reported BEC as the highest-dollar-value cybercrime category, with billions of dollars in annual losses. The true figure is higher, as many incidents are not reported due to reputational concerns or uncertainty about the attack vector.
How do BEC attackers know enough about a company to be convincing?
Attackers research their targets extensively before striking. LinkedIn reveals organizational structure and reporting relationships. Company websites list executives by name and role. Public SEC filings reveal financial details. Breached credential databases confirm email formats. Some BEC attacks involve compromising an actual email account first and lurking in the inbox for weeks — learning communication patterns before impersonating the account holder.
Can email security tools detect BEC attacks?
Standard spam filters miss most BEC attacks because the emails contain no malicious links, no attachments, and often come from domains with clean reputations. Effective detection requires behavioral analysis — looking at sender-recipient relationship history, payment-related language patterns, and urgency markers. Gorganizer's scoring engine includes dedicated BEC signals: wire-transfer instruction language, vendor-impersonation patterns, CFO/CEO name-spoofing detection, and contextual urgency analysis.
Scan My Inbox for BEC Signals
Gorganizer scans for wire-transfer fraud language, vendor impersonation, CEO whaling signals, and Reply-To mismatches — automatically. One click to see what is in your inbox.