Updated on November 11, 2025
A Business Email Compromise (BEC) scam is a sophisticated, cyber-enabled financial fraud that targets organizations that regularly perform wire transfers or have suppliers. It involves an attacker impersonating a high-level executive, like a CEO or CFO, or a trusted vendor to trick an employee into performing an unauthorized action. This action is typically a large wire transfer to an account controlled by the attacker. BEC is one of the most financially damaging cybercrimes because it exploits human trust and administrative processes, often bypassing technical security controls.
Definition and Core Concepts
A BEC scam is a class of social engineering attack that focuses on tricking an employee into transferring money or sensitive data. The success of a BEC scam relies on impersonation and exploiting the hierarchical trust within a company. The email itself often does not contain malicious attachments or links, which allows it to bypass most traditional email filtering and gateway defenses.
Foundational concepts:
- Social Engineering: The psychological manipulation of people into performing actions or divulging confidential information. Business Email Compromise is a specialized form of social engineering.
- Impersonation (Spoofing): The act of making an email appear to originate from a legitimate, trusted source, often a senior executive or a known vendor.
- Wire Transfer Fraud: The primary objective of most BEC scams is to trick an employee into initiating a fraudulent wire transfer.
- CEO Fraud (Executive Impersonation): A specific type of BEC where the attacker impersonates a high-ranking executive to order a transfer.
- Vendor Email Compromise (Invoice Fraud): A specific type of BEC where a trusted supplier’s email system is compromised, and the attacker sends a fraudulent invoice with updated bank details.
How It Works
A BEC scam is typically a multi-stage process that requires careful reconnaissance. The attacker executes a planned sequence of events designed to manipulate a target within an organization. The process is methodical and exploits procedural and psychological vulnerabilities.
Reconnaissance and Target Selection
The attacker conducts extensive Open-Source Intelligence (OSINT) gathering to identify key players. This involves finding the executive to impersonate, such as the CEO, and the employee responsible for executing wire transfers, like an accounts payable clerk. They study corporate email signatures, organizational charts, and even out-of-office replies to understand internal hierarchies and communication styles.
Email Preparation (Spoofing)
The attacker crafts a highly convincing email. They use email spoofing or lookalike domains—for example, company.co instead of company.com—to make the email appear genuine. The message is typically urgent, confidential, and highly time-sensitive to pressure the employee into acting quickly without verification.
The Deception
The email orders the employee to execute a transfer immediately. It often cites a confidential reason, such as a secret acquisition or an urgent vendor payment. The attacker frequently requests the transaction be handled “discreetly” to discourage the employee from seeking verbal confirmation from others.
Wire Transfer and Cash-Out
Once the employee executes the transfer, the funds are routed to an offshore bank account or a series of mule accounts controlled by the attacker. This network of accounts makes the money extremely difficult to trace and recover. The funds are typically withdrawn or moved rapidly to finalize the attack.
Key Features and Components
BEC attacks are distinguished by specific characteristics that differentiate them from other forms of cybercrime. These features are central to their success and their ability to circumvent common security measures. Understanding these components is critical for developing effective defense strategies.
- Lack of Malware: The absence of traditional malicious attachments or links is what allows BEC emails to successfully bypass many technical defenses. Security gateways designed to detect malware often fail to flag these messages.
- Exploitation of Authority: The scam leverages the employee’s fear of disobeying a senior executive or disrupting a critical business process. This psychological pressure is a key element of the attack’s effectiveness.
- OSINT-Dependent: The attack is highly dependent on the quality of information gathered by the attacker about the company’s structure and personnel. The more accurate the intelligence, the more convincing the impersonation.
Use Cases and Applications (Scenarios)
The Federal Bureau of Investigation (FBI) classifies BEC scams into several common types based on the methods used. While all involve social engineering, the specific scenario can vary. Each type targets different internal processes and personnel.
- Invoicing Scheme: An attacker compromises a vendor’s email account and sends a fraudulent invoice to the target company. The invoice contains updated bank details, redirecting payment to an account controlled by the attacker.
- CEO Fraud: An attacker impersonates the CEO or another high-level executive. They send an urgent wire transfer request directly to an employee in the finance department, often citing a time-sensitive and confidential matter.
- Data Theft: An attacker requests sensitive employee or customer data instead of money. This type of attack usually targets Human Resources, requesting files like W-2 tax forms that can be used for identity theft or sold on the dark web.
Advantages and Trade-offs
From the attacker’s perspective, BEC scams offer distinct advantages compared to other cyberattacks, but they also come with specific trade-offs. These factors influence why and how criminal organizations choose to execute them.
Advantages (Attacker)
- High return on investment (ROI): The potential financial gain is significant due to the large sums involved in corporate wire transfers.
- Low risk of detection: Compared to attacks relying on malware, BEC has a lower technical footprint, making it harder for automated systems to detect.
Trade-offs (Attacker)
- Time-intensive reconnaissance: A successful attack requires significant time for intelligence gathering and social engineering.
- Dependency on victim response: The success rate depends heavily on the victim’s response time and the internal verification processes of the target organization. If the deception is identified quickly, the transfer can often be stopped.
Troubleshooting and Considerations (Defense)
Defending against BEC requires a multi-layered approach that prioritizes procedural and human-centric controls over purely technical solutions. Because these scams exploit human psychology, effective defenses must empower employees to identify and question suspicious requests.
Verification Process
Implementing a strict, mandatory verbal or out-of-band verification process is crucial. This should apply to all wire transfer requests above a set dollar amount. Confirmation must be made using a known, pre-verified phone number, not a number provided in the email request.
Email Gateway Tuning
Email filters should be configured to aggressively flag emails from external addresses that claim to be internal employees. Rules can also be set to highlight messages with display name spoofs or slight variations in domain names.
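A minimal implementation of the two gateway rules just described (an external sender presenting a known internal display name, and a lookalike domain such as company.co standing in for company.com, as mentioned under Email Preparation). This is an added example written for this page, not any gateway product's rule syntax; the messages, the domain company.com and the name Jane Doe are constructed.

```python
import email
from email.utils import parseaddr

# Constructed sample messages (not real mail): a lookalike-domain CEO-fraud
# attempt, a display-name spoof from an unrelated external mailbox, and a
# legitimate internal message.
SAMPLES = [
    "From: Jane Doe <jane.doe@company.co>\nSubject: Urgent wire\n\nHandle discreetly.",
    "From: Jane Doe <ceo.janedoe@example-webmail.net>\nSubject: Payment\n\nSend now.",
    "From: Jane Doe <jane.doe@company.com>\nSubject: Lunch\n\nSee you at noon.",
]


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; small values catch one- or two-character domain variations."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def bec_indicators(raw: str, internal_domain: str, known_people: set[str]) -> list[str]:
    """Return gateway flags for one message; an empty list means nothing was matched."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    flags = []
    if domain != internal_domain:
        # Rule 1: external address whose display name matches a known insider.
        if display.strip().lower() in known_people:
            flags.append("external sender using internal display name")
        # Rule 2: sender domain is a small edit away from the real one
        # (company.co vs company.com). Identical domains were excluded above.
        if edit_distance(domain, internal_domain) <= 2:
            flags.append(f"lookalike domain {domain}")
    return flags


if __name__ == "__main__":
    # Hypothetical directory of names that mail filters would treat as internal.
    for sample in SAMPLES:
        print(bec_indicators(sample, "company.com", {"jane doe"}))
```

In practice the name list would come from the directory service and the flags would add a banner or quarantine the message rather than print.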
Employee Training
Continuous, high-quality training is essential. This should educate employees on recognizing the psychological cues and urgent tone common in BEC scams. Training should include simulations to test and reinforce learning.
Financial Controls
Using multi-factor authentication (MFA) on financial systems adds a critical layer of security. Organizations should also consider implementing “Positive Pay,” an automated fraud detection service offered by most commercial banks to match checks and electronic payments against a pre-approved list.
Key Terms Appendix
- Social Engineering: Psychological manipulation of people into performing actions or divulging confidential information.
- OSINT: Open-Source Intelligence, which refers to the gathering of information from publicly available sources.
- Spoofing: Creating a message with a forged sender address to mislead the recipient about the origin of the message.
- Mule Account: A bank account used by criminals, often belonging to an unwitting third party, to rapidly receive and move illicit funds to obscure their origin.
- Wire Transfer: An electronic method of transferring funds between people or businesses, often used in BEC scams due to the speed and difficulty of reversal.