Business Email Compromise: When the Attack Comes From Someone the Company Already Trusts
Learn how Business Email Compromise attacks abuse trusted identities, urgent business requests, and compromised mailboxes to manipulate payments, payroll changes, credentials, and sensitive data.
Not every cyberattack starts with malware, ransomware, or a suspicious attachment. Sometimes, it starts with a simple email that appears to come from the CEO, CFO, manager, colleague, lawyer, or another trusted person inside the business.
This is exactly where Business Email Compromise, or BEC, becomes dangerous: attackers exploit trust, hierarchy, routine, and business pressure to convince employees to take actions that benefit the attacker.
BEC is not new, but it continues to evolve. According to the FBI IC3 2025 Internet Crime Report, BEC complaints increased from 21,442 in 2024 to 24,768 in 2025, with reported losses rising from about $2.77 billion to more than $3.04 billion. That makes BEC one of the most financially damaging email-based threats affecting businesses today.
What Is Business Email Compromise?
Business Email Compromise is a targeted email attack where criminals impersonate a trusted person or compromise a real mailbox to manipulate employees into taking a risky action.
The objective may vary, but it often includes:
- Approving a fraudulent payment;
- Changing payroll or bank details;
- Sending sensitive documents;
- Sharing employee, customer, or vendor data;
- Buying gift cards or making urgent purchases;
- Updating invoice or payment instructions;
- Revealing credentials through a fake login page;
- Helping the attacker move deeper into the organization.
Unlike generic phishing, BEC does not always depend on malicious links, malware, or obvious technical indicators. The attack works because the message feels believable.
A BEC email may look like a normal business request from someone who has authority, context, and a reason to ask for action.
Why BEC Is So Dangerous
The main danger of Business Email Compromise is that it blends into normal work.
Employees are used to receiving urgent requests. Finance teams process payments. HR teams handle employee information. Executives send short messages from phones. Managers approve exceptions. Teams work under pressure.
Attackers study those patterns and abuse them.
Imagine this scenario:
An accounts payable employee receives an email that appears to come from the CFO. The message says a payment must be processed before the end of the day and asks the employee to keep it confidential because it is related to a sensitive business matter. The sender name is correct. The tone is direct. The request seems important. The employee approves the payment. Only later does the company discover that the email came from an attacker.
This type of attack does not need to break the network. It does not need to exploit a software vulnerability. It only needs to convince the right person to trust the wrong message.
How a BEC Attack Works
A BEC attack can happen in several ways. Some involve spoofed display names or lookalike domains. Others involve real compromised accounts, which makes the attack much harder to detect.
1. Reconnaissance
Before sending the email, attackers collect information.
They may review the company website, LinkedIn profiles, press releases, job posts, vendor pages, public documents, leaked credentials, and previous breach data. They look for employees with authority, people involved in payments, executives who travel often, and departments that handle sensitive requests.
The more context attackers collect, the easier it becomes to write an email that looks like part of a real business process.
2. Identity Selection
The attacker chooses who to impersonate or compromise.
Common identities include:
- CEO;
- CFO;
- Finance director;
- HR manager;
- Legal counsel;
- Department manager;
- Executive assistant;
- IT administrator;
- Trusted colleague involved in approvals.
In simple cases, the attacker may spoof the display name:
Maria Santos <external.account@gmail.com>
In more advanced cases, the attacker may use a lookalike domain:
cfo@company-secure.com
vs.
cfo@company.com
In the most dangerous cases, the attacker compromises a real internal mailbox. When that happens, the email comes from a legitimate account, may pass authentication checks, and may include real conversation history.
This is one reason BEC has become more professionalized. Microsoft’s 2025 Digital Defense Report describes an ecosystem where stolen credentials, compromised inboxes, and attacker services can be bought and reused, making it easier for BEC operators to target companies faster and at greater scale.
3. Creating the Pretext
The email usually presents a plausible reason for the request.
It may mention an urgent vendor payment, a confidential acquisition, a legal matter, a tax document, a payroll update, a new bank account, an executive decision, or an internal deadline.
The request is written to match the company’s normal workflow. That is what makes BEC so effective. The message does not need to look strange. In fact, the more ordinary it looks, the more dangerous it becomes.
4. Pressure and Isolation
Many BEC emails create pressure.
The attacker may use phrases such as:
- “I need this done today.”
- “I’m in a meeting and can’t talk.”
- “Keep this confidential for now.”
- “This is urgent.”
- “Do not delay the payment.”
- “Can you handle this quickly?”
The goal is to reduce the employee’s time to think, verify, or ask someone else. Attackers often try to isolate the victim from normal approval processes.
5. Fraud Execution
The final step depends on the attacker’s goal.
The victim may approve a payment, change bank details, send sensitive data, update payroll information, click a fake login page, or continue a conversation that gives the attacker more internal knowledge.
In some cases, BEC becomes the first stage of a larger attack. Once the attacker gains trust or access, they may use the same compromised account to target vendors, customers, other employees, or business partners, including vendor email compromise scenarios.
BEC Is Not Only a Financial Problem
Although BEC is often associated with payment fraud, the impact can go far beyond money.
A successful BEC attack can cause:
- Exposure of confidential business data;
- Employee or customer data theft;
- Credential compromise;
- Payroll manipulation;
- Vendor relationship damage;
- Legal and compliance issues;
- Operational disruption;
- Loss of trust inside the company;
- Reputational damage;
- Future attacks against customers or partners.
In many cases, the financial transfer is only the visible part of the incident. The attacker may also have accessed sensitive conversations, internal documents, business processes, and contact lists before the fraud was discovered.
Why Companies Remain Vulnerable
Companies are used to protecting systems, devices, and networks. But BEC targets something harder to secure: trust between people.
The attack often succeeds because it appears to follow a normal business process.
1. Email Is Treated as an Approval Channel
If a sensitive request can be approved by email alone, the company is exposed.
Payment approvals, payroll changes, vendor updates, contract changes, and requests for confidential data should never depend only on a single email thread.
2. Authority Reduces Suspicion
When a request appears to come from leadership, employees may feel pressure to act quickly.
Attackers exploit hierarchy. They know that people are more likely to follow instructions from executives, managers, or senior employees, especially when the request sounds urgent or confidential.
3. Real Accounts Can Be Compromised
SPF, DKIM, and DMARC help reduce spoofing, but they do not stop every BEC scenario.
If the attacker controls a real mailbox, the message may come from a legitimate domain and pass authentication checks. That is why account behavior, login activity, inbox rules, OAuth applications, and communication history are critical signals.
4. Generic Phishing Training Is Not Enough
Many employees are trained to look for spelling mistakes, strange links, and suspicious attachments.
Modern BEC emails may have none of those signs. They can be short, well written, context-aware, and aligned with the company’s real processes. With generative AI, attackers can also write more convincing messages at scale.
The FBI’s 2025 Internet Crime Report and related FBI press release highlight how AI can make online scams more convincing through synthetic content, realistic messages, and believable impersonation. For BEC, that matters because the attacker’s message is the attack: the more credible it feels, the harder it becomes for employees to recognize the risk.
5. Business Pressure Creates Shortcuts
End-of-month payments, vendor deadlines, executive travel, closing processes, audits, and urgent operational issues can all create pressure.
Attackers know that when teams are busy, exceptions become easier to justify.
Warning Signs in a Business Email Compromise Attack
BEC can be difficult to detect because the email often looks normal. Still, certain patterns should slow the process down and trigger additional validation.
1. Urgent or Confidential Requests
Messages that pressure the recipient to act quickly, avoid discussion, or keep the request private should be reviewed carefully.
Urgency is not always suspicious, but urgency combined with money, data, credentials, or process changes is high risk.
2. Requests Outside the Normal Process
If a payment, payroll change, document request, or approval is being handled outside the usual workflow, the request should be verified.
Attackers often ask employees to bypass procurement systems, ticketing tools, approval chains, or finance platforms.
3. Small Changes in the Email Address
The sender name may look correct while the actual email address is slightly different.
A swapped letter, added word, different domain extension, hyphen, or personal email account can be enough to deceive someone who is reading quickly or working from a mobile device.
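As an added example, not code from the original article: a small Python check for the header-level patterns described above and in the identity-selection step (executive display name on an external address, personal email accounts, and lookalike domains that extend, misspell, or re-suffix the company domain). company.com and Maria Santos are the page's own placeholders; the freemail list and the reason codes are assumptions.

```python
from email.utils import parseaddr

# Constructed sample data: the page's placeholder company domain, the executive
# name from its spoofing example, and common personal-mail providers.
TRUSTED_DOMAINS = {"company.com"}
PROTECTED_NAMES = {"maria santos"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com", "hotmail.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one substituted or swapped letter scores 1 or 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(from_header: str) -> list[str]:
    """Return reason codes for a From: header; an empty list means no header-level warning."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in TRUSTED_DOMAINS:
        # Own domain: spoofing is what SPF/DKIM/DMARC address; a compromised
        # real mailbox needs behavioural signals, not header checks.
        return []
    reasons = []
    if name.strip().lower() in PROTECTED_NAMES:
        reasons.append("name-mismatch")      # executive's name on an external address
    if domain in FREEMAIL:
        reasons.append("freemail")           # personal account used for business
    label = domain.rsplit(".", 1)[0]         # 'company-secure.com' -> 'company-secure'
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.rsplit(".", 1)[0]
        if label == t_label:
            reasons.append("lookalike-tld")       # company.co, company.net
        elif t_label in label.replace("-", "").replace("_", ""):
            reasons.append("lookalike-extended")  # company-secure, companypayments
        elif edit_distance(label, t_label) <= 2:
            reasons.append("lookalike-near")      # c0mpany, compnay
    return reasons
```

A header check like this only covers the spoofing and lookalike cases; a message from a genuinely compromised internal mailbox returns no reasons here by design.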
4. Unusual Tone or Timing
Even when the email comes from a real account, the writing style may feel different.
A sudden change in tone, unusual wording, unexpected formality, missing context, or activity at strange hours can indicate that someone else may be controlling the account.
5. Payment or Bank-Detail Changes
Any request to change payment instructions, bank details, IBANs, payroll accounts, invoice details, or vendor payment destinations should be treated as high risk.
The request should be confirmed through a trusted channel that was already known before the email arrived.
6. Requests for Sensitive Information
BEC is not always about money.
Requests for tax documents, employee records, customer data, contracts, credentials, or internal reports should be verified before anything is sent.
7. New Links, Portals, or Attachments
Links to login pages, shared documents, billing portals, or “updated” files can be used to steal credentials or deliver the next stage of the attack.
If the request is unexpected, employees should validate the domain, the sender, and the business context before interacting with it.
How to Protect Your Company Against Business Email Compromise
Defending against BEC requires more than email filtering. Companies need identity protection, process controls, behavioral detection, and teams that know how to pause when a request feels unusual.
1. Create Strong Validation Processes
Sensitive requests should not be approved by email alone.
Payment approvals, payroll changes, vendor bank-detail updates, and confidential data requests should require verification through a separate trusted channel, such as a registered phone number, internal system, or approved workflow.
2. Require Dual Approval for High-Risk Actions
No single employee should be able to approve high-risk financial or data-related actions without a second review.
Dual approval reduces the chance that one pressured employee becomes the only barrier between the attacker and the business.
3. Use Multi-Factor Authentication
Multi-factor authentication reduces the risk of mailbox compromise.
However, MFA is not a complete solution. Modern attackers may use session theft, adversary-in-the-middle phishing, OAuth abuse, or token replay. MFA should be combined with monitoring for unusual login behavior, impossible travel, suspicious inbox rules, and unauthorized applications.
4. Implement SPF, DKIM, and DMARC
SPF, DKIM, and DMARC help reduce domain spoofing and unauthorized use of company domains.
These controls are important, but they do not solve BEC alone. They help with spoofing, but they do not detect every case of social engineering, lookalike domains, or real account compromise.
5. Monitor Exposed Credentials
Credentials exposed in data leaks can be used to compromise business mailboxes.
Companies should monitor for exposed employee accounts, enforce password resets when needed, and investigate whether leaked credentials are being used against Microsoft 365 or other cloud services.
6. Detect Behavior, Not Only Bad Links
Many BEC emails do not contain malware or known malicious URLs.
Detection should look at sender behavior, relationship history, communication patterns, payment language, urgency, unusual requests, new domains, identity mismatches, and deviations from normal business communication.
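An added example, not the article's own code: a scoring function over constructed sample messages that combines the content and relationship signals listed above (urgency phrases, secrecy, payment and bank-detail language, process bypass, and no prior communication history with the sender). The sender-history table, weights and hold threshold are assumptions for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample data: prior thread counts per sender (relationship history)
# and phrase lists built from the pressure language quoted earlier in the article.
KNOWN_SENDERS = {"vendor@supplier.com": 42, "cfo@company.com": 120}
URGENCY = [r"\btoday\b", r"\burgent\b", r"\bquickly\b", r"\bdo not delay\b", r"\bcan'?t talk\b"]
SECRECY = [r"\bconfidential\b", r"\bkeep this between us\b", r"\bdon'?t (tell|involve)\b"]
PAYMENT = [r"\bpayments?\b", r"\bwire\b", r"\binvoice\b", r"\bpayroll\b", r"\bgift cards?\b"]
DETAIL_CHANGE = [r"\b(new|updated?|changed?) (bank|account|payment) (details|instructions|information|number)\b",
                 r"\biban\b"]
BYPASS = [r"\b(skip|bypass|outside) (the )?(usual|normal|po|purchase order|approval)\b",
          r"\bwithout (a )?(po|ticket)\b"]
HOLD_THRESHOLD = 5   # assumption: at or above this, route to out-of-band verification


@dataclass
class Message:
    sender: str
    subject: str
    body: str


def score_message(msg: Message) -> tuple[int, list[str]]:
    """Weighted signal count; returns (score, matched signal tags) for analyst review."""
    text = f"{msg.subject}\n{msg.body}".lower()
    score, hits = 0, []
    for patterns, tag, weight in (
        (URGENCY, "urgency", 1),
        (SECRECY, "secrecy", 2),
        (PAYMENT, "payment-language", 2),
        (DETAIL_CHANGE, "detail-change", 3),
        (BYPASS, "process-bypass", 3),
    ):
        if any(re.search(p, text) for p in patterns):
            hits.append(tag)
            score += weight
    if KNOWN_SENDERS.get(msg.sender.lower(), 0) == 0:
        hits.append("first-contact")   # no relationship history with this address
        score += 2
    return score, hits


def triage(msg: Message) -> str:
    """Decision for the mail pipeline: hold for verification or deliver normally."""
    score, _ = score_message(msg)
    return "verify-out-of-band" if score >= HOLD_THRESHOLD else "deliver"
```

Note that the first sample below comes from a known internal address and still scores high: that is the compromised-mailbox case where header checks stay silent and only content and behaviour signals remain.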
7. Train Teams With Realistic Scenarios
Training should reflect how BEC actually works.
Finance teams should practice payment and invoice approval scenarios. HR teams should practice payroll and employee-data requests. Executives should understand how their identities can be abused. IT teams should recognize mailbox compromise indicators. Employees should know when to pause, verify, and escalate.
Conclusion
Business Email Compromise shows that cyberattacks do not always need advanced malware or complex exploits. Often, attackers succeed by abusing trust.
The email looks familiar. The sender appears important. The request seems routine. The pressure feels real. That apparent normality is exactly what makes BEC dangerous.
Companies need to protect more than the inbox. They need to protect the decisions that happen after the email arrives.
That means validating sensitive requests, monitoring identity signals, detecting abnormal communication behavior, and giving teams clear evidence before they act.
BEC is a trust-based attack. Stopping it requires trust-based detection.