Back to blog

Business Email Compromise Explained: Attack Lifecycle, Types, and Defenses

Articles

Articles

Written by

Brightside Team

Published on

A vendor your company pays every month sends an invoice with an updated bank account. A CEO emails an assistant asking them to buy a stack of gift cards and send over the serial numbers right away. A homebuyer gets wire instructions from the title company for the down payment. Each request looks routine. Each one is the kind of thing that gets handled a hundred times a year without a second thought. And in the versions of these stories the FBI documents, every message was fake, and the money went to a criminal instead of the intended recipient.

That is business email compromise. It is not a virus, a malicious attachment, or a link to a credential-harvesting page. It is a financially motivated con that impersonates someone the recipient already trusts, then asks them to do something they are already authorized to do: move money, change payment details, or hand over sensitive data. The whole attack lives in the space between a familiar sender name and an employee's instinct to comply.

That is also what makes BEC so hard to stop. It attacks trust, not systems. There is usually no malware for antivirus to catch and no dangerous URL for a filter to block, so the tools most organizations rely on have almost nothing to detect, and the entire burden of defense falls on human judgment at the exact moment the attacker has engineered that judgment to fail. What follows is how these attacks are built, why they work on careful people, how AI and deepfakes have raised the stakes, and what actually reduces the risk.

Key Takeaways

  • Business email compromise is malware-free social engineering that impersonates a trusted party to trigger a fraudulent payment, a banking-detail change, or a data disclosure. It is consistently one of the costliest cybercrime categories the FBI tracks.

  • BEC defeats perimeter and email-filtering tools precisely because there is often no malicious link or attachment to detect. The defense burden shifts onto human judgment and financial process.

  • Attacks follow a repeatable lifecycle (reconnaissance, impersonation or account compromise, trust-building, the ask, and laundering) and show up as a small set of recognizable subtypes such as CEO fraud, vendor email compromise, and payroll diversion.

  • AI has removed the old warning signs. BEC emails are now grammatically flawless and context-aware, and voice and video deepfakes are turning up in high-value executive-impersonation fraud.

  • Durable defense is layered: phishing-resistant authentication and email authentication, dual authorization and out-of-band verification for any money movement, and realistic, psychology-aware simulation training that builds human resilience.

What Business Email Compromise Actually Is

Business email compromise is a targeted attack in which a criminal impersonates a trusted person or organization over email to manipulate an employee into transferring funds, changing payment instructions, or disclosing confidential information. The impersonated party is almost always someone with legitimate influence over the target: a senior executive, a known vendor, an attorney, a colleague, or a business partner. The request is designed to look like normal business, because normal business is exactly what the attacker wants the victim to think they are doing.

What separates BEC from most other email threats is what it lacks. There is typically no malware, no exploit, and no obviously malicious link. Microsoft, Cisco, Proofpoint, and the FBI all describe BEC the same way: a social engineering attack that relies on impersonation and persuasion rather than technical compromise. Cisco notes that BEC was once called "man-in-the-email," a reminder that the attacker inserts themselves into a trusted conversation rather than breaking anything. Because the message carries none of the usual technical markers of an attack, traditional threat-detection tools that scan headers, links, and attachments frequently see nothing worth flagging.

It helps to separate three terms that get used loosely.

BEC versus email account compromise (EAC). The FBI often pairs the two because they overlap in practice, but they are mechanically different. In classic BEC, the attacker impersonates a trusted party from the outside, usually by spoofing a display name or registering a look-alike domain. In email account compromise, the attacker actually controls a real mailbox, having stolen the credentials through phishing, password reuse, or an adversary-in-the-middle kit. EAC is more dangerous because the fraudulent message genuinely originates from the legitimate account, so there is no spoofed address or look-alike domain to notice. Many of the most convincing BEC frauds begin with an EAC foothold.

BEC versus phishing. Phishing is the broad category: high-volume, often automated messages blasted to large groups in the hope that a small percentage click a link or enter credentials. BEC is a targeted, research-driven subset that usually contains no link at all. Instead of casting a wide net, the attacker studies a specific organization, identifies who controls money or data, and crafts a message tailored to that person and moment. Phishing generally wants your credentials or wants to plant malware. BEC generally wants a payment or a document, and it wants it now. The difference matters for defense: the controls that catch bulk phishing (link rewriting, attachment sandboxing, spam scoring) are largely irrelevant to a plain-text email asking a finance manager to update a supplier's bank details.

The practical takeaway is that BEC is a fraud problem wearing an email costume. The email is just the delivery mechanism. The actual attack is a manipulation of a business process.

Why BEC Is One of the Costliest Cybercrimes

BEC rarely tops the charts for the number of complaints, but it consistently ranks near the top for money lost. In its 2024 Internet Crime Report, the FBI's Internet Crime Complaint Center (IC3) logged 21,442 BEC complaints, which made it only the seventh most-reported crime category. By dollars lost, though, it ranked second, at roughly $2.77 billion. That gap between complaint volume and financial damage is the whole story of BEC: comparatively few incidents, each one expensive.

The cumulative figures are larger and starker. As reported by NACHA, the losses reported to IC3 for BEC between 2022 and 2024 totaled nearly $8.5 billion, a number the FBI itself called staggering. Estimates of cumulative BEC losses over the past decade run past $50 billion. Losses continued into 2025, with different tallies of the FBI's 2025 reporting landing somewhere in the range of $2.9 billion to $3.04 billion for the year. And these numbers almost certainly understate the problem, because many organizations never report, whether out of embarrassment, fear of reputational damage, or uncertainty about where to file.

Per-incident severity is climbing too. Industry analyses of IC3 data describe the average BEC claim rising from roughly $84,000 in 2023 to around $183,000 more recently. Proofpoint, which sits in the flow of enormous volumes of enterprise email, reports detecting and stopping more than 66 million targeted BEC attempts per month on average, a figure that conveys how routine these attacks have become as a background condition of doing business over email.

Two points deserve emphasis for security leaders.

First, size does not protect you. If anything, the pattern runs the other way for attention. Analyses of enterprise targeting suggest the largest organizations face something close to a near-certain weekly probability of being targeted by BEC, while even organizations under 1,000 employees face a high weekly probability. The Association for Financial Professionals reported in its 2025 fraud survey that 63% of organizations experienced BEC in the prior year. Small and mid-sized businesses are hit disproportionately hard relative to their resources, because they often lack the layered financial controls and dedicated security staff that give larger enterprises at least a chance to catch a fraudulent transfer before it settles.

Second, the risk concentrates by function more than by industry, though industry patterns exist (manufacturing, energy, retail, utilities, and real estate all show up heavily in targeting data). What every BEC campaign is really hunting for is a person with the authority to move money or release data, and a process that lets them do it without a second set of eyes.

How a BEC Attack Works: The Five-Phase Lifecycle

Security researchers consistently describe BEC as unfolding across a handful of sequential phases, regardless of the specific pretext. Cisco compresses the pattern into four stages (research, preparation, attack, and dissemination); other analyses break it into five. The version below maps the full lifecycle and shows where an organization can still intervene at each step.

Phase 1: Reconnaissance and identity research. The attacker builds a picture of the target. LinkedIn reveals the org chart, reporting lines, and who sits in finance, accounts payable, HR, and the executive suite. Company websites, press releases, and social media surface vendor relationships, deal activity, travel, and fiscal calendars. Email-address conventions are easy to infer once you have a few examples. Breach data and open-source intelligence tools fill in the rest. By the end of this phase, the attacker knows who to impersonate, who to target, what a normal request between them looks like, and when a payment would be plausible.

Phase 2: Compromise or impersonation setup. Now the attacker establishes the sending identity. There are three common routes. They can register a look-alike domain, swapping or adding a character so that john.kelly@examplecompany.com becomes john.kelley@examplecompany.com, a difference the eye skates right over. They can spoof a display name so the message shows a trusted person's name even though the underlying address is unrelated. Or they can take over a real mailbox through credential phishing, password reuse, or an adversary-in-the-middle kit that relays a multi-factor prompt in real time. Account takeover is the most potent option, because the fraud then comes from the genuine account. Attackers who gain mailbox access frequently set up hidden inbox rules that auto-forward or auto-delete certain messages, letting them monitor a billing thread for weeks and hide their presence from the real account owner.

Phase 3: Trust-building and social engineering. Rather than open with a large financial demand, sophisticated actors often warm up the target with a low-risk, credible message first, such as a quick question or a heads-up that a payment is coming. They mirror the impersonated person's tone, signature block, and phrasing, and they reference real events (a merger, a quarter close, an executive traveling) to make the exchange feel like a continuation of normal work. When the attacker has hijacked a real vendor thread, this phase requires almost no effort, because the legitimate context is already there.

Phase 4: Execution, the financial or data ask. This is the payload. The victim is asked to wire funds to a new account, change a supplier's banking details, buy gift cards and send the codes, redirect an employee's payroll deposit, or hand over sensitive records such as W-2 forms or a customer list. The ask is almost always framed as urgent and confidential, two pressures that work together to push the target toward acting before verifying and to keep them from looping in a colleague who might notice something is off.

Phase 5: Laundering. Once the money moves, speed becomes the attacker's ally and the victim's enemy. Funds are pulled through mule accounts and across jurisdictions to obscure the trail before anyone notices. Recovery odds drop sharply with time. This is why the standard incident guidance, from the FBI and financial regulators alike, stresses contacting your bank and law enforcement within hours, not days, to attempt a recall while the funds are still traceable.

The lifecycle framing is useful because it shows that BEC is not a single lucky email. It is a small project, and every phase is an opportunity to insert friction: better external-sender warnings and domain monitoring in phase two, verification norms in phase three, and hard payment controls in phase four.

The Main Types of BEC Attacks

BEC is not one scam but a family of them, distinguished mostly by who gets impersonated and what the attacker asks for. Recognizing the named subtypes helps teams map the threat to their own workflows.

Type

Who is impersonated

The ask

CEO / executive fraud

A senior leader (CEO, CFO)

An urgent, confidential wire transfer, often bypassing normal process

Invoice / false-invoice fraud

A supplier or the AP process

Payment of a fake or altered invoice, or to a changed account

Vendor email compromise (VEC)

A real, trusted vendor (often via a hijacked account)

A change of bank details inserted into a genuine transaction

Attorney impersonation

Outside or in-house legal counsel

A rushed, secret payment tied to a sensitive matter

Payroll diversion

An employee, to HR or payroll

Redirecting the employee's direct deposit to an attacker account

Data-theft scheme

An executive or HR, targeting HR or finance

W-2 forms, employee PII, or tax records rather than money directly

Gift-card scam

An executive or manager

High-volume, lower-dollar gift-card purchases with codes sent back

A few of these deserve extra attention. Vendor email compromise has become one of the fastest-growing variants, with reported cases up sharply in recent years, because it weaponizes an existing, trusted relationship. When a fraudulent bank-change request arrives inside a real invoice thread from a real supplier, there is almost nothing visibly wrong with it. Executive-impersonation CEO fraud remains common, but vendor and third-party imposters now rival it in frequency, which reflects how much attackers have learned to exploit supply-chain trust. Data-theft schemes are easy to underrate because no money moves immediately, but a stolen W-2 roster feeds directly into tax fraud and synthetic-identity crime. Gift-card scams persist because gift cards are near-anonymous and easy to cash out, making them the low-friction option for lower-value, high-volume attempts.

Real incidents show the range. A Toyota parts supplier was reported to have lost roughly $37 million to a BEC attack in which criminals posing as a business partner directed finance staff to change payment details. The networking company Ubiquiti disclosed a loss of about $46.7 million in 2015 to vendor-impersonation fraud. The charity Save the Children reportedly lost around $1 million after criminals compromised an employee account and pushed through fake invoices. The dollar figures vary, but the shape is always the same: a plausible request, from a trusted-looking source, aimed at a person who could act on it.

The AI and Deepfake Escalation

For years, the classic advice for spotting BEC included "look for awkward grammar and odd phrasing." Generative AI has retired that tell. Attackers now produce fluent, context-aware, on-brand messages in any language at scale, and they can tune tone to match an executive or a vendor precisely. One industry analysis reported BEC attacks rising 38% year over year in 2025, attributing much of the increase to AI-generated content that is harder to distinguish from legitimate correspondence. The uncomfortable implication is that the most reliable visual cues employees were trained to catch are now the least reliable.

The bigger shift is the move beyond text. Voice and video deepfakes have turned executive impersonation from a written pretext into a live performance. Criminals harvest an executive's voice from conference talks, interviews, earnings calls, and social clips, then clone it to leave a voicemail or join a call. In the most cited case, finance staff at the engineering firm Arup were reportedly deceived by a video call populated with deepfaked colleagues and authorized transfers totaling roughly $25 million. The FBI logged an estimated $893 million in AI-related fraud losses in 2025, and by most accounts fewer than one in twenty victims report such incidents, so the real total is likely far higher. Regional analyses put the average loss per deepfake fraud incident against large enterprises in the neighborhood of $680,000, though figures like these should be read as estimates rather than precise measurements.

The through-line is convergence. BEC is no longer an email-only threat. A modern attack might open with a spoofed email, escalate to a deepfaked voicemail that "confirms" the request, and close with a video call that overrides an employee's hesitation. The channels reinforce each other, and each added channel makes the fraud feel more legitimate. That is why the useful detection cues have shifted away from spelling and toward behavior: resistance to a callback on a known-good number, refusal to move the conversation to an established secondary channel, and pressure to skip a control "just this once." Those are red flags that survive even when the audio and video do not give the attacker away.

Why BEC Attacks Succeed: The Psychology

If BEC carried a technical signature, we would have automated it out of existence years ago. It does not, so its success rests on something more durable: predictable features of human cognition and organizational behavior. Understanding those levers is the difference between training that scolds employees for "falling for it" and training that actually changes outcomes.

The peer-reviewed work here is instructive. In a widely cited 2020 study of human cognition through the lens of social engineering, Montañez and colleagues frame these attacks as psychological attacks that exploit specific weaknesses in how people process information. Two of their findings matter enormously for BEC defense. First, susceptibility rises under high cognitive workload, acute stress, and low attentional vigilance, and when the target lacks relevant experience. A busy finance employee clearing a backlog at quarter-end under time pressure is, cognitively, an easier target than the same person on a quiet afternoon. Second, and more sobering, the researchers found that awareness alone does not reliably reduce susceptibility. Knowing that BEC exists is not the same as being resistant to it in the moment.

That is because BEC is engineered to trigger fast, automatic thinking and suppress slow, deliberate analysis. Cognitive scientists describe two broad modes of decision-making: a quick, heuristic, low-effort mode and a slower, controlled, analytical mode. Well-constructed social engineering pushes the target into the fast mode and keeps them there. Several specific levers do the pushing:

  • Authority bias. People are conditioned to comply with senior leaders. An email that appears to come from the CEO or CFO short-circuits the normal impulse to question a request. The employee is not being reckless. They are being a good team member, which is exactly the reflex the attacker is renting.

  • Urgency and artificial time pressure. "This has to go out before the bank closes" removes the window in which a person would otherwise pause and verify. Time pressure narrows attention onto the demand itself and away from the peripheral cues (an odd address, a slightly wrong domain) that would give the fraud away. Stress researchers call this attentional tunneling.

  • Familiarity and trust. Because the attacker has done reconnaissance, the message uses the right names, the right signature, the right project references, and the right tone. It feels personally validated rather than generic, which lowers the recipient's guard.

  • Confidentiality framing. "Please keep this between us until the deal is announced" isolates the victim from the colleagues who might otherwise flag the request. Secrecy is not incidental. It is a control the attacker uses to prevent a second opinion.

  • The absence of technical red flags. There is no malware and no link, so nothing in the employee's environment lights up. When the tools stay silent, people reasonably read that silence as safety.

  • Organizational process gaps. If a single employee can execute a wire or change a vendor's bank details without a second approver or an out-of-band check, then one deceived person is all it takes. This is the organizational failure hiding behind what looks like an individual mistake.

The 2025 Verizon Data Breach Investigations Report found that roughly 60% of breaches involve a human element such as phishing or pretexting. BEC is the purest expression of that statistic. People are not careless here. Attackers have simply gotten very good at building situations where the natural, cooperative, efficient response is also the wrong one.

Why Traditional Defenses Miss BEC

Most enterprise email security was built to answer a technical question: is there anything dangerous in this message? BEC is designed so the answer is no.

Secure email gateways, antivirus, and sandboxing look for malicious attachments, weaponized links, and known-bad indicators. A plain-text note asking accounts payable to update a supplier's bank account contains none of those things. Authentication protocols such as SPF, DKIM, and DMARC can blunt outright domain spoofing, and they are worth deploying, but they do not help when the attacker uses a look-alike domain they legitimately registered, or when the message comes from a genuinely compromised account that passes every authentication check because it really is the sender. Detection and response tooling watches for anomalous system behavior, but a finance manager voluntarily initiating a wire transfer is not anomalous. It is their job.

This is the core reason BEC persists. The transaction looks legitimate at every technical layer, because at every technical layer it is legitimate. The illegitimacy lives in the intent behind the request and the deception that produced it, and neither of those is visible to a scanner. When the one deceived employee also happens to be the only approval required, the fraud completes with nothing to trip an alarm. Defense therefore has to move to the two places where BEC is actually vulnerable: the human decision and the financial process.

How to Reduce BEC Risk: A Layered Defense

There is no single control that stops business email compromise, and any vendor claiming otherwise should be treated with suspicion. What works is layering, so that a failure at one layer is caught at the next. It helps to think in three layers: keep attackers out of accounts, make money hard to move on a single deceived decision, and build human judgment that resists manipulation.

Layer 1: Identity and account-takeover controls. Because EAC underpins the most convincing BEC, hardening authentication pays off directly. Phishing-resistant multi-factor authentication (FIDO2 security keys or passkeys) is the highest-value control here, because it defeats the adversary-in-the-middle kits that relay ordinary MFA prompts. Deploy SPF, DKIM, and DMARC to reduce spoofing of your own domain, and monitor for look-alike domain registrations that target your brand. Audit mailbox rules regularly, since attacker-created auto-forwarding and auto-delete rules are a reliable sign of a compromised account and a common enabler of long-running invoice fraud.

Layer 2: Financial process controls. This is where BEC is most cheaply defeated, and where too many organizations remain exposed. Require dual authorization for wire transfers and for any change to vendor or payroll banking details, ideally with the two approvers in different functions. Verify every banking-detail change and every unusual payment request out of band, using a phone number you already have on file, not the number or reply address in the message. Set payment thresholds that trigger additional review. These controls work regardless of how convincing the email, voicemail, or video call was, because they do not depend on anyone spotting the fraud. They depend on a second, independent confirmation that the request is real.

Layer 3: Human resilience. Because the attack ultimately targets a person's judgment, that judgment has to be trained, and this is where the honest debate lives. It is worth being candid: the evidence on security awareness training is genuinely mixed. A review by Cybersecurity Dive of more than a dozen peer-reviewed studies and meta-analyses concluded that commonly deployed forms of training offer small or minimal protective benefit, and can even breed false confidence. Vendor-reported figures paint a rosier picture, with surveys in which a large majority of organizations believe training reduced their phishing susceptibility. Both things can be true. Generic, annual, click-the-module training that teaches people to spot typos does very little against AI-written, context-aware BEC. Training that is frequent, role-specific, and built around realistic practice at recognizing emotional manipulation (urgency, authority, secrecy) rather than surface cues is a different proposition.

The practical conclusion the field is converging on is not "training does not work" but "training only works as part of a system." Realistic simulation that rehearses the actual pressure of a BEC attempt, paired with the hard controls in layers one and two, is what moves the needle. Regulation is starting to reflect this systemic view: frameworks such as the EU's NIS2 directive expect in-scope organizations to demonstrate risk management, supply-chain security, and documented training, and financial regulators including FinCEN advise reporting BEC-induced wire fraud quickly and building transaction monitoring around it. The direction of travel is toward treating BEC as an enterprise risk that spans security, finance, and process, not an inbox problem to be solved with a filter.

Brightside AI: most realistic phishing simulation software for enterprises

The layered model above puts realistic, psychology-aware simulation at the center of the human-resilience layer, and that is the specific problem Brightside AI is built to solve. Brightside is a Swiss security-awareness training platform that focuses on making simulated attacks feel like the real thing, so employees rehearse the exact pressures a BEC attempt applies before a genuine one arrives. It is worth being clear about what this is and is not: Brightside is training and simulation, a complement to the identity and financial controls in the other two layers, not an inbound email filter or a detection-and-response tool.

The realism comes from specific mechanisms rather than positioning. Brightside's email phishing library includes templates built specifically around business email compromise, vendor impersonation, and AI-powered spear phishing, organized by department (Finance and Accounting, Legal and Compliance, IT and InfoSec) and aligned to the NIST Phish Scale so difficulty can be dialed from least to very difficult. Its AI-powered OSINT spear-phishing personalizes each simulation from the employee's actual profile (role, tools, tenure) using data synced from HR and identity integrations, which mirrors the reconnaissance real BEC actors perform in phase one of the lifecycle. Instead of a generic test, a finance analyst receives a scenario shaped to how a finance analyst would actually be approached.

Because modern BEC has jumped channels, so has the training. Brightside's vishing simulator runs AI-powered voice calls in two modes, a voice-only attack and a hybrid attack that pairs a call with a trackable phishing email, and it can clone an executive's voice from a short recording to rehearse the deepfake-voice scenarios described earlier. Deepfake awareness courses prepare teams to recognize synthetic audio and video manipulation. A one-click Report Phishing add-on for Gmail and Google Workspace closes the loop between simulation and real reporting, routing genuine threats to the security team while crediting employees who correctly report a simulation. Results feed NIST-weighted failure rates and risk reporting so leaders can see where exposure actually concentrates.

Pros

  • BEC-specific, department-targeted email templates aligned to the NIST Phish Scale, so difficulty and relevance are tunable

  • AI-driven OSINT personalization that reproduces attacker reconnaissance for genuinely realistic scenarios

  • Multi-channel coverage in one platform: email phishing, AI vishing (including executive voice cloning), and deepfake awareness, matching how real BEC now converges across channels

  • Report Phishing add-on that turns training into a real reporting habit, with simulation-aware routing

  • Swiss-built, multilingual, with integrations for Google Workspace, Microsoft Active Directory, Okta, and Vanta

Cons

  • Focused on the human-resilience layer, so it complements rather than replaces email authentication, account-takeover controls, and financial process controls

  • Deepfake video simulation for high-value targets is delivered as a managed service rather than a self-serve feature, which suits executive scenarios but is not a do-it-yourself tool

Try our vishing simulator

Experience the most advanced voice phishing simulator built for security teams. Create scenarios, test voice cloning, and explore automation features.

Frequently Asked Questions

What is the difference between BEC and phishing?

Phishing is a broad, high-volume tactic: generic messages sent to many people, usually carrying a malicious link or attachment meant to harvest credentials or plant malware. Business email compromise is a targeted subset that typically contains no link or malware at all. The attacker researches a specific organization, impersonates a trusted person or vendor, and asks a particular employee to move money or release data. Phishing plays the numbers; BEC plays a single, well-prepared con.

What is the difference between BEC and email account compromise (EAC)?

They overlap but describe different mechanics. In BEC, the attacker impersonates a trusted party from the outside, often through a spoofed name or a look-alike domain. In EAC, the attacker actually controls a real mailbox after stealing the credentials, so the fraudulent message genuinely comes from the legitimate account. EAC is frequently the foothold that makes a BEC fraud almost impossible to spot, because there is no fake address to notice.

Which employees and departments do BEC attacks target most?

Anyone who can move money or release sensitive data. In practice that means finance and accounts payable, HR and payroll, executives and their assistants, procurement, and IT administrators. Attackers also target external vendors and partners, since a compromised supplier account is a powerful launch point for invoice fraud against everyone that supplier bills.

Can email security tools or spam filters stop business email compromise?

Only partly. Authentication protocols (SPF, DKIM, DMARC) and modern email security reduce outright spoofing and catch many attacks, and they are worth deploying. But because most BEC carries no malware or malicious link, and because account-takeover messages come from genuine accounts, technical filters miss a meaningful share of these attacks. That is why financial process controls and trained human judgment are essential, not optional.

What should we do if we fall victim to a BEC wire transfer?

Move fast, because recovery odds fall by the hour. Contact your bank immediately and ask them to attempt a recall or freeze on the transfer, and have them contact the receiving institution. Report the incident to the FBI's Internet Crime Complaint Center at ic3.gov, which can invoke recovery mechanisms for fraudulent wires. Preserve the original emails and headers for investigators, and review your accounts for signs of a mailbox compromise, such as unexpected forwarding rules, in case the incident was EAC rather than pure impersonation.