Phishing
Business email compromise: how BEC scams work
Inside the impersonation playbook attackers use to redirect payments and invoices — why email filters miss it, and how to shut it down.
Business email compromise (BEC) is the quiet giant of cybercrime: no malware, no malicious link, just a convincing message that moves money to the wrong account. It consistently causes some of the largest financial losses of any attack type — precisely because it looks so ordinary.
How a BEC scam unfolds
- Reconnaissance — attackers research executives, finance staff, and suppliers.
- Impersonation — they spoof a trusted person or vendor, or write from a look-alike address.
- The ask — an 'urgent' wire transfer, a changed bank account, or a fake invoice.
- Pressure — secrecy and time limits to discourage double-checking.
Why filters miss it
There's often nothing for a scanner to catch: no attachment, no link, no known-bad payload — just plain text from a plausible address. That's what makes BEC a human problem first. The defence has to live with the people who handle money and trust, not only in the mail gateway.
How to stop it
- Verify payment and bank-detail changes out-of-band, every time.
- Build a no-blame culture where pausing to check is encouraged.
- Flag external senders and lookalike domains automatically.
- Simulate BEC scenarios so finance teams recognise the pattern.
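The "flag external senders and lookalike domains" control above is one of the few BEC defences that can be automated. The following is an added example, not code from the article: a small header check that classifies a `From:` value against a constructed list of trusted domains and executive names, folding common confusable characters before comparing, measuring edit distance to the nearest trusted domain, and noting a `Reply-To` that points somewhere other than the sender's domain. The domain and name lists are constructed for the example, and the `registrable()` helper assumes one-label public suffixes (it does not handle suffixes such as `co.uk`).

```python
"""Lookalike-domain and impersonation check for inbound mail headers (added example)."""
import email.utils
import unicodedata

# Constructed data for this example: our own domain, the vendors we pay, and the
# display names of senior staff that BEC messages typically borrow.
INTERNAL_DOMAIN = "example.com"
TRUSTED_DOMAINS = {"example.com", "acme-supplies.example", "northwind-invoicing.example"}
EXECUTIVE_NAMES = {"jane doe", "john roe"}

# Confusable substitutions folded away before comparing domains. Applied to
# both sides so that a trusted domain and its lookalike compare equal.
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "8": "b"})
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"), ("cl", "d"))


def normalise(domain: str) -> str:
    """Lower-case, strip accents (NFKD), and fold confusable characters."""
    folded = unicodedata.normalize("NFKD", domain.strip().lower())
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    folded = folded.translate(CONFUSABLE_CHARS)
    for pair, replacement in CONFUSABLE_PAIRS:
        folded = folded.replace(pair, replacement)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance; domains are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain: str) -> str:
    """Keep the last two labels so a vendor's subdomain matches the vendor.
    Assumption: two-label public suffixes such as co.uk are not handled here."""
    labels = domain.split(".")
    return ".".join(labels[-2:])


def domain_of(addr: str) -> str:
    """Domain part of an address, lower-cased; empty when there is no '@'."""
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, reply_to: str = "", max_distance: int = 2) -> dict:
    """Classify one From: header (and optional Reply-To) for BEC indicators.

    verdict: internal | trusted | lookalike | impersonation | external
    flag:    True when the message deserves a warning banner or a hold for review
    """
    display, addr = email.utils.parseaddr(from_header)
    reg = registrable(domain_of(addr))
    reasons = []

    if reg in TRUSTED_DOMAINS:
        verdict = "internal" if reg == INTERNAL_DOMAIN else "trusted"
    else:
        verdict = "external"
        norm = normalise(reg)
        # Nearest trusted domain after confusable folding; sorted() keeps ties deterministic.
        closest = min(sorted(TRUSTED_DOMAINS), key=lambda t: levenshtein(norm, normalise(t)))
        dist = levenshtein(norm, normalise(closest))
        if dist == 0:
            verdict = "lookalike"
            reasons.append(f"{reg} differs from {closest} only by confusable characters")
        elif dist <= max_distance:
            verdict = "lookalike"
            reasons.append(f"{reg} is edit distance {dist} from {closest}")
        # An executive's display name on an external mailbox is the classic CEO-fraud shape.
        if display.strip().lower() in EXECUTIVE_NAMES:
            if verdict == "external":
                verdict = "impersonation"
            reasons.append(f"display name '{display}' matches an internal executive")

    # A Reply-To on another domain reroutes the conversation, whatever From says.
    if reply_to and registrable(domain_of(reply_to)) != reg:
        reasons.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {reg}")

    return {"domain": reg, "verdict": verdict, "flag": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for hdr in ("Jane Doe <jane.doe@example.com>",
                "Jane Doe <jane.doe@exarnple.com>",
                "John Roe <john.roe@webmail.example>",
                "Accounts <ap@acme-supplier.example>"):
        print(hdr, "->", classify_sender(hdr))
```

In a gateway rule this would drive a visible banner on anything with `flag` set and a hold on `lookalike` or `impersonation` verdicts; the point is to surface the mismatch to the person who will be asked to move money, since the message body itself gives a scanner nothing to catch.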
BEC succeeds by exploiting trust and urgency. A simple, non-negotiable rule — verify any change to where money goes through a second channel — defeats the vast majority of these attacks.