What is Business Email Compromise (BEC)?


Business email compromise is a fraud scheme where attackers impersonate executives or vendors to redirect payments.

How BEC Attacks Work

CEO Fraud

CEO fraud involves the attacker impersonating the CEO or another senior executive to pressure an employee — most often in finance — into making an urgent wire transfer. The message typically creates urgency, requests secrecy, and provides wire instructions for an attacker-controlled account. The impersonation may be achieved through a lookalike email domain, display name spoofing, or actual compromise of the executive's email account. The finance employee receives what appears to be a direct instruction from the CEO, often referencing a real business deal or acquisition to make the request plausible.

Vendor Invoice Fraud

Vendor invoice fraud involves the attacker impersonating a legitimate vendor to redirect payment for legitimate invoices to an attacker-controlled account. The attacker may compromise the vendor's email account to send fraudulent payment change notifications, or may spoof the vendor's email domain to intercept or redirect invoice payment discussions. The target organization believes they are paying a legitimate invoice from a known vendor; the funds go to the attacker.

Payroll Diversion

Payroll diversion attacks target HR or payroll staff to redirect employee direct deposit payments. An attacker impersonating an employee requests a change to their banking information, providing attacker-controlled account details. The next payroll cycle deposits the employee's pay to the attacker's account rather than the legitimate employee's account.

Technical Enablers of BEC

Email Account Compromise

The most sophisticated BEC attacks involve actual compromise of a legitimate email account — either the executive being impersonated or a vendor whose communications are being intercepted. An attacker with access to a CFO's email account can monitor communications, identify pending transactions, understand the context that makes fraudulent requests plausible, and send fraudulent communications that originate from the legitimate email address. Email account compromise is typically achieved through adversary-in-the-middle phishing, credential stuffing, or exploitation of email platform vulnerabilities.

Domain Spoofing and Lookalike Domains

Attackers register domains that closely resemble legitimate business domains — cloudskope.com might be imitated by c1oudskope.com, cloudsk0pe.com, or cloudskope-billing.com. Emails sent from these lookalike domains appear legitimate at a glance, particularly when the display name is set to match the legitimate organization or a known executive. DMARC, DKIM, and SPF email authentication standards prevent spoofing of the exact legitimate domain but do not prevent lookalike domain attacks, because the attacker owns the lookalike domain and can publish valid SPF and DKIM records for it.
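A defender-side check for the lookalike and display-name patterns described above, written for this page as an added example (not Cloudskope's code). The trusted domain, executive name, and the homoglyph table are constructed assumptions; the registrable-domain logic deliberately ignores the public suffix list.

```python
"""Flag From: headers that imitate a trusted domain or a known executive name."""
from difflib import SequenceMatcher
from email.utils import parseaddr

TRUSTED_DOMAINS = {"cloudskope.com"}   # constructed allow-list of own/vendor domains
KNOWN_EXECUTIVES = {"jane doe"}        # constructed display names worth protecting
# Common digit/letter substitutions seen in lookalike registrations (assumption)
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}


def normalize(domain: str) -> str:
    """Lower-case the domain and undo the substitutions in HOMOGLYPHS."""
    d = domain.strip().lower().rstrip(".")
    for glyph, letter in HOMOGLYPHS.items():
        d = d.replace(glyph, letter)
    return d


def registrable(domain: str) -> str:
    """Keep the last two labels so subdomains of a trusted domain still match."""
    return ".".join(domain.split(".")[-2:])


def classify_domain(domain: str) -> str:
    """Return trusted | homoglyph | hyphen_variant | near_match | unrelated."""
    reg = registrable(domain.lower())
    if reg in TRUSTED_DOMAINS:
        return "trusted"
    norm = normalize(reg)
    for trusted in TRUSTED_DOMAINS:
        label = trusted.split(".", 1)[0]
        if norm == trusted:
            return "homoglyph"        # c1oudskope.com, cloudsk0pe.com
        if label in norm.split(".")[0].split("-"):
            return "hyphen_variant"   # cloudskope-billing.com
        if SequenceMatcher(None, norm, trusted).ratio() >= 0.85:
            return "near_match"       # one-character typos such as cloudskop.com
    return "unrelated"


def assess_sender(header_value: str) -> dict:
    """Classify one From: value and flag an executive name on an untrusted domain."""
    name, addr = parseaddr(header_value)
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    verdict = classify_domain(domain) if domain else "unparseable"
    name_spoof = name.strip().lower() in KNOWN_EXECUTIVES and verdict != "trusted"
    return {"address": addr, "domain_verdict": verdict, "display_name_spoof": name_spoof}


if __name__ == "__main__":
    for hdr in ["Jane Doe <jane@cloudskope.com>", "Jane Doe <ceo@c1oudskope.com>",
                "Accounts <ap@cloudskope-billing.com>", "Jane Doe <jane.doe@gmail.com>"]:
        print(hdr, "->", assess_sender(hdr))
```

A non-trusted verdict or a display-name flag is a signal for a warning banner or quarantine review, not proof of fraud: the homoglyph table is a heuristic and will occasionally rewrite legitimate names.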

BEC in Practice and What Defends Against It

Common BEC Patterns

Wire transfer fraud is the most common BEC pattern: an attacker impersonates an executive, vendor, or legal authority and requests an urgent wire transfer, typically to an account controlled by the attacker. The fraud succeeds when the recipient bypasses normal authorization procedures because of the apparent urgency or authority of the request.

Vendor invoice fraud impersonates an established vendor and submits a fraudulent invoice with attacker-controlled banking details, or modifies the banking details on a legitimate invoice. Payroll diversion impersonates an employee and requests that their direct deposit be redirected to a new account, capturing their next paycheck before the fraud is discovered. W-2 and tax fraud impersonates an executive and requests that HR provide W-2 forms for employees, harvesting personally identifiable information for tax fraud.

BEC Defense: Process Plus Technology

Technical email security controls — SPF, DKIM, DMARC, advanced threat protection, email warning banners — reduce but do not eliminate BEC risk. Effective BEC defense requires process controls: multi-step verification for wire transfers above defined thresholds, out-of-band verification of payment changes (calling the vendor at a known phone number rather than the number in the email), and structured training that focuses on the specific patterns of BEC rather than generic phishing awareness.

The Deepfake Acceleration

BEC attacks increasingly incorporate AI-generated voice and video to bypass out-of-band verification. An attacker impersonating a CFO via email may follow up with a phone call using a deepfaked voice that matches the CFO's actual speech patterns. The 2024 Arup case — a $25 million wire fraud enabled by deepfaked video conference participants impersonating the CFO and multiple colleagues simultaneously — demonstrates the structural shift this technology represents. Verification procedures based on "call them to confirm" are no longer reliable against well-resourced attackers.

Real-World Example: Toyota Boshoku — $37M in 4 Days

In 2019, Toyota Boshoku Corporation's European subsidiary transferred $37 million to an attacker-controlled account following a BEC attack. An employee in the finance and accounting department received communications from an attacker impersonating a business partner, requesting an urgent change to banking information for a pending payment. The attacker's communications were convincing enough that the employee completed the transfer without additional verification. The funds were moved through multiple accounts before the fraud was discovered four days later. Recovery was minimal. The attack required no technical sophistication — no malware, no hacking, no credential theft. It required only a convincing email and an employee who followed instructions without verification.

$2.9B: lost to business email compromise in the US in 2023 alone — making it the highest-loss cybercrime category for the fifth consecutive year, exceeding ransomware losses by a factor of four.

How Cloudskope Can Help

Cloudskope assesses email security configuration and BEC risk as part of our Microsoft 365 security assessments — evaluating DMARC, DKIM, and SPF implementation, anti-phishing and impersonation protection configuration, and the process controls that determine whether a convincing BEC email can successfully trigger a fraudulent transaction. We also provide security awareness training that specifically addresses BEC recognition and verification protocols.