📨 Business Email Compromise: Prevent CEO Fraud in 2026
When the CEO of a mid-sized manufacturing company received an urgent email from their CFO requesting a £240,000 wire transfer to a new "vendor account," they approved it within the hour. The email looked identical to hundreds of previous legitimate requests — same signature block, same email format, same language. Except the "CFO" was an attacker who had spent three weeks studying the company's internal communication patterns before striking. The money was in a mule account within 12 minutes, and neither the bank nor law enforcement could recover it.
This is Business Email Compromise (BEC) — also known as CEO fraud — and it is the most financially devastating cybercrime in 2026. Unlike mass phishing campaigns that blast thousands of generic emails, BEC attacks are meticulously researched, precisely timed, and target a single individual within an organisation.
The FBI Internet Crime Complaint Center (IC3) reported BEC losses exceeding $3.8 billion in 2025, with the average loss per successful attack reaching $125,000. The Verizon 2026 Data Breach Investigations Report found that BEC attacks now account for 32% of all cybercrime-related financial losses, surpassing ransomware for the first time.
What Is Business Email Compromise?
Business Email Compromise is a sophisticated social engineering attack in which a criminal impersonates a trusted figure — CEO, CFO, vendor, lawyer, or business partner — to trick an employee into transferring funds, sharing sensitive data, or purchasing gift cards. CISA (the US Cybersecurity and Infrastructure Security Agency) classifies BEC as a subset of phishing, but the NCSC (UK National Cyber Security Centre) treats it as a distinct threat category due to its targeted, research-intensive nature.
BEC attacks fall into five main categories:
| Type | Description | Average Loss |
|---|---|---|
| CEO Fraud | Attacker impersonates the CEO or senior executive directing a finance employee to transfer funds | $130,000 |
| Vendor Email Compromise | Attacker impersonates a trusted supplier requesting payment to a changed bank account | $95,000 |
| Account Compromise | Legitimate email account of an employee is hijacked and used to send fraudulent requests | $85,000 |
| Lawyer Impersonation | Attacker poses as legal counsel handling a confidential matter requiring urgent payment | $200,000 |
| Data Theft | Attacker targets HR or payroll staff to obtain W-2 forms or direct deposit information | $50,000 |
The Proofpoint 2026 State of the Phish Report found that 78% of organisations experienced at least one BEC attempt in the past year, and 43% reported that at least one attempt was successful.
How BEC Attacks Work: The Attack Chain
BEC attacks follow a repeatable playbook. Understanding each phase helps organisations build layered defences:
- Target Reconnaissance (1-4 weeks) — The attacker identifies the target organisation, maps its hierarchy through LinkedIn and corporate websites, and identifies the finance team and the executives who authorise payments. They study email formats, signature blocks, internal language patterns, and even the time zones and working hours of key personnel.
- Account or Domain Preparation — The attacker either registers a lookalike domain (e.g., `company-name.com` instead of `companyname.com`) or compromises a legitimate email account through credential phishing. Lookalike domains are the more common vector — the IC3 reports that 64% of BEC attacks use domain spoofing. The two are not the same thing, and the difference matters for defence: spoofing forges the organisation's real domain in the From header and is exactly what SPF, DKIM and DMARC are built to catch, whereas a lookalike domain belongs to the attacker, carries its own valid SPF and DKIM records, and passes authentication unless the receiving gateway flags the similarity to a known domain.
- Pretext Construction — Using the intelligence gathered, the attacker crafts an email that matches the organisation's communication style. The request is typically time-sensitive, involves a trusted relationship, and asks the recipient to bypass normal verification processes.
- Execution — The email is sent, often timed to arrive just before a weekend or holiday period when verification channels are harder to use. The attacker follows up with phone calls or text messages to add pressure.
- Funds Exfiltration — Once the transfer is made, funds move through a network of mule accounts within hours. By the time the fraud is detected, the money is typically unrecoverable.
Real BEC Attack Examples from 2025-2026
Deepfake Voice BEC (February 2026)
An energy company in Texas lost $25 million when attackers used AI-generated voice cloning to impersonate the company's CEO during a phone call. The attacker called the CFO using a spoofed number, delivered instructions in the CEO's voice (trained from earnings call recordings), and followed up with a confirming email from a lookalike domain. The email passed DKIM and SPF checks because the attacker's domain had valid authentication records of its own; the victim's DMARC policy was irrelevant, since it governs only mail that claims to come from the victim's real domain. This case, documented by the FBI IC3, represents the convergence of AI voice synthesis with traditional BEC techniques.
Vendor Payment Redirection (September 2025)
A UK-based NHS supplier was defrauded of £1.2 million when attackers impersonated a medical equipment vendor. The attacker had monitored the legitimate vendor's email correspondence for months, then sent an invoice with updated bank details just before a scheduled quarterly payment. The ICO (Information Commissioner's Office) investigation found that the supplier had no multi-person approval process for payment changes.
Payroll Diversion Attack (April 2025)
A US technology company with 500 employees lost $1.8 million when attackers compromised the HR director's email account and sent updated direct deposit instructions to payroll. The attackers had gained access through a credential phishing email — a technique covered in depth in our guide to spotting AI-powered phishing attacks.
How to Detect a BEC Attempt
BEC emails are designed to bypass traditional spam filters and human scrutiny. Watch for these red flags:
- Domain mismatch — The sender's email domain is visually similar but not identical to the legitimate domain. Common tricks: `company.co` instead of `company.com`, `company-name.com` instead of `companyname.com`, or a zero (`0`) in place of the letter `o`. Check the actual address rather than the display name, and expand the sender on mobile clients, which often show only the name.
- Urgency language — "Wire immediately," "Confidential and time-sensitive," "I'm in a meeting — handle this now" are hallmarks of BEC pressure tactics
- Bypass of normal process — Requests that circumvent standard approval workflows, especially payment changes or new vendor onboarding
- Unusual recipient — The email targets someone who doesn't normally handle the type of request being made (e.g., a receptionist asked to process payroll changes)
- Changed contact details — "I'm unreachable by phone — only email" or "New mobile number" in the signature block
- Poor grammar — While modern BEC emails are well-written, minor inconsistencies in language, spelling, or formatting can reveal the attack
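The red flags above can be checked mechanically before a human ever reads the message. The following is an added example, not code from the original article or from any vendor product: it parses a raw message with Python's standard `email` module and applies the indicators from the list (lookalike sender domain, an executive's display name on a foreign address, Reply-To mismatch, urgency and "don't call me" phrases, requests to skip the usual approval). The trusted domain `companyname.com`, the executive roster, the phrase lists and both sample messages are constructed for illustration.

```python
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the article): the organisation's real domain and the
# executives whose display names an attacker would borrow.
TRUSTED_DOMAINS = {"companyname.com"}
EXECUTIVES = {"jane doe": "jane.doe@companyname.com"}

URGENCY = ("wire immediately", "time-sensitive", "confidential",
           "handle this now", "in a meeting", "today")
UNREACHABLE = ("unreachable by phone", "email only", "only email",
               "can't take calls", "new mobile number")
BYPASS = ("no need for the usual", "skip the", "bypass", "don't involve")


def normalise(domain: str) -> str:
    """Collapse homoglyph and punctuation tricks so that 'c0mpany-name.com'
    and 'companyname.com' compare equal. Both sides of every comparison go
    through the same mapping, so a legitimate 'rn' in a domain is harmless."""
    d = domain.lower()
    for bad, good in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                      ("-", ""), (".", "")):
        d = d.replace(bad, good)
    return d


def lookalike(domain: str):
    """Return the trusted domain that `domain` imitates, or None if the
    domain is trusted itself or simply unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        ratio = SequenceMatcher(None, normalise(domain), normalise(trusted)).ratio()
        if ratio >= 0.85:
            return trusted
    return None


def _domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def score_message(raw: str) -> dict:
    """Apply the BEC indicators to one RFC 5322 message and return the flags raised."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = _domain(addr)
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()

    flags = []
    imitated = lookalike(from_domain)
    if imitated:
        flags.append("lookalike_domain")
    expected = EXECUTIVES.get(display.lower())
    if expected and addr.lower() != expected:      # right name, wrong mailbox
        flags.append("executive_impersonation")
    if reply_domain and reply_domain != from_domain:
        flags.append("reply_to_mismatch")
    for name, phrases in (("urgency", URGENCY), ("unreachable", UNREACHABLE),
                          ("process_bypass", BYPASS)):
        if any(p in text for p in phrases):
            flags.append(name)
    verdict = "likely BEC" if len(flags) >= 3 else ("review" if flags else "clean")
    return {"flags": flags, "imitates": imitated, "verdict": verdict}


# Constructed sample: the pattern from the opening story, sent from a lookalike domain.
SAMPLE = """\
From: "Jane Doe" <jane.doe@company-name.com>
To: accounts.payable@companyname.com
Subject: Confidential - urgent wire

Hi Sam,

I'm in a meeting and can't take calls, so please handle this by email only.
We need to wire 240,000 to the new vendor account today - it's time-sensitive
and confidential. No need for the usual second approval, I have cleared it.

Jane
"""

# Constructed sample: a routine message from the real executive.
LEGIT = """\
From: "Jane Doe" <jane.doe@companyname.com>
To: accounts.payable@companyname.com
Subject: Q3 vendor statements

Hi Sam, please send me the Q3 statements when you get a chance. Thanks, Jane
"""

if __name__ == "__main__":
    print(score_message(SAMPLE))
    print(score_message(LEGIT))
```

The similarity threshold and phrase lists are deliberately simple; in a gateway you would feed the same flags into the external-sender banner logic so that a message scoring "likely BEC" gets a stronger warning than an ordinary external email.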
Our guide to detecting fake login pages covers another common vector attackers use to steal the credentials that power BEC attacks. We also explored the rising threat of voice-based vishing in our vishing attacks analysis, which shares many of the same social engineering principles.
How to Protect Your Organisation from BEC
Preventing BEC requires a combination of technical controls, verification procedures, and employee training. The controls below map onto the Protect, Detect and Respond functions of the NIST Cybersecurity Framework (CSF 2.0):
Technical Controls
- DMARC, DKIM, and SPF — Implement email authentication protocols to detect spoofing of your own domain. Organisations without DMARC enforcement are 3x more likely to experience BEC attacks (Proofpoint, 2026). Move DMARC from `p=none` (monitor only) to `p=reject` so that unauthenticated mail claiming to be from your domain is refused, and publish an `rua=` reporting address so you can see who is spoofing you. Bear in mind that DMARC covers only your domain: a lookalike domain the attacker registers can carry its own valid SPF and DKIM records and will pass.
- Banner warnings — Configure your email gateway to display warning banners on emails from external senders, with a stronger banner when the display name matches an internal employee but the address is external. This simple visual cue prevents 60% of BEC-related clicks.
- Payment verification workflows — Implement a dual-approval process for any payment change or new vendor setup. Require out-of-band verification (phone call to a known number, not the number in the email) for all wire transfers over a defined threshold.
- AI-based detection — Modern email security platforms use machine learning to detect anomalous communication patterns — for example, a sender who has never emailed the recipient before requesting a payment.
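Two things about the authentication controls above are easy to get wrong in practice: a DMARC record that exists but does not enforce, and an assumption that DMARC on your domain will catch a lookalike. The following added example (not code from the article or any DNS tooling) parses SPF and DMARC TXT record strings, reports the weak settings, and then applies DMARC's relaxed-alignment rule to two constructed deliveries: an exact-domain spoof of `companyname.com`, and a message from the attacker-owned `company-name.com`. The record strings, domains and authentication results are constructed; no DNS lookups are made, and the organisational-domain helper uses a two-label approximation rather than the public suffix list.

```python
def parse_tags(record: str) -> dict:
    """Turn 'v=DMARC1; p=none; rua=mailto:x' into {'v': 'DMARC1', 'p': 'none', ...}."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.strip().split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> list:
    """List the settings that leave a DMARC record short of enforcement."""
    t = parse_tags(record)
    if t.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = t.get("p", "none")
    if policy == "none":
        findings.append("p=none: spoofed mail is delivered and only reported")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofs land in junk rather than being rejected")
    if int(t.get("pct", "100")) < 100:
        findings.append(f"pct={t['pct']}: policy applied to only part of the mail")
    if "rua" not in t:
        findings.append("no rua= address: no aggregate reports, so spoofing is invisible")
    if t.get("sp") == "none" and policy != "none":
        findings.append("sp=none: subdomains are explicitly unprotected")
    return findings


def spf_findings(record: str) -> list:
    """Flag SPF terminators that let unlisted senders through."""
    if not record.startswith("v=spf1"):
        return ["not an SPF record"]
    if "+all" in record:
        return ["+all: every sender passes SPF"]
    if "~all" in record:
        return ["~all: softfail only; relies on DMARC enforcement to matter"]
    if "-all" not in record:
        return ["no -all: unlisted senders are neutral rather than failed"]
    return []


def org_domain(domain: str) -> str:
    """Organisational domain, approximated as the last two labels (assumption:
    no public-suffix list is consulted here)."""
    return ".".join(domain.lower().split(".")[-2:])


def dmarc_disposition(header_from: str, spf_pass: bool, spf_domain: str,
                      dkim_pass: bool, dkim_domain: str, policy: str) -> str:
    """Relaxed alignment: at least one passing identifier (SPF envelope domain or
    DKIM d=) must share the organisational domain with the From header. If none
    does, the From domain's own policy (none/quarantine/reject) is applied."""
    aligned = ((spf_pass and org_domain(spf_domain) == org_domain(header_from)) or
               (dkim_pass and org_domain(dkim_domain) == org_domain(header_from)))
    return "pass" if aligned else policy


# Constructed records: the weak setting beside the enforced one.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
ENFORCED_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-rua@companyname.com"
WEAK_SPF = "v=spf1 include:_spf.mail.example ~all"
ENFORCED_SPF = "v=spf1 include:_spf.mail.example -all"


def scenarios() -> dict:
    """Constructed deliveries showing what an enforced policy does and does not stop."""
    return {
        # Attacker forges the real domain; envelope sender is their own host, no DKIM.
        "exact_domain_spoof": dmarc_disposition(
            "companyname.com", True, "evil.example", False, "", "reject"),
        # Attacker owns the lookalike and authenticates it properly: DMARC passes,
        # and companyname.com's policy is never involved.
        "lookalike_domain": dmarc_disposition(
            "company-name.com", True, "company-name.com", True, "company-name.com", "reject"),
    }


if __name__ == "__main__":
    print(dmarc_findings(WEAK_DMARC), dmarc_findings(ENFORCED_DMARC))
    print(spf_findings(WEAK_SPF), spf_findings(ENFORCED_SPF))
    print(scenarios())
```

The second scenario is the one to internalise: the lookalike message is a DMARC pass, so catching it is a job for display-name and domain-similarity checks at the gateway, not for your DNS records.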
Procedural Controls
- Clear payment change policy — Any request to change vendor bank details must trigger a mandatory verification call to the vendor's known contact using a previously established phone number
- Dollar thresholds — Implement tiered approval for payments: single approval up to $5,000, dual approval up to $50,000, executive sign-off above $50,000
- Security awareness training — Include BEC-specific scenarios in phishing simulations. Finance and HR staff should receive quarterly training on BEC red flags
- Incident response plan for BEC — Document the process for verifying suspicious payment requests, and what to do if a fraudulent transfer is discovered
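The payment-change policy and the tiered approvals above are only as good as the rules that enforce them in the finance system. The following added example (not the article's or any ERP vendor's code) encodes those rules in Python: the approval tier for an amount, a bank-detail change that is accepted only after a callback placed by a second person to the number already on file (never to a number supplied in the request), and a release check that refuses the opening story's 240,000 wire until both conditions hold. The vendor record, phone numbers, user names and account identifiers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional


def required_tier(amount: float) -> tuple:
    """Approval tier from the policy above: (approvers other than requester, executive sign-off)."""
    if amount <= 5_000:
        return (1, False)
    if amount <= 50_000:
        return (2, False)
    return (2, True)


@dataclass
class VendorRecord:
    name: str
    phone_on_file: str        # captured at onboarding, never updated from an inbound email
    account: str


@dataclass
class BankChangeRequest:
    vendor: str
    new_account: str
    phone_in_request: str     # "call me on ..." in the email; treated as untrusted
    entered_by: str           # AP user who keyed the change


@dataclass
class Callback:
    number_dialled: str
    made_by: str
    vendor_confirmed: bool


def verify_bank_change(vendor: VendorRecord, req: BankChangeRequest,
                       callback: Optional[Callback]) -> tuple:
    """A bank-detail change is accepted only on a recipient-initiated callback to the
    number on file, made by someone other than the person who entered the change."""
    if callback is None:
        return (False, "no out-of-band callback recorded")
    if callback.number_dialled != vendor.phone_on_file:
        return (False, "callback must use the number on file, not one supplied in the request")
    if callback.made_by == req.entered_by:
        return (False, "the person who keyed the change cannot also verify it")
    if not callback.vendor_confirmed:
        return (False, "vendor did not confirm the new account")
    return (True, "verified against the number on file")


def can_release(amount: float, requester: str, approvers: list, executive_signoff: bool,
                bank_change_verified: Optional[bool] = None) -> tuple:
    """Tiered approval plus a hold on any payment whose destination changed and is unverified.
    bank_change_verified is None when no change is pending on the payee."""
    needed, exec_needed = required_tier(amount)
    distinct = set(approvers) - {requester}      # a requester may not approve their own payment
    if len(distinct) < needed:
        return (False, f"need {needed} approver(s) other than the requester, have {len(distinct)}")
    if exec_needed and not executive_signoff:
        return (False, "executive sign-off required above 50,000")
    if bank_change_verified is False:
        return (False, "payee bank details changed and are not yet verified")
    return (True, "release")


if __name__ == "__main__":
    # Constructed walk-through of the opening story under this policy.
    vendor = VendorRecord("Acme Medical Ltd", "+44 20 7946 0000", "GB00OLD")
    req = BankChangeRequest("Acme Medical Ltd", "GB00NEW", "+44 7700 900123", "sam")
    print(verify_bank_change(vendor, req, Callback("+44 7700 900123", "priya", True)))
    print(verify_bank_change(vendor, req, Callback("+44 20 7946 0000", "priya", False)))
    print(can_release(240_000, "cfo", ["cfo", "ap_manager"], False, False))
```

The point of the `made_by != entered_by` check is separation of duties: in an account-compromise case the request itself looks genuine, so the only thing standing between the attacker and the money is a second person dialling a number the attacker did not choose.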
What to Do If You Suspect a BEC Attack
- Do not reply to the email — Do not click any links or attachments
- Verify via a known channel — Call the supposed sender using a phone number you already have on file, not the number in the email signature
- Contact your IT security team immediately — They can check email headers for signs of spoofing and block the attacker's domain
- If funds were sent, contact your bank immediately — The IC3 reports that funds transferred within the first 24 hours have a significantly higher recovery rate. Request a recall or reverse wire transfer
- File a report — In the US, file with IC3 (ic3.gov). In the UK, report to Action Fraud or call 0300 123 2040. In Canada, report to the Canadian Anti-Fraud Centre
Using a secure VPN connection when accessing financial systems and company resources from remote locations adds an additional layer of protection against credential interception that could lead to account compromise and BEC-style attacks. For comprehensive endpoint protection, consider enterprise-grade security solutions like Kaspersky Premium which includes advanced anti-phishing and email protection modules.
FAQs
How common is Business Email Compromise in 2026?
Extremely common. The FBI IC3 recorded over 85,000 BEC complaints globally in 2025, with adjusted losses of $3.8 billion. The Verizon DBIR 2026 reports that BEC now impacts 32% of all organisations, up from 22% in 2024. It is the single most financially damaging cybercrime category.
What is the difference between BEC and phishing?
Phishing is a broad category of social engineering attacks that cast a wide net, targeting many individuals with generic messages. BEC is a highly targeted, researched attack against a specific individual or small group within an organisation. BEC emails are crafted after weeks of reconnaissance and often impersonate a specific person the target knows and trusts.
Can DMARC stop all BEC attacks?
No. DMARC stops exact-domain spoofing, where the attacker forges your real domain in the From header. It does not stop lookalike domains (the attacker owns `company-name.com`, publishes valid SPF and DKIM records for it, and passes every authentication check), and it does not stop account compromise attacks, where a legitimate mailbox is hijacked and the fraudulent email is genuinely authenticated. Comprehensive BEC protection requires DMARC + multi-factor authentication + employee training + payment verification procedures. CISA recommends a layered approach.
How do attackers research targets for BEC?
Attackers use LinkedIn to identify organisational hierarchies, corporate websites to find email formats, data breaches to obtain credentials, social media to learn personal details about targets, and sometimes previous phishing emails to study internal communication patterns. This reconnaissance phase typically lasts one to four weeks.
What is the best defence against CEO fraud?
The single most effective defence is out-of-band verification: a policy requiring any payment request above a threshold to be verified through a different communication channel (phone call, in-person, or secure messaging). This simple procedure stops 95%+ of CEO fraud because attackers cannot simultaneously control both communication channels. The verification must be initiated by the recipient, to a number or contact already on file: a call the attacker places to "confirm" the email, as in the deepfake voice case above, is not out-of-band, and neither is a number taken from the email's signature block.
Does using a VPN prevent BEC?
A VPN protects against credential interception on untrusted networks but does not prevent BEC: the fraudulent email arrives through the normal mail path, and a VPN has no view of its content or its sender. Requiring VPN access for financial system logins does reduce the exposure of those logins, and NIST and CISA remote-access guidance pairs VPNs with multi-factor authentication for that reason; it is the phishing-resistant MFA on the mail and finance accounts themselves, not the VPN, that makes account takeover harder for attackers.