Corporate Fraud ⚠ Very High Risk

Business Email Compromise

An email from your CEO arrives asking finance to wire $87,000 to a new vendor account — urgently, confidentially, before end of business. The email address looks right. The writing style matches. The request has the same directness your CEO always uses. The account number is wrong. The CEO never sent it. By the time anyone realizes, the wire is gone.

📧 Email · 💼 Microsoft 365 · 📞 Phone · 🤖 AI Voice

Written by Brandon King  ·  Last updated: February 2026

FBI Losses (2023): $2.9 Billion
Average Loss: $137,132
FBI Ranking: #1 By Dollar Loss

What Is Business Email Compromise?

Business Email Compromise (BEC) is a sophisticated fraud in which attackers impersonate executives, vendors, or trusted colleagues via email to trick employees — primarily in finance and accounting roles — into authorizing fraudulent wire transfers, changing banking details, or diverting payroll. The FBI’s Internet Crime Complaint Center has ranked BEC as the highest-loss fraud category by total dollar amount for multiple consecutive years, with $2.9 billion in reported losses in 2023 alone. The actual figure is estimated to be significantly higher due to underreporting.

What distinguishes BEC from standard phishing is its precision. Rather than mass-blasting millions of recipients, BEC attackers invest weeks in reconnaissance on specific targets — studying organizational structure, communication patterns, ongoing transactions, and the personal details of executives and finance staff. The resulting email is not a generic phishing attempt; it is a customized, contextually accurate impersonation that is calibrated to bypass the skepticism of a trained professional.

BEC succeeds not through technical exploitation of software vulnerabilities but through exploitation of trust and process gaps. The attack leverages authority (appearing to come from a CEO or CFO), urgency (requiring immediate action), and secrecy (discouraging verification through normal channels) to produce an authorized transfer before any procedural safeguard is triggered. No amount of technical security investment stops an attack that convinces a legitimate, authorized employee to make a wire transfer themselves.
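The three levers above (authority, urgency, secrecy) and the "looks right" sender address from the opening example are all things a mail gateway or a finance mailbox rule can score before a human reads the message. The screening function below is an added example, not code from this page or from Security Hero: it checks a display name that claims an executive against an assumed directory, flags a look-alike or mismatched sender domain and a Reply-To that differs from From, and looks for urgency, secrecy and payment language. The corporate domain, the executive directory and both sample messages are constructed for the example.

```python
"""Heuristic BEC screening of an inbound email (added example, not the page's code).

Assumptions, all constructed for this example: CORPORATE_DOMAIN is the defender's
own domain, EXECUTIVES is the defender's directory, and the two sample messages
are synthetic. Scoring is deliberately simple; a real deployment would tune the
word lists and feed the result into a hold queue rather than decide alone.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example-corp.com"                      # assumed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}     # assumed directory

URGENCY = re.compile(r"\b(urgent|immediately|asap|today|before (?:end of|close of) business)\b", re.I)
SECRECY = re.compile(r"\b(confidential|do not (?:discuss|tell|mention)|keep this between us)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|new (?:bank|account)|routing number)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; enough to catch one-character look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, legit: str) -> bool:
    """True for a near-miss of our domain (e.g. 'examp1e-corp.com') or one that embeds our org name."""
    if domain == legit or domain.endswith("." + legit):
        return False
    org = legit.split(".")[0]
    return edit_distance(domain, legit) <= 2 or org in domain


def score_email(raw: str) -> dict:
    """Return the red flags found, a count, and whether the message should be held."""
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags = []

    exec_addr = EXECUTIVES.get(display.strip().lower())
    if exec_addr and addr.lower() != exec_addr:
        flags.append("display name claims an executive but address does not match directory")
    if lookalike(domain, CORPORATE_DOMAIN):
        flags.append(f"look-alike sender domain {domain}")
    if reply_to and reply_to.lower() != addr.lower():
        flags.append(f"Reply-To {reply_to} differs from From {addr}")
    if URGENCY.search(text):
        flags.append("urgency language")
    if SECRECY.search(text):
        flags.append("secrecy language")
    payment = bool(PAYMENT.search(text))
    if payment:
        flags.append("payment or banking-change request")

    # Hold any payment-related message that also shows at least one other indicator.
    return {"flags": flags, "score": len(flags), "hold": payment and len(flags) >= 2}


# Constructed sample messages (not real mail).
SUSPICIOUS_EMAIL = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jane.doe.ceo@freemail.example
To: finance@example-corp.com
Subject: Urgent wire - confidential

Need you to wire $87,000 to a new vendor account before end of business today.
Keep this between us until the deal closes.
"""

BENIGN_EMAIL = """\
From: Jane Doe <jane.doe@example-corp.com>
To: finance@example-corp.com
Subject: Q3 budget meeting

Let's review the budget next week.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_EMAIL), ("benign", BENIGN_EMAIL)):
        print(label, score_email(raw))
```

The spoofed message trips every check: the executive's name on a one-character-off domain, a free-mail Reply-To, and all three social levers alongside a wire request. Scoring is only a triage aid; the procedural callback control described later on this page is what actually stops the transfer.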

How the Scam Works — Step by Step

CEO / Executive Fraud

The most widely reported variant: an attacker spoofs or compromises the email account of a CEO, CFO, or other senior executive and sends a wire transfer request directly to a finance employee. The request is framed as urgent, confidential, and time-sensitive — sometimes referencing a real ongoing acquisition, deal, or regulatory matter the attacker learned about through reconnaissance. The employee, receiving what appears to be a direct instruction from their top executive, complies without following standard approval processes.

Vendor / Supplier Email Compromise

An attacker compromises the email account of a legitimate vendor or supplier the target company regularly pays. From within the genuine account, they send a notification that banking details have changed — providing new account numbers for all future invoices. The email is indistinguishable from a legitimate banking change notification because it comes from the vendor’s real account. Payments intended for the vendor are redirected to the attacker’s account, sometimes for months before discovery.

Attorney / Legal Impersonation

Attackers impersonate law firms or attorneys purportedly handling a real estate transaction, acquisition, or legal matter for the target company. The fraudulent “attorney” contacts finance with urgent wire instructions — typically framed as time-critical for a closing or legal deadline. The authority conveyed by legal representation and the urgency of a transaction deadline produce fast compliance. This variant frequently targets real estate transactions where large transfers are a normal part of the process.

Payroll Diversion

Rather than targeting a large one-time wire transfer, this variant targets recurring payroll. An attacker compromises or impersonates an employee — often using HR system access gained through a prior phishing attack — and submits a banking change request redirecting the employee’s direct deposit to an attacker-controlled account. Individual losses are smaller but the fraud can continue through multiple pay cycles before detection, and the process of restoring diverted payroll to real employees involves significant administrative overhead.

Compromised Account — Long Game BEC

The most sophisticated variant involves actually compromising a legitimate email account — typically through phishing or credential stuffing — and monitoring it for weeks or months without taking any action. The attacker reads emails, learns communication patterns, identifies ongoing transactions, and waits for the optimal moment to interject a fraudulent payment instruction that perfectly fits the context of an existing conversation. Victims of this variant often cannot identify when the compromise occurred because the attacker made no immediately detectable changes to the account.

BEC Red Flags Finance Teams Must Know

💡 The One Control That Stops Every BEC Attack

A mandatory out-of-band verbal verification for every outgoing wire transfer above a defined threshold — where “out-of-band” means calling a phone number already on file, not any number included in the wire request email. This single procedural requirement stops virtually every BEC attack. The call must be to a pre-established number. Calling a number provided in the suspicious email defeats the entire purpose. This control costs nothing to implement and requires no technology — only a written policy that is enforced without exception, regardless of who the request appears to come from.
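The control above, together with the vendor banking-change and payroll-diversion variants described earlier, can be written down as a single approval gate. The code below is an added example, not the page's or any vendor's software: a wire at or above an assumed threshold, or any request whose bank account differs from the master record (a vendor "new account" notice or an employee direct-deposit change), is held until someone has called the number already on file, and a phone number offered inside the request is never accepted as the callback target. The master records, threshold and requests are constructed for the example.

```python
"""Out-of-band verification gate for wires and banking-detail changes (added example).

Assumptions (constructed): WIRE_THRESHOLD is the organisation's policy threshold,
MASTER is the vendor/employee master file, and the requests below are synthetic.
`verified_via` records which number finance actually dialled to confirm the request.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

WIRE_THRESHOLD = 10_000  # assumed policy threshold in USD


@dataclass
class MasterRecord:
    name: str
    phone_on_file: str      # pre-established number; the only acceptable callback target
    bank_account: str       # account currently approved for this payee


@dataclass
class PaymentRequest:
    payee: str
    amount: float
    bank_account: str                        # account the request asks us to pay
    callback_phone: Optional[str] = None     # number offered inside the request, if any
    verified_via: Optional[str] = None       # number finance actually called, if any


@dataclass
class Decision:
    approved: bool
    callback_required_to: Optional[str] = None
    reasons: List[str] = field(default_factory=list)


def evaluate(req: PaymentRequest, master: Dict[str, MasterRecord]) -> Decision:
    """Apply the callback policy and return whether the payment may be released."""
    d = Decision(approved=False)
    rec = master.get(req.payee)
    if rec is None:
        d.reasons.append("payee not in master file: vendor/employee setup must precede payment")
        return d

    triggers = []
    if req.amount >= WIRE_THRESHOLD:
        triggers.append(f"amount {req.amount:,.2f} at or above threshold")
    if req.bank_account != rec.bank_account:
        triggers.append("bank account differs from master record (banking-change request)")

    # A number supplied in the request is exactly what the policy says not to call.
    if req.callback_phone and req.callback_phone != rec.phone_on_file:
        d.reasons.append("request supplies a callback number that is not on file; ignored")

    if not triggers:
        d.approved = True
        d.reasons.append("below threshold and account matches master record")
        return d

    d.reasons.extend(triggers)
    d.callback_required_to = rec.phone_on_file
    if req.verified_via == rec.phone_on_file:
        d.approved = True
        d.reasons.append("out-of-band verification completed on the number on file")
    else:
        d.reasons.append("hold: call the number on file before releasing")
    return d


# Constructed master file: one vendor, one employee's payroll record.
MASTER = {
    "Acme Supplies": MasterRecord("Acme Supplies", "+1-555-0100", "ACCT-111"),
    "Pat Lee (payroll)": MasterRecord("Pat Lee (payroll)", "+1-555-0200", "ACCT-222"),
}

# Constructed requests covering the variants on this page.
ROUTINE_INVOICE = PaymentRequest("Acme Supplies", 4_500, "ACCT-111")
VENDOR_CHANGE = PaymentRequest("Acme Supplies", 4_500, "ACCT-999", callback_phone="+1-555-0199")
VENDOR_CHANGE_VERIFIED = PaymentRequest("Acme Supplies", 4_500, "ACCT-999", verified_via="+1-555-0100")
CEO_WIRE_WRONG_NUMBER = PaymentRequest("Acme Supplies", 87_000, "ACCT-111",
                                       callback_phone="+1-555-0199", verified_via="+1-555-0199")
PAYROLL_DIVERSION = PaymentRequest("Pat Lee (payroll)", 3_200, "ACCT-333")
NEW_PAYEE = PaymentRequest("Unknown Vendor", 87_000, "ACCT-444")

if __name__ == "__main__":
    for name, req in (("routine", ROUTINE_INVOICE), ("vendor change", VENDOR_CHANGE),
                      ("vendor change verified", VENDOR_CHANGE_VERIFIED),
                      ("ceo wire wrong number", CEO_WIRE_WRONG_NUMBER),
                      ("payroll diversion", PAYROLL_DIVERSION), ("new payee", NEW_PAYEE)):
        print(name, evaluate(req, MASTER))
```

The point of the design is that `verified_via` only counts when it equals the number on file: a caller who confirms the wire on the number printed in the email (the `CEO_WIRE_WRONG_NUMBER` case) leaves the request on hold exactly as the policy requires.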

The Five Main BEC Attack Variants

How BEC Attackers Conduct Reconnaissance

Before sending a single fraudulent email, BEC attackers build a detailed intelligence profile of their target. Your company website provides the executive team’s names and titles. LinkedIn reveals the full organizational structure, identifies who works in finance and accounting, and shows reporting relationships. Press releases announce acquisitions, new banking partnerships, and significant transactions — providing ready-made pretexts for urgent wire requests. Annual reports and SEC filings provide financial scale information that helps attackers calibrate their request amounts.

Data broker databases compile personal information about executives that goes beyond what appears on company websites — including home addresses, personal email addresses, phone numbers, family members’ names, and purchase history. This personal data allows BEC attackers to craft communications that include convincing personal details, impersonate executives in phone calls that accompany email attacks, or target executives’ personal accounts as a vector into corporate systems. Executives who assume their personal data is irrelevant to corporate security are often the highest-risk individuals in a BEC attack chain.

In the most sophisticated operations, attackers compromise an email account and monitor it passively for weeks before acting. They read ongoing transaction discussions, identify the specific language and format that payment authorizations take, learn which executives approve which transaction types, and identify the optimal moment to insert a fraudulent instruction that exactly fits an existing context. The result is a BEC email so contextually accurate that it defeats even well-trained employees because it references real conversations and real transactions.

BEC attackers purchase executive profiles from data brokers — including personal email addresses, phone numbers, and home addresses — to craft convincing impersonations and target personal accounts as entry points into corporate systems. Data broker removal is a corporate security control, not just a personal privacy measure. We tested every major service to find which ones actually get results.

Many BEC attacks begin not with a corporate system breach but with a compromised personal email, LinkedIn credential, or data breach that exposed an executive’s password. Identity theft protection services that monitor dark web credential exposure can alert you before a compromised personal account becomes a corporate security incident.

Executives and finance professionals who are highly visible online — LinkedIn profiles, company bios, press mentions — are priority targets for BEC reconnaissance. Our identity theft risk quiz takes 2 minutes and shows you exactly where your personal data exposure creates organizational risk.

What To Do Immediately After a BEC Wire Transfer

Frequently Asked Questions

A mandatory out-of-band verbal verification for all wire transfers above a threshold — calling a pre-established phone number, not any number in the email. This single procedural control stops virtually every BEC attack and costs nothing to implement beyond a written policy that is enforced without exception.

Through open-source reconnaissance: your website, LinkedIn profiles, press releases, SEC filings, and data broker profiles of executives. In sophisticated cases, they also compromise an email account and monitor it for weeks before acting to build full contextual knowledge of real transactions and communication patterns.

Coverage varies significantly by policy — some cover BEC under social engineering fraud; others exclude “voluntary transfers.” Review your policy specifically for BEC coverage before an attack occurs and confirm what controls must be in place to maintain coverage eligibility.

Call your bank’s wire fraud team within minutes and request a recall. File an emergency report with the FBI’s IC3 and request FinCEN Rapid Response Program referral — this can freeze destination account funds if acted on quickly. Preserve all evidence and engage incident response immediately.

No. Small and medium businesses are disproportionately targeted because they typically have less formal authorization controls and smaller finance teams. The FBI’s IC3 data shows BEC affecting organizations of all sizes across every industry. The attack scales to whatever wire transfer amount is available.