Every week, finance staff at small and medium businesses wire thousands of dollars based on an email from their "CEO." Most of those emails are legitimate. But some aren't — and the difference can be catastrophic.
Business Email Compromise (BEC) is not a technical hack. It's a human exploit. Attackers don't break into your network; they trick your people into sending money to the wrong place. And they are very, very good at it.
In 2024, the FBI's Internet Crime Complaint Center (IC3) tracked $2.9 billion in adjusted losses from BEC attacks in the United States alone. That number is almost certainly an undercount — many SMBs never report these attacks. The true cost, when you include forensic fees, legal costs, and lost business, can reach $500,000 or more per incident.
If your finance team moves money via wire or ACH, you are a target. This guide explains exactly what BEC looks like in practice, how to spot it, and what concrete steps stop it.
What Is Business Email Compromise?
Business Email Compromise (BEC) is a social engineering scam where an attacker impersonates a trusted party — a vendor, executive, attorney, or business partner — to trick an employee into making an unauthorized financial transfer or releasing sensitive information.
Unlike phishing, which often uses generic lures to harvest credentials en masse, BEC is targeted. Attackers research your organization, study your payment patterns, and craft emails that look indistinguishable from normal business communication.
The result: your accounts payable clerk processes a $47,000 wire transfer to what looks like your regular vendor's bank — but it's a scammer's account.
BEC attacks are reported in all 50 U.S. states and 177 countries. The FBI has called it "the $55 billion scam." And SMBs bear a disproportionate share of the pain.
The 5 Types of BEC Attacks Targeting SMBs
1. Vendor Email Compromise (VEC)
The most common form for SMBs. An attacker compromises a vendor's email account or spoofs their domain, then sends updated banking instructions to your AP team. The email looks exactly like the real vendor — same tone, same formatting, same sender name.
2. CEO Fraud / Executive Impersonation
An attacker impersonates your CEO, CFO, or another executive — often using a lookalike domain or a compromised personal email — and requests an urgent wire transfer. The urgency is the hook: "I'm in a meeting, need this done in the next 20 minutes."
3. Payroll Diversion
Attackers target HR and payroll staff with fake instructions to change an employee's direct deposit account. With remote work normalized, it's easy to impersonate an employee requesting a bank change via email.
4. Attorney Impersonation
Attackers pose as the company's attorney or outside counsel — often during a time-sensitive transaction like a real estate closing or M&A deal. "We need to move the escrow funds to this account by 3pm today."
5. M&A Fraud
As business acquisitions progress, attackers monitor communications and impersonate the selling party's broker or attorney to redirect deal proceeds. SMBs involved in buy-sell transactions are particularly exposed.
The Numbers That Should Scare Every SMB Owner
- $2.9 billion in U.S. BEC losses tracked by FBI IC3 in 2024
- $55 billion in global BEC losses reported to IC3 from 2013–2023
- $137,000 average loss per BEC incident — up 83% from $74,723 in 2019 (IC3)
- $157,000 average loss for SMBs specifically (NetDiligence Cyber Claims Study)
- 1 in 4 businesses experienced a BEC attack in 2024 (Association of Finance Professionals)
Real estate, finance, healthcare, law firms, and CPA practices are the most targeted sectors.
Anatomy of a BEC Attack: A Real-World SMB Walkthrough
Company: MidWest Financial Services (52 employees, CPA firm, Cedar Rapids, IA)
Week 1–3: Reconnaissance
The attacker starts with open-source intelligence. LinkedIn reveals the CFO's name. The firm's "About Us" page lists their bank and vendors. A data breach exposes a list of employee emails.
Week 4: Preparation
The attacker registers a lookalike domain: @midwest-financial-group.com. They also compromise a real email account at a related firm — giving them authentic email threads to reference.
Week 5: The Hook
The AP clerk receives an email from "CFO David Morrison" (david.morrison@midwest-financial-group.com):
"Lisa — we're finalizing the Q3 tax prep partnership and need to move a $28,000 retainer to the new escrow account before EOD. I'll be in back-to-back meetings until 4pm so please handle this quietly and don't flag it in the system yet. I'll call you at 3:30 to confirm. Thanks — DM"
The Transfer
Lisa processes the wire. She can't reach David by phone. She sends a Teams chat. No reply. She moves forward. $28,000 is gone.
Day 2: Discovery
The real vendor calls about an unpaid invoice. The bank is notified — but funds have already moved through mule accounts. Recovery is unlikely.
Total losses: $28,000 wired + $15,000 forensic accounting + $8,000 legal fees = $63,000 total — for a firm that had never done a dollar of cybersecurity training.
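The walkthrough email above carries every marker the checklist later trains staff on: a lookalike sender domain, urgency, secrecy, a request to bypass procedure, and a new payment destination. The following is an added triage example, not code from the article; the firm's real domain (midwestfinancial.com) and the sample message are constructed from the scenario above, and the phrase lists are illustrative.

```python
import re
from difflib import SequenceMatcher

# Constructed sample taken from the walkthrough above. The firm's real domain
# (midwestfinancial.com) is an assumption; the article never names it.
KNOWN_DOMAINS = {"midwestfinancial.com"}
SAMPLE_EMAIL = {
    "from": "david.morrison@midwest-financial-group.com",
    "body": ("Lisa - we're finalizing the Q3 tax prep partnership and need to "
             "move a $28,000 retainer to the new escrow account before EOD. "
             "I'll be in back-to-back meetings until 4pm so please handle this "
             "quietly and don't flag it in the system yet."),
}

# The red flags the checklist trains staff on: urgency, secrecy, bypassing
# procedure, and a new payment destination.
RED_FLAGS = {
    "urgency": r"\b(before eod|today|asap|within \d+ minutes|urgent)\b",
    "secrecy": r"\b(quietly|don't tell|do not tell|confidential)\b",
    "bypass": r"\b(don't flag|not in the system|skip the|bypass)\b",
    "new_destination": r"\b(new (escrow|bank|account)|updated (bank|wire|account))\b",
}

def normalize(domain: str) -> str:
    """Reduce a domain to its core label so 'midwest-financial-group.com'
    and 'midwestfinancial.com' compare as the same name."""
    label = re.sub(r"[-_.]", "", domain.lower().rsplit(".", 1)[0])
    return re.sub(r"(group|inc|llc|corp|co)$", "", label)

def lookalike_of(sender_domain: str, known=KNOWN_DOMAINS) -> "str | None":
    """Return the legitimate domain this sender imitates, or None."""
    if sender_domain.lower() in known:
        return None
    for real in known:
        a, b = normalize(sender_domain), normalize(real)
        if a == b or SequenceMatcher(None, a, b).ratio() >= 0.85:
            return real
    return None

def score_email(msg: dict) -> dict:
    """Triage one message: which BEC markers does it carry, and should AP
    hold the wire pending a callback to a number already on file?"""
    sender_domain = msg["from"].split("@")[-1]
    body = msg["body"].lower()
    flags = [name for name, pat in RED_FLAGS.items() if re.search(pat, body)]
    mimicked = lookalike_of(sender_domain)
    if mimicked:
        flags.append(f"lookalike_domain:{mimicked}")
    return {"flags": flags, "hold_for_callback": bool(mimicked) or len(flags) >= 2}
```

Run against the sample, the message trips all four phrase categories plus the lookalike domain, which is exactly the combination the dual-control and callback rules below exist to catch.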
The 8-Point SMB Defense Checklist
1. Enforce DMARC, SPF, and DKIM on your domain
Email authentication prevents attackers from spoofing your domain. Set your DMARC policy to "quarantine" or "reject." If your domain isn't protected, attackers can send email that appears to come from your company and still passes spam filters.
2. Require dual-control for all wire and ACH transfers
No single person should be able to initiate a financial transfer unilaterally. Require two authorized employees to approve any wire over $1,000. Enable dual authorization in your bank's commercial portal.
3. Verify all payment method changes via out-of-band confirmation
Any request to change vendor banking details must be verified through a channel different from the original request. Call the requestor at a number you already have on file (not one provided in the email).
4. Establish a vendor change-of-banking SOP and enforce it
Create a written procedure requiring written approval from two levels (AP clerk + CFO) and a phone call to the vendor's known contact before any banking change is processed.
5. Audit mailbox rules monthly
BEC attackers often set up hidden forward rules in compromised email accounts. Check your email system's "Rules" settings for any rules you didn't create. Remove any suspicious rules immediately.
6. Train finance and operations staff on BEC-specific red flags
Finance and operations staff need BEC-specific training covering lookalike domains, urgency language ("don't tell anyone"), requests to bypass procedures, and any request involving a new payment destination.
7. Implement least-privilege access on financial systems
Limit who can access your accounting software, banking portal, and payroll systems. Require MFA on all financial platforms — not just email.
8. Report every attempt — even the ones that fail
File a report at IC3.gov. Financial institutions can sometimes freeze funds in transit if you act fast enough — but only within a narrow window.
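Checklist item 1 is easy to verify on paper but often wrong in practice: a DMARC record exists but says p=none, or SPF ends in ~all. The following is an added example, not code from the article, that scores a domain's SPF and DMARC TXT records against that item; the records and domain names are constructed stand-ins for what a DNS lookup would return.

```python
# Constructed TXT records standing in for what a DNS lookup of a domain and
# its _dmarc subdomain would return; the domains are placeholders.
RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:spf.protection.outlook.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example; adkim=s; aspf=s",
    },
    "bare.example": {"spf": None, "dmarc": None},
}

def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=none; rua=...' -> {'v': 'DMARC1', 'p': 'none', ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess(domain: str, records=RECORDS) -> list:
    """Findings a checklist reviewer would raise for this domain's records."""
    findings = []
    spf, dmarc = records[domain]["spf"], records[domain]["dmarc"]
    if not spf:
        findings.append("no SPF record: receivers cannot tell which hosts may send as this domain")
    elif not spf.rstrip().endswith("-all"):
        findings.append("SPF does not end in -all: spoofed mail only softfails and is often delivered")
    if not dmarc:
        findings.append("no DMARC record: receivers apply no policy to mail that fails SPF/DKIM")
        return findings
    tags = parse_tags(dmarc)
    policy = tags.get("p", "none")
    if policy not in ("quarantine", "reject"):
        findings.append(f"DMARC p={policy}: monitor only, spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports of spoofing attempts")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    return findings
```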
How Live Training Closes the Gap Tech Alone Can't
BEC attacks are not technical problems — they're human problems. The attacker finds the one employee who processes payments, sends them a convincing email, and waits.
Live, instructor-led BEC training works because it:
- Builds pattern recognition — employees learn to spot the specific markers of a BEC attack rather than generic phishing red flags
- Creates a questioning culture — staff learn it's safe to push back on urgent executive requests
- Uses real scenarios — case studies drawn from actual SMB incidents (anonymized) are far more resonant than generic slides
- Tests with live simulations — sending your own fake BEC emails to staff is the closest thing to a fire drill for financial fraud
At SecurEveryone, our Executive-tier BEC Defense Training covers the 5 attack types, real SMB case studies, dual-control procedures, and live Q&A — all in 90 minutes.
Book Executive BEC Training — 90 Minutes, $390 →
Frequently Asked Questions
What is BEC (Business Email Compromise)?
BEC is a targeted email fraud where an attacker impersonates a trusted contact — a vendor, executive, attorney, or business partner — to trick employees into making unauthorized wire transfers or releasing sensitive information. Unlike phishing, BEC attacks are personalized, research-driven, and often bypass traditional email security tools because they don't contain malicious links or attachments.
How is BEC different from phishing?
Phishing is broad — attackers send mass emails hoping someone bites. BEC is surgical — attackers research your organization and impersonate someone you already do business with. Phishing attacks typically want your credentials; BEC attacks want your money, wired directly.
How much does BEC cost SMBs?
The FBI IC3 reports an average loss of $137,000 per BEC incident. For SMBs specifically, NetDiligence data shows average losses around $157,000 per incident, with some reaching into the millions. Beyond direct financial loss, SMBs face forensic accounting fees, legal costs, regulatory scrutiny, and reputational damage.
What's the first thing to do if we've been hit by a BEC attack?
Contact your bank's commercial fraud team immediately and request a wire recall. Time is critical — if funds were sent to a domestic account, there may be a narrow window to freeze or reverse the transfer. File a report at IC3.gov and contact your local FBI field office. Change all email passwords and audit mailbox rules for suspicious forward rules. Do not assume the incident is over once the wire is recalled.
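Auditing mailbox rules by eye is error-prone, so here is an added example, not code from the article, of what to look for in an exported rule list: external forwarding or redirection, message deletion, parking mail in folders nobody reads, blank or punctuation-only names, and subject filters keyed on payment terms. The rule export is constructed and shaped like the properties Exchange Online's Get-InboxRule returns; the domains and addresses are placeholders.

```python
# Constructed export of one mailbox's inbox rules, shaped like the properties
# Exchange Online's Get-InboxRule returns (Name, Enabled, ForwardTo, RedirectTo,
# DeleteMessage, MoveToFolder, SubjectContainsWords). Addresses are placeholders.
INTERNAL_DOMAINS = {"example.com"}

RULES = [
    {"Name": "Invoices to folder", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": "Invoices", "SubjectContainsWords": []},
    {"Name": ".", "Enabled": True, "ForwardTo": ["outside-placeholder@external.example"],
     "RedirectTo": [], "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": ["invoice", "wire", "payment"]},
    {"Name": "Archive newsletters", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "DeleteMessage": False, "MoveToFolder": "Newsletters", "SubjectContainsWords": ["newsletter"]},
]

FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "ach", "remit"}
# Folders attackers use to park stolen mail where the owner rarely looks.
HIDING_FOLDERS = {"RSS Feeds", "RSS Subscriptions", "Conversation History", "Junk Email"}

def is_external(address: str) -> bool:
    return address.split("@")[-1].lower() not in INTERNAL_DOMAINS

def audit_rule(rule: dict) -> list:
    """Reasons this rule matches patterns seen in compromised accounts."""
    reasons = []
    for target in rule["ForwardTo"] + rule["RedirectTo"]:
        if is_external(target):
            reasons.append(f"forwards or redirects to external address {target}")
    if rule["DeleteMessage"]:
        reasons.append("deletes the message so the mailbox owner never sees it")
    if rule["MoveToFolder"] in HIDING_FOLDERS:
        reasons.append(f"moves mail into rarely read folder '{rule['MoveToFolder']}'")
    if not rule["Name"].strip(" .,-_"):
        reasons.append("rule name is blank or punctuation only")
    words = {w.lower() for w in rule["SubjectContainsWords"]}
    if reasons and words & FINANCE_WORDS:
        reasons.append("targets payment-related subjects: " + ", ".join(sorted(words & FINANCE_WORDS)))
    return reasons

def suspicious_rules(rules=RULES) -> dict:
    """Map rule name -> reasons, for every enabled rule that raises a flag."""
    report = {}
    for rule in rules:
        reasons = audit_rule(rule)
        if rule["Enabled"] and reasons:
            report[rule["Name"]] = reasons
    return report
```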
Can MFA stop BEC?
MFA on email accounts reduces the risk of account compromise, but it does not stop BEC outright. Most BEC attacks don't require access to a compromised email account — attackers use lookalike domains, personal email compromise, or vendor impersonation instead. MFA is essential, but it's a layer, not a shield. Human controls (dual authorization, out-of-band verification, BEC-specific training) are what actually stop BEC attacks from succeeding.
Ready to Protect Your Finance Team?
If your team processes wires, ACH transfers, or vendor payments — you are in the BEC kill zone. The good news: this is one of the most preventable cybercrimes if you have the right controls and trained staff.
Book Executive-tier BEC Defense Training — 90 Minutes, $390 →
- Live instructor-led session (no pre-recorded slides)
- BEC anatomy: the 5 attack types targeting your industry
- Dual-control and verification procedure templates
- Simulated BEC exercises for your team
- Post-training summary and recommendations