Safeguard
Industry Analysis

Business email compromise (BEC)

Business email compromise (BEC) tricks employees into wiring funds or data to attackers posing as executives or vendors. Here is how BEC fraud actually works.

Marina Petrov
Compliance Analyst
7 min read

What is business email compromise? It's a form of cybercrime in which an attacker compromises or convincingly spoofs a legitimate email account -- typically belonging to an executive, a finance employee, or a trusted vendor -- in order to trick a target into wiring money, rerouting a payment, or disclosing sensitive data. Unlike most cyberattacks, BEC rarely involves malware: there's no payload to detect, no exploit to patch, no attachment to sandbox. Instead, it weaponizes trust, urgency, and the ordinary rhythm of business correspondence to manipulate a person into taking one routine-looking action, such as approving a wire transfer, updating bank details on file, or emailing a batch of W-2s. The FBI's Internet Crime Complaint Center has tracked more money lost to BEC than to any other cybercrime category on record, precisely because it is cheap to run, difficult for signature-based tools to catch, and devastating against organizations that treat an email in the inbox as sufficient authorization to act.

What Is Business Email Compromise at the Protocol Level?

At the protocol level, business email compromise exploits the fact that email was never designed to guarantee sender identity. Attackers achieve the illusion of legitimacy through one of three technical paths: registering a lookalike domain (swapping "rn" for "m," or using a different top-level domain than the real one), spoofing the "From" header on a message sent through an open or misconfigured mail relay, or -- the most dangerous variant -- gaining actual access to a real mailbox through credential phishing, password reuse, or a stolen OAuth token. Once inside a real account, an attacker can read months of prior correspondence to learn a company's tone, its approval chain, and its invoice cycle, then set a hidden inbox rule that auto-forwards or auto-deletes any reply from the real finance team so the victim never sees the compromised employee's suspicious activity. This is why BEC fraud explained purely as "a scam email" undersells it: the more damaging cases are quiet, patient account takeovers that precede the actual money-moving message by weeks.

How Does a CEO Fraud Email Scam Actually Unfold?

A CEO fraud email scam unfolds by impersonating a senior executive, usually the CEO or CFO, to pressure a subordinate into an urgent, confidential financial transaction outside the normal approval process. The pattern is remarkably consistent: the message arrives late in the day or right before a holiday, invokes secrecy ("don't loop in the rest of the team, this is a pending acquisition"), and applies time pressure ("I need this wired before the bank closes"). In 2015, Mattel's finance department received an email that appeared to come from the newly appointed CEO, requesting a $3 million wire transfer to a supplier account in China as part of what looked like a routine vendor payment approval. The employee followed procedure, verified nothing further because the request appeared to come from the top, and authorized the transfer. Mattel only recovered the funds because the transfer happened to hit a bank holiday in China, giving investigators a narrow window to freeze the account before it was emptied. Most victims are not that fortunate.

What Makes Invoice Fraud Attacks So Effective?

Invoice fraud attacks are effective because they insert themselves into a payment process that already exists, rather than asking a victim to do something new. Instead of impersonating an executive, the attacker impersonates a real vendor the target already pays regularly, sending a message -- often from a compromised vendor mailbox rather than a spoofed one -- that says the vendor's "banking details have changed" and provides new routing information for the next invoice. Because the invoice amount, vendor name, and purchase order number all match a legitimate transaction already in progress, the fraud hides inside routine accounts-payable work rather than standing out as anomalous. Toyota Boshoku Corporation's European subsidiary lost roughly $37 million in 2019 when attackers, after compromising a business partner's email thread, convinced a finance employee to redirect a wire transfer through what looked like an ordinary change in banking instructions. Invoice fraud attacks like this are particularly corrosive in software supply chains, where vendor relationships, license renewals, and support contracts already generate a steady stream of legitimate-looking payment requests for attackers to imitate.

Is BEC vs Phishing Really the Same Threat?

BEC vs phishing is a meaningful distinction, not just a labeling exercise, because the two attacks differ in scale, payload, and detection surface. Traditional phishing casts a wide net: thousands of near-identical emails, usually carrying a malicious link or attachment, designed to harvest credentials or drop malware on whichever fraction of recipients click. Business email compromise is the opposite -- a small number of highly targeted, malware-free messages, often preceded by weeks of reconnaissance on LinkedIn, press releases, or a compromised mailbox, and tailored to one person's role and one company's workflow. A phishing filter built to catch malicious URLs and attachments will let a BEC message sail through, because there is nothing technically malicious in it -- just a well-crafted request from what looks like the right person at the right time. Practically, this means BEC defense depends far more on verifying identity and intent (out-of-band confirmation, callback procedures, payment-change verification) than on the payload inspection that stops conventional phishing.

Why Do BEC Attacks Slip Past Traditional Email Security?

BEC attacks slip past traditional email security because most of that security is built to catch malicious code, not malicious intent. Secure email gateways, sandboxing, and antivirus scanning all look for something to flag -- a bad URL, a known-malicious attachment hash, an exploit signature -- and a well-written BEC message contains none of that. Even SPF, DKIM, and DMARC, which authenticate that a message actually came from the domain it claims to, do nothing to stop an attacker who has compromised the real mailbox or registered a domain one character off from the real one and configured its own valid authentication records. Compounding the problem, attackers who gain mailbox access frequently create inbox rules that silently archive or forward messages from anyone likely to notice the fraud, so the compromise persists undetected long after the initial phishing email that started it. Effective defense requires controls that sit outside the inbox entirely: verified out-of-band callbacks for any payment or banking-detail change, anomaly detection on vendor and domain behavior, and monitoring for the kind of account and access changes that precede a BEC payout request.

How Safeguard Helps

Safeguard treats business email compromise as a supply chain risk, not just an inbox problem, because the same trust relationships attackers abuse to redirect a wire transfer are the ones they abuse to compromise software. A maintainer's email account is frequently the recovery path for their npm, PyPI, or GitHub credentials -- compromise the inbox, reset the package registry password, and an attacker can publish a malicious version of a dependency thousands of applications pull in automatically. Safeguard monitors the vendor and maintainer relationships behind your software supply chain for the same warning signs that precede financial BEC: newly registered lookalike domains impersonating your suppliers, anomalous changes to publisher or maintainer account details, and package or dependency updates that don't match the historical behavior of a trusted source. By correlating identity and behavioral signals across both your vendor communications and your software dependency graph, Safeguard helps security teams catch the account takeovers and impersonation attempts that BEC and supply chain attacks both rely on, before a fraudulent invoice or a poisoned package update ever reaches production.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.