Business email compromise (BEC)
A sophisticated email-based fraud targeting businesses, usually to divert large payments by impersonating executives or trusted suppliers.
Also known as: BEC, CEO fraud, email fraud
Last reviewed: 1 June 2026
Business email compromise (BEC) is a category of fraud in which attackers use email, whether sent from a hacked account, a spoofed address, or an impersonating one, to manipulate employees into transferring money or sensitive data. Unlike bulk phishing, BEC attacks are carefully researched and targeted.
The most common BEC scenarios include: a 'CEO' emailing the CFO for an urgent, confidential wire transfer; a 'lawyer' emailing about a confidential acquisition requiring immediate payment; a 'supplier' emailing to give notice of changed bank details; and a 'payroll' email requesting that a salary be redirected to a new account.
BEC causes billions in losses annually worldwide. Strong countermeasures include out-of-band verification of any payment request (phone the requestor on a known number), dual-approval processes for wire transfers, and email authentication (DMARC) to reduce domain spoofing.