What is business email compromise and how do I prevent it?
Business email compromise uses spoofed or hacked email accounts to impersonate executives and trick employees into wiring money — a verbal confirmation call on a known number defeats it every time.
Last reviewed: 10 June 2026
Explanation
Business email compromise (BEC) is a targeted fraud where an attacker either hacks a corporate email account or registers a look-alike domain to send emails appearing to come from a senior executive, trusted vendor, or attorney. The email instructs an employee in finance or accounts payable to make an urgent wire transfer, change vendor banking details, or release payroll to a new account. The FBI considers BEC one of the costliest cybercrime categories, with multi-billion-dollar annual losses across organisations of all sizes.
The attack relies on several conditions: employees who are conditioned to act quickly on senior requests, insufficient controls around payment authorisation, and email systems that do not clearly flag external look-alike domains. Attackers research their targets before striking — studying the corporate hierarchy from LinkedIn, learning financial reporting periods (when large transfers are common and less scrutinised), and identifying employees with payment authority.
The most effective single control is a verbal confirmation rule: any wire transfer, any change in vendor banking details, and any payroll modification requires a call to the requester on a number from your own contact list — not a number provided in the email. This one step defeats the vast majority of BEC attacks because the attacker cannot answer the phone as the real executive. Combine this with dual-approval thresholds so no single employee can authorise large transfers without a second signatory.
Technical controls complement the human process: enable multi-factor authentication on all corporate email accounts, configure email systems to tag messages from external domains that mimic internal addresses, and deploy DMARC email authentication to prevent attackers from spoofing your exact domain in messages to external parties.
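The look-alike tagging control described above, as an added Python example that is not code from the original page: it classifies an inbound message's From domain as trusted, look-alike (one-character edit or homoglyph swap) or external, which is the filter DMARC cannot provide because DMARC only covers your exact domain. The trusted domains and sample messages are constructed for illustration.

```python
# Added example (not from the original page): tag inbound mail whose From domain
# is a look-alike of one we trust. All domains and messages below are constructed.
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com", "example-vendor.net"}  # constructed: ours + a vendor

# Pairs that look alike in many fonts; the left form is rewritten to the right one.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalise(domain: str) -> str:
    """Lower-case the domain and collapse common homoglyph substitutions."""
    d = domain.lower()
    for glyph, letter in HOMOGLYPHS:
        d = d.replace(glyph, letter)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: fewest single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(raw_message: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, matched_domain); verdict is 'trusted', 'lookalike' or 'external'."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    if not domain:
        return ("external", None)  # missing or malformed From header: do not trust it
    for known in trusted:
        if domain == known or domain.endswith("." + known):
            return ("trusted", known)  # exact domain or one of its subdomains
    for known in trusted:
        # One-character edits and homoglyph swaps are the usual look-alike registrations.
        if edit_distance(domain, known) <= 1 or normalise(domain) == normalise(known):
            return ("lookalike", known)
    return ("external", None)


# Constructed sample messages (header block only; bodies omitted).
CEO_LOOKALIKE = "From: Jane Doe <jane@examp1e.com>\nSubject: Urgent wire\n\n"
VENDOR_LOOKALIKE = "From: AP <billing@example-vend0r.net>\nSubject: New bank details\n\n"
GENUINE = "From: Jane Doe <jane@mail.example.com>\nSubject: Lunch\n\n"
UNRELATED = "From: News <news@unrelated.org>\nSubject: Weekly digest\n\n"
```

A mail gateway would use the "lookalike" verdict to prepend a warning banner or route the message to quarantine; the "external" verdict is the normal external tag.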
Common red flags
- Email from CEO or CFO requesting an urgent wire transfer, especially while they are 'travelling'
- Vendor email updating banking details, with a new account that does not match your records
- Sender address is one character different from a known internal or vendor address
- Payment request explicitly asks you not to discuss with others or go through normal channels
- Attorney email requesting confidential transfer related to an acquisition or legal matter
- Unusual urgency around timing — 'must complete today before close of business'
What to do now
- Implement a verbal confirmation rule for all wire transfers and banking-detail changes
- Set dual-approval thresholds for payments above a defined limit
- Enable multi-factor authentication on all corporate email accounts
- Configure DMARC, DKIM, and SPF on your domain to prevent external spoofing
- Train finance staff to recognise common BEC patterns at least annually
- Report BEC to the FBI IC3 at ic3.gov immediately if funds were transferred
Frequently asked questions
What is the best way to report BEC to law enforcement?
File a complaint with the FBI's Internet Crime Complaint Center (IC3) at ic3.gov. For same-day wire transfers, contact the FBI's Recovery Asset Team via the IC3 financial fraud kill chain — speed matters for fund recovery. Also notify your bank's fraud team the same day.
Can DMARC prevent BEC?
DMARC prevents attackers from spoofing your exact domain in emails to external parties, reducing a significant category of BEC. However, it cannot prevent attackers from using look-alike domains or hacked accounts. DMARC combined with the verbal confirmation rule provides the strongest layered defence.