What is business email compromise (BEC)?
Business email compromise (BEC) is a sophisticated fraud where criminals impersonate a company executive, trusted supplier, or employee via email to trick staff into transferring money or sensitive data to fraudulent accounts.
Last reviewed: 10 June 2026
Explanation
BEC is one of the costliest forms of cybercrime globally. Unlike mass-market phishing, BEC attacks are targeted and researched. Before striking, criminals study a company's organisational chart, payment processes, supplier relationships, and email styles — often gleaned from LinkedIn, company websites, or a prior email compromise.
A typical CEO fraud variant involves an email appearing to come from the CEO to a finance employee, urgently requesting a wire transfer for a confidential acquisition, time-sensitive deal, or contractor payment. Because the email looks authentic and comes with apparent authority, staff often comply without following normal verification procedures.
Another common variant is invoice fraud: attackers compromise a supplier's email account or create a convincing lookalike domain, then send a modified invoice with the supplier's bank account details replaced by their own. Companies pay the invoice in good faith and the money goes directly to the criminals.
Defences include multi-step verification for all payment changes (always call the requester on a known number), strict invoice change procedures, email authentication (DMARC, DKIM, SPF), and training staff to treat urgency and confidentiality requests in payment emails as red flags rather than reasons to act faster.
Common red flags
- A request from a senior executive for an unusual or urgent wire transfer, especially marked confidential
- A supplier sends updated bank account details by email only, without a phone follow-up
- The sender email address has a subtle domain difference from the real one (e.g. .co vs .com, or an extra letter)
- Requests to bypass normal approval or verification processes 'just this once'
- Urgency framing — a deal will collapse, a fine will be incurred, or an opportunity will be missed
- New instructions arrive on a Friday afternoon or before a holiday
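One way a mail gateway or SOC triage script could apply the lookalike-domain red flag above, as an added example that is not from the original page; the trusted domain list and the sample sender addresses are constructed for illustration:

```python
# Added example (not from the original page): screen a sender's domain against
# known trusted domains and flag the lookalikes the red-flag list describes:
# TLD swap (.co vs .com), one extra/missing/changed letter, or confusable
# characters (rn for m, 0 for o, 1 for l). All domains here are constructed.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")]

def normalize(domain: str) -> str:
    """Fold visually confusable sequences so 'exarnple' compares equal to 'example'."""
    domain = domain.lower()
    for src, dst in CONFUSABLES:
        domain = domain.replace(src, dst)
    return domain

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character edits needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def sender_domain(address: str) -> str:
    """Return the lower-cased domain from 'Name <user@host>' or 'user@host'."""
    addr = address.rsplit("<", 1)[-1].rstrip(">").strip()
    return addr.rpartition("@")[2].lower()

def classify_sender(address: str, trusted: list[str]) -> str:
    """Classify the sender's domain as 'trusted', 'lookalike' or 'unknown'."""
    dom = sender_domain(address)
    if any(dom == t or dom.endswith("." + t) for t in trusted):
        return "trusted"
    label, _, tld = dom.rpartition(".")
    for t in trusted:
        t_label, _, t_tld = t.rpartition(".")
        if label == t_label and tld != t_tld:   # example.co vs example.com
            return "lookalike"
        if normalize(dom) == normalize(t):       # exarnple.com vs example.com
            return "lookalike"
        if edit_distance(dom, t) == 1:           # acme-suppliers.net, one extra letter
            return "lookalike"
    return "unknown"

if __name__ == "__main__":
    trusted = ["example.com", "acme-supplier.net"]   # constructed allow-list
    for s in ["ceo@example.com", "CEO <ceo@exarnple.com>", "ap@example.co",
              "billing@acme-suppliers.net", "x@gmail.com"]:
        print(f"{s:30} -> {classify_sender(s, trusted)}")
```

A "lookalike" result is a trigger for the phone-call verification described below, not proof of fraud; legitimate senders occasionally use near-miss domains.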
What to do now
- Never change bank account details or make large transfers based solely on an email request
- Always verify payment changes with a phone call to a number from your internal directory, not the email
- If a payment has been made, contact your bank immediately — some international transfers can be recalled quickly
- Report to the FBI IC3 (US), Action Fraud (UK), or your national cybercrime unit
- Review and tighten your company's payment authorisation procedures
- Implement DMARC (backed by SPF and DKIM) on your company's email domain to prevent spoofing of that exact domain; it does not stop lookalike domains, which still need the verification steps above
Frequently asked questions
Is BEC the same as phishing?
BEC is a targeted subset of email fraud but differs from mass phishing in that it is highly personalised, typically impersonates a known contact rather than a generic institution, and aims for a direct financial transfer rather than credential harvesting — though compromised credentials are often how BEC attackers gain initial access.
How quickly can wired funds be recalled?
Speed is critical. Domestic transfers recalled within the same business day have a reasonable success rate. International SWIFT transfers are much harder to recall once the beneficiary bank has credited the account. Contact your bank within minutes of discovery, not hours.