Business Email Compromise (BEC) is today one of the largest sources of financial loss in cybersecurity: the annual reports of the FBI Internet Crime Complaint Center (IC3) attribute tens of billions of dollars in cumulative losses to BEC, exceeding in dollar terms many malware-based attack categories. And the most disconcerting part for security teams: almost none of it depends on malicious code.
Unlike ransomware or a banking trojan, BEC — known in Portuguese as "fraude do e-mail corporativo" and popularly as the "CEO scam" — is essentially a social engineering attack conducted by email. The criminal does not break into the victim's computer; he breaks into their trust. A credible email, in the right tone, at the right moment, requesting an urgent transfer or an update to a supplier's bank details, is all he needs to divert amounts ranging from a few thousand to tens of millions.
This article details what BEC is, its main types, the anatomy of the scam, why it slips past traditional email filters and — most important for a company of any size — which technical and process controls effectively reduce the risk, and what to do when the fraud has already occurred.
What BEC is
Business Email Compromise is a fraud in which the attacker impersonates a trusted person or entity — an executive, a supplier, a lawyer, the HR department — to induce an employee to perform a financial action: transfer money, change payment details, buy gift cards or hand over sensitive information. The vector is email, and the engine is psychological manipulation.
What makes BEC so dangerous is the absence of obvious technical artifacts. There is no infected attachment, no link to a credential-harvesting site, often not even a spelling mistake. It is a message legitimate in form and illegitimate in intent. That is why BEC is classified, in the MITRE ATT&CK framework, under phishing and impersonation techniques, and not under code execution.
The main types of BEC
The FBI and CISA describe BEC as a family of frauds with variations that share the same impersonation logic. The most common in corporate environments are:
- CEO fraud: the attacker impersonates a senior executive and orders a finance subordinate to make an urgent, confidential transfer, usually tied to a supposed acquisition, a secret payment or an emergency. It exploits hierarchy and the fear of going against leadership.
- Fake invoice / vendor fraud: the fraudster impersonates a legitimate supplier and sends a real or slightly altered invoice, stating that "the bank details have changed." The payment, which would go to the supplier, lands in the criminal's account. It is the variant that produces the largest per-incident amounts.
- Payroll diversion / HR fraud: impersonating an employee, the attacker asks HR to change the salary deposit details to a new account. The employee only notices when the payment fails to arrive.
- Account Compromise: here there is an actual intrusion — the attacker gains access to an employee's legitimate mailbox (via credential phishing or a leaked password) and operates from the inside. Because the messages come from the real address, this is the hardest subtype to detect.
- Attorney impersonation: the criminal pretends to be a legal representative handling a confidential, time-sensitive matter, pressing for secrecy and speed.
Anatomy of a BEC attack
A successful BEC scam is rarely improvised. It follows recognizable steps, which also means there are points to interrupt it at each one.
1. Reconnaissance
The attacker maps the organization: who the CEO is, who the CFO is, who pays the bills, who the suppliers are, when there are trips or month-end closings. Much of this intelligence comes from open sources — LinkedIn, the company website, press releases — and from data leaked in earlier incidents.
2. Establishing the channel — spoofing or lookalike
With the target mapped, the criminal creates the means of contact. It can be spoofing (forging the "From" field to display the executive's real email), a lookalike domain (such as decripte-io.com instead of decripte.io, or swapping an "l" for a "1"), or the use of a legitimate account that has already been compromised.
3. The urgency and authority trigger
The message is built to switch off critical thinking. Urgency ("I need this today"), authority ("it's an order from the board"), secrecy ("don't tell anyone, it's confidential") and a short time window are the classic psychological levers described in the social engineering literature.
4. The exchange of details and the execution
The concrete request almost always involves money in motion: a transfer to a new account, a change of invoice bank details, or the purchase of gift cards. Once the payment is made, the funds are quickly dispersed through mule accounts and often converted, turning recovery into a race against the clock.
Why BEC slips past security filters
Email gateways, antivirus and sandboxes were designed to detect what is technically malicious: executable attachments, macros, phishing URLs, known signatures. BEC deliberately carries none of that. A plain-text message, with no link and no attachment, saying only "can you process an urgent payment for me?", is indistinguishable from a legitimate corporate email to a content-based filter.
Add to that the account-compromise subtype, in which the message comes from an authenticated, trusted sender, and it becomes clear why the control cannot be purely perimeter technology. BEC attacks the process and the person — and that is where the defense needs to be. Here is how each type manifests and which control neutralizes it:
| Type of BEC | Warning sign | Recommended control |
|---|---|---|
| CEO fraud | An urgent, secret payment order coming from "the board," outside the normal flow | Approval thresholds and dual approval; out-of-band verification with the executive |
| Fake invoice / vendor | A notice of a "bank details change" on an invoice or supplier email | Confirmation through a known channel (a registered phone number) before changing the account |
| Payroll diversion (HR) | A request to change a salary deposit account by email | Multi-channel identity verification and a formal record-change policy |
| Account Compromise | Hidden forwarding rules, logins from unusual locations, atypical "internal" emails | MFA, login anomaly detection and mailbox rule review |
| Lookalike domain / spoofing | A domain nearly identical to the real one; a sender authentication failure | DMARC in reject policy, SPF and DKIM |
Defenses against BEC
An effective strategy combines technical, process and human layers. None of them solves it alone.
Email authentication: SPF, DKIM and DMARC
These three protocols are the technical foundation against domain spoofing. SPF declares which servers may send email on behalf of your domain; DKIM cryptographically signs messages; and DMARC instructs providers on what to do when SPF or DKIM fail. Keeping DMARC in a reject policy (p=reject), and not merely in monitoring, prevents spoofed domains from reaching your employees' inboxes. CISA explicitly recommends this configuration for organizations.
Out-of-band verification for financial changes
This is, on its own, the single most effective defense against vendor fraud. Every change of bank details and every transfer above a threshold must be confirmed through a channel other than email — preferably a call to a number that is already on file, never to the number that came in the suspicious email itself. If the request came by email, the verification cannot be by email.
Approval thresholds and dual payment approval
No significant transfer should depend on a single person. Approval by two people (segregation of duties), value-based limits and a formal process that cannot be "bypassed" by urgency remove from the attacker exactly the lever he exploits most: the lone, hurried decision.
Training and culture
Because BEC attacks people, awareness is a first-line control. Finance and HR staff need to know that "urgency + secrecy + account change" is an alert pattern, and that checking is not distrust — it is procedure. Combine this with phishing defense practices, since account compromise almost always begins with credential phishing.
Anomaly detection
Modern email and identity security tools detect signals that escape the traditional filter: a sender who has never written before asking for money, a login from an unusual country, the creation of automatic forwarding rules (a classic technique of whoever has compromised an account), or fraud-typical language. MFA on all mailboxes cuts off at the root the most dangerous subtype, that of the compromised account.
Response: what to do when the scam happens
Speed determines whether the money comes back or not. If your organization has fallen for a BEC:
- Contact the bank immediately. Request a freeze and an attempt to recall/reverse the transfer. The first hours are decisive — the sooner, the greater the chance of holding the funds before they are dispersed.
- Notify the authorities. In the U.S., the FBI advises filing a report with IC3 (ic3.gov), which operates a fund recovery mechanism (the Financial Fraud Kill Chain). In Brazil, file a police report and contact the competent authority; also notify the receiving bank.
- Preserve evidence. Keep the original emails with full headers, access logs and transaction details — they are essential for the investigation and for any recovery.
- Contain the compromise. If there was an account intrusion, force password changes, revoke sessions, enable MFA and check for malicious forwarding rules.
- Communicate internally and review the process. Alert the risk teams so that the same vector is not exploited again while the incident is being handled.
BEC is a process risk, not just a technology one
The central lesson of BEC is that the security of a modern company does not end at the firewall. A simple financial control — confirming every change of bank account by phone — prevents frauds that no antivirus would ever have stopped. For an organization of 1 or 100,000 employees, the challenge is the same in nature, differing only in scale: aligning email authentication, payment discipline and a culture of verification.
Decripte helps companies of all sizes map this exposure, harden email authentication, design payment approval thresholds and respond quickly when an incident occurs. Get started free by assessing your organization's risk, or explore our plans for continuous defense against BEC and other threats.
References
- FBI Internet Crime Complaint Center (IC3) — Business Email Compromise / Internet Crime Report.
- MITRE ATT&CK — Phishing (T1566) and Impersonation.
- CISA — Guidance on email authentication (SPF, DKIM, DMARC) and protection against phishing and BEC.
