What is Business Email Compromise?
Business Email Compromise, or BEC, is a targeted scam built on impersonation. The attacker poses as a trusted party, often an executive, supplier or lawyer, and exploits authority and urgency to obtain an action: a transfer, a change of bank details, the disclosure of confidential data.
Unlike most cyberattacks, BEC needs no malware. Its weapon is human manipulation, which makes it particularly hard to block through purely technical means.
Why it matters for your organization
BEC ranks among the most costly frauds, because it targets financial flows directly. A single fraudulent transfer can involve considerable sums, and once the money is moved, it is often unrecoverable.
The rise of AI and deepfakes has boosted the credibility of these attacks. A well-crafted email can now be backed by a call mimicking an executive's voice, making the deception very convincing.
How to reduce the risk
- Validation procedures with dual control for any transfer or bank-detail change.
- Out-of-band verification: confirm a sensitive request through an independent, known channel.
- Targeted awareness for finance, accounting and leadership.
- Email protection (SPF, DKIM, DMARC) against domain spoofing.
- Clear rules stating that no urgency justifies bypassing controls.
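The SPF, DKIM and DMARC item above is the one control in this list that can be checked mechanically. The script below is an added example written for this page (not code from the original article); it parses a domain's SPF and DMARC TXT records and lists the gaps that would let a spoofed sender domain reach an inbox: a missing or monitor-only DMARC policy (p=none), a permissive SPF ending in +all or ?all, a softfail (~all) with no DMARC enforcement behind it, or no aggregate reporting address. The records in SAMPLE_RECORDS are constructed for the demonstration and stand in for DNS lookups of `<domain>` and `_dmarc.<domain>`; note that these checks only cover the organization's own domain, not lookalike domains registered by the fraudster, which is why the procedural controls remain essential.

```python
"""Audit SPF and DMARC TXT records for resistance to domain spoofing.

Added example, not part of the original article. The records below are
constructed samples standing in for DNS TXT lookups of `<domain>` (SPF)
and `_dmarc.<domain>` (DMARC); in practice they would come from a resolver.
"""
from dataclasses import dataclass, field

# Constructed sample records (assumption: what DNS would return).
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.mail.example ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example -all",
        "dmarc": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@strong.example",
    },
    "none.example": {"spf": None, "dmarc": None},
}


@dataclass
class Assessment:
    domain: str
    findings: list = field(default_factory=list)

    @property
    def spoof_resistant(self) -> bool:
        return not self.findings


def spf_all_qualifier(record):
    """Return the qualifier of the SPF 'all' mechanism ('+', '-', '~', '?'),
    or None when the record is missing, not SPF, or has no 'all' term."""
    if not record:
        return None
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    for term in terms[1:]:
        qualifier = "+"  # RFC 7208 default when no qualifier is written
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        if term.lower() == "all":
            return qualifier
    return None


def parse_dmarc(record):
    """Parse a DMARC record into a lowercase tag dict, or None if invalid."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess(domain, spf_record, dmarc_record):
    """Collect findings that would let a spoofed From: domain reach inboxes."""
    a = Assessment(domain)
    tags = parse_dmarc(dmarc_record)
    enforcing = tags is not None and tags.get("p", "").lower() in ("quarantine", "reject")

    if tags is None:
        a.findings.append("no valid DMARC record: receivers cannot enforce alignment")
    else:
        if not enforcing:
            a.findings.append(f"DMARC p={tags.get('p', 'missing')}: monitor-only, spoofed mail still delivered")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            a.findings.append(f"DMARC pct={pct}: policy applied to only part of the mail")
        if "rua" not in tags:
            a.findings.append("no rua tag: no aggregate reports to spot abuse of the domain")

    qualifier = spf_all_qualifier(spf_record)
    if qualifier is None:
        a.findings.append("no SPF record or no 'all' mechanism: sender IPs unrestricted")
    elif qualifier in "+?":
        a.findings.append(f"SPF '{qualifier}all': any host may send as this domain")
    elif qualifier == "~" and not enforcing:
        a.findings.append("SPF '~all' without DMARC enforcement: softfail only flags, never rejects")
    return a


def audit_all(records=SAMPLE_RECORDS):
    """Assess every domain in the record set; returns {domain: Assessment}."""
    return {d: assess(d, r["spf"], r["dmarc"]) for d, r in records.items()}


if __name__ == "__main__":
    for domain, result in audit_all().items():
        print(f"{domain}: {'OK' if result.spoof_resistant else 'WEAK'}")
        for finding in result.findings:
            print(f"  - {finding}")
```

Running it prints strong.example as OK and the other two as WEAK with the reasons listed; to audit a real domain, replace the sample strings with the TXT records returned by your resolver for the domain and its `_dmarc` subdomain.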
Where organizations most often fall short
The main pitfall is relying on individual vigilance alone against hierarchical pressure and urgency, which is exactly what the fraudster exploits. The effective countermeasure is procedural: a systematic, independent check that does not depend on the judgment of one isolated person at the wrong moment.