FortaRisks

Business Email Compromise (BEC)

Business Email Compromise (BEC), also known as CEO fraud, is a scam that impersonates an executive, supplier or partner to obtain a fraudulent transfer or sensitive information. With no malware involved, it relies on manipulation and evades classic technical defenses.

Updated on July 2, 2026

What is Business Email Compromise?

Business Email Compromise, or BEC, is a targeted scam built on impersonation. The attacker poses as a trusted party, often an executive, supplier or lawyer, and exploits authority and urgency to obtain an action: a transfer, a change of bank details, the disclosure of confidential data.

Unlike most cyberattacks, BEC needs no malware. Its weapon is human manipulation, which makes it particularly hard to block through purely technical means.

Why it matters for your organization

BEC ranks among the most costly frauds, because it targets financial flows directly. A single fraudulent transfer can involve considerable sums, and once the money is moved, it is often unrecoverable.

The rise of AI and deepfakes has boosted the credibility of these attacks. A well-crafted email can now be backed by a call mimicking an executive's voice, making the deception very convincing.

How to reduce the risk

  • Validation procedures with dual control for any transfer or bank-detail change.
  • Out-of-band verification: confirm a sensitive request through an independent, known channel.
  • Targeted awareness for finance, accounting and leadership.
  • Email protection (SPF, DKIM, DMARC) against domain spoofing.
  • Clear rules stating that no urgency justifies bypassing controls.
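Email authentication (SPF, DKIM, DMARC) only stops direct spoofing of your own domain; a BEC message that passes authentication from a lookalike domain, borrows an executive's display name, redirects replies and pushes an urgent payment still carries signals a gateway can flag for human review. The following is an added example, not FortaRisks' tooling; the organization domain, the protected names, the keyword lists and the sample message are all constructed.

```python
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"   # assumption: the defended organization's domain
PROTECTED_NAMES = {"jane doe"}    # constructed: executives likely to be impersonated
FINANCIAL_TERMS = ("wire transfer", "bank detail", "iban", "invoice")
URGENCY_TERMS = ("urgent", "today", "immediately", "do not call")

# Constructed sample: a lookalike external domain borrowing the CFO's display name,
# a Reply-To pointing elsewhere, and an urgent transfer request that passes SPF/DKIM.
SAMPLE_MESSAGE = """\
From: "Jane Doe (CFO)" <jane.doe@example-mail.test>
Reply-To: cfo.jane.doe@example-mail.test
To: payments@example.com
Subject: Urgent wire transfer before 5pm
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example-mail.test; dkim=pass header.d=example-mail.test; dmarc=none header.from=example-mail.test

Please process the attached bank detail change today. I am in a meeting, do not call.
"""

def bec_indicators(raw_message: str) -> list[str]:
    """Return the BEC warning signs found in one RFC 5322 message (empty list if none)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    name, addr = parseaddr(msg["From"] or "")
    from_domain = addr.rsplit("@", 1)[-1].lower()
    found = []
    # 1. A protected person's name on a mailbox outside the organization.
    if any(p in name.lower() for p in PROTECTED_NAMES) and from_domain != INTERNAL_DOMAIN:
        found.append("executive display name on external address")
    # 2. A sender domain that reuses our first label (example-mail.test vs example.com).
    if from_domain != INTERNAL_DOMAIN and INTERNAL_DOMAIN.split(".")[0] in from_domain:
        found.append("lookalike sender domain")
    # 3. Replies quietly redirected to a different mailbox.
    _, reply_addr = parseaddr(msg["Reply-To"] or "")
    if reply_addr and reply_addr.lower() != addr.lower():
        found.append("reply-to differs from sender")
    # 4. Our own domain in From: without a DMARC pass is direct spoofing.
    auth = (msg["Authentication-Results"] or "").lower()
    if from_domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        found.append("internal domain without dmarc=pass")
    # 5. The request itself: a financial action combined with time pressure.
    text = (msg["Subject"] or "") + " " + msg.get_body(("plain",)).get_content()
    text = text.lower()
    if any(t in text for t in FINANCIAL_TERMS) and any(u in text for u in URGENCY_TERMS):
        found.append("urgent financial request")
    return found

if __name__ == "__main__":
    for indicator in bec_indicators(SAMPLE_MESSAGE):
        print("-", indicator)
```

Indicators 1, 2, 3 and 5 fire on the sample even though SPF and DKIM pass, which is the case the procedural controls above exist for; indicator 4 is the only one DMARC alone would have caught.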

Where organizations most often fall short

The main pitfall is relying on individual vigilance alone against hierarchical pressure and urgency, which is exactly what the fraudster exploits. The effective countermeasure is procedural: a systematic, independent check that does not depend on the judgment of one isolated person at the wrong moment.

Frequently asked questions

Why is BEC so hard to detect?

Because it often contains no malicious link or attachment to catch: it is a plain email, sometimes sent from a genuinely compromised account. It exploits authority, urgency and trust. Technical filters are largely ineffective, because there is nothing technically abnormal to block.

How do deepfakes strengthen BEC?

Attackers now add voice or video deepfakes to lend credibility to their requests: a call mimicking an executive's voice, even a faked video call. Verification by a simple voice contact is no longer enough; you need authentication procedures independent of the channel the fraudster uses.
