Business Email Compromise: The Quiet Scam Costing Companies Billions
Goktug Onyer
Cybersecurity Lead

Ransomware gets the headlines. But the FBI's Internet Crime Complaint Center has been clear for years: Business Email Compromise (BEC) quietly causes more financial damage than any other cybercrime category — with reported losses in the tens of billions over the last five years and the real number certainly higher, because most companies don't report.
The reason BEC keeps working isn't technical sophistication. It works because the email looks completely normal — and because finance teams trust email more than they should.
What a BEC attack actually looks like
There are four shapes that account for almost all BEC cases we see:
- CEO fraud. An email apparently from the CEO to the CFO asking for an urgent wire transfer to close a deal. The CEO is "travelling" and can't be reached by phone. Time pressure is the whole point.
- Vendor invoice fraud. A real supplier's mailbox is compromised. The attacker watches conversations for weeks, waits for a real invoice, then sends a polite follow-up: "Our bank account changed — please use these new IBAN details."
- Payroll diversion. An email apparently from an employee to HR: "Can you update my bank account for next month's salary? Here are the new details." Small per-person amount, repeats every month.
- Attorney impersonation. Lawyer claims a confidential M&A transaction requires an immediate transfer. Confidentiality is leveraged to prevent verification by colleagues.
Why technical defenses alone fail
Most BEC emails contain no malware, no malicious link, and no obvious red flags. They're plain text. Spam filters have nothing to score against. That's by design — the attacker is exploiting your process, not your software.
Worse, attackers have gotten very good at:
- Lookalike domains. umayai.com vs. umayai.co or umaya-i.com. The display name in your email client shows the friendly "Goktug Onyer" — you have to hover to see the real address, and on mobile, often you can't.
- Reply-chain hijacking. Once a real mailbox is compromised, attackers reply to a genuine in-progress thread, slipping their new bank details in mid-conversation.
- LLM-polished writing. The grammar tells you nothing anymore. Modern BEC emails are indistinguishable from real ones at the sentence level.
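The three sender-level signals above (a lookalike domain, a borrowed executive display name, and a Reply-To that silently redirects the thread) are all visible in the message headers, so they can be checked before a human ever reads the body. The following is an added example, not tooling from the original post: it parses a raw message with the standard library and returns finding codes. The organisation domain is the post's own umayai.com; the PROTECTED_NAMES set, the confusable-character table, the two-edit threshold and the sample messages are my own constructed assumptions.

```python
"""Sender-level BEC signals: lookalike domains, borrowed executive display
names and Reply-To redirection. Added illustration, not the post's own tooling."""
from __future__ import annotations

import email
from email.utils import parseaddr

ORG_DOMAIN = "umayai.com"  # the post's own example domain

# Assumption: the directory of people whose display names attackers borrow.
PROTECTED_NAMES = {"goktug onyer"}

# Characters that read alike at a glance; '-' is dropped so umaya-i == umayai.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "5": "s", "3": "e", "-": ""})


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance, small enough to inline rather than import."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise(domain: str) -> str:
    """Lower-case and fold confusable characters so supp1ier == supplier."""
    return domain.lower().translate(CONFUSABLES)


def is_lookalike(domain: str, target: str) -> bool:
    """True when `domain` is not `target` but could pass for it: identical after
    folding confusables, within two edits, or the same name under another TLD."""
    if domain.lower() == target.lower():
        return False
    d, t = normalise(domain), normalise(target)
    if d == t or levenshtein(d, t) <= 2:
        return True
    return d.rsplit(".", 1)[0] == t.rsplit(".", 1)[0]


def analyse(raw_message: str) -> list[str]:
    """Return finding codes for one RFC 5322 message (headers are enough)."""
    msg = email.message_from_string(raw_message)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []

    if from_domain and is_lookalike(from_domain, ORG_DOMAIN):
        findings.append("lookalike-domain")

    # A protected name on any address outside the organisation is suspect.
    if display.strip().lower() in PROTECTED_NAMES and from_domain != ORG_DOMAIN:
        findings.append("display-name-impersonation")

    # Reply-chain hijack pattern: replies quietly go to a different domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr and reply_addr.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("reply-to-mismatch")

    return findings


# Constructed sample messages (headers only matter; bodies are filler).
CEO_FRAUD = """\
From: "Goktug Onyer" <goktug@umayai.co>
To: cfo@umayai.com
Subject: Urgent wire before close of business

Travelling, can't talk. Please process today.
"""

VENDOR_REDIRECT = """\
From: "Accounts" <ap@supplier-example.com>
Reply-To: ap@supp1ier-example.com
To: payables@umayai.com
Subject: RE: Invoice 4471 - updated bank details

Our bank account changed, please use the new IBAN below.
"""

CLEAN = """\
From: "Goktug Onyer" <goktug@umayai.com>
To: cfo@umayai.com
Subject: Board deck

Draft attached.
"""

if __name__ == "__main__":
    for name, raw in [("ceo fraud", CEO_FRAUD), ("vendor", VENDOR_REDIRECT), ("clean", CLEAN)]:
        print(f"{name:10s} -> {analyse(raw) or 'no findings'}")
```

The point of the design is that none of the checks looks at the wording of the email, which is exactly the part that LLM polishing has made useless as a signal; they key on identity fields the attacker has to get wrong to make the scam work. In a mail gateway these findings would feed a banner or a quarantine rule rather than a hard block, since lookalike detection on short domains will produce the occasional false positive.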
What actually stops BEC
The defenses that work are unglamorous. They're about process and authentication — not products.
1. Out-of-band verification for any payment change
Any request to send money, change a bank account, or update payroll details must be confirmed via a second, pre-established channel — typically a phone call to a number you already have on file. Not the number in the email signature. Not a callback to a number provided by the requester. The pre-existing one.
This single policy stops more BEC than any technical control. Make it mandatory in your AP procedures, train every new finance hire on it from day one, and ensure it applies regardless of who is asking.
2. Strong email authentication (SPF, DKIM, DMARC)
These three DNS records together make it dramatically harder for attackers to spoof your domain. DMARC in particular, set to p=reject, tells receiving servers to drop any email that claims to come from your domain but fails authentication. That kills the most basic form of CEO fraud where the From address is your own domain.
We have a whole separate post on this — SPF, DKIM, DMARC explained — but the takeaway is: if you haven't set these up, do it before you do anything else this quarter.
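A quick way to check whether your DMARC record actually enforces, rather than just exists, is to parse the TXT record and look at its tags. The following is an added example, not code from the post or from any DMARC tooling: it parses a record string offline and grades it. The grade names, the issue wording and the sample records are my own assumptions; the tag semantics (v, p, sp, pct, rua) are the standard DMARC ones.

```python
"""Parse a DMARC TXT record and report whether it enforces (p=reject with
pct=100) or only monitors. Added illustration; the grading rules are mine."""
from __future__ import annotations

# Strength ordering of the three DMARC policies, weakest first.
STRENGTH = {"none": 0, "quarantine": 1, "reject": 2}
POLICY_GRADE = {"none": "monitor-only", "quarantine": "quarantine", "reject": "enforcing"}


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into lower-cased tag -> value."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str | None) -> tuple[str, list[str]]:
    """Return (grade, issues). Grade is one of: missing, invalid,
    monitor-only, quarantine, enforcing."""
    if not record or not record.strip():
        return "missing", ["no DMARC record: receivers apply no policy to mail spoofing this domain"]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid", ["record must begin with v=DMARC1 or receivers ignore it"]
    policy = tags.get("p", "").lower()
    if policy not in STRENGTH:
        return "invalid", [f"p= tag missing or unknown ({policy!r}); must be none, quarantine or reject"]

    issues: list[str] = []
    if policy != "reject":
        issues.append(f"p={policy}: spoofed mail from your exact domain is still delivered")

    # pct defaults to 100; anything lower applies the policy to only a sample.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or int(pct) < 100:
        issues.append(f"pct={pct}: only that share of failing mail gets the policy applied")

    # sp defaults to p; an explicit weaker sp leaves subdomains open.
    sub = tags.get("sp", policy).lower()
    if STRENGTH.get(sub, -1) < STRENGTH[policy]:
        issues.append(f"sp={sub}: subdomains are weaker than the parent policy")

    if "rua" not in tags:
        issues.append("no rua= address: you get no aggregate reports showing who sends as your domain")

    return POLICY_GRADE[policy], issues


# Constructed sample records for the post's example domain.
SAMPLES = {
    "enforcing": "v=DMARC1; p=reject; rua=mailto:dmarc@umayai.com",
    "monitoring": "v=DMARC1; p=none; rua=mailto:dmarc@umayai.com",
    "sampled": "v=DMARC1; p=reject; pct=20",
    "weak-subdomains": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@umayai.com",
    "absent": None,
}

if __name__ == "__main__":
    for label, rec in SAMPLES.items():
        grade, issues = evaluate_dmarc(rec)
        print(f"{label:16s} {grade:13s} {'; '.join(issues) or 'ok'}")
```

The record itself lives at `_dmarc.<yourdomain>` as a TXT record; fetch it with your resolver of choice and feed the string in. A `p=none` record is the usual trap: it is valid, it produces reports, and it blocks nothing, which is why the post's advice is specifically p=reject.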
3. External-sender banners
Configure your mail server (Microsoft 365, Google Workspace, etc.) to prepend a clear "[EXTERNAL]" banner to every message originating outside your organisation. It feels noisy at first; it removes a class of confusion entirely.
4. MFA on every mailbox — and conditional access on top
Most vendor-invoice BEC starts with a credential phish that compromises a supplier's mailbox. Multi-factor authentication blocks the vast majority of those takeovers. Add conditional access policies (geo, device compliance, risk score) on top and you cover the rest.
5. Realistic phishing simulations
Quarterly simulated phishing campaigns — including internal impersonation scenarios — train muscle memory. The goal isn't to shame people who click; it's to build a workforce where reporting a suspicious email is the default reflex.
If you think you've been hit
Time is the only thing that matters in the first 24 hours. If a fraudulent transfer has just left your account:
- Call your bank immediately and request a SWIFT recall. Funds can sometimes be clawed back if reported within hours.
- Report to law enforcement. In the EU, your national cybercrime unit. In the US, IC3. They coordinate cross-border holds.
- Preserve evidence. Don't delete the email. Don't forward it around — that loses headers. Export the original message and all related logs.
- Force password resets and revoke sessions on any account that touched the conversation. Assume the attacker still has access.
- Notify your insurer. Cyber policies often have strict early-notification clauses; missing the window can void coverage.
The bottom line
BEC is a process attack dressed as a technical one. The companies that get hit hardest are the ones with strong firewalls and weak procedures — because the firewall never sees the email. The companies that don't get hit have boring, repeatable verification steps that nobody is allowed to skip, no matter how senior or how urgent the requester.
If you'd like a structured review of your email authentication, AP controls, and phishing-simulation maturity, our security team is happy to help. It's usually a half-day engagement and pays for itself the first time it catches something.