Business Email Compromise (BEC), Explained: The $3 Billion Scam Hiding in Your Inbox

What BEC is, how the scam unfolds, why it dwarfs ransomware, and the 72-hour kill chain to recover funds. Verified against FBI IC3 2025.
Business email compromise (BEC) is the most expensive cybercrime in the world that almost nobody outside a finance department can name. There is no malware, no encrypted hard drive, no ransom note — just a convincing email asking someone with access to money to move it, and a busy employee who complies. In 2025, victims reported $3.05 billion in BEC losses to the FBI’s Internet Crime Complaint Center (IC3), many times the reported losses from ransomware. This explainer covers what BEC is, how an attack unfolds, who gets targeted, the red flags, the defenses that work, and exactly what to do — within hours — if the money has already left your account.
What BEC is
Business email compromise is a financial fraud in which an attacker uses email — sometimes a genuinely hijacked account, sometimes a convincing fake — to trick an organisation or individual into sending money or sensitive data to the wrong place. It is a confidence trick wearing the clothes of a routine transaction. The FBI files closely related individual cases under “email account compromise” (EAC), where the victim is a person rather than a company, but the mechanics are identical.
What makes BEC distinct from ordinary phishing is that the payload is a request, not a link or an attachment. The attacker is trying to get you to authorise a payment you believe is legitimate. Because no technical defence is “tripped” — the email may carry no malware and may even arrive from a real, trusted mailbox — antivirus and most filters never raise an alarm. The exploit targets human trust and business process, which is why it is so hard to stop and so costly when it works.
The five faces of BEC
BEC is an umbrella term for several closely related schemes. The names vary, but each one impersonates a trusted party to redirect a payment.
- CEO fraud (executive impersonation). An email appearing to come from a chief executive or senior director instructs a finance employee to make an urgent, confidential wire transfer — often framed as a secret acquisition or a time-sensitive deal.
- Vendor or invoice fraud (also called VEC). The attacker impersonates a genuine supplier and sends “updated” bank details for an invoice that the victim was already expecting to pay. This is among the most successful variants because the transaction is real — only the destination account is fake.
- Payroll diversion. Posing as an employee, the attacker emails HR or payroll asking to change the direct-deposit account for an upcoming salary run.
- Attorney or legal impersonation. The fraudster claims to be a lawyer handling a confidential, urgent matter — leveraging authority and secrecy to pressure a quick payment.
- Real-estate wire fraud. During a property purchase, the attacker impersonates the conveyancer, title company or solicitor and sends fraudulent closing-payment instructions to the buyer. The sums are large, the timing is fixed, and the buyer is often a one-time, emotionally invested target.
How an attack unfolds
A successful BEC is rarely a single email. It is a staged operation, and understanding the sequence is the key to interrupting it.
- Reconnaissance. Attackers study the target using public sources — LinkedIn, company websites, press releases and leaked credential databases — to learn who approves payments, who the suppliers are, when invoices fall due and when executives are travelling and harder to reach.
- Access or impersonation. The attacker either compromises a real mailbox (via a phishing page that harvests the password, then bypasses or fatigues multi-factor authentication) or registers a lookalike domain — swapping rn for m, or buying a near-identical address with a different top-level domain.
- Quiet observation and thread hijacking. With access to a real inbox, attackers set hidden mailbox rules and watch genuine conversations for weeks. They wait for a live payment discussion, then reply within the existing thread — inheriting all its trust and history — to insert new bank details.
- The urgent ask. The request lands: pay this invoice, change these account details, wire these funds — wrapped in urgency, authority and confidentiality, the three levers that short-circuit careful checking.
- The cash-out. Once sent, funds are moved through money-mule accounts and across borders, increasingly into cryptocurrency, to defeat recovery. Speed is everything — for both the criminal and the victim.
By the numbers
The FBI IC3 has tracked BEC as one of the costliest crime types it records for nearly a decade. Its 2025 Internet Crime Report, published in 2026, set the scale in stark terms.
- Total cybercrime losses reported to IC3 reached a record $20.9 billion in 2025, from more than 1 million complaints — the first time annual complaints crossed that threshold.
- BEC alone accounted for $3,046,598,558 in reported losses across 24,768 complaints — making it the second-costliest category by dollar loss, behind investment fraud.
- That is roughly $123,000 lost per reported BEC complaint, a far higher per-victim figure than most cybercrimes.
- About 86% of BEC losses were moved by wire transfer or ACH — the rails of legitimate business banking.
The contrast with ransomware surprises most people. Ransomware dominates headlines, yet the direct losses victims reported to IC3 are a small fraction of BEC’s. BEC is quieter, less technical and far more lucrative — and because so many incidents go unreported, even these figures are an undercount.
In the wild
Two cases show the range, from the world’s largest companies to a single subsidiary.
Facebook and Google — about $121 million. Between 2013 and 2015, Lithuanian national Evaldas Rimasauskas impersonated Quanta Computer, a genuine Taiwanese hardware supplier used by both companies, sending fake invoices and forged contracts. The two giants paid roughly $99 million (Facebook) and $23 million (Google) into accounts he controlled. He was extradited to the US, pleaded guilty, and in 2019 was sentenced to five years in prison and ordered to forfeit nearly $50 million.
Toyota Boshoku — about $37 million. In 2019, a European subsidiary of the Toyota Group parts supplier acted on fraudulent payment instructions received by email and transferred roughly 4 billion yen (about $37 million) before realising the directions were fake — a textbook vendor/CEO-style BEC with no malware, just a trusted-looking instruction to move money.
Who gets hit
BEC is engineered to find whoever can move money with the fewest checks:
- Finance and accounts-payable teams — the people who pay invoices and process wires, the direct route to the cash.
- Small and mid-sized enterprises (SMEs) — large enough to move significant sums, often without the layered approvals of a multinational.
- Law firms and conveyancers — they hold client funds and broker large, time-critical transactions, making them both targets and impersonation vehicles.
- Property buyers — individuals making the largest payment of their lives, on a deadline, to a party they have never met.
- HR and payroll staff — the entry point for direct-deposit diversion.
Red flags
Almost every BEC carries some combination of these warning signs. Any one of them should trigger an out-of-band check.
- Urgency and secrecy. Pressure to act immediately, often with a request to keep it confidential or bypass normal procedure.
- A change of bank details. Any request to update payment or payroll account information — the single most important trigger for verification.
- A subtle mismatch in the sender address. A lookalike domain, a reply-to that differs from the display name, or an external-sender warning on a supposedly internal email.
- A request that breaks the usual process. A wire when the vendor always invoices on terms; an approval by someone who normally would not.
- “Do not call me — I’m in meetings.” Pre-emptive excuses for why you cannot verify by phone are a hallmark of impersonation.
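The sender-side flags in this list can be checked mechanically before a payment request ever reaches a person. The script below is an added example, not part of this article or of any vendor product: every domain, name and message in it is constructed for illustration, and the internal-domain, vendor and executive lists are assumptions standing in for an organisation's own directory and vendor master file.

```python
"""Triage an incoming payment-related email for the sender-side red flags
the article lists: a lookalike domain, a Reply-To that differs from From,
an executive's display name on an external address, and urgency or secrecy
language. Added example; all domains, names and messages are constructed."""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"example-corp.com"}        # constructed: your own domain(s)
KNOWN_VENDOR_DOMAINS = {"acme-supplies.com"}   # constructed: from the vendor master file
EXECUTIVES = {"jane doe"}                      # constructed: senior staff directory
PRESSURE_PHRASES = ("urgent", "confidential", "do not call", "in meetings",
                    "new bank", "updated bank", "new account", "changed our bank")
# Glyph swaps typical of lookalike registrations (rn for m, vv for w, ...)
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d"))


def normalise(domain):
    """Collapse confusable glyph pairs so a lookalike compares equal to the real domain."""
    d = domain.lower()
    for src, dst in CONFUSABLES:
        d = d.replace(src, dst)
    return d


def is_lookalike(domain, known):
    """True when domain is not a known domain but collapses to one after
    confusable substitution, or reuses its first label under another TLD."""
    if domain in known:
        return False
    for k in known:
        if normalise(domain) == normalise(k) or domain.split(".")[0] == k.split(".")[0]:
            return True
    return False


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def red_flags(raw_message):
    """Return a list of (code, detail) pairs; an empty list means no sender-side flag."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []
    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    _, reply_addr = parseaddr(str(msg.get("Reply-To", "")))
    effective_addr = reply_addr or from_addr   # where a reply would actually go
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append(("reply-to-mismatch", f"replies go to {reply_addr}, not {from_addr}"))
    for dom in {domain_of(from_addr), domain_of(effective_addr)}:
        if dom and is_lookalike(dom, INTERNAL_DOMAINS | KNOWN_VENDOR_DOMAINS):
            flags.append(("lookalike-domain", dom))
    if from_name.strip().lower() in EXECUTIVES and domain_of(effective_addr) not in INTERNAL_DOMAINS:
        flags.append(("display-name-impersonation", f"{from_name} via {effective_addr}"))
    body_part = msg.get_body(preferencelist=("plain",))
    text = (str(msg.get("Subject", "")) + "\n" + (body_part.get_content() if body_part else "")).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        flags.append(("pressure-language", ", ".join(hits)))
    return flags


# Constructed sample messages (headers and bodies invented for this example).
LOOKALIKE_VENDOR_EMAIL = """\
From: Acme Accounts <billing@acrne-supplies.com>
To: ap@example-corp.com
Subject: RE: Invoice 4471 - updated bank details
Content-Type: text/plain; charset=utf-8

Our bank has changed. Please remit invoice 4471 to the account below.
"""
CEO_FRAUD_EMAIL = """\
From: Jane Doe <jane.doe@example-corp.com>
Reply-To: jane.doe.ceo@outlook-mail.example
To: cfo@example-corp.com
Subject: Urgent and confidential
Content-Type: text/plain; charset=utf-8

I'm in meetings all day, do not call. I need a wire sent today for a deal we are closing.
"""
LEGITIMATE_VENDOR_EMAIL = """\
From: Acme Accounts <billing@acme-supplies.com>
To: ap@example-corp.com
Subject: Invoice 4470
Content-Type: text/plain; charset=utf-8

Please find attached invoice 4470 for August, payable on our usual 30-day terms.
"""

if __name__ == "__main__":
    for label, raw in [("lookalike vendor", LOOKALIKE_VENDOR_EMAIL),
                       ("ceo fraud", CEO_FRAUD_EMAIL),
                       ("legitimate", LEGITIMATE_VENDOR_EMAIL)]:
        print(label, "->", red_flags(raw) or "no sender-side red flags")
```

Any flagged message should be routed to an out-of-band callback rather than blocked outright: the legitimate vendor email above produces no flags, while the lookalike and executive-impersonation samples each produce two or three, which is the signal a finance team needs before touching bank details.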
Defenses that work
BEC defeats technology because it targets process. The strongest controls are therefore procedural, reinforced by email authentication.
- Callback verification, out of band. For any new or changed bank details — no exceptions — confirm by phoning a number you already hold on file, never one supplied in the email. This single habit stops most vendor and CEO fraud.
- Dual approval for payments. Require two authorised people to sign off wires and account-detail changes above a set threshold, so no single inbox is a single point of failure.
- Payment controls. Fixed approval limits, vendor master-data change procedures and a brief cooling-off period for first-time or altered payees.
- Email authentication: SPF, DKIM and DMARC. SPF lists who may send for your domain, DKIM signs your mail, and DMARC ties them together. Crucially, DMARC must be set to an enforcement policy (p=reject or p=quarantine) to actually block spoofing — a permissive p=none only monitors. This stops attackers spoofing your exact domain, though not lookalike domains.
- Multi-factor authentication (MFA) on all email accounts, ideally phishing-resistant, to make mailbox takeover far harder.
- Train the people who pay. Drill finance, HR and executives on these specific scenarios, not just generic phishing, so verifying a payment is never seen as an insult. See our guide to phishing for the credential-theft step that often precedes BEC.
If you have already paid
Speed is the single biggest factor in getting money back. Fraudulent funds are moved and dispersed within hours, so the window to freeze them is short — act the moment you suspect a problem, not after an internal investigation.
- Call your bank immediately and ask for a recall or reversal of the wire, explaining it is fraud. Ask them to contact the receiving bank to freeze the funds.
- Report to law enforcement at once. In the US, file with the FBI at ic3.gov immediately. The IC3 Recovery Asset Team (RAT) runs the Financial Fraud Kill Chain, working with banks to freeze fraudulent domestic wires. In 2025 it initiated 3,900 such actions and froze $679 million (a 58% success rate) — but it depends on you reporting fast, ideally within the first 24 to 72 hours while funds may still be domestic.
- Preserve everything: the original emails with full headers, payment confirmations and phone records. Do not delete the fraudulent thread.
- Tell your IT/security team to check for a compromised mailbox, malicious inbox rules and any wider access.
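The mailbox check in the last step is where the hidden inbox rules described under "How an attack unfolds" are found. The script below is an added example, not from this article or any mail platform: the rule records are constructed, and their field names are an assumption loosely modelled on what an Exchange Online Get-InboxRule export contains, so an IT team would map its own export format onto them.

```python
"""Triage a mailbox's inbox rules for the traces a BEC actor leaves after
taking over an account: silent forwarding to outside addresses, and rules
that hide, mark as read or delete payment-related mail so the real owner
never sees the thread being hijacked. Added example; the rule records are
constructed and the field names are an assumption (loosely modelled on an
Exchange Online Get-InboxRule export)."""

INTERNAL_DOMAINS = {"example-corp.com"}   # constructed
PAYMENT_WORDS = {"invoice", "payment", "wire", "bank", "remittance", "transfer"}
# Folders users rarely open, a favourite place to park diverted mail
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive", "notes"}

# Constructed rule export: two benign rules, two that look like persistence.
SAMPLE_RULES = [
    {"name": "Weekly digest", "subject_contains": ["newsletter"],
     "move_to_folder": "Newsletters", "forward_to": [], "delete": False,
     "mark_as_read": False},
    {"name": ".", "subject_contains": ["invoice", "payment"],
     "move_to_folder": "RSS Feeds", "forward_to": [], "delete": False,
     "mark_as_read": True},
    {"name": "backup", "subject_contains": [], "move_to_folder": None,
     "forward_to": ["ap.archive@external-mail.example"], "delete": True,
     "mark_as_read": False},
    {"name": "Copy to my phone", "subject_contains": [], "move_to_folder": None,
     "forward_to": ["me@example-corp.com"], "delete": False,
     "mark_as_read": False},
]


def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage_rule(rule):
    """Return the reasons a rule looks like attacker persistence; [] if it looks benign."""
    reasons = []
    external = [a for a in rule["forward_to"] if domain_of(a) not in INTERNAL_DOMAINS]
    if external:
        reasons.append("forwards mail outside the organisation: " + ", ".join(external))
    if external and rule["delete"]:
        reasons.append("deletes the original after forwarding, so the owner never sees it")
    payment_terms = {w.lower() for w in rule["subject_contains"]} & PAYMENT_WORDS
    folder = (rule["move_to_folder"] or "").lower()
    hidden = rule["delete"] or rule["mark_as_read"] or folder in HIDING_FOLDERS
    if payment_terms and hidden:
        reasons.append("hides payment-related mail (" + ", ".join(sorted(payment_terms)) + ")")
    if len(rule["name"].strip()) <= 1:
        reasons.append("near-empty rule name, chosen to go unnoticed in the rule list")
    return reasons


def triage(rules):
    """Map rule name -> reasons, for every rule with at least one reason."""
    findings = {}
    for rule in rules:
        reasons = triage_rule(rule)
        if reasons:
            findings[rule["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_RULES).items():
        print(f"rule {name!r}:")
        for r in reasons:
            print("   -", r)
```

Run against the constructed export, only the "." rule (hides invoice and payment mail in RSS Feeds) and the "backup" rule (forwards externally and deletes) are reported; the digest rule and the internal copy-to-phone rule pass. Findings like these should be preserved as evidence alongside the fraudulent thread, not simply deleted.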
For step-by-step help recovering from a scam, see our cybercrime help hub.
How to report
Report regardless of whether you lost money — attempts and near-misses help authorities track and disrupt the networks.
- United States: FBI Internet Crime Complaint Center at ic3.gov. Report as fast as possible to give the Recovery Asset Team a chance to freeze funds.
- India: Call the cyber-crime helpline 1930 or file at cybercrime.gov.in. The 1930 helpline is designed for rapid reporting of financial fraud so transfers can be flagged quickly.
- United Kingdom: Action Fraud at actionfraud.police.uk or 0300 123 2040 (England, Wales and Northern Ireland). In Scotland, report to Police Scotland on 101.
Whichever country you are in, contacting your bank and the police should happen in parallel, not in sequence — every hour counts.
Frequently asked questions
Is BEC the same as phishing?
No, though they overlap. Phishing usually aims to steal credentials or plant malware via a malicious link or attachment. BEC aims to make you authorise a payment, often using a real or near-real email address and carrying nothing technical to detect. Phishing is frequently the first step an attacker uses to take over the mailbox they later exploit for BEC.
Why does BEC cause more reported losses than ransomware?
BEC targets money directly and at scale, with a high average loss per incident (around $123,000) and very low cost to the attacker. Ransomware grabs headlines and disrupts operations, but the direct financial losses victims report to the FBI are a fraction of BEC’s. In 2025, reported BEC losses exceeded $3 billion.
Can I get my money back after a BEC?
Sometimes — but only if you act within hours. Banks can attempt to recall or freeze a wire, and in the US the IC3 Recovery Asset Team froze $679 million in 2025 with a 58% success rate. Recovery odds fall sharply once funds are moved abroad or into cryptocurrency, which is why immediate reporting is critical.
Does DMARC stop business email compromise?
It stops one important variant: attackers spoofing your exact domain. With DMARC at an enforcement policy (p=reject), backed by SPF and DKIM, spoofed mail from your domain is rejected. But DMARC cannot stop lookalike domains or emails sent from a genuinely compromised account, so it must be paired with payment-verification controls.
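The enforcement distinction made here and in the "Defenses that work" list (p=reject or p=quarantine blocks, p=none only monitors) is easy to check mechanically. The script below is an added example, not from this article or the FBI: the DMARC and SPF TXT records are constructed, and in practice they would come from a DNS lookup of _dmarc.<domain> and of the domain itself, which this offline example does not perform.

```python
"""Assess whether a domain's published DMARC and SPF records would actually
block exact-domain spoofing. Added example; the TXT records below are
constructed, and a real check would fetch them from DNS first."""

# Constructed DMARC TXT records keyed by domain; None means nothing published.
SAMPLE_DMARC = {
    "monitor-only.example": "v=DMARC1; p=none; rua=mailto:dmarc@monitor-only.example",
    "quarantine.example": "v=DMARC1; p=quarantine; rua=mailto:dmarc@quarantine.example",
    "reject.example": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@reject.example",
    "partial.example": "v=DMARC1; p=reject; pct=20",
    "subdomain-gap.example": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@subdomain-gap.example",
    "missing.example": None,
}
# Constructed SPF records showing the three usual 'all' qualifiers.
SAMPLE_SPF = {
    "open.example": "v=spf1 include:_spf.mailer.example +all",
    "soft.example": "v=spf1 include:_spf.mailer.example ~all",
    "strict.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailer.example -all",
}


def parse_tags(record):
    """Split DMARC 'k=v; k=v' syntax into a lowercase-keyed dict."""
    tags = {}
    for part in (record or "").split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(record):
    """Return (verdict, findings); verdict is 'missing', 'monitor', 'partial' or 'enforced'."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "missing", ["no DMARC record: receivers apply no policy to mail spoofing this domain"]
    findings = []
    policy = tags.get("p", "none").lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        verdict = "monitor"
        findings.append("p=none only reports; spoofed mail is still delivered")
    elif pct < 100:
        verdict = "partial"
        findings.append(f"pct={pct}: only {pct}% of failing mail gets p={policy}")
    else:
        verdict = "enforced"
    # sp= defaults to p=; an explicit sp=none leaves every subdomain spoofable
    if verdict != "monitor" and tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports to show who is spoofing you")
    return verdict, findings


def assess_spf(record):
    """Return a finding for a weak SPF 'all' qualifier, or None if acceptable."""
    mechanisms = (record or "").split()
    if not mechanisms or mechanisms[0].lower() != "v=spf1":
        return "no SPF record"
    last = mechanisms[-1].lower()
    if last in ("+all", "all"):
        return "+all authorises every host on the internet to send as this domain"
    if last == "?all":
        return "?all is neutral; unknown senders are treated as neither pass nor fail"
    return None  # -all (fail) or ~all (softfail) both let DMARC act on SPF failures


if __name__ == "__main__":
    for domain, rec in SAMPLE_DMARC.items():
        verdict, findings = assess_dmarc(rec)
        print(f"{domain}: DMARC {verdict}", *findings, sep="\n   ")
    for domain, rec in SAMPLE_SPF.items():
        print(f"{domain}: SPF {assess_spf(rec) or 'ok'}")
```

Only reject.example comes back "enforced" with no findings; quarantine.example is also enforced, partial.example shows how a low pct= value dilutes a p=reject, and subdomain-gap.example shows an explicit sp=none undoing protection for subdomains. None of this changes the FAQ's caveat: an enforced policy says nothing about lookalike domains or mail sent from a genuinely compromised account.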
What is the single most effective defence?
Out-of-band callback verification of any new or changed bank details, using a phone number you already hold — never one provided in the email. It directly defeats the core of vendor, CEO and real-estate fraud. Small and mid-sized businesses need it most: they move meaningful sums without the layered approvals of large corporations, and a single fraudulent wire can be existential.
Sources
- FBI Internet Crime Complaint Center, 2025 Internet Crime Report (published 2026).
- FBI, FBI Releases Annual Internet Crime Report.
- U.S. Department of Justice, Lithuanian Man Sentenced to 5 Years in Prison for Theft of Over $120 Million in Fraudulent Business Email Compromise Scheme.
- BleepingComputer, Over $37 Million Lost by Toyota Boshoku Subsidiary in BEC Scam.
- FBI, Federal Fact Friday: Recovery Asset Team.
- Government of India, National Cyber Crime Reporting Portal (cybercrime.gov.in) and helpline 1930.
- Action Fraud (UK), National reporting centre for fraud and cybercrime.