Payments fraud is a major threat facing nearly every industry. From large corporations to small businesses, fraudsters target anyone and everyone to amass funds. Among the different types of online fraud globally, business email compromise (BEC) is one of the largest, most effective, and most financially damaging.
To stay vigilant and prevent financial loss, employees and business owners need to understand these attacks and the steps they can take to combat them.
BEC facts
- In 2025, US businesses lost over $3 billion to BEC fraud
- AI-enabled BEC attacks are on the rise: in 2025, US businesses reported losses over $30 million to BEC scams involving AI
- In Germany and across Benelux, BEC accounts for over 70% of cyber incidents
- In Australia, BEC fraud is growing by 7% year-on-year
- According to the Association for Financial Professionals, BEC affected 74% of surveyed organizations in 2025
What is business email compromise and how does it work?
Business email compromise is a type of payments fraud in which an employee receives an email from someone impersonating a known client, vendor, or associate, who tries to convince the victim to transfer money.
Typically, the scenario unfolds in three simple steps:
- The fraudster sends an email to an employee (usually involved in accounting or billing) asking about an invoice or payment.
- With a sense of urgency, they’ll ask to change the bank account details, such as the beneficiary name, bank, or location, and they may give a reason for the change.
- The employee will adjust the banking details and complete the payment.
Many organizations and individuals believe they are immune to such schemes and that attempted fraud must be blatantly obvious. In reality, the simplicity of the scheme and its social engineering nature mean that many do comply with these requests. Fraudsters convincingly impersonate a client, partner, vendor, or boss, and their email address and content may closely mirror a real communication.
What are the most common types of BEC attacks targeting businesses?
The most common types of BEC attacks targeting businesses include:
Vendor email compromise
Vendor email compromise (VEC) now accounts for the majority (61%) of all BEC incidents. Attackers impersonate a trusted vendor or supplier, often by compromising real vendor accounts, and abuse the trust in that relationship. These attacks are even more financially damaging and harder to detect when ongoing, routine payments are rerouted to fraudsters through requests to change existing billing accounts.
Invoice manipulation
Similar to VEC, invoice manipulation is when attackers compromise existing trusted vendor relationships to send fake invoices. They manipulate the payment instructions, such as routing numbers, to redirect a routine payment to a new, fraudulent bank account.
CEO, or executive, fraud
This type of BEC attack leverages authority bias: employees are likely to comply with a request to send an urgent payment when it appears to come from the company’s CEO, CFO, or another executive.
While many BEC attacks compromise email accounts, attackers can also impersonate executives or vendors over the phone or virtual meetings by using deepfakes.
What are the warning signs that an email requesting a payment change is fraudulent?
There are several business email compromise red flags, including these:
- Requesting a change to the country of receipt: If a correspondent has always received payment in a particular location, be wary if they suddenly want to shift to another part of the world — especially if they have no business there.
- Asking to change the beneficiary name: How often does your company change the name on its account? The answer is not very often, if ever.
- Providing a plausible but urgent reason: The fraudster is likely trying to justify their haste by providing details of the change and asking to bypass regular procedures. In reality, companies usually keep such routine business decisions to themselves.
- Originating from a new or misspelled email address: The domain or alias might closely resemble the real address, so even a single extra character such as a dash should be noted. In some cases, the sender address might even be identical to the genuine one.
- Containing mistakes and awkward spelling: If the grammar, spelling, tone, or sentence structure is off, this is a clear sign that something is amiss.
- Including suspicious attachments and unusual message size: If the invoices suddenly look different, or the attachments change format or vastly change in file size (200 KB instead of the usual 1 MB), take an extra look.
- Manufacturing a sense of urgency: If the sender seems in a hurry to gather funds and sends multiple follow-up emails, especially outside of business hours, this is a strong sign that the sender is a fraudster.
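The red flags above can be turned into a triage rule that a payments team runs before acting on any change request. This is an added example, not code from the original post; the PaymentChangeRequest fields, the thresholds, and the sample vendor domains are assumptions chosen for illustration.

```python
from dataclasses import dataclass

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a lookalike domain (extra dash, swapped letter) scores 1 or 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

@dataclass
class PaymentChangeRequest:      # assumed fields a payments team records for each request
    sender_domain: str
    known_domain: str            # vendor domain already on file
    new_country: str
    usual_country: str
    new_beneficiary: str
    usual_beneficiary: str
    body: str
    attachment_bytes: int
    usual_attachment_bytes: int  # size of this vendor's previous invoices
    sent_outside_hours: bool

def triage(req: PaymentChangeRequest) -> list[str]:
    """Return the red flags from the list above that this request triggers."""
    flags = []
    s, k = req.sender_domain.lower(), req.known_domain.lower()
    if s != k and edit_distance(s, k) <= 2:
        flags.append("lookalike sender domain")
    for label, new, usual in (("country of receipt", req.new_country, req.usual_country),
                              ("beneficiary name", req.new_beneficiary, req.usual_beneficiary)):
        if new.strip().lower() != usual.strip().lower():
            flags.append(f"{label} changed")
    if any(t in req.body.lower() for t in ("urgent", "immediately", "asap", "today")):
        flags.append("urgency language")
    if req.usual_attachment_bytes and not 0.5 <= req.attachment_bytes / req.usual_attachment_bytes <= 2:
        flags.append("unusual attachment size")
    if req.sent_outside_hours:
        flags.append("sent outside business hours")
    return flags

def should_hold(flags: list[str]) -> bool:  # hold for a phone call to a number already on file
    return any(f.endswith("changed") for f in flags) or len(flags) >= 2

# Constructed sample: "1" replaces "l" in the vendor's domain and the account moves to a new country.
SAMPLE = PaymentChangeRequest("acme-supp1ies.com", "acme-supplies.com", "Hong Kong", "Germany",
                              "ACME Supplies Ltd", "ACME Supplies GmbH",
                              "Please update our bank details immediately.", 200 * 1024, 1024 * 1024, True)
```

Running `triage(SAMPLE)` raises all six flags, and `should_hold` returns True; the phone number used for the callback must come from existing records, never from the suspicious email.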
How can businesses protect themselves from vendor email compromise?
The best way to combat payments fraud, such as VEC and BEC, is to be vigilant, enforce mandatory verification for all payment changes, and enact a multi-factor authentication process.
Any financial change requested through email should be verified through another method. For example, you can call the client to confirm they sent the email, as well as double-check their email address. This simple step could save a significant amount of money, not to mention reputational damage to the company.
What is multi-factor authentication and how does it prevent BEC attacks?
Quite simply, multi-factor authentication (MFA) means that users must provide two or more forms of verification to access their accounts.
MFA acts as a barrier against BEC attacks, which typically start with an attacker stealing login credentials via phishing or social engineering. When the attacker attempts to log in with the stolen credentials, the system requires a second authentication factor, such as a time-sensitive code or biometric scan. Without the user’s mobile device or fingerprint, the attacker is blocked from the account and cannot impersonate the victim to request a wire transfer.
Unfortunately, against social engineering attacks and deepfakes, MFA on the email account alone is not effective. To maximize business defenses against BEC fraud, it’s worth going beyond a simple MFA process. The key here is to combine secure business practices with technical security processes.
Key steps to protect your business from BEC attacks
- Implement MFA
- Verify financial transactions and any requested changes
- Enforce stronger email authentication processes, such as SPF, DKIM, and DMARC protocols
- Educate and train employees
- Audit and monitor your operations and infrastructure for security
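As an added illustration of the email authentication step above (not Convera's own code), the following Python parses a domain's published DMARC and SPF TXT records and reports the weak settings that leave the domain spoofable; the weak and hardened records are constructed for a placeholder example.com domain.

```python
def parse_dmarc(txt: str) -> dict[str, str]:
    """Split a DMARC TXT record ("v=DMARC1; p=none; rua=...") into its tag=value pairs."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def dmarc_findings(txt: str) -> list[str]:
    """Weak settings in a DMARC record: p=none only monitors spoofed mail and never rejects it."""
    t = parse_dmarc(txt)
    if t.get("v", "").upper() != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = t.get("p", "none").lower()
    if policy == "none":
        findings.append("p=none: spoofed mail using your domain is reported but still delivered")
    if int(t.get("pct", "100")) < 100:
        findings.append(f"pct={t['pct']}: policy applied to only part of the failing mail")
    if "rua" not in t:
        findings.append("no rua: aggregate reports are not collected, so spoofing goes unnoticed")
    if t.get("sp", policy).lower() == "none":
        findings.append("subdomain policy is none: subdomains of your domain can still be spoofed")
    return findings

def spf_findings(txt: str) -> list[str]:
    """Weak 'all' qualifier in an SPF record: +all lets any server send as your domain."""
    if not txt.lower().startswith("v=spf1"):
        return ["not an SPF record"]
    mechanisms = txt.split()[1:]
    all_term = next((m for m in mechanisms if m.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        return ["no 'all' mechanism: unlisted senders get a neutral result"]
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"  # SPF default qualifier is "+"
    if qualifier == "+":
        return ["+all: any server on the internet may send as your domain"]
    if qualifier == "~":
        return ["~all (softfail): receivers may still deliver spoofed mail"]
    if qualifier == "?":
        return ["?all (neutral): unlisted senders are neither allowed nor rejected"]
    return []  # -all: unlisted senders fail SPF

# Constructed records for a placeholder domain: weak versus hardened
WEAK_DMARC = "v=DMARC1; p=none"
HARD_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s"
WEAK_SPF = "v=spf1 include:_spf.example.com +all"
HARD_SPF = "v=spf1 include:_spf.example.com -all"
```

`dmarc_findings(WEAK_DMARC)` returns three findings and `dmarc_findings(HARD_DMARC)` none; the real records come from DNS TXT queries on `_dmarc.<domain>` and `<domain>`, and DKIM signing on the outbound mail servers is still required for DMARC alignment to pass.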
Common BEC prevention misconceptions
Myth 1: Fraudsters only target CEOs
BEC attackers target employees at multiple levels. Anyone who manages payments and invoicing is a potential recipient of these emails or phone calls.
Myth 2: If you contact a vendor to confirm a suspected fraud email, they will be annoyed
Most vendors/associates/clients will appreciate that your company has multiple layers of security.
Myth 3: My security software authenticated an email, so it must be safe
AI and other modern techniques can help fraudsters pass multiple authentication protocols and hijack real accounts.
Myth 4: If you have lost money to a fraudster, it’s impossible to recover
Recovering money from a scheme is difficult but not impossible. Learn what to do if your business is a victim of fraud.
Fraud can be a costly and difficult problem for all businesses. If you suspect business email compromise or another type of fraud, contact your Convera representative immediately. Do not further email the fraudster or send additional funds. Verify any changes with your real vendors, suppliers, or associates via telephone. These incidents can be overwhelming, but are also preventable. Read more about fraud awareness and Convera.
