- BEC carries no malware or malicious links, so standard email security tools do not catch it
- The four main attack types are CEO fraud, invoice fraud, account compromise, and attorney impersonation
- Finance teams, accountancies, and executive assistants are the primary targets
- DMARC at p=reject stops exact-domain spoofing but does not stop lookalike domains
- A phone callback to a known number is the single most reliable process control
- If a transfer goes out, contact your bank within minutes, not hours
What BEC is and why it differs from phishing
Business email compromise is targeted financial fraud delivered through email. An attacker impersonates a trusted person, such as your CEO, a long-standing supplier, or your company's legal firm, and convinces someone inside your organisation to transfer funds or redirect a payment. The email looks legitimate, the language fits the relationship, and the request arrives at a plausible moment, often a Friday afternoon or mid-payment cycle.
Phishing and BEC share email as the delivery channel, but the mechanics are different. Phishing casts wide, sends millions of messages, and relies on scale. It carries a payload: a malicious link, an infected attachment, or a credential harvesting page. Antivirus, email gateways, and sandboxing catch a significant proportion of phishing because there is something to detect. BEC is the opposite. The attacker sends a small number of carefully researched messages with no technical payload at all. There is no malicious URL. There is no attachment. The email is clean text, and it passes every content filter.
The FBI's Internet Crime Complaint Center (IC3) recorded $2.9 billion in BEC losses in a single reporting year. UK Finance reported that authorised push payment fraud, the category that includes most BEC outcomes, cost UK businesses £239 million in the same period. These numbers reflect reported cases. The true total is higher because many organisations do not report or do not realise what happened.
The four main attack types
BEC incidents follow recognisable patterns. Understanding the format of each one shapes both your technical controls and the process changes your finance team needs to make.
CEO fraud
The attacker spoofs or compromises the CEO's email address and sends a message directly to a finance team member or accounts payable. The message requests an urgent wire transfer, often framed around a time-sensitive acquisition, a confidential deal, or a legal requirement. The urgency discourages the recipient from following normal approval procedures. The CEO is "travelling" or "unavailable to take calls." The request often instructs the recipient not to discuss the transfer with colleagues.
CEO fraud works because authority and urgency together suppress verification behaviour. An employee receiving a direct request from the company's most senior person, marked confidential and time-sensitive, faces social pressure that makes pausing feel obstructive. Attackers research the CEO's travel schedule, writing style, and typical language from LinkedIn posts, press releases, and out-of-office replies before sending a single message.
Invoice fraud
The attacker impersonates a supplier your organisation pays regularly. The message notifies your accounts team of a change in bank details and asks that all future payments go to the new account. The impersonation targets suppliers you pay large amounts to, identified by reviewing your publicly available company information, procurement announcements, or construction contract notices.
Invoice fraud is the most financially damaging BEC variant at scale because payments go out under routine circumstances, processed by staff doing their normal jobs. There is no urgency trigger and no unusual request. The only anomaly is the changed bank details, and that anomaly arrives with a plausible explanation: an accounting system migration, a new banking partner, or a company restructure.
Account compromise
In account compromise attacks, the attacker gains genuine access to a legitimate email account, most often through a credential phishing campaign or a data breach that exposed a password. From inside a real account, the attacker monitors email for weeks before acting, identifying payment relationships, approval workflows, and the language patterns of the account owner. When a real invoice or payment request arrives, the attacker intercepts it and reroutes it.
This variant is the hardest to detect because the email comes from the real account with the real display name and an authentic email thread. Standard sender verification fails. The only defence at the moment of attack is the out-of-band callback process, combined with upstream controls that prevent accounts from being compromised in the first place.
Attorney impersonation
The attacker poses as a solicitor, notary, or legal adviser handling a confidential transaction on your behalf. This variant targets business owners and executives directly, often around genuine high-value events such as a property purchase, a merger, or a legal settlement. The "lawyer" provides payment instructions for a deposit or settlement amount and stresses confidentiality to deter the target from discussing the transfer with others.
Attorney impersonation exploits the deference many people extend to legal professionals and the genuine confidentiality obligations that surround legal transactions. Targets often receive these messages when they are already in the middle of a stressful transaction and expecting payment instructions to arrive.
Every BEC attempt shares a handful of structural features: a request for financial action, time pressure, a reason to bypass normal process, and an instruction to keep the communication private. Any email that combines two or more of these elements deserves verification before action, regardless of how legitimate the sender appears.
Why financial services and accountancies are prime targets
BEC attacks follow the money. Financial services firms, accountancy practices, and wealth managers attract disproportionate attention for three reasons.
First, they process large transfers as a matter of routine. A payment of €250,000 that would trigger multiple approval steps at a manufacturing company is a normal daily transaction for an accountancy firm managing client funds. The threshold above which finance staff pause and verify is higher, and attackers know it.
Second, they hold money on behalf of third parties. A law firm holding client account funds or an asset manager executing investment instructions moves money at client request without the same organisational controls that apply to internal payments. An attacker who convinces a conveyancing solicitor that a client has changed their completion account can intercept an entire property purchase.
Third, they are rich in public information. Regulatory filings, Companies House records, LinkedIn profiles, and client announcements make it straightforward to identify who handles payments, who the senior partners are, and which client relationships are active. This reduces the reconnaissance time needed before an attack to hours rather than days.
Regulated firms also face a compliance dimension. A successful BEC attack that results in client fund loss triggers regulatory reporting obligations under FCA rules and DNB requirements in the Netherlands. The reputational and regulatory exposure compounds the direct financial loss.
BEC does not break into your system. It walks in through the front door by convincing someone to hold it open.
How attackers build credibility
A BEC email that reads like a generic fraud attempt fails. Attackers invest real time in building the context that makes requests feel routine.
Domain spoofing and lookalike domains
The simplest technique is display name spoofing: the attacker sets the display name to "Sarah Mitchell, CFO" while the actual sending address is a throwaway Gmail account. Most email clients show the display name prominently; the actual address requires a deliberate click to inspect. Without DMARC enforcement on your domain, exact-domain spoofing is also possible: the attacker puts an address at your own domain in the From header, and the email arrives appearing to come from your organisation.
Lookalike domains require more investment but bypass DMARC entirely. The attacker registers yourcompany-accounts.nl, yourcompany-invoices.nl, or yourcornpany.nl (with a substituted character). These domains pass email authentication checks because they have legitimate DNS records. The receiving mail server has no basis to reject them on technical grounds.
Email header manipulation
Reply-To manipulation lets the attacker show a convincing From address while routing replies to an address they control. The email appears to arrive from the impersonated person's address, but when the recipient clicks Reply, the message goes to an address the attacker controls. Recipients rarely inspect the Reply-To header before responding. Over several exchanges, the conversation moves entirely to the attacker-controlled address.
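The three header-level signs described in this section (an executive's display name on an outside address, a lookalike sending domain, and a Reply-To that differs from the From domain) can be checked mechanically. This is an added example, not code from the original article; the trusted domain, executive name and sample message are constructed.

```python
import email
from email.utils import parseaddr

# Constructed sample (not from the original article): a real executive's display name,
# a lookalike sending domain, and a Reply-To that routes replies somewhere else.
RAW_MESSAGE = b"""\
From: "Sarah Mitchell, CFO" <sarah.mitchell@yourcornpany.nl>
Reply-To: accounts-desk@mail-relay-example.net
Subject: Urgent: updated bank details for Friday payment run

Please process the attached instruction today. I am travelling and cannot take calls.
"""

TRUSTED_DOMAINS = {"yourcompany.nl"}    # assumption: the organisation's own domains
KNOWN_EXECUTIVES = {"sarah mitchell"}   # assumption: names attackers would impersonate

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'yourcornpany' is 2 edits from 'yourcompany' (rn -> m)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str) -> bool:
    """True if the domain is not ours but embeds or sits within 2 edits of one of our labels."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return False
    label = domain.split(".")[0]
    for trusted in TRUSTED_DOMAINS:
        t_label = trusted.split(".")[0]
        if t_label in label or edit_distance(label, t_label) <= 2:
            return True
    return False

def bec_indicators(raw: bytes) -> list[str]:
    """Return header-level warning signs for one message; an empty list means none found."""
    msg = email.message_from_bytes(raw)
    display, addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reply_domain = reply_addr.rpartition("@")[2].lower()
    findings = []
    if from_domain and from_domain not in TRUSTED_DOMAINS:
        if is_lookalike(from_domain):
            findings.append(f"lookalike domain: {from_domain}")
        if any(name in display.lower() for name in KNOWN_EXECUTIVES):
            findings.append(f"display name impersonation: {display!r} sent from {from_domain}")
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to mismatch: replies go to {reply_domain}")
    return findings
```

Run against the sample, the function reports all three indicators; a routine message from your own domain with no Reply-To returns an empty list.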
OSINT and LinkedIn research
Open-source intelligence gathering takes attackers 30 to 60 minutes per target. LinkedIn shows the names and roles of finance staff, who reports to whom, and recent promotions. Job postings reveal the software your accounts payable team uses. Press releases name your key suppliers. A CEO's recent conference talk gives the attacker their vocabulary and communication style. Out-of-office replies confirm travel dates and provide the name of the colleague who handles things in their absence, who then becomes the next target.
Technical controls that reduce exposure
Technical controls do not stop BEC on their own, but several eliminate entire attack vectors and reduce the attacker's options significantly.
DMARC, DKIM, and SPF
SPF (Sender Policy Framework) lists the mail servers authorised to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outbound messages that receiving servers can verify. DMARC (Domain-based Message Authentication, Reporting and Conformance) ties these together and tells receiving mail servers what to do when a message fails: nothing (p=none), quarantine it (p=quarantine), or reject it outright (p=reject).
Publish SPF and DKIM records for every domain your organisation uses, including domains that send no email. An unused domain with no SPF record is a free spoofing resource for attackers. Set DMARC to p=reject on all domains. At p=none or p=quarantine, DMARC provides reporting but not protection. Only p=reject stops exact-domain spoofing from reaching inboxes.
Check your current DMARC status with a tool such as dmarcian's DMARC inspector. Many organisations that believe DMARC is in place discover it is set to p=none, reporting only, with no enforcement.
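The check can also be scripted against the TXT record itself. The following is an added example, not code from the article or from any DMARC vendor: it parses a DMARC record, flags p=none and p=quarantine, a subdomain policy that is not reject, a pct below 100 and a missing rua address, and checks that a no-mail domain's SPF record ends in -all. The records are constructed.

```python
# Added example (not from the original article): audit DMARC and SPF TXT records
# for the enforcement gaps described above. Records below are constructed.
DMARC_DEFAULTS = {"pct": "100", "adkim": "r", "aspf": "r"}   # RFC 7489 defaults

def parse_dmarc(record: str) -> dict[str, str]:
    """Parse 'v=DMARC1; p=none; rua=...' into a tag dict, filling in defaults."""
    tags = dict(DMARC_DEFAULTS)
    for part in record.split(";"):
        key, sep, value = part.strip().partition("=")
        if not sep:
            continue
        key = key.strip().lower()
        # report addresses are case-preserved; policy tags are case-insensitive
        tags[key] = value.strip() if key in ("rua", "ruf") else value.strip().lower()
    if tags.get("v") != "dmarc1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    tags.setdefault("sp", tags["p"])   # subdomain policy inherits p= when absent
    return tags

def audit_dmarc(record: str) -> list[str]:
    """List why this record does not fully enforce; an empty list means reject everywhere."""
    tags = parse_dmarc(record)
    gaps = []
    if tags["p"] != "reject":
        gaps.append(f"p={tags['p']}: reports but does not block exact-domain spoofing")
    if tags["sp"] != "reject":
        gaps.append(f"sp={tags['sp']}: subdomains remain spoofable")
    if tags["pct"] != "100":
        gaps.append(f"pct={tags['pct']}: policy applied to only that share of failing mail")
    if "rua" not in tags:
        gaps.append("no rua=: no aggregate reports showing who sends as your domain")
    return gaps

def spf_is_hard_fail(record: str) -> bool:
    """A domain that sends no mail should publish 'v=spf1 -all'; ~all or no record is a gap."""
    terms = record.lower().split()
    return len(terms) >= 2 and terms[0] == "v=spf1" and terms[-1] == "-all"

# Constructed records, e.g. what 'dig TXT _dmarc.yourcompany.nl' might return
RECORDS = {
    "report-only": "v=DMARC1; p=none; rua=mailto:dmarc@yourcompany.nl",
    "partial": "v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@yourcompany.nl",
    "enforced": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@yourcompany.nl",
}

if __name__ == "__main__":
    for name, rec in RECORDS.items():
        print(name, "->", audit_dmarc(rec) or ["fully enforced"])
```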
MFA on all email accounts
Multi-factor authentication on Microsoft 365, Google Workspace, or any email platform closes the account compromise vector. An attacker who obtains a password through a phishing campaign or a credential dump cannot access the account without the second factor. Enforce MFA for every user with access to business email, including shared mailboxes and service accounts. Conditional access policies in Microsoft Entra ID can enforce MFA based on sign-in risk level, blocking access from unfamiliar locations or devices without requiring the full MFA challenge for every login from a known device.
Email banner warnings for external senders
Configure your email platform to prepend a visible banner to all messages arriving from outside your organisation. A banner reading "This email originated outside your organisation" gives the recipient a visual cue to inspect the sender address before acting. This single configuration change, available in Microsoft 365 and Google Workspace at no additional cost, removes the ambiguity that makes display name spoofing effective. The recipient sees the external origin indicator and knows to check whether the address matches the name.
Monitoring for lookalike domain registrations
Services such as DomainTools, Brandwatch, or DMARC reporting platforms surface newly registered domains that closely resemble yours. A daily alert for domains containing your company name gives you visibility before an attack campaign launches. Some organisations use this information to pre-emptively register common typosquat variants of their own domain, removing the resource from attacker use entirely.
Process controls
Technical controls reduce attack surface. Process controls catch the attacks that get through anyway. For BEC, the process layer matters more than almost any other threat category.
Verification callbacks for payment changes
Every request to change payment details for a supplier, client, or employee must trigger a mandatory callback before the change takes effect. The callback goes to a telephone number already on file, retrieved from your existing records, not from the email that requested the change or from the updated contact details the requestor provided. This single procedure stops invoice fraud and most account compromise attacks. It does not require technology. It requires a written policy, training, and a culture in which staff feel able to make the call without being seen as obstructive.
Dual-authorisation for high-value transfers
Set a threshold above which any payment requires approval from two separate authorised individuals, with both approvals logged. The threshold should reflect your typical payment profile: for most SMEs, anything above €5,000 warrants a second set of eyes. The two approvers should receive independent confirmation of the payment request, ideally through a channel separate from the email thread that originated the request. CEO fraud works precisely because it typically bypasses the second approver by framing the request as confidential. A written policy stating that no executive directive overrides dual-authorisation removes that attack surface.
Payment instruction confirmation windows
Build a 24-hour confirmation window into your accounts payable process for first-time payments to new payees and for any payment above a defined threshold. An automatic hold, rather than immediate processing, gives time for the callback procedure to complete before funds move. Many business banking platforms support payment rules that flag new payees or high-value transactions for manual review. Configure these rules and test them periodically.
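The three controls above (callback to the number on file, dual authorisation above a threshold, and a 24-hour hold) can be encoded as a single release gate so that a payment tool refuses to release funds until each applicable control is satisfied. This is an added example, not the article's or any banking platform's code; the threshold and window follow the text, and the supplier record, IBANs and phone numbers are constructed placeholders.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Added example (not the article's or any vendor's code): the three process controls
# encoded as a release gate. Thresholds follow the text; payee data is constructed.
DUAL_AUTH_THRESHOLD = 5_000   # EUR; "anything above 5,000 warrants a second set of eyes"
HOLD_HOURS = 24               # confirmation window for new payees and high-value payments

@dataclass
class PayeeRecord:
    """Bank details and phone number already on file, kept apart from any email request."""
    iban: str
    phone_on_file: str

@dataclass
class PaymentRequest:
    payee: str
    iban: str                          # account named in the request
    amount: float
    received_at: datetime
    callback_number_used: str = ""     # number the verifier actually dialled, if any
    approvers: set = field(default_factory=set)

def required_controls(req: PaymentRequest, records: dict) -> set:
    """Work out which controls apply: callback on changed details, hold, dual authorisation."""
    record = records.get(req.payee)
    controls = set()
    if record is None or record.iban != req.iban:
        controls.add("callback")
    if record is None or req.amount > DUAL_AUTH_THRESHOLD:
        controls.add("hold")
    if req.amount > DUAL_AUTH_THRESHOLD:
        controls.add("dual_auth")
    return controls

def release_blockers(req: PaymentRequest, records: dict, now: datetime) -> list:
    """Reasons the payment cannot go out yet; an empty list means every control is satisfied."""
    record = records.get(req.payee)
    controls = required_controls(req, records)
    blockers = []
    if "callback" in controls:
        if record is None:
            blockers.append("new payee: obtain a phone number from an independent source first")
        elif req.callback_number_used != record.phone_on_file:
            blockers.append("callback must use the number on file, not one supplied in the request")
    if "dual_auth" in controls and len(req.approvers) < 2:
        blockers.append(f"amount above {DUAL_AUTH_THRESHOLD}: two distinct approvers required")
    if "hold" in controls and now < req.received_at + timedelta(hours=HOLD_HOURS):
        blockers.append(f"inside the {HOLD_HOURS}-hour confirmation window")
    return blockers

RECORDS = {"Acme Bouw BV": PayeeRecord("NL00BANK0000000001", "+31 20 000 0001")}  # constructed
REQUEST = PaymentRequest("Acme Bouw BV", "NL00BANK0000000099", 48_000.0, datetime(2024, 6, 7, 15, 42),
                         callback_number_used="+31 20 999 9999", approvers={"jdoe"})  # constructed
```

In the constructed scenario the request names a different IBAN from the one on file, the verifier dialled the number printed in the email, and only one person has approved, so all three controls block release until the callback goes to the recorded number, a second approver signs off, and the window has elapsed.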
Finance teams and executive assistants need scenario-based training, not annual compliance slides. Walk them through real BEC email samples, show them how to inspect sender headers in Outlook and Gmail, run a simulated BEC exercise targeting a plausible payment request, and measure how many people would have processed the transfer. The result of that exercise sets your baseline and identifies individuals who need additional coaching.
What to do if you are hit
Speed determines the outcome. The window in which a fraudulent transfer can be recovered closes fast, typically within one to four hours of the funds leaving your account. The moment anyone in your organisation realises a payment went to a fraudulent account, three things must happen in parallel.
Call your bank immediately. Do not send an email or submit a portal request. Call the bank's fraud line directly, using the number from your account documentation or the back of your business bank card. Ask them to raise a Confirmation of Payee flag and, if your bank participates in the UK's Financial Fraud Kill Switch scheme, request activation. In the Netherlands, contact your bank's fraud team and request an urgent recall of the outbound transfer under SEPA recall procedures. Dutch banks are required to act on recall requests within defined timelines under PSD2 provisions.
Preserve all evidence. Do not delete, move, or alter any emails, sent items, or conversation threads related to the fraudulent payment. Forward the fraudulent emails to a dedicated evidence folder and note the time, sender address, and content of every message in the chain. Your insurer and law enforcement will need this. Quarantine any email accounts that may have been compromised.
Report to law enforcement and regulators. In the Netherlands, file a report with the police (politie.nl) and notify the Dutch Financial Intelligence Unit (FIU-Nederland) if client funds were involved. In the UK, report to Action Fraud on 0300 123 2040 and complete an online report at actionfraud.police.uk. If you are a regulated firm under FCA or AFM supervision, assess your notification obligations. A material loss affecting client money typically triggers a requirement to notify your regulator within defined timescales.
Engage your cyber insurance provider in parallel with these steps. Most cyber insurance policies cover BEC-related financial losses and provide access to incident response retainers and legal counsel. Review your policy before an incident so you know what your notification window is and which response partner to call.
After the immediate response, commission an investigation into how the attack succeeded. Was it a compromised account, a lookalike domain, or a process failure? The answer determines what you fix. A post-incident review within 72 hours, while detail is fresh, should produce a written findings report and a remediation action plan with named owners and deadlines.