Business Email Compromise (BEC): What It Is and How to Stop It

Business email compromise is one of the most financially damaging cyberattacks an organization can face, and one of the least understood. Unlike ransomware, which announces itself loudly, BEC operates silently, often for weeks or months, exploiting trust rather than technology to steal money and data.

According to the 2026 Kaseya State of the MSP Report, 44% of MSPs report that at least 10% of their clients experienced a cyberattack in 2025, and BEC is consistently one of the most common and costly attack types behind those incidents.

The FBI’s Internet Crime Complaint Center (IC3) consistently ranks BEC as one of the costliest cybercrime categories. The FBI has titled its BEC advisory “The $55 Billion Scam”, reflecting cumulative global losses from October 2013 to December 2023. In 2024, BEC complaints resulted in $2.77 billion in adjusted losses in the US alone across 21,442 reported incidents. The attack works because it’s deceptively simple: no malware, no encryption, no technical exploit, just a convincing email from someone you trust.

Stop BEC Attacks Before They Cost You

Kaseya INKY analyzes every email against your organization’s communication patterns, flagging impersonation attempts and anomalous requests that bypass traditional filters.

What Is Business Email Compromise?

BEC is a fraud attack in which a threat actor uses a legitimate-looking email, from a compromised account, a spoofed domain, or an impersonated contact, to deceive someone with financial or data authority into taking a harmful action. That action is usually a fraudulent payment, a sensitive data transfer, or a credential disclosure that enables further access.

What distinguishes BEC from standard phishing is the targeting and the objective. Mass phishing casts a wide net for credentials. BEC focuses on specific individuals within a specific organization and is designed to generate immediate financial return, typically in the form of a wire transfer, gift card purchase, payroll diversion, or change to payment account details.

BEC is sometimes called Email Account Compromise (EAC) when the attack involves actual compromise of a real account rather than spoofing or impersonation. Both terms describe the same threat category and the same financial risk.

How BEC Attacks Work

BEC attacks follow a structured approach. Attackers first research the target organization, identifying key personnel in finance, accounting, HR, and the C-suite from LinkedIn, company websites, and social media. They map relationships: who reports to whom, who approves payments, who has authority to change payment details.

Initial access may come through phishing that compromises a real email account, or through domain spoofing that creates an email address visually similar to the real one (for example, [email protected] instead of [email protected]). Once inside a legitimate account, attackers often monitor email silently for weeks, learning communication patterns, ongoing deals, and the language style of the impersonated individual before initiating the fraud.

The attack itself is often a single, well-timed email: “Please update the bank account for the Smith invoice to the following details” or “Can you urgently process a wire transfer for this acquisition? I’m in meetings all day.” The combination of apparent authority, urgency, and specific context makes the request plausible. The window between the email being sent and the fraud being discovered is often enough for funds to be transferred beyond recovery.

The Five BEC Scenarios

The FBI identifies five primary BEC attack types:

CEO fraud involves impersonating a senior executive to pressure an employee into making a fraudulent transfer or disclosing sensitive information. The request typically arrives when the executive is traveling or otherwise unavailable to verify.

Account compromise involves actual compromise of a business email account used to request fraudulent payments from vendors or customers of that account’s owner. Unlike impersonation, the email genuinely comes from the real account.

False invoice scheme involves impersonating a vendor or supplier and requesting payment to a new bank account, intercepting a real payment that was expected.

Attorney impersonation involves posing as legal counsel to demand confidential information or urgent payment related to a pending legal matter, exploiting the authority dynamic of the legal relationship.

Data theft targets HR or finance to obtain employee tax records, payroll information, or personal data. This is often a precursor to further fraud or identity theft rather than an immediate financial transfer.

Why BEC Is So Hard to Detect

BEC bypasses most traditional security controls because it relies on social engineering rather than malware. Email security filters don’t flag a message that comes from a legitimate compromised account. No attachment or malicious link triggers endpoint protection. The communication looks, in every technical sense, like a normal business email.

The detection challenge is behavioral: recognizing that a request is inconsistent with normal business process, that the urgency is unusual, or that a payment instruction change is arriving through an atypical channel. These are human judgments, not technical ones, which is why BEC remains effective even in technically sophisticated environments.

AI-enhanced BEC is making this harder. Attackers now use AI to generate correspondence that precisely mirrors an individual’s writing style, referencing actual context from monitored email threads. The tells that a careful reader might previously have caught, slightly unusual phrasing or generic language, are increasingly absent from modern BEC attempts.

How to Defend Against BEC

Email authentication. SPF and DKIM, enforced through a DMARC policy, prevent spoofing of your own domain. A DMARC policy set to reject stops attackers from sending email that appears to come from your domain. This addresses the exact-domain impersonation vector, but not look-alike domains the attacker registers themselves or the account compromise vector, which is why layered controls are necessary.

AI-powered email security. Solutions like INKY, included in Kaseya 365 User, use AI to analyze email communication patterns and flag anomalies: messages from new senders claiming executive authority, requests that deviate from normal communication patterns, or characteristics that match known BEC profiles. Unlike signature-based filters, behavioral analysis catches contextually unusual requests even from legitimate-looking sources.

Process controls for financial transactions. The most effective BEC defense for payment fraud is a human process control: out-of-band verification by phone to a known number, not one provided in the suspicious email, before executing any payment instruction change or large wire transfer. Financial transactions above a defined threshold should never be authorized by email alone.

Employee training. Finance and executive assistant staff, the primary BEC targets, need specific training on BEC scenarios and the verification procedures they should follow when they receive unusual payment requests. General phishing awareness training doesn’t cover the BEC-specific playbooks attackers use.

Dark web monitoring. Compromised credentials that enable account takeover BEC often appear on dark web forums before attackers use them. Dark Web ID, available through Kaseya, continuously monitors for credentials from your domain and provides early warning that allows passwords to be reset before accounts are exploited.

MFA on all email accounts. Account takeover BEC requires access to the compromised account. MFA prevents credential theft from enabling this access. Even if an attacker obtains the password through phishing or credential stuffing, they cannot log in without the second factor.
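To make the email authentication and behavioral-anomaly controls above concrete, here is an added example (not Kaseya's or INKY's code) of a small triage function that scores an inbound message against the BEC signals this article describes: an executive's display name arriving from an unexpected address, a look-alike sender domain, a mismatched Reply-To, a failed DMARC result, and a payment-detail change or urgency pressure in the body. The organization domain, executive list and sample messages are constructed assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed assumptions: our own domain and the executives most likely to be impersonated
# (lower-cased display name -> the only address that should carry that name).
OUR_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

# Body phrases that typically accompany payment diversion and pressure tactics.
PAYMENT_CHANGE = re.compile(r"\b(update|change|new)\s+(the\s+)?(bank|account|wire|payment)", re.I)
URGENCY = re.compile(r"\b(urgent\w*|asap|immediately|in meetings all day)\b", re.I)

def parse_from(value):
    """Split 'Display Name <user@domain>' into (lower-cased display name, lower-cased address)."""
    m = re.match(r'\s*"?([^"<]*)"?\s*<([^>]+)>', value)
    if m:
        return m.group(1).strip().lower(), m.group(2).strip().lower()
    return "", value.strip().lower()

def lookalike(domain, reference=OUR_DOMAIN):
    """True when the domain is not ours but closely resembles it (e.g. one swapped letter)."""
    return domain != reference and SequenceMatcher(None, domain, reference).ratio() >= 0.85

def score_email(msg):
    """Return the list of BEC indicators found in msg (a dict or email.message.Message)."""
    name, addr = parse_from(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    reasons = []
    if name in EXECUTIVES and addr != EXECUTIVES[name]:
        reasons.append("executive display name from unexpected address")
    if lookalike(domain):
        reasons.append(f"look-alike sender domain {domain}")
    reply_to = msg.get("Reply-To", "")
    if reply_to and parse_from(reply_to)[1] != addr:
        reasons.append("Reply-To differs from From")
    if "dmarc=fail" in msg.get("Authentication-Results", "").lower():
        reasons.append("DMARC failed")
    body = msg.get("Body", "")
    if PAYMENT_CHANGE.search(body):
        reasons.append("payment-detail change requested by email")
    if URGENCY.search(body):
        reasons.append("urgency pressure")
    return reasons

# Constructed sample messages: a look-alike-domain CEO-fraud attempt and a routine internal note.
SUSPICIOUS = {"From": '"Jane Doe" <jane.doe@exarnple.com>', "Authentication-Results": "dmarc=pass",
              "Body": "Can you urgently update the bank account for the Smith invoice? I'm in meetings all day."}
BENIGN = {"From": "Jane Doe <jane.doe@example.com>", "Authentication-Results": "dmarc=pass",
          "Body": "Agenda for tomorrow's board meeting attached."}
```

Any non-empty result should route the message to the out-of-band verification step rather than to the payment queue.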

For a broader look at the five specific BEC scam types your clients are most likely to encounter, see Watch Out for These 5 Types of BEC Scam.

See how Kaseya 365 User addresses BEC through AI email security and dark web monitoring.

Key Takeaways

  • BEC is one of the costliest cybercrime categories by total financial losses, causing billions in annual damage through fraud rather than technical exploitation. The FBI’s cumulative total from 2013 to 2023 is $55 billion.
  • BEC bypasses technical security controls because it uses trusted accounts or convincing impersonation rather than malware or malicious attachments.
  • The most effective defenses combine technical controls (DMARC, AI email security, MFA) with process controls (out-of-band verification for financial transactions) and targeted employee training.
  • AI is making BEC harder to detect by generating contextually accurate impersonations. Detection increasingly requires behavioral anomaly recognition rather than content analysis.
