What Is Business Email Compromise?
Business Email Compromise — BEC for short — is a scam where an attacker impersonates someone you trust (your boss, a vendor, a lawyer, or a bank) and manipulates you or your staff into sending money or sensitive information to the wrong place.
What makes BEC so dangerous is that there's often no malware involved, no virus to detect, and no obvious red flag. It's pure social engineering — and it works.
How Does It Work?
Attackers invest real time researching your business before striking. They look at your website, LinkedIn, public records, and sometimes get into your email first to watch how you communicate. Then they strike at exactly the right moment.
Common BEC Scenarios
The Fake CEO Wire Transfer
An employee in accounting gets an email that appears to be from the owner or CEO asking for an urgent wire transfer to close a deal or handle an emergency. The email looks legitimate. The request feels real. The money leaves the account before anyone catches on.
The Vendor Payment Redirect
An attacker compromises your vendor's email or spoofs it, then sends you a message saying their banking information has changed. You update your records and start sending payments to the attacker's account. Sometimes this goes undetected for months.
The Lawyer or Closing Agent Scam
Especially common during real estate closings. An attacker intercepts communication between you and a title company or attorney and sends fake wiring instructions at the last minute. Victims wire their entire down payment or closing funds to a criminal.
W-2 and Payroll Fraud
An attacker poses as an executive and requests all employee W-2 data from HR — then uses that information for identity theft or fraudulent tax filings.
How Does This Hurt Your Business?
- Direct financial loss — often tens of thousands of dollars in a single transaction
- Exposure of employee personal data (Social Security numbers, payroll information)
- Damaged relationships with vendors and clients when payment fraud is discovered
- Legal liability if customer funds or sensitive data are involved
- Reputational harm to your business in the community
How to Protect Yourself
- Always verify payment changes by phone — Call a known number (not one in the email) before changing banking information or sending any wire
- Require dual approval for wire transfers — Any transfer over a certain amount should need two people to sign off
- Slow down on urgent requests — Urgency and secrecy are the two biggest warning signs of BEC
- Check the sender's email address carefully — Look for subtle changes like an extra letter or a different domain
The FBI's BEC resource page has current guidance and a place to report incidents if you've been targeted.
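The "check the sender's address carefully" step above is easy to state and hard to do by eye under time pressure, so here is an added example (not part of the original article or CAER Technologies' tooling) that automates the check as a triage aid: it classifies a From or Reply-To address as trusted, lookalike or other by comparing its domain against a list of domains you actually do business with. The trusted domains, the homoglyph table and every sample address are constructed for illustration; the edit-distance tolerance is an assumption you would tune to your own domain lengths.

```python
"""Flag sender domains that resemble, but are not, a domain you trust.

Added example (not CAER Technologies' tooling). TRUSTED_DOMAINS, the
homoglyph table and every address below are constructed for illustration.
"""
from email.utils import parseaddr

# Constructed: your own domain plus the vendors whose invoices you pay.
TRUSTED_DOMAINS = {"example.com", "acme-vendor.com"}

# Sequences that look alike in many fonts; folded before comparing.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e", "5": "s"}

# Tolerance for typo-squats such as example.co or exampel.com (assumption:
# two edits suits domains of this length; use fewer for very short domains).
MAX_EDITS = 2


def sender_domain(address):
    """Return the lowercase domain from 'Name <user@domain>' or '' if absent."""
    _, addr = parseaddr(address)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].strip().lower().rstrip(".")


def fold_homoglyphs(text):
    """Map visually confusable sequences to the characters they imitate."""
    for fake, real in HOMOGLYPHS.items():
        text = text.replace(fake, real)
    return text


def edit_distance(a, b):
    """Levenshtein distance using the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(address, trusted=frozenset(TRUSTED_DOMAINS)):
    """Return 'trusted', 'lookalike' or 'other' for one From/Reply-To address.

    'lookalike' means the domain is within MAX_EDITS of a trusted domain,
    equals one after homoglyph folding, or reuses a trusted organisation's
    name in a cousin domain (example-payments.com, example.com.evil.example.net).
    """
    domain = sender_domain(address)
    if not domain:
        return "other"
    # An exact match or a genuine subdomain (mail.example.com) is trusted.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return "trusted"
    folded = fold_homoglyphs(domain)
    for t in trusted:
        if folded == t or edit_distance(domain, t) <= MAX_EDITS:
            return "lookalike"
        if t.split(".")[0] in domain:  # cousin domain built around the real name
            return "lookalike"
    return "other"


def triage(addresses):
    """Return only the addresses that deserve a phone call before acting."""
    return [a for a in addresses if classify_sender(a) == "lookalike"]


if __name__ == "__main__":
    # Constructed sample senders covering each outcome.
    for a in ["Chris <chris@example.com>", "chris@examp1e.com", "ap@acme-vendor.co",
              "billing@example-payments.com", "someone@gmail.com"]:
        print(f"{a:32} {classify_sender(a)}")
```

The classifier errs toward flagging: a legitimate domain that happens to embed your vendor's name will be reported as a lookalike, which is the right failure mode for a check whose only consequence is a phone call to a known number.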
How CAER Technologies Protects You
BEC is hard to stop with technology alone — it targets people. So we combine technical controls with training to build a human firewall around your business.
- Email authentication setup (DMARC, DKIM, SPF) to prevent attackers from spoofing your domain
- Microsoft 365 configuration to flag emails from outside your organization that impersonate internal senders
- Security awareness training so your team knows the warning signs and verification steps
- BEC-specific phishing simulations to test and reinforce good judgment
- Account monitoring to detect if an email account is compromised and being used to conduct BEC
- Incident response — if BEC occurs, we help you act fast to report it and attempt fund recovery
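The email authentication item in the list above (SPF, DKIM, DMARC) only prevents spoofing when the published records are actually enforcing. The following added example, which is not CAER Technologies' code, parses an SPF and a DMARC TXT record and reports the settings that leave a domain spoofable: a permissive or soft-fail SPF "all" term, too many DNS-lookup terms, a DMARC policy of none, partial pct, or no reporting address. The record strings are constructed (the Microsoft 365 include is the published one, everything else is a placeholder); in practice you would fetch the records from DNS before passing them in.

```python
"""Assess whether a domain's SPF and DMARC records actually block spoofing.

Added example (not CAER Technologies' code). The record strings are
constructed; a real check would fetch them from DNS for the domain.
"""

# Mechanisms and modifiers that cost a DNS lookup; RFC 7208 caps them at 10.
SPF_LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")

# Constructed "before" records: soft-fail SPF and a monitor-only DMARC policy.
WEAK_SPF = "v=spf1 include:spf.protection.outlook.com ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

# Constructed "after" records: hard fail and an enforced reject policy.
HARDENED_SPF = "v=spf1 include:spf.protection.outlook.com -all"
HARDENED_DMARC = ("v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
                  "rua=mailto:dmarc@example.com; ruf=mailto:dmarc@example.com")


def parse_spf(record):
    """Split an SPF record into (qualifier, name, value) terms; None if invalid."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # default qualifier is pass
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        if "=" in name:                      # modifier syntax, e.g. redirect=
            name, _, value = name.partition("=")
        parsed.append((qualifier, name.lower(), value))
    return parsed


def assess_spf(record):
    """Return a list of findings for one SPF record (empty means enforcing)."""
    terms = parse_spf(record) if record else None
    if terms is None:
        return ["SPF: no valid record; receivers cannot tell forged mail from yours"]
    findings = []
    all_quals = [q for q, name, _ in terms if name == "all"]
    if not all_quals:
        findings.append("SPF: no 'all' term; unlisted senders get a neutral result")
    elif all_quals[0] == "+":
        findings.append("SPF: '+all' authorizes any sender on the internet")
    elif all_quals[0] == "?":
        findings.append("SPF: '?all' is neutral; forged mail is not penalized")
    elif all_quals[0] == "~":
        findings.append("SPF: '~all' soft-fails only; move to '-all' once every sender is listed")
    # Only the top-level record is counted here; nested includes add more.
    lookups = sum(1 for _, name, _ in terms if name in SPF_LOOKUP_TERMS)
    if lookups > 10:
        findings.append(f"SPF: {lookups} lookup terms exceed the limit of 10 (permerror)")
    return findings


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if invalid."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def assess_dmarc(record):
    """Return a list of findings for one DMARC record (empty means enforced)."""
    tags = parse_dmarc(record) if record else None
    if tags is None:
        return ["DMARC: no valid record; SPF/DKIM results are never enforced"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"DMARC: missing or unrecognized policy '{policy}'")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        findings.append(f"DMARC: pct={pct} leaves {100 - pct}% of failing mail unenforced")
    if "rua" not in tags:
        findings.append("DMARC: no rua= address; you will never see aggregate reports")
    return findings


def assess_domain(spf_record, dmarc_record):
    """Combine SPF and DMARC findings for one domain."""
    return assess_spf(spf_record) + assess_dmarc(dmarc_record)


if __name__ == "__main__":
    for label, spf, dmarc in [("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", HARDENED_SPF, HARDENED_DMARC)]:
        print(label, assess_domain(spf, dmarc) or ["no findings"])
```

DKIM is deliberately left out of this check: whether it protects you depends on the signing keys your mail platform publishes and on DMARC alignment, not on a single record you can read in isolation.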
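The account-monitoring item above is worth a concrete illustration of what "being used to conduct BEC" looks like in logs: a compromised mailbox typically gains an inbox rule that forwards or deletes mail about invoices and payments so the real owner never sees the conversation. This added example (not CAER Technologies' monitoring) scores inbox-rule creation events against those patterns. The event layout and all sample events are constructed; the rule parameter names mirror the Exchange inbox-rule cmdlet parameters, but a real audit feed would need its fields mapped onto the keys used here.

```python
"""Spot inbox rules typical of a mailbox that has been taken over for BEC.

Added example (not CAER Technologies' monitoring). The event shape and all
sample events are constructed; the parameter names follow the Exchange
inbox-rule cmdlets, but a real audit feed must be mapped onto these keys.
"""

INTERNAL_DOMAINS = {"example.com"}  # constructed

# Folders where attackers park messages so the owner never notices them.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "deleted items", "junk email", "archive"}
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "ach", "routing"}

SAMPLE_EVENTS = [  # constructed; IPs are from the documentation ranges
    {"user": "ap@example.com", "operation": "New-InboxRule",
     "client_ip": "198.51.100.23",
     "parameters": {"Name": ".", "ForwardTo": "collect@example.net",
                    "DeleteMessage": "True",
                    "SubjectContainsWords": "invoice;wire"}},
    {"user": "ap@example.com", "operation": "New-InboxRule",
     "client_ip": "192.0.2.10",
     "parameters": {"Name": "Newsletters", "MoveToFolder": "Newsletters",
                    "FromAddressContainsWords": "news@example.org"}},
    {"user": "ceo@example.com", "operation": "Set-InboxRule",
     "client_ip": "198.51.100.77",
     "parameters": {"Name": "..", "MoveToFolder": "RSS Feeds",
                    "BodyContainsWords": "payment;bank"}},
]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _filter_words(params):
    """Collect every *ContainsWords filter value as a lowercase set."""
    found = set()
    for key, value in params.items():
        if key.endswith("ContainsWords"):
            found.update(w.strip().lower() for w in value.split(";") if w.strip())
    return found


def score_rule(event):
    """Return (severity 0-3, reasons) for one rule creation or modification."""
    params = event["parameters"]
    reasons, severity = [], 0
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        target = params.get(key, "")
        if target and _domain(target) not in INTERNAL_DOMAINS:
            reasons.append(f"{key} sends mail outside the organisation ({target})")
            severity = max(severity, 3)
    if params.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching messages")
        severity = max(severity, 3)
    if params.get("MoveToFolder", "").lower() in HIDING_FOLDERS:
        reasons.append(f"moves mail to a rarely read folder ({params['MoveToFolder']})")
        severity = max(severity, 2)
    if not params.get("Name", "").strip(". "):
        reasons.append("rule name is blank or only dots")
        severity = max(severity, 2)
    finance = _filter_words(params) & FINANCE_WORDS
    if finance and reasons:  # finance keywords make an already odd rule worse
        reasons.append("filters on finance keywords: " + ", ".join(sorted(finance)))
        severity = min(severity + 1, 3)
    return severity, reasons


def find_suspicious_rules(events, threshold=2):
    """Return alerts for rule events scoring at or above the threshold."""
    alerts = []
    for event in events:
        if event.get("operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        severity, reasons = score_rule(event)
        if severity >= threshold:
            alerts.append({"user": event["user"], "client_ip": event.get("client_ip"),
                           "severity": severity, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_rules(SAMPLE_EVENTS):
        print(alert["user"], alert["severity"], "; ".join(alert["reasons"]))
```

Pairing each alert with the client IP that created the rule is what makes the response fast: a rule created from an address the user has never signed in from is usually enough to justify resetting the credential and revoking sessions before any payment goes out.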