
Business Email Compromise: The $2.9 Billion Fraud Targeting Small Businesses

Business Email Compromise (BEC) is the most costly cybercrime category in the US. AI has made it dramatically more effective. Here's how it works and how to protect your business.

The FBI’s 2024 Internet Crime Report named Business Email Compromise the single most financially damaging cybercrime category — $2.9 billion lost in the US alone. And that’s just what gets reported.

Unlike ransomware or data breaches, BEC leaves no malware behind. There’s nothing to scan for. It exploits human trust, not software vulnerabilities — which is exactly why it’s so effective and so hard to stop with traditional security tools.

What Is Business Email Compromise?

Business Email Compromise is a fraud scheme in which an attacker impersonates a trusted executive, vendor, or partner — usually via email — to trick an employee into transferring money, changing payment details, or handing over sensitive information.

The three most common variants:

1. CEO Fraud

The attacker spoofs or compromises the CEO’s email address and sends an urgent wire transfer request to a finance team member. The message typically says to keep it confidential and act immediately — mimicking the tone of a real executive.

2. Vendor Impersonation

The attacker poses as a known vendor and sends a new invoice or “updated banking details” — requesting that future payments go to a new account. The account belongs to the fraudster.

3. Payroll Diversion

HR or payroll receives an email that appears to be from an employee requesting a change to their direct deposit information. The new account belongs to the attacker.

How AI Has Changed BEC

Traditional BEC relied on generic phishing emails — often with poor grammar and obvious red flags. AI has changed this in three significant ways:

Hyper-personalized messages. AI tools can analyze your LinkedIn, company website, press releases, and social media to write a perfectly convincing email that references real projects, real names, and real context. The “Nigerian prince” email is gone. The new version reads like it came from your actual boss.

Voice cloning on phone calls. Attackers now follow up BEC emails with phone calls using cloned voices of executives. An employee who is uncertain about an email may be convinced by a phone call that “sounds like the CEO.”

Scale. What previously required hours of research per target can now be done in minutes across hundreds of targets simultaneously.

Who Gets Targeted?

Any business with a finance function is a target. But certain industries are disproportionately hit:

  • Law firms — trust account wire transfers are common and large
  • Real estate — closing cost wire transfers are frequently intercepted
  • Medical practices — insurance payment flows and vendor relationships
  • Accounting firms — access to client funds and high trust with financial institutions
  • Agencies and consultancies — frequent vendor payments and project-based wire transfers

Small and mid-sized businesses are particularly vulnerable because they typically lack the security infrastructure of large enterprises — but they move meaningful amounts of money.

The Average SMB Breach Cost: $140,000

The average cost of a BEC incident to a small or mid-sized business — including the fraudulent transfer, investigation, legal costs, and business disruption — is $140,000. Many businesses don’t recover.

That’s the context for the $199 Security Audit we offer. The math is straightforward.

How to Protect Your Business

Implement wire transfer verification protocols

Any wire transfer request — regardless of who appears to be requesting it — should require a secondary verbal confirmation through an independently verified phone number. Not a reply email. A phone call.

Train your team to recognize urgency + secrecy

“Do this now, don’t tell anyone” is the signature of this fraud. It doesn’t matter whether it arrives by email, text, or phone. Train every person who handles payments to recognize this pattern and escalate rather than comply.

Verify vendor banking changes independently

Any request to change banking or payment details from a vendor should be verified via a phone call to a number you already have on file — not a number provided in the suspicious email.

Use email authentication (SPF, DKIM, DMARC)

Most email providers support these authentication standards. Properly configured, they let receiving mail servers detect and reject messages that forge your exact domain (they do not stop look-alike domains, which is why the verification habits above still matter). Many SMBs have these misconfigured or not configured at all.
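The misconfigurations that matter are visible in three DNS TXT records. The following linter, added here as an illustration and not code from this article or its audit service, parses SPF, DKIM and DMARC record strings and flags the settings that leave a domain forgeable (a softfail or `+all` SPF terminator, too many lookup mechanisms, a `p=none` or partial-percentage DMARC policy, a revoked, short or test-mode DKIM key). All records, domain names and key bytes in it are constructed samples; the `hardened.example` entry shows what a correctly configured set looks like beside the weak ones.

```python
"""Lint SPF, DKIM and DMARC TXT records for settings that leave a domain spoofable.
Added example, not the article's code; every record below is a constructed sample."""
import base64
import re

# Constructed samples of what `dig TXT example.com`, `dig TXT <selector>._domainkey.example.com`
# and `dig TXT _dmarc.example.com` would return.  Nothing here touches the network.
SAMPLE_RECORDS = {
    "hardened.example": {
        "spf": "v=spf1 include:_spf.mailhost.example -all",
        "dkim": "v=DKIM1; k=rsa; p=" + "A" * 392,  # placeholder bytes sized like a 2048-bit key
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; adkim=s; aspf=s",
    },
    "weak.example": {
        "spf": "v=spf1 include:_spf.mailhost.example ~all",
        "dkim": "v=DKIM1; k=rsa; t=y; p=" + "A" * 216,  # placeholder bytes sized like a 1024-bit key
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "unprotected.example": {"spf": "v=spf1 +all", "dkim": None, "dmarc": None},
}

# SPF mechanisms/modifiers that each cost a DNS lookup; RFC 7208 allows at most 10.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

def _spf_mechanism(term):
    # 'include:_spf.x' -> 'include', '-all' -> 'all', 'ip4:10.0.0.0/8' -> 'ip4'
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()

def lint_spf(record):
    """Findings for an SPF record; an empty list means nothing weak was found."""
    if not record:
        return ["no SPF record: any host may claim to send as this domain"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["record does not start with v=spf1"]
    findings = []
    last = terms[-1].lower()
    if last in ("+all", "all"):
        findings.append("'+all' authorises every host on the internet to send as this domain")
    elif last == "~all":
        findings.append("'~all' (softfail): forged mail is only marked, not rejected")
    elif last != "-all":
        findings.append("no '-all' terminator: unlisted hosts are not hard-failed")
    lookups = sum(1 for t in terms[1:] if _spf_mechanism(t) in LOOKUP_MECHANISMS)
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10 (permerror)")
    return findings

def _tags(record):
    """Parse the 'k=v; k2=v2' tag list used by DKIM and DMARC records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def lint_dkim(record):
    """Findings for a DKIM key record published at <selector>._domainkey."""
    if not record:
        return ["no DKIM record at this selector: outbound mail cannot be signed"]
    tags, findings = _tags(record), []
    if not tags.get("p"):
        findings.append("empty p= tag: key is revoked, every signature will fail")
    else:
        # Heuristic: DER-encoded 1024-bit RSA keys are ~162 bytes, 2048-bit ~294 bytes.
        key_bytes = len(base64.b64decode(tags["p"], validate=True))
        if key_bytes < 200:
            findings.append(f"public key is {key_bytes} bytes: likely 1024-bit or smaller")
    if tags.get("t", "").lower() == "y":
        findings.append("t=y: testing mode, verifiers may disregard signature failures")
    return findings

def lint_dmarc(record):
    """Findings for a DMARC policy record published at _dmarc.<domain>."""
    if not record:
        return ["no DMARC record: receivers have no policy for mail failing SPF/DKIM"]
    tags = _tags(record)
    findings, policy = [], tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none: forged mail is still delivered, monitoring only")
    elif policy == "quarantine":
        findings.append("p=quarantine: forged mail goes to spam instead of being rejected")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you get no aggregate reports of who forges your domain")
    return findings

def audit_domain(domain, records=SAMPLE_RECORDS):
    """Lint all three record types for one domain -> {record type: [findings]}."""
    return {kind: lint(records[domain][kind]) for kind, lint in
            (("spf", lint_spf), ("dkim", lint_dkim), ("dmarc", lint_dmarc))}

def is_spoof_resistant(domain, records=SAMPLE_RECORDS):
    """True only when no record type produced a finding."""
    return not any(audit_domain(domain, records).values())
```

To run it against a real domain, paste the output of `dig +short TXT yourdomain.example`, `dig +short TXT <selector>._domainkey.yourdomain.example` and `dig +short TXT _dmarc.yourdomain.example` into a records dictionary of the same shape. The DKIM key-size check is a byte-length heuristic rather than an ASN.1 parse, and the linter does not follow `include:` chains, so a clean result means the records you supplied are sane, not that every delegated sender is.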

Book a Security Audit

Our Business Security Audit is a structured assessment of your current exposure across email, payment workflows, employee access controls, and vendor relationships. We deliver a plain-English report with prioritized actions — no jargon, no unnecessary upsells.


BEC fraud works because it exploits the same thing that makes businesses run: trust. The solution is not to stop trusting people — it is to build verification habits that don’t depend on trust alone.

If you’d like to know where your business is most exposed, get in touch. We’ll do an initial assessment and explain what we find in plain English.

