Business Email Compromise is the most financially damaging cybercrime category. The FBI’s Internet Crime Complaint Center reported over $2.9 billion in BEC losses in 2023 alone. It works by impersonating a trusted person inside or connected to your organization to authorize fraudulent payments or credential transfers. The technical sophistication required is low. The social engineering required is high.
Analysis Briefing
- Topic: Business email compromise mechanics and prevention
- Analyst: Mike D (@MrComputerScience)
- Context: A collaborative deep dive triggered by a reader question
- Source: Pithy Cyborg
- Key Question: Why does BEC keep working against organizations that should know better?
The Three BEC Variants That Account for Most Losses
CEO fraud is the most documented variant. An employee in finance or accounting receives an email appearing to come from the CEO or CFO requesting an urgent wire transfer to a new account. The request is framed as confidential and time-sensitive. The employee complies before verifying because the authority of the apparent sender suppresses the skepticism that would catch it.
Vendor impersonation targets accounts payable teams. An attacker compromises or spoofs a vendor email account and sends updated banking instructions for an upcoming invoice. The finance team processes the payment to the attacker’s account. The real vendor eventually notices the unpaid invoice. By then the money is gone.
Payroll diversion targets HR departments. An employee email is spoofed or compromised and a request is sent to HR to update direct deposit information. The next payroll cycle deposits the employee’s salary to an attacker-controlled account.
Why Technical Controls Are Insufficient Against BEC
BEC often requires no malware, no hacked accounts, and no technical sophistication. A spoofed email crafted to appear internal can bypass endpoint security, email filtering, and firewall rules because it arrives from a real server with no malicious attachments for filters to detect. The filtering that catches malware cannot catch social engineering.
This is also why DMARC alone is not a complete solution. When an attacker gains access to a real vendor or executive email account through credential stuffing or phishing, the emails pass all authentication checks because they genuinely originate from the legitimate account. A strong DMARC configuration stops domain spoofing. It does not stop an attacker who already has the keys.
DMARC, DKIM, and SPF authentication reduce the ability to spoof your own domain convincingly. They do nothing about look-alike domains that differ from yours by a single character, because the attacker owns those domains and can authenticate mail from them perfectly. Registering common typosquat variants of your domain and configuring them to reject email is a meaningful defensive step that most small businesses never take.
| Attack Tier | Methodology | Attacker Effort | Detection “Tell” |
|---|---|---|---|
| Tier 1: The Spoof | Look-alike domains (e.g., micros0ft.com) or display name fakes. | Low | Hovering over the sender name reveals the wrong address. |
| Tier 2: The Account Takeover | Attacker logs into a real account via credential stuffing or MFA bypass. | Medium | Perfect email headers, but unusual urgency or bank changes. |
| Tier 3: The AI Pivot | Cloned voice calls or Deepfake video “huddles” confirming the email. | High | The request requires secrecy or bypassing normal AP controls. |
| Tier 4: The Vendor-in-the-Middle | Attacker sits in a real email thread for weeks, then “swaps” the final invoice. | Elite | The Final Invoice: Everything is real except the Routing Number. |
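The Tier 1 tells above (a look-alike domain, a display name that does not match the address) can be checked mechanically before a human ever hovers over the sender. The following is an added example, not code from the article: it assumes a fictional own domain example.com and a constructed executive roster, and flags From/Reply-To headers whose domain normalizes to yours after common character swaps, sits within one edit of yours, or borrows an executive's display name on a foreign address.

```python
from email.utils import parseaddr

# Assumed values for the example: your own domain and a constructed executive roster
OWN_DOMAIN = "example.com"
EXECUTIVES = {"pat jones": "pat.jones@example.com"}

# Character swaps commonly used to build look-alike domains (0 for o, 1 for l, rn for m, ...)
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})

def normalize(domain):
    """Map confusable characters back to the letters they imitate."""
    return domain.lower().translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")

def edit_distance(a, b):
    """Plain Levenshtein distance, enough to catch single-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain, own=OWN_DOMAIN):
    """True when a foreign domain imitates our own by confusables or a one-character change."""
    domain, own = domain.lower(), own.lower()
    if domain == own:
        return False
    return normalize(domain) == own or edit_distance(domain, own) <= 1

def check_sender(from_header, reply_to=None):
    """Return the Tier 1 'tells' found in the From and Reply-To headers, in a fixed order."""
    tells = []
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    if is_lookalike(domain):
        tells.append("lookalike-domain")
    # A known executive's display name on an address other than their real one
    known = EXECUTIVES.get(name.strip().lower())
    if known and addr.lower() != known:
        tells.append("display-name-mismatch")
    # Replies silently redirected to a different domain than the visible sender
    if reply_to:
        reply_domain = parseaddr(reply_to)[1].rsplit("@", 1)[-1].lower()
        if reply_domain != domain:
            tells.append("reply-to-mismatch")
    return tells
```

A real deployment would load the executive roster and your registered look-alike list from the directory rather than a constant, and score Tier 2 tells (urgency, bank-detail changes) separately, since those messages pass every check here.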
The Verification Call That Stops Almost Every BEC Attempt
The single most effective defense against BEC is a verbal verification requirement for any change to payment details or any unusual wire transfer request. Call the requester directly using a phone number you already have, not a number provided in the email.
This sounds simple. It is. The reason BEC keeps working is that organizations do not enforce this requirement consistently. The call feels awkward when you are sure the CEO sent the email. It feels less awkward after you have wired $200,000 to an attacker.
Why the Verification Call Itself Is Now Being Spoofed
AI voice cloning has changed the BEC threat model in one specific and important way. Some BEC attacks now include a follow-up call from a cloned voice of the executive confirming the wire transfer request. A verification call to a number provided in the attack, or to a number you look up rather than one you already have stored, can now be part of the attack rather than a defense against it.
The guidance update is specific: verification must happen on a pre-established channel using a contact number already in your phone or your organization’s records before the incident began. Not a number in the email. Not a number you find by searching. A number you already had. If you cannot reach the requester on that number, the request does not proceed.
Why Invoice Fraud Is the BEC Variant Most Likely to Hit Small Businesses
CEO fraud requires impersonating an internal executive. Invoice fraud requires impersonating a vendor you already pay, which is operationally simpler and targets a process that runs on routine rather than scrutiny.
The attack arrives as a message from a familiar sender referencing a real invoice with updated banking details for the next payment. Accounts payable processes it without verification because it looks like a normal part of a normal workflow.
Small businesses are disproportionately targeted because they typically lack the verification controls that large enterprises have built around payment processes. A two-person finance team processing dozens of invoices per week does not have the bandwidth to verbally verify every payment instruction change. Attackers know this.
The fix is a standing policy: any change to vendor banking details requires a phone confirmation to a number already on file before the new details are used. For a small team, this does not need to be elaborate. A one-page written policy that lists the trigger (any banking detail change), the required action (call the number on the existing vendor record), and who is responsible is sufficient. The policy needs to be written down and signed off by whoever owns the finances, because an informal expectation does not survive staff turnover or a high-pressure moment.
What This Means For You
- Implement a verbal verification requirement for all wire transfer requests and all changes to vendor payment details. Write it down as a formal policy, not an informal expectation. For small teams, a one-page document with a clear trigger and a clear action is enough.
- Verify on a pre-established channel. AI voice cloning means a confirmation call to a number provided in the request is no longer sufficient. Use a number already in your records before the incident started.
- Configure DMARC, DKIM, and SPF on your domain and set DMARC to reject rather than just monitor.
- Register common typosquat variants of your business domain and configure them to reject all email.
- Train finance and HR staff specifically on BEC scenarios. These teams are the primary targets and generic security awareness training rarely covers BEC in enough detail.
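As an added example (not from the article), the following audits constructed SPF, DMARC and MX records for a primary domain and for a registered typosquat variant against the "reject rather than monitor" guidance above. The record strings are sample values rather than live DNS lookups, and the parked-domain checks assume the conventional configuration for a domain that should never send or receive mail: an SPF record of `v=spf1 -all`, a DMARC policy of `p=reject`, and a null MX (`0 .`).

```python
def parse_tags(record):
    """Split a DMARC record such as 'v=DMARC1; p=reject; rua=...' into a tag -> value dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def audit(domain, txt_records, dmarc_record, mx_records, parked=False):
    """Return findings for one domain; an empty list means it matches the guidance.

    txt_records: TXT strings at the domain apex (constructed samples in the test)
    dmarc_record: TXT string at _dmarc.<domain>, or "" when none is published
    mx_records: MX strings as 'priority host', e.g. '10 mx.example.com.' or '0 .'
    parked: True for a typosquat variant that must accept and send no mail at all
    """
    findings = []
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        findings.append(f"spf: {domain} publishes {len(spf)} SPF records, expected exactly one")
    else:
        record = " ".join(spf[0].lower().split())
        if parked and record != "v=spf1 -all":
            findings.append(f"spf: parked domain {domain} should publish 'v=spf1 -all'")
        elif record.split()[-1] != "-all":
            findings.append(f"spf: terminal mechanism is '{record.split()[-1]}', not '-all'")
    if not dmarc_record:
        findings.append(f"dmarc: {domain} publishes no DMARC record")
    else:
        tags = parse_tags(dmarc_record)
        if tags.get("p") != "reject":
            findings.append(f"dmarc: policy p={tags.get('p', 'missing')} only monitors, not reject")
        if "sp" in tags and tags["sp"] != "reject":  # explicit subdomain policy weaker than p
            findings.append(f"dmarc: subdomain policy sp={tags['sp']} is weaker than reject")
        if tags.get("pct", "100") != "100":  # pct defaults to 100 when absent
            findings.append(f"dmarc: pct={tags['pct']} applies the policy to only part of mail")
        if "rua" not in tags:
            findings.append("dmarc: no rua= address, so spoofing attempts are never reported")
    if parked and mx_records != ["0 ."]:
        findings.append(f"mx: parked domain {domain} should publish a null MX ('0 .')")
    return findings
```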
If this was useful, more like it lives at Pithy Cyborg | AI News Made Simple.
