What is BEC (business email compromise)?
BEC (business email compromise) is a scam in which a criminal impersonates a trusted person, almost always an executive, a supplier or a partner, and convinces an employee by email to transfer money or send sensitive data. It uses no virus: it exploits authority and urgency, which is why it slips past most filters.
How a BEC scam works
BEC does not break into systems: it builds a convincing lie. The scam usually follows four stages, and the most effective frauds take weeks of preparation.
Reconnaissance
The criminal studies the company on social media, the website and leaked email threads, learning who authorizes payments, who executes them and how the company communicates.
The disguise
They create an address almost identical to the real one (a look-alike domain) or break into a real mailbox, so the message comes from a legitimate sender.
The request
A plausible, urgent request arrives with an air of authority: a transfer to a “new account”, a supplier's change of bank, a confidential payment that “cannot wait”.
The transfer
The employee complies. The money goes to the criminal's account and is moved quickly between banks. Recovery becomes a race against time.
Source: FBI (IC3) and N-able.
How to recognize a BEC scam
- An urgent, confidential transfer request that skips the normal approval process
- A supplier's change of bank details communicated only by email
- An address that looks like, but is not identical to, the real one (one letter off in the domain)
- The reply-to field points to a different address than the sender
- Pressure to act fast without checking: “I'm in a meeting, just handle it now”
- A request to keep the operation secret, without consulting colleagues
- A switch of the usual channel: someone who always called now only writes
Types of BEC
- CEO fraud The criminal poses as an executive and orders an urgent transfer to whoever can execute it.
- Vendor fraud A known supplier “announces” a change of bank; the next payments go to the fraudster's account.
- Account compromise A real employee's mailbox is hijacked and used to send requests from inside the company.
- Payroll diversion and data theft The request is not for money but for data: changing a salary account or sending tax and HR information.
What BEC costs a business
BEC is quiet, but it is among the costliest scams there is. In the FBI's Internet Crime Report (IC3 2024), BEC drove $ 2.77 billion in losses across 21,442 complaints, making it the second costliest cybercrime of the year even without being among the most frequent. Between 2022 and 2024, BEC losses added up to nearly $ 8.5 billion. And the fraud has matured: Verizon (DBIR 2025) finds that nearly a third of social engineering incidents are now pretexting, the technique behind BEC, in which the criminal builds trust over weeks before asking for the transfer. The damage rarely stops at the amount sent: it adds the time spent with the bank, the broken trust with a supplier and the legal risk of exposed data.
How to protect against BEC
BEC deceives people, not machines, so defense combines technology with process, in the order that reduces risk the most:
- Out-of-email verification for paymentsEvery transfer or change of bank details confirmed through a second channel, a call to an already known number, never by replying to the email itself.
- A second identity checkBeyond the password, on email access: it stops a real mailbox from being hijacked and used in the scam.
- Managed email securityDetects look-alike domains, spoofed senders and messages that break the pattern, before they reach the inbox.
- Authentication of your own domainSet the controls that stop others from sending email in your company's name: a spoofing check shows whether your domain is exposed.
- Training and simulationThe finance team learns to distrust urgency and secrecy, BEC's two favorite triggers.
- A dual-approval ruleNo transfer above a threshold goes out with a single signature.
In practice
Faced with an urgent request for money by email, call to confirm. Thirty seconds on the phone are worth more than any filter.
How Zamak handles BEC
Zamak Technologies combines managed email security, a second identity check and finance-team training, so the scam does not depend on a single person getting it right. A good starting point is the email spoofing check, which shows in minutes whether a fraudster could use your domain, and the Cybersecurity front narrows the gaps BEC exploits. Monitoring leaked credentials, on the Anticipate front, helps stop the scam before it advances.