Skip to Content
Threats and Attacks

What is BEC (business email compromise)?

BEC (business email compromise) is a scam in which a criminal impersonates a trusted person, almost always an executive, a supplier or a partner, and convinces an employee by email to transfer money or send sensitive data. It uses no virus: it exploits authority and urgency, which is why it slips past most filters.

Zamak TechnologiesUpdated on July 9, 2026

How a BEC scam works

BEC does not break into systems: it builds a convincing lie. The scam usually follows four stages, and the most effective frauds take weeks of preparation.

1

Reconnaissance

The criminal studies the company on social media, the website and leaked email threads, learning who authorizes payments, who executes them and how the company communicates.

2

The disguise

They create an address almost identical to the real one (a look-alike domain) or break into a real mailbox, so the message comes from a legitimate sender.

3

The request

A plausible, urgent request arrives with an air of authority: a transfer to a “new account”, a supplier's change of bank, a confidential payment that “cannot wait”.

4

The transfer

The employee complies. The money goes to the criminal's account and is moved quickly between banks. Recovery becomes a race against time.

Source: FBI (IC3) and N-able.

How to recognize a BEC scam

  • An urgent, confidential transfer request that skips the normal approval process
  • A supplier's change of bank details communicated only by email
  • An address that looks like, but is not identical to, the real one (one letter off in the domain)
  • The reply-to field points to a different address than the sender
  • Pressure to act fast without checking: “I'm in a meeting, just handle it now”
  • A request to keep the operation secret, without consulting colleagues
  • A switch of the usual channel: someone who always called now only writes

Types of BEC

  • CEO fraud The criminal poses as an executive and orders an urgent transfer to whoever can execute it.
  • Vendor fraud A known supplier “announces” a change of bank; the next payments go to the fraudster's account.
  • Account compromise A real employee's mailbox is hijacked and used to send requests from inside the company.
  • Payroll diversion and data theft The request is not for money but for data: changing a salary account or sending tax and HR information.

What BEC costs a business

$ 2.77B
in BEC losses in 2024, the 2nd costliest cybercrime of the year (FBI IC3 2024)
21,442
BEC complaints to the FBI in 2024 (FBI IC3 2024)
$ 8.5B
lost to BEC between 2022 and 2024 (FBI IC3)

BEC is quiet, but it is among the costliest scams there is. In the FBI's Internet Crime Report (IC3 2024), BEC drove $ 2.77 billion in losses across 21,442 complaints, making it the second costliest cybercrime of the year even without being among the most frequent. Between 2022 and 2024, BEC losses added up to nearly $ 8.5 billion. And the fraud has matured: Verizon (DBIR 2025) finds that nearly a third of social engineering incidents are now pretexting, the technique behind BEC, in which the criminal builds trust over weeks before asking for the transfer. The damage rarely stops at the amount sent: it adds the time spent with the bank, the broken trust with a supplier and the legal risk of exposed data.

How to protect against BEC

BEC deceives people, not machines, so defense combines technology with process, in the order that reduces risk the most:

  1. Out-of-email verification for paymentsEvery transfer or change of bank details confirmed through a second channel, a call to an already known number, never by replying to the email itself.
  2. A second identity checkBeyond the password, on email access: it stops a real mailbox from being hijacked and used in the scam.
  3. Managed email securityDetects look-alike domains, spoofed senders and messages that break the pattern, before they reach the inbox.
  4. Authentication of your own domainSet the controls that stop others from sending email in your company's name: a spoofing check shows whether your domain is exposed.
  5. Training and simulationThe finance team learns to distrust urgency and secrecy, BEC's two favorite triggers.
  6. A dual-approval ruleNo transfer above a threshold goes out with a single signature.

In practice

Faced with an urgent request for money by email, call to confirm. Thirty seconds on the phone are worth more than any filter.

How Zamak handles BEC

Zamak Technologies combines managed email security, a second identity check and finance-team training, so the scam does not depend on a single person getting it right. A good starting point is the email spoofing check, which shows in minutes whether a fraudster could use your domain, and the Cybersecurity front narrows the gaps BEC exploits. Monitoring leaked credentials, on the Anticipate front, helps stop the scam before it advances.

Frequently asked questions about BEC

What is the difference between BEC and phishing?
Phishing is the mass bait that steals passwords and data; BEC is targeted and uses trust to ask a specific person for money or information. BEC often begins with a phishing attack that breaks into the mailbox.
Does BEC use a virus?
Almost never. That is what makes it dangerous: there is no malicious attachment or link for an antivirus to block. The message is just a plausible request from someone who seems to have authority.
Is my company too small to be a target?
No. BEC targets any company that makes payments, and smaller ones usually have fewer process controls, which makes them easy targets.
I fell for a BEC scam, what now?
Act within minutes: contact your bank to try to stop the transfer, report it to the authorities and change the passwords of the affected email. The faster you act, the higher the chance of reversal.
Does antivirus solve it?
It helps, but it is not enough. Because BEC carries no virus, real defense combines smart email security, domain authentication and, above all, the habit of confirming payments through another channel.
What is vendor fraud?
It is the BEC variation in which the criminal poses as a known supplier and announces a change of bank. The following payments go to the fraudster's account, sometimes for months, until someone notices.

Related terms

PhishingSocial engineeringMFADark web
Threats and Attacks
RansomwarePhishingBEC (email fraud)Social engineeringDouble extortionDark webDeep web
Endpoint and Identity
MFA
Detection and Response
EDRMDRXDRMITRE ATT&CK
Network and Access
ZTNA
Continuity and Recovery
BackupImmutable backupRPO (Recovery Point Objective)RTO (Recovery Time Objective)DRaaS (Disaster Recovery as a Service)
Governance and Compliance
LGPDISO 27001SOC 2NIST CSFShadow ITCyber maturity assessment