Unfortunately, this is exactly how business email compromise (BEC) works. It’s a sophisticated scam where an attacker’s goal isn’t just to steal data—it’s to trick well-meaning people into making fraudulent wire transfers or purchases. According to a PSA from the FBI’s Internet Crime Complaint Center (IC3), BEC has become a global, multibillion-dollar problem. Complaints reported to the IC3 and law enforcement between October 2013 and December 2023 show the massive scale of the threat, with global exposed losses reaching almost $55.5 billion.

How business email compromise works

BEC attacks are a calculated, patient process where scammers act more like con artists than actual hackers. Simply put, they don’t need to break into your servers if they can convince you to open the door.

To better understand how they operate, let’s break down the four typical stages of an attack:

  1. Target identification. First, BEC attackers compile a list of email addresses at their target company. They look for employees who handle money or sensitive data, such as finance teams, HR managers, and executive assistants. By scouring LinkedIn, company websites, and social media, they map out the organization’s hierarchy to see who reports to whom and which vendors the company works with.

  2. Grooming. Once a target is chosen, the grooming begins. This is where social engineering techniques come into play. BEC scams use various impersonation techniques, such as domain spoofing and lookalike domains, to make it appear as if emails are coming from the CEO or a trusted partner. BEC scammers might start a casual conversation to build trust, or wait for a time when the target is likely to be busy.

  3. Exchange. The attacker sends a request that requires urgent action. This could be an “overdue” payment to a long-term supplier or a confidential request from an executive for a project that “can’t wait”; the pretext varies, but it is always something urgent. Because the attacker has spent time mimicking the brand’s internal communication style, the request feels authentic and creates a sense of pressure that discourages the victim from double-checking the details.

  4. Execution. The final step is the payoff. The victim, believing they are helping their boss or settling a legitimate bill, follows the instructions to wire funds or share sensitive employee data. The money is usually sent to an account controlled by the criminal, and from there, it’s quickly moved through a series of international banks, making it nearly impossible to claw back.

Common types of BEC attacks

While anyone can receive a suspicious email, scammers usually target specific roles they can either impersonate or exploit to reach their goals. Finance teams and accounts payable staff are often targeted because they manage banking details and payments, while HR professionals are sought after for sensitive employee records and tax statements. Attackers also look for IT administrators to gain deeper system access, or new employees who might feel pressured to quickly fulfill a request from a senior leader.

Executives like CEOs and CFOs are especially high-value for BEC attackers. Because their requests carry natural weight and urgency—and because their professional details are often publicly available—attackers find it easy to mimic their tone. By understanding which roles are being mimicked or messaged, your team can better recognize the specific BEC scams used to exploit that professional trust:

  • CEO fraud. In this scenario, the attacker poses as a high-level executive like a CEO or CFO. The attacker typically sends an urgent and confidential email to an employee in the finance department, requesting a wire transfer to a specific account. The tone is often authoritative to discourage the employee from questioning the request.

  • Invoice scams. BEC scammers often target the accounts payable department by mimicking a trusted partner. In a typical fake invoice scam, the attacker poses as a vendor and requests payment for a legitimate service. They might send an email claiming that the vendor’s banking information has changed or provide “updated” wire instructions for future vendor invoices. Because a business relationship already exists, these requests often slip through without extra verification, proving that hackers don’t always need to break into your systems—they just need to exploit your trust.

  • Attorney impersonation. This is a particularly high-pressure tactic. BEC scammers pose as lawyers or representatives from law firms handling sensitive and time-sensitive legal matters. They use the perceived authority of the law and the threat of serious consequences to pressure employees into transferring funds or divulging confidential information.

  • Payroll diversion. This scam usually targets HR or payroll departments. The BEC attackers pose as legitimate employees in emails and ask to update their direct deposit information for their next paycheck.

  • Data theft. Not every business email compromise attack is a direct grab for cash. Sometimes, the goal is to steal employee data, tax forms (like W-2s), or protected health information (PHI). This data is then sold on the dark web or used to fuel even more sophisticated social engineering techniques later on.

Why does BEC bypass traditional security?

It’s a fair question, especially if you already have advanced antivirus software and secure email gateways in place. So how do these emails still land in employees’ inboxes? Unfortunately, the answer is simple yet frustrating: traditional email security tools are designed to look for technical indicators of danger—things like malicious code, infected attachments, or suspicious phishing links.

BEC scammers avoid these triggers by staying away from payloads or malware that would trip a scan. Instead, they target employees individually with plain-text messages that standard antivirus software treats as harmless. Because the message looks like a normal conversation—perhaps a boss asking for a quick update or a vendor sending an invoice—it slips right past the filters, which assume everything is business as usual.

This effectiveness stems from a deep understanding of human psychology rather than technical flaws. After all, people are trusting, and many companies follow predictable processes. BEC attacks bypass security by exploiting that trust: domain spoofing makes the sender look like a colleague you already know. Unlike mass phishing campaigns that trigger spam alarms, business email compromise is extremely low volume and highly targeted. An attacker might send only one or two emails to a single person, making them invisible to filters that look for suspicious volume. Furthermore, scammers can use compromised internal accounts. To your email security system, such an email appears to come from a trusted source, so it gets a green light.
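Because these messages carry no payload, the few signals left to a defender are the ones discussed above: a lookalike or spoofed sender domain, an executive’s display name used from the wrong domain, a redirected Reply-To, and pressure language about payments. The following triage rule is an added example, not code from the original post or from NordPass; the trusted domains, executive names and sample messages are constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from email.utils import parseaddr

# Constructed allowlists for this example; a real deployment would load them
# from vendor master data and the corporate directory.
TRUSTED_DOMAINS = {"example.com", "acme-supplies.com"}
EXECUTIVES = {"jane doe": "example.com"}          # display name -> home domain
PRESSURE = re.compile(
    r"\b(urgent(ly)?|asap|immediately|wire|confidential|bank details|direct deposit)\b",
    re.IGNORECASE,
)

def domain_of(address):
    """Bare, lower-cased domain part of an address header; '' if malformed."""
    _, addr = parseaddr(address)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def lookalike_of(domain, trusted=TRUSTED_DOMAINS, threshold=0.85):
    """Return the trusted domain this one resembles (but is not), else None."""
    if not domain or domain in trusted:
        return None
    best = max(trusted, key=lambda t: SequenceMatcher(None, domain, t).ratio())
    return best if SequenceMatcher(None, domain, best).ratio() >= threshold else None

def score_message(msg):
    """Score a message dict with 'from', 'reply_to' and 'body' keys.

    Each independent signal adds one point; a score of 2 or more is worth
    routing to a human for out-of-band verification before any payment change.
    """
    reasons = []
    display, _ = parseaddr(msg.get("from", ""))
    from_dom = domain_of(msg.get("from", ""))
    reply_dom = domain_of(msg.get("reply_to", ""))

    home = EXECUTIVES.get(display.strip().lower())
    if home and from_dom != home:                  # CEO-fraud style name reuse
        reasons.append(f"display name '{display}' used from {from_dom}, not {home}")
    mimicked = lookalike_of(from_dom)
    if mimicked:                                   # lookalike / spoofed vendor domain
        reasons.append(f"sender domain {from_dom} resembles trusted {mimicked}")
    if reply_dom and reply_dom != from_dom:        # replies silently redirected
        reasons.append(f"Reply-To domain {reply_dom} differs from From {from_dom}")
    hits = sorted({m.group(0).lower() for m in PRESSURE.finditer(msg.get("body", ""))})
    if hits:                                       # urgency / payment-change language
        reasons.append("pressure language: " + ", ".join(hits))
    return len(reasons), reasons
```

The score is deliberately coarse: it is meant to route a message to a person who then verifies by phone, not to block it, since a single compromised internal account would pass every header check.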

How to build a strong BEC defense using NordPass

When it comes to business email compromise, technology shouldn’t just be a shield; it should be a partner that makes security second nature for your team. A great place to start is by getting a business password manager. Once your employees store and manage their passwords from a single point, enable the built-in NordPass Authenticator so your team can generate and autofill two-factor codes directly within the app. Since many business email compromise attacks rely on account takeover, this secondary verification means that even if a scammer obtains a password, they still can’t access the account to send that urgent email.

Additionally, you can use NordPass’ Email Masking for third-party sign-ups. This minimizes your actual email exposure and helps prevent your primary address from being discovered and targeted in future BEC scams. Beyond proactive prevention, you also need to stay alert to existing risks: the NordPass Data Breach Scanner lets you identify data breaches and stay ahead with real-time alerts.

Of course, technology works best when paired with employee awareness. For example, establish a policy that prohibits authorizing wire transfers or sharing sensitive data based on email alone. Always verify the request via a secondary channel, like a quick phone call to a number you already have on file or a face-to-face chat. It’s a simple human check that can stop a sophisticated scam in its tracks.