A payment request arrives late on a Friday afternoon. It appears to come from a familiar vendor, references a real project, and includes an invoice that looks completely normal. The only change is a new bank account for the transfer.
Nothing about the message feels like a typical cyberattack. There is no strange attachment, obvious spelling error, or dramatic warning. The email simply fits into the normal rhythm of business.
That is what makes business email compromise so effective. It does not usually depend on sophisticated software. It depends on understanding how people communicate, who approves payments, and when employees are most likely to act without stopping to verify the request.
Business Email Compromise Is a Trust Attack
Business email compromise, often called BEC, is a form of fraud in which a criminal impersonates or takes control of a trusted email identity. The goal is usually to persuade someone to send money, change payment details, purchase gift cards, release sensitive information, or provide access to another account.
The criminal may pretend to be an executive, employee, vendor, attorney, payroll provider, or customer. Sometimes the sender address is slightly altered. In other cases, the criminal gains access to a real mailbox and sends messages from the legitimate account.
This is why BEC can be difficult to recognize. The message may appear inside an existing conversation and reference actual people, projects, invoices, or travel schedules.
The attack is designed to feel ordinary. Instead of forcing a technical system to fail, the criminal tries to become part of an accepted business process.
How a BEC Attack Develops
A successful BEC attack often begins well before the fraudulent payment request appears.
The Criminal Studies the Business
Public websites, professional profiles, social media posts, job listings, and email signatures can reveal who manages accounting, which executives travel, and what vendors the company uses.
This research helps the attacker choose a believable identity and request. A message that matches the organization’s structure and communication style has a better chance of being trusted.
An Email Identity Is Copied or Compromised
Some attackers use a lookalike domain or sender name. Others use phishing to capture an employee’s password.
Once inside a mailbox, a criminal may quietly monitor conversations, learn payment schedules, and wait for the right moment to intervene. They may also create inbox rules that hide replies or security alerts.
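The lookalike-domain path described above can be screened for before a message ever reaches a human reviewer. The following script is an added example written for this article, not code from the original, and its known-domain list, homoglyph table and sample message headers are constructed assumptions. It flags three things on an incoming message: a sender domain that imitates a domain the company already works with, a Reply-To that points somewhere other than the From domain, and a DMARC failure reported by the receiving mail server. It cannot catch the other path the section mentions, a genuinely compromised mailbox, because such messages come from the real domain and pass these checks; that case needs the verification procedures later in the article.

```python
import re
from typing import Dict, List, Optional

# Domains the organisation already does business with (constructed sample data;
# in practice this comes from the vendor master file and the internal directory).
KNOWN_DOMAINS = {"northfield-supply.com", "example-corp.com"}

# Character substitutions commonly used to imitate a domain, mapped to the
# character they imitate. Both sides are normalised before comparison.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}


def normalize(domain: str) -> str:
    d = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Edit distance; a small value against a known domain suggests a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(address: str) -> str:
    """Extract the domain from 'Name <user@domain>' or from a bare address."""
    m = re.search(r"@([\w.-]+)>?\s*$", address)
    return m.group(1).lower() if m else ""


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known domain this one imitates, or None for exact or unrelated domains."""
    if domain in KNOWN_DOMAINS:
        return None
    for known in KNOWN_DOMAINS:
        if normalize(domain) == normalize(known) or levenshtein(domain, known) <= 2:
            return known
    return None


def assess_sender(headers: Dict[str, str]) -> List[str]:
    """Return the reasons a message deserves out-of-band verification before anyone acts on it."""
    findings = []
    from_domain = domain_of(headers.get("From", ""))
    known = lookalike_of(from_domain)
    if known:
        findings.append(f"lookalike domain {from_domain} resembles {known}")
    reply_to = headers.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")
    # Authentication-Results is stamped by the receiving mail server (RFC 8601).
    if re.search(r"\bdmarc=fail\b", headers.get("Authentication-Results", "")):
        findings.append("DMARC failed for the From domain")
    return findings


# Constructed sample headers: a normal vendor message, a lookalike-domain
# message with a diverted Reply-To, and a spoofed internal message failing DMARC.
SAMPLE_MESSAGES = [
    {"From": "Northfield Supply AP <ap@northfield-supply.com>",
     "Authentication-Results": "mx.example-corp.com; spf=pass; dkim=pass; dmarc=pass"},
    {"From": "Northfield Supply AP <ap@northfie1d-supply.com>",
     "Reply-To": "billing@northfield-supply-invoices.example",
     "Authentication-Results": "mx.example-corp.com; spf=pass; dkim=none; dmarc=none"},
    {"From": "Dana Whitaker <dana.whitaker@example-corp.com>",
     "Authentication-Results": "mx.example-corp.com; spf=fail smtp.mailfrom=example-corp.com; "
                               "dkim=none; dmarc=fail header.from=example-corp.com"},
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(msg["From"], "->", assess_sender(msg) or "no findings")
```

The edit-distance threshold of 2 is deliberately loose and will occasionally flag an unrelated short domain; that is acceptable here because a finding only routes the message to the verification step, it does not block it. The homoglyph table is a starting point rather than a complete list, and Unicode confusables (Cyrillic letters that render like Latin ones) would need a separate normalisation pass.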
The Attacker Enters a Real Transaction
The most convincing BEC attacks often attach themselves to legitimate business activity.
Imagine a company that regularly pays a materials supplier. A criminal gains access to the supplier’s email account, watches an invoice discussion, and sends updated bank details just before payment is due.
The invoice is real. The project is real. The employees involved are real. Only the destination of the payment has changed.
A similar attack can target payroll. An employee appears to request a change to direct deposit information, and the next paycheck goes to an account controlled by the criminal.
Why Normal Email Security May Not Stop It
Email filters are important, but business email compromise does not always contain the warning signs those systems are designed to detect.
There may be no malicious link or infected attachment. If the attacker is using a real account, the message may pass standard sender-authentication checks because it genuinely came from a legitimate mailbox.
The request may also look reasonable in isolation. Businesses do change bank accounts, approve urgent payments, and handle confidential matters.
The warning sign is often a change in behavior or process. The amount may be unusual. The request may bypass a normal approval. A vendor may suddenly change payment instructions. An executive may ask an employee to keep a transaction private.
Technology can identify some unusual activity, but it cannot understand every business relationship. Strong protection combines technical controls with clear financial procedures.
The Most Effective Safeguards Support Better Decisions
Preventing BEC does not require employees to distrust every email. It requires consistent controls around actions that could cause financial or operational harm.
Verify Sensitive Changes Through Another Channel
Requests to change bank details, payroll information, or payment instructions should be confirmed using a known phone number or another established method.
Employees should not use the contact information included in the request. If the email is fraudulent, that information may be fraudulent too.
Separate Requests From Approvals
One person should not be able to request, approve, and complete a sensitive transaction without review. A second approval creates a useful pause and makes impersonation more difficult.
The process should apply to executives as well as employees. Criminals often rely on the assumption that a senior leader’s request will not be questioned.
Protect and Monitor Email Accounts
Multi-factor authentication can make stolen passwords less useful. Businesses should also review automatic forwarding rules, unexpected mailbox settings, and unusual sign-in activity.
Email authentication settings can reduce the chance that criminals will successfully impersonate the company’s domain. These settings help receiving systems determine whether a message was authorized by the organization it claims to represent.
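The review of forwarding rules, mailbox settings and sign-in activity recommended above, and the same review during incident response later in the article, can be partly automated over mailbox audit logs. The following script is an added example written for this article, not code from the original; the event records, field names and the sign-in baseline are constructed assumptions loosely modelled on mailbox audit exports rather than any vendor's exact schema. It raises an alert for sign-ins outside a user's usual countries, inbox rules that forward mail outside the organisation or hide finance-related messages (the "inbox rules that hide replies or security alerts" described earlier), and mailbox-level forwarding to external addresses, and it escalates any of those to high severity when they follow an anomalous sign-in by the same user within two hours.

```python
from datetime import datetime, timedelta
from typing import Dict, List

ORG_DOMAIN = "example-corp.com"  # assumption: the organisation's own mail domain
FINANCE_TERMS = {"invoice", "payment", "wire", "bank", "remittance", "password", "security alert"}
HIDING_FOLDERS = {"RSS Subscriptions", "Deleted Items", "Archive", "Junk Email", "Conversation History"}
SIGNIN_BASELINE = {"ap.clerk@example-corp.com": {"US"}}  # constructed per-user baseline
CORRELATION_WINDOW = timedelta(hours=2)

# Constructed audit events in time order: an unusual sign-in, a rule that buries
# invoice mail, mailbox-level forwarding, a benign newsletter rule, and an
# external-forwarding rule by a user with no unusual sign-in.
EVENTS: List[Dict] = [
    {"time": "2024-05-03T16:42:10+00:00", "user": "ap.clerk@example-corp.com",
     "op": "UserLoggedIn", "ip": "203.0.113.9", "country": "DE"},
    {"time": "2024-05-03T16:51:30+00:00", "user": "ap.clerk@example-corp.com",
     "op": "New-InboxRule", "params": {"Name": ".", "SubjectContainsWords": ["invoice", "payment", "wire"],
                                       "MoveToFolder": "RSS Subscriptions", "MarkAsRead": True}},
    {"time": "2024-05-03T16:53:02+00:00", "user": "ap.clerk@example-corp.com",
     "op": "Set-Mailbox", "params": {"ForwardingSmtpAddress": "smtp:ap.clerk.backup@mail-archive.example"}},
    {"time": "2024-05-06T09:05:00+00:00", "user": "j.ortiz@example-corp.com",
     "op": "New-InboxRule", "params": {"Name": "Newsletters", "FromAddressContainsWords": ["news@"],
                                       "MoveToFolder": "Newsletters"}},
    {"time": "2024-05-06T11:20:00+00:00", "user": "m.chen@example-corp.com",
     "op": "New-InboxRule", "params": {"Name": "Archive", "ForwardTo": ["m.chen.personal@webmail.example"],
                                       "DeleteMessage": True}},
]


def external(address: str) -> bool:
    """True when an address (optionally prefixed 'smtp:') is outside the organisation's domain."""
    domain = address.lower().split("@")[-1].rstrip(">")
    return not (domain == ORG_DOMAIN or domain.endswith("." + ORG_DOMAIN))


def rule_findings(params: Dict) -> List[str]:
    out = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in params.get(key, []):
            if external(addr):
                out.append(f"rule {key} sends mail to external address {addr}")
    words = {w.lower() for w in params.get("SubjectContainsWords", []) + params.get("BodyContainsWords", [])}
    hides = params.get("DeleteMessage") or params.get("MoveToFolder") in HIDING_FOLDERS
    if words & FINANCE_TERMS and hides:
        out.append(f"rule hides messages matching {sorted(words & FINANCE_TERMS)}")
    return out


def analyze(events: List[Dict]) -> List[Dict]:
    """Return alerts with severity, escalated when a change follows an unusual sign-in."""
    alerts = []
    odd_signins: Dict[str, datetime] = {}  # user -> time of last sign-in outside baseline
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        user, op = ev["user"], ev["op"]
        reasons = []
        if op == "UserLoggedIn":
            baseline = SIGNIN_BASELINE.get(user)
            if baseline and ev.get("country") not in baseline:
                odd_signins[user] = t
                reasons.append(f"sign-in from {ev['country']} ({ev['ip']}) outside baseline {sorted(baseline)}")
        elif op in ("New-InboxRule", "Set-InboxRule"):
            reasons.extend(rule_findings(ev["params"]))
        elif op == "Set-Mailbox":
            fwd = ev["params"].get("ForwardingSmtpAddress")
            if fwd and external(fwd):
                reasons.append(f"mailbox-level forwarding to external address {fwd}")
        for reason in reasons:
            recent = (op != "UserLoggedIn" and user in odd_signins
                      and t - odd_signins[user] <= CORRELATION_WINDOW)
            alerts.append({"severity": "high" if recent else "medium",
                           "time": ev["time"], "user": user, "op": op, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f"[{a['severity']}] {a['time']} {a['user']} {a['op']}: {a['reason']}")
```

The newsletter rule produces nothing, which is the point of the finance-term and hiding-folder conditions: most inbox rules are legitimate, and an alert on every new rule would be ignored within a week. The correlation window turns three medium findings into a single coherent picture of one mailbox being taken over, which is what an analyst needs when deciding whether to reset credentials and contact the bank.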
Make Reporting Simple
Employees should know exactly what to do when a request feels unusual. Reporting should be quick and free from embarrassment.
If money has already been transferred, the bank should be contacted immediately. The company should also preserve the message and review the related email accounts, inbox rules, sign-in records, and recent conversations.
The response should focus on containment and learning rather than blame. A well-designed BEC message is built to exploit normal trust.
Business Email Compromise Is Also a Process Problem
The most useful way to think about BEC is not as a suspicious email problem. It is a business process problem delivered through email.
A criminal succeeds when a trusted identity, a believable request, and a weak approval process come together. Strong email security reduces the opportunity. Clear verification and payment procedures reduce the impact.
Business leaders do not need to inspect every message personally. They do need confidence that important changes cannot be completed based on one email alone.
A practical next step is to review how your company handles changes to payment details, payroll accounts, and executive requests. The goal is not to add unnecessary friction. It is to make sure trust is supported by a process that can verify it.