What is business email compromise (BEC)?
Business email compromise (BEC) is a common type of fraud you might encounter as a business owner. In a BEC scam, criminals send email messages that appear to come from a known source in order to redirect payments or request sensitive information. These scams have resulted in significant financial losses for companies, but the risk can be reduced with proper procedures and employee training.
BEC affects organizations across industries, impacting small businesses and large corporations alike. Understanding what BEC is, how to spot it and how to report it can help organizations reduce risk and protect their assets.
What you’ll learn:
- BEC is a cybercrime in which criminals pose as trusted parties in order to obtain funds or sensitive information from businesses.
- Often carried out using spear-phishing tactics, BEC scams target specific individuals to gain their trust and trick them into sending money to a fraudulent account.
- Awareness of the signs of BEC scams and the implementation of preventive security measures can help businesses avoid financial losses.
- If you become a victim of a BEC scam, there are steps you can take to report it and potentially recover any lost funds.
What is BEC?
BEC is a type of cybercrime in which fraudsters disguise themselves as trusted entities to trick an individual or business into transferring funds or disclosing confidential information. The victim may believe they’re conducting a legitimate transaction, only to find out later that it was fraudulent, which can result in financial losses.
As BEC has become an increasingly common cybercrime, the number of complaints and associated losses has also increased. In its most recent annual report, the Internet Crime Complaint Center (IC3), managed by the Federal Bureau of Investigation, noted the following in 2024:
- 21,442 BEC complaints were received
- $2.77 billion was lost as a result of BEC
BEC vs. phishing
BEC and phishing are both forms of business fraud that involve bad actors posing as trusted entities, but they differ in approach and objective.
Phishing typically involves criminals sending seemingly legitimate messages through email, messaging apps or social media. The messages may include links or downloadable files that, if opened, can deliver malware, compromise sensitive information or put a larger network at risk.
BEC is a more targeted form of phishing attack that often involves fraudsters taking over or spoofing email accounts to impersonate key stakeholders, like executives or vendors. Those who receive communications from sources that appear to be trusted may send money or share sensitive information, thinking it’s business as usual.
Examples of BEC
Cybercriminals pursuing BEC leverage a wide range of tactics to defraud individuals and businesses. The FBI’s IC3 notes several common types of BEC scams that businesses should be particularly mindful of, including:
- CEO fraud: Attackers impersonate a CEO, CFO or other executive of a company—often by compromising or spoofing an email address—and direct an employee to transfer corporate funds to a bank account controlled by the fraudster.
- Account compromise: An employee’s email account is compromised and unknowingly used to request, initiate and/or authorize the transfer of funds to a bank account controlled by the fraudster.
- False invoice scheme: A fraudster purports to be a current supplier by compromising the supplier’s email account or sending a spoofed email on the supplier’s behalf, requesting that payment be made to a fraudulent account.
- Attorney impersonation: A fraudster claims to be an attorney and issues a fraudulent request warning of the consequences of noncompliance, including the prospect of litigation. This scheme often targets lower-level employees who may not recognize this as an unusual request.
- W-2 form and other data theft: A fraudster targets a company’s HR department to obtain employees’ W-2 tax forms or other personally identifiable information, which can then be leveraged in a future attack. Executives are frequently targeted in this type of scheme.
Although these are commonly used schemes, fraudsters capitalize on all kinds of opportunities, and BEC tactics continue to evolve.
How do BEC scams work?
BEC scams typically unfold through a series of coordinated actions designed to build trust and redirect funds. Although schemes can vary based on the fraudster and the target, BEC scams often involve four steps.
- Identifying the target: The fraudster determines which company to target. Once a company has been identified, the fraudster will determine which employees to impersonate or which email accounts to compromise, as well as who has the authority to issue a wire transfer.
- “Grooming”: The fraudster attempts to become known and trusted by the prospective victim as part of setting up the scam. In some cases, fraudsters compromise a trusted vendor’s email account to take advantage of an existing relationship. Grooming can span several weeks in some scenarios.
- Exchanging information/instructions: After the fraudster has taken control of a compromised account or established themselves as a trusted source, the victim will typically receive payment instructions directing funds to a bank account owned by the fraudster.
- Initiating payment: Not realizing the request is fraudulent, the victim may initiate a payment to the fraudster’s bank account. Oftentimes, the fraudster quickly transfers the funds to other accounts—sometimes foreign accounts—before the fraud is detected, making recovery more difficult.
How can you help prevent a BEC attack?
You can help prevent losses from a BEC scam by becoming familiar with common tactics and taking appropriate precautions. While nothing can guarantee that you or your company won’t be targeted, these steps can reduce the likelihood of financial loss.
Common BEC tactics
BEC scams often rely on social engineering tactics designed to create urgency, establish trust or pressure recipients to act quickly. Recognizing these signs before losses occur can be as simple as knowing what to look for.
According to the FBI, some common tactics include:
- Unexplained urgency
- Last-minute changes in payment instructions or recipient account information
- Last-minute changes in established communication platforms or email addresses
- Refusal to communicate outside of email (e.g., via telephone or video platforms)
- Requests for advance payment for services when not previously required
- Requests from employees to change direct deposit information
- Requests for gift cards instead of traditional payment
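Several of the warning signs above can be checked automatically when a message arrives. The following Python code is an added example, not part of the original article or of any FBI or Capital One tooling; the sample message, the KNOWN_DOMAINS allow-list, the phrase patterns and the edit-distance threshold of 2 are all assumptions chosen for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not real traffic); all domains are placeholders.
SAMPLE = """\
From: "Acme Supplies Billing" <billing@acme-suppl1es.example>
Reply-To: accounts@freemail.example
To: ap@yourco.example
Subject: URGENT: updated bank details for invoice 1042

Please use our new account for today's wire transfer. I am in meetings
and cannot take calls, so reply by email only. This must go out immediately.
"""

KNOWN_DOMAINS = {"acme-supplies.example", "yourco.example"}  # assumed allow-list
# Assumed phrase patterns, keyed by the tactic they correspond to in the list above.
TACTIC_PATTERNS = {
    "unexplained urgency": r"\b(urgent|immediately|asap|right away)\b",
    "payment instruction change": r"\b(new|updated|changed?)\b.{0,40}\b(bank|account|wire|routing)\b",
    "email-only contact": r"\b(cannot|can't|unable to)\b.{0,20}\b(call|calls|phone)\b|\bemail only\b",
    "direct deposit change": r"\bdirect deposit\b",
    "gift card request": r"\bgift cards?\b",
}

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss (lookalike) domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def triage(raw):
    msg = message_from_string(raw)
    sender, reply = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    flags = []
    if reply and reply != sender:
        flags.append("reply-to domain differs from sender")
    if sender not in KNOWN_DOMAINS and any(0 < edit_distance(sender, d) <= 2 for d in KNOWN_DOMAINS):
        flags.append("lookalike of known domain")
    text = f"{msg['Subject']} {msg.get_payload()}".lower()
    flags += [name for name, pat in TACTIC_PATTERNS.items() if re.search(pat, text, re.S)]
    return flags
```

A flagged message is a candidate for callback verification through a known phone number before any payment is released; an empty result does not mean the message is legitimate, since a compromised genuine account passes the domain checks.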
BEC precautions
In addition to recognizing warning signs, organizations can incorporate security measures into their standard practices to help reduce the risk of a BEC incident, including:
- Invest in email security: Cybersecurity tools that use advanced email filtering to identify suspicious messages and help prevent data breaches are one way to limit contact between fraudsters and potential victims.
- Standardize payment procedures: To reduce the risk of fraud, you can implement dual approval requirements, limit who has authority to send money, use callback verification procedures for monetary transactions and execute all payments through a secure process.
- Educate employees on cybersecurity: Ensure employees know how to spot potential fraud and verify they’re communicating with a trusted source before sharing confidential information or initiating payments.
Reporting BEC
If you become aware of a BEC scam, whether successful or not, the FBI recommends taking the following actions:
- Contact your financial institution immediately to determine where the funds were transferred and whether a recall is possible.
- File a complaint with the IC3.
In the event that you or your company falls victim to a BEC scam, time is one of the most important factors in loss prevention and, if necessary, the recovery of funds. Acting immediately may help reduce potential losses.
Capital One business customers can contact their relationship manager, submit a Suspicious Communications Form and report the incident to abuse@capitalone.com for further investigation.
Key takeaways
As fraud tactics continue to evolve, criminals may use new and sometimes complex approaches to target individuals and companies. By becoming familiar with BEC scams, you can be better equipped to identify and report potential scams before they impact you or your company. Increased awareness and education are critical to helping prevent the loss of sensitive information and funds.