Business email compromise, or BEC, is a payment fraud in which criminals impersonate an executive, supplier, employee, or customer or compromise a real mailbox. The goal is usually to change bank details, rush a transfer, obtain payroll data, or redirect a closing payment. The safest control is independent verification: call a known number, use a second channel, require dual approval for changes, and treat urgency as a reason to slow down rather than a reason to bypass procedure.
What to remember
- A display name and familiar signature do not prove that the sender or account is genuine.
- Payment-detail changes need verification through a previously known channel.
- Multi-factor authentication, mailbox rules, and sign-in alerts reduce compromise risk but do not replace process controls.
- If money moved, contact the bank immediately and ask for a recall or freeze while preserving the full email thread.
- BEC affects small organizations, households, schools, and large companies alike.
What business email compromise looks like
BEC is social engineering built around a payment or data workflow. A criminal may send from a lookalike domain, take over a real account, insert a new reply into an existing thread, or impersonate a senior person through a fresh address. The request may involve a supplier invoice, payroll account, real-estate closing, tax payment, gift cards, or confidential employee records.
The message often arrives when the recipient is busy or when a legitimate transaction is already expected. That is why grammar alone is a poor defense. The fraud borrows real names, real invoices, real amounts, and real relationships. The suspicious detail may be only the account number, a request for secrecy, or a change in timing.
How criminals make a request look normal
Attackers study public websites, social posts, company signatures, out-of-office messages, and prior correspondence. A lookalike domain may differ by one character or use a different top-level domain. A compromised mailbox is more dangerous because replies and attachments may be genuine, with the payment instruction inserted later.
Do not treat a familiar thread as a trusted channel after a financial change. Start a new conversation or call a number from an old contract, vendor record, or official directory. Avoid using the phone number or link in the suspicious message. Verification must be independent of the message that created the risk.
Controls that interrupt the payment
Organizations can require two people to approve new beneficiaries, account-number changes, payroll edits, and urgent wire requests. The second approver should review the original contract or invoice rather than merely forwarding the same email. A short callback protocol is more useful than a policy nobody follows under pressure.
Technical controls include phishing-resistant multi-factor authentication where available, secure password management, alerts for new mailbox rules, restricted forwarding, domain protection, and regular review of administrator sessions. These measures reduce opportunity, but a compromised supplier can still send an authentic-looking request. Process and technology must reinforce each other.
How to review a suspicious message
Preserve the original message with headers if your mail system permits it. Record the sender address, reply-to address, received path, attachments, links, payment instructions, and any changes from previous invoices. Do not forward a malicious attachment widely. Ask the organization’s security or IT contact to capture the technical details.
Compare the request with independent records: contract terms, prior bank details, purchase orders, known contacts, and delivery information. A legitimate change can happen, but it should survive a normal verification process. If a sender resists a callback or demands secrecy, that behavior is itself meaningful evidence.
What to do after a transfer or data disclosure
Contact the sending bank immediately and request a recall, freeze, or Financial Fraud Kill Chain action where applicable. Contact the receiving institution through law-enforcement or bank channels, not the criminal’s instructions. Notify the real supplier or employee, secure compromised accounts, and preserve evidence before cleaning the mailbox.
If payroll, tax, identity, or customer data was exposed, activate the organization’s incident-response and privacy-notification process. Report cyber-enabled fraud to the appropriate authority, including IC3 in the United States. Be careful with follow-up calls: criminals may impersonate the bank, police, or a recovery team after learning that money moved.
The human lesson: urgency is a control failure signal
A respectful verification question is not disloyalty to a manager or an insult to a supplier. It is a normal safety control. Leaders can make it easier by publicly supporting callbacks and dual approval, including when the request appears to come from the leader themselves.
After an incident, avoid blaming the employee who clicked or paid. Review why the request looked plausible, which control was unavailable, and how the organization can make the safe action faster. A learning culture produces better reporting and fewer repeat losses than secrecy and punishment.
Questions people ask
Can a BEC email come from a real account?
Yes. An account may be compromised, or a genuine thread may be hijacked. Verify payment changes independently even when the address and history appear correct.
Should we rely on spelling mistakes to detect BEC?
No. Modern messages can be polished, copied from real correspondence, or sent from a compromised mailbox. Process verification is stronger than style analysis.
What is the fastest action after a wire fraud?
Call the bank immediately, state that it is suspected fraud, request a recall or freeze, and provide the transaction details. Then preserve the messages and report the incident.
Does MFA prevent BEC?
MFA reduces account takeover risk, especially when phishing-resistant methods are used, but it cannot stop every impersonation or authorized payment scam.
Research note: TruthTube prioritizes government publications, primary records, scientific standards, and official reporting channels. This article is educational and does not replace legal, financial, medical, or psychological advice.
This article was researched using official records, regulator notices, court documents, law-enforcement releases, provider documentation and reputable reporting. Material claims were checked against the cited sources.
AI tools may have assisted with research organization, language refinement, transcription or illustration, but factual claims were reviewed by Lavi, Founder & Editorial Lead.
Published July 13, 2026. This page is scheduled for review when official guidance, reporting channels, scientific standards, or relevant laws change.

