Business Email Compromise
by Jon Lober | NOC Technology
The Phishing Scam That Costs Millions
The email looks like it's from your CEO: "I need you to wire $38,000 to this vendor immediately. I'm in a meeting, can't talk, just handle it." Your controller complies. The money vanishes. This is Business Email Compromise, and it cost American businesses $2.74 billion in 2025 alone.
Unlike the obvious phishing emails that promise Nigerian fortunes or claim your password expired, BEC attacks are surgical. They target specific people in your organization who have the authority to move money. They exploit trust, urgency, and routine business processes. And they work because they look exactly like legitimate business communication.
For CFOs, controllers, and business owners in the Greater St. Louis area, understanding BEC is not optional. It is a core financial risk that belongs on the same list as insurance, fraud controls, and cash flow management.
What Is Business Email Compromise?
Business Email Compromise is a type of fraud where criminals impersonate executives, vendors, or business partners to trick employees into wiring money or revealing sensitive information. The FBI classifies it separately from general phishing because of its targeted nature and the scale of losses involved.
Regular phishing casts a wide net. Attackers send millions of emails hoping someone clicks a malicious link. The goal is usually credential theft or malware distribution. BEC is different. Attackers research your company specifically. They learn who handles payments, who reports to whom, and what vendors you work with. Then they craft a single, highly convincing message designed to extract a large payment.
The reason BEC works so well comes down to psychology. These emails exploit the same dynamics that make businesses run smoothly: trust in leadership, responsiveness to urgent requests, and established payment processes. When your CEO asks for something urgently, most employees comply without extensive verification. Attackers know this, and they weaponize it.
BEC is particularly dangerous because it often involves no malware and no malicious links. Email security filters are looking for attachments with viruses or URLs leading to phishing sites. A plain-text email that says "please wire $50,000 to this account" sails right through traditional filters because there is nothing technically malicious about it. The attack is entirely social.
The Anatomy of a BEC Attack
Understanding how these attacks unfold helps explain why they succeed and what controls can stop them. Most BEC attacks follow a predictable pattern across four phases.
The first phase is reconnaissance. Attackers gather information about your organization from public sources. LinkedIn provides org charts and job titles. Company websites list executives. Press releases announce partnerships and major deals. Court filings, regulatory records, and social media fill in the gaps. In some cases, attackers compromise a low-level email account first just to observe internal communication patterns, learning who approves payments, what the normal request language looks like, and which vendors receive regular payments.
The second phase is spoofing or compromise. Attackers either spoof an executive's email address (making emails appear to come from ceo@yourcompany.com when they actually originate elsewhere) or they compromise the executive's actual email account through credential phishing. Account compromise is more dangerous because replies go to the executive's real mailbox, which the attacker now controls, and the emails pass all authentication checks.
The third phase is the ask. The attacker sends a request that fits normal business patterns. It might be a wire transfer for an "acquisition that must stay confidential," a change in payment details for an existing vendor, or a request for employee W-2 information. The ask always has urgency built in, discouraging the recipient from asking too many questions.
The fourth phase is the transfer. If the employee complies, the money moves to an attacker-controlled account. From there, it typically gets transferred through multiple accounts and often across international borders within hours. By the time anyone realizes what happened, recovery is extremely difficult.
Common BEC Scenarios
CEO fraud is the most recognized BEC variant. An attacker impersonates the CEO or another C-suite executive and requests an urgent wire transfer. These attacks typically target controllers, CFOs, or accounts payable staff. The emails often mention confidentiality ("Don't discuss this with anyone yet, it's a sensitive acquisition") to discourage verification.
Vendor invoice scams compromise or spoof a vendor's email and send updated payment instructions. Because your accounts payable team already expects invoices from this vendor, the request seems routine. The only change is the bank account number, which now routes to the attacker. These attacks are particularly effective because they hijack existing business relationships and trusted payment processes.
W-2 phishing targets HR departments during tax season. Attackers impersonate executives requesting employee W-2 forms or personal information, supposedly for tax purposes or a payroll audit. The data enables identity theft at scale, affecting every employee whose information gets disclosed.
Real estate wire fraud targets the real estate industry specifically. Attackers monitor email accounts of real estate agents, title companies, or attorneys. When a closing approaches, they send fraudulent wire instructions to the buyer. Because real estate transactions involve large sums and tight deadlines, victims often wire hundreds of thousands of dollars before anyone catches the fraud.
Missouri businesses face all of these variants. We have seen St. Louis manufacturing companies targeted with vendor invoice scams, professional services firms hit with CEO fraud, and title companies across the region dealing with wire fraud attempts.
Financial Controls That Stop BEC
Technical defenses matter, but financial controls are your most reliable protection against BEC. Even if a fraudulent email reaches someone's inbox, strong payment processes prevent the wire from going out.
Dual authorization for wire transfers is the single most effective control. Require two people to approve any wire transfer above a threshold amount. The two approvers should not be the same people every time, and the second approver should be someone who can independently verify the legitimacy of the request. This simple control stops most BEC attacks because it forces a second set of eyes on every significant payment.
Callback verification requires anyone processing a wire transfer request to call the requester using a known phone number (not a number provided in the email) to confirm the request is legitimate. If your CEO emails asking for a $50,000 wire, your controller calls the CEO's known cell phone to verify. This takes 60 seconds and stops nearly every CEO fraud attempt.
Payment process changes should require formal documentation. If a vendor sends new bank account information, that change should trigger a verification process that includes calling the vendor at a known number. Never update payment details based solely on an email, even if it appears to come from a trusted contact.
These controls cost nothing to implement. They require only policy changes and staff training. Yet they provide more protection than any technology investment because they address the human element that BEC exploits.
Technical Defenses Against BEC
While financial controls are primary, technical defenses add valuable layers of protection that reduce the likelihood of fraudulent emails reaching your team in the first place.
Email authentication protocols (SPF, DKIM, and DMARC) verify that incoming emails actually originate from the domains they claim to be from. When properly configured, these protocols cause spoofed emails to fail authentication and get quarantined or rejected. Unfortunately, many organizations either have not implemented these protocols or have configured them incorrectly. We have helped St. Louis businesses implement the email security controls that catch these attacks before the wire goes out.
Impersonation protection can detect when incoming emails use display names that match your executives but originate from external addresses. These features flag or quarantine emails where someone outside your organization is pretending to be your CEO.
AI-powered email security tools analyze communication patterns and flag anomalies. If your CEO has never before emailed the accounts payable clerk directly, and suddenly sends an urgent wire request, AI tools can detect that unusual pattern and flag the message for review.
External email warnings add a banner to all emails originating outside your organization. This simple visual cue reminds employees that a message claiming to be from the CEO actually came from an external address, prompting additional scrutiny.
None of these technical controls is foolproof. An attacker who compromises an actual executive's email account will bypass most of them. That is why financial controls remain essential even with robust technical defenses in place.
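To show how the three gateway checks above (DMARC verdict on the internal domain, executive display-name impersonation, and the external-sender flag that drives the warning banner) fit together, here is an added example, not code from NOC Technology or from any email security product. It assumes an internal domain of example.com, a one-entry executive roster, and two constructed sample messages; note that a message sent from a genuinely compromised executive mailbox would pass all three checks, which is the caveat in the paragraph above.

```python
import re
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                       # assumed internal domain
# Assumed executive roster: normalized display name -> legitimate address.
EXECUTIVES = {"jane doe": "jane.doe@example.com"}

def auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            verdicts[method.lower()] = result.lower()
    return verdicts

def analyze(raw_message):
    """Return gateway findings for one inbound message (empty list = clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if domain != INTERNAL_DOMAIN:
        findings.append("external-sender")             # drives the warning banner
    key = " ".join(name.split()).lower()
    if key in EXECUTIVES and addr.lower() != EXECUTIVES[key]:
        findings.append("executive-display-name-impersonation")
    if domain == INTERNAL_DOMAIN and auth_results(msg).get("dmarc") != "pass":
        findings.append("internal-domain-dmarc-fail")  # spoofed internal From:
    return findings

# Constructed sample: CEO's display name on a lookalike external mailbox.
SAMPLE_IMPERSONATION = """\
From: Jane Doe <jane.doe.ceo@webmail.invalid>
Subject: Urgent wire
Authentication-Results: mx.example.com; spf=pass; dkim=pass; dmarc=pass

I need you to wire $38,000 to this vendor immediately. In a meeting, can't talk.
"""
# Constructed sample: internal address spoofed outright; DMARC fails.
SAMPLE_SPOOF = """\
From: Jane Doe <jane.doe@example.com>
Subject: Vendor payment change
Authentication-Results: mx.example.com; spf=fail; dkim=none; dmarc=fail header.from=example.com

Please update the vendor's bank details before 5pm.
"""
```

Calling analyze(SAMPLE_IMPERSONATION) returns the external-sender and impersonation findings, while analyze(SAMPLE_SPOOF) returns only the DMARC failure on the internal domain.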
The Business Case for BEC Prevention
The numbers make the business case clear. The FBI's Internet Crime Complaint Center reported $2.9 billion in BEC losses in 2023. The average loss per incident exceeds $125,000. Recovery rates are low because wire transfers move quickly and cross jurisdictional boundaries.
Cyber insurance provides some protection, but policies increasingly require documented security controls to pay claims. If your policy requires dual authorization for wire transfers and you did not have it in place, the claim may be denied. Insurance is not a substitute for prevention.
The ROI calculation for BEC prevention is straightforward. The cost of implementing dual authorization, callback verification, and email authentication is minimal, mostly staff training and configuration work. The potential loss from a single successful attack runs into six figures. For any business that processes wire transfers, BEC prevention is one of the highest-return risk mitigation investments available.
Missouri businesses of all sizes face this threat. Whether you are a 20-person professional services firm or a 200-person manufacturer, if you wire money, you are a target. The attackers do not care about your industry or location. They care that you have the authority and the processes to move money.
The path forward involves both policy and technology: financial controls that create verification requirements, technical defenses that reduce the volume of fraudulent emails reaching your team, and ongoing training that keeps employees alert to the threat. None of these elements alone is sufficient, but together they make BEC attacks dramatically less likely to succeed.
Curious what gaps exist in your current email security setup? Our pricing page shows exactly what's included in our managed security services, or reach out to discuss BEC prevention specifically.