What Is BEC (Business Email Compromise)?
The FBI's Internet Crime Complaint Center has, year after year, ranked Business Email Compromise as one of the highest-loss cybercrime categories - frequently exceeding the combined reported losses of ransomware, romance fraud and investment scams. That fact is hard to internalize because BEC doesn't make headlines the way ransomware does. There's no incident-response press release; the loss is usually a wire transfer that cleared, and the only public record is a quiet IC3 filing. But in dollars, BEC is the largest phishing-driven category in the world.
Definition
Business Email Compromise (BEC) is a class of phishing in which the attacker uses email - either by impersonating a trusted party or by taking over a legitimate internal account - to manipulate the recipient into sending money, redirecting payments, releasing sensitive data or buying gift cards. The defining property is that BEC monetizes through the recipient's authorized actions, not by deploying malware. There is often nothing technical to detect; the loss is a legitimate-looking wire that goes to the wrong account.
The term is sometimes treated as a synonym for "CEO fraud," but that's a single subtype. The FBI categorizes BEC into five recurring patterns.
The five FBI-recognized BEC patterns
- CEO/executive impersonation. An attacker poses as a senior executive and instructs a finance employee to wire money urgently. Often timed to executive travel.
- Vendor invoice fraud (VEC, Vendor Email Compromise). Attackers either spoof a vendor or take over a vendor's actual mailbox, then send messages updating banking details for upcoming invoices. The vendor's legitimate invoice arrives, the customer pays it - to the attacker's account.
- Attorney impersonation. A message appears to come from outside counsel, marked confidential and privileged, asking for an urgent wire to settle a matter or pay an obligation. Effective because legal communications are often handled hurriedly and quietly.
- Account takeover. A real internal email account is compromised (typically through credential phishing) and used from inside to send messages to colleagues. The most dangerous variant because there is no impersonation to detect - the account is actually who it claims to be.
- Data and W-2 theft. Instead of asking for money, the attacker requests bulk employee data (W-2s, payroll, personal information) for downstream identity theft and tax fraud. Common in the Q1 tax season window.
The anatomy of a typical BEC attack
Consider vendor invoice fraud, since it's the most operationally instructive variant.
- Reconnaissance. Attacker identifies the target organization's vendors via LinkedIn posts, public press releases, customer success stories and case studies.
- Initial compromise. Attacker phishes a credential at the vendor - frequently a smaller, less-defended supplier in the target's supply chain. AP-clerk-level access is enough.
- Mailbox observation. Attacker quietly reads the compromised vendor mailbox for weeks, learning the vendor's billing cadence, the customer's accounts-payable contact and the language of normal correspondence.
- Banking-change message. When the vendor is about to send a routine invoice, the attacker sends a polite update from the vendor's real mailbox: "We've recently changed banks - please use the attached new wire instructions for the upcoming invoice." The change feels routine.
- Forwarding rule. The attacker installs a hidden mailbox rule that silently files any reply mentioning banking into a folder the legitimate vendor doesn't check (often alongside a rule that forwards a copy to the attacker), so neither side sees the conversation.
- Payment. The legitimate invoice arrives. The customer pays it using the new wire details. The money is in the attacker's bank within hours.
Total elapsed time from initial credential theft to wire: weeks. Total moment-of-loss for the customer: a few minutes of normal accounts-payable work.
The AI augmentation problem
Three AI capabilities have meaningfully changed BEC since 2023:
- Fluent multilingual drafting. Generative AI produces grammatically clean, tonally appropriate messages in any business language. The "broken English" tell is gone.
- Stylistic mimicry. An attacker who has access to a few of an executive's real emails can prompt an LLM to match the cadence, signature line and idioms - which used to require talent and effort.
- Voice cloning for follow-up. When a finance employee hesitates to wire on email alone, the attacker can place a voice-cloned phone call from the executive ("yes, I'm in the meeting, please go ahead") to break the tie. See our post on vishing for the voice side.
The traditional advice - "look for spelling errors and unusual phrasing" - does not work against AI-augmented BEC. The new pattern-recognition has to be process-based, not prose-based.
Defenses that actually work
Layered, in order of impact:
- Out-of-band verification for high-impact actions. Wire transfers, vendor banking changes, payroll redirections, gift-card purchases - all should require a verification step on a different channel using a known number, not a number provided in the message. This single control blocks most BEC even when the message is convincing.
- Phishing-resistant MFA. Hardware security keys (FIDO2) on executive and finance accounts. Defeats the credential-phishing step that enables account takeover.
- Email authentication. DMARC at p=reject, DKIM aligned, SPF correct. Reduces (not eliminates) the impersonation variants.
- Mailbox-rule monitoring. Detection rules that alert when a user account creates an external forwarding rule, an unusual auto-reply rule or a rule that targets keywords like "wire" or "invoice." Catches the post-takeover attacker.
- Phishing simulation that includes BEC patterns. Run hard-difficulty templates that resemble real BEC messages - vendor banking changes, executive urgency wires, attorney pretexts. Auto-assigned remediation after a click teaches the pattern at the moment of failure. Bait & Phish ships hard-difficulty templates in the IT and Business and Banking and Finance categories specifically built for this. AI-generated phishing emails are part of our template engine.
- One-click reporting. The Outlook one-click phish-report add-in we ship with the platform turns reporting into a single button. Faster reporting equals faster security-team visibility into an active BEC campaign across other inboxes.
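The mailbox-rule monitoring control above (and the "new external forwarding rules" signal in the detection section further down) is easiest to understand as scoring logic run over rule-creation audit events. The block below is an added example written for this page, not Bait & Phish code or Microsoft's. It assumes records shaped like Exchange Online events in the Microsoft 365 unified audit log (Operation, UserId, ClientIP and Parameters as Name/Value pairs); the sample records, the ORG_DOMAINS value and the keyword list are constructed for the example.

```python
"""Score inbox-rule audit events for BEC-style behaviour.

Added example for this page, not Bait & Phish code.  The records are shaped
like Exchange Online events in the Microsoft 365 unified audit log
(Operation, UserId, ClientIP, Parameters as Name/Value pairs), but every
record below is constructed for the example, not captured from a tenant.
"""
import json
import re

# Vocabulary a BEC operator filters on once inside an AP mailbox.
FINANCE_KEYWORDS = {"wire", "invoice", "payment", "ach", "banking", "remittance"}
# Rule parameters that send mail out of the mailbox.
FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
# Folders users rarely open; intercepted replies get parked here.
HIDDEN_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history",
                  "archive", "junk email", "deleted items"}
ORG_DOMAINS = {"example-corp.test"}  # assumption: the organisation's own mail domains
ALERT_THRESHOLD = 3                  # tune against your own false-positive rate

# Constructed sample records (JSON lines).  First one is the attacker's rule.
SAMPLE_RECORDS = r'''
{"Operation": "New-InboxRule", "UserId": "ap.clerk@example-corp.test", "ClientIP": "203.0.113.7", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "SubjectOrBodyContainsWords", "Value": "wire;invoice;payment"}, {"Name": "ForwardTo", "Value": "\"\" [SMTP:ap.updates@mail-relay.test]"}, {"Name": "MoveToFolder", "Value": "\\RSS Subscriptions"}, {"Name": "MarkAsRead", "Value": "True"}]}
{"Operation": "New-InboxRule", "UserId": "ap.clerk@example-corp.test", "ClientIP": "198.51.100.4", "Parameters": [{"Name": "Name", "Value": "Newsletters"}, {"Name": "SubjectContainsWords", "Value": "digest;weekly roundup"}, {"Name": "MoveToFolder", "Value": "\\Newsletters"}]}
{"Operation": "MailItemsAccessed", "UserId": "ap.clerk@example-corp.test", "ClientIP": "198.51.100.4"}
'''


def _params(record):
    """Flatten the Name/Value parameter list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def _domain(token):
    """Pull the domain out of a recipient token such as '[SMTP:a@b.test]'."""
    m = re.search(r"@([\w.-]+)", token)
    return m.group(1).lower() if m else None


def _words(value):
    return {w.strip().lower() for w in re.split(r"[;,]", value) if w.strip()}


def score_rule(record):
    """Return (score, reasons) for one audit record; higher is more BEC-like."""
    if record.get("Operation") not in {"New-InboxRule", "Set-InboxRule"}:
        return 0, []
    p = _params(record)
    score, reasons = 0, []
    # 1. Mail leaving the tenant: forward/redirect to a non-organisation domain.
    for name in sorted(FORWARD_PARAMS & p.keys()):
        for token in re.split(r"[;,\s]+", p[name]):
            d = _domain(token)
            if d and d not in ORG_DOMAINS:
                score += 3
                reasons.append(f"{name} -> external domain {d}")
    # 2. Filters on finance vocabulary.
    words = set()
    for name in ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords"):
        if name in p:
            words |= _words(p[name])
    hits = words & FINANCE_KEYWORDS
    if hits:
        score += 2
        reasons.append("filters on finance keywords: " + ", ".join(sorted(hits)))
    # 3. Hides the matching mail from the real user.
    if p.get("DeleteMessage", "").lower() == "true":
        score += 2
        reasons.append("deletes matching mail")
    folder = p.get("MoveToFolder", "").strip('"').split("\\")[-1].lower()
    if folder in HIDDEN_FOLDERS:
        score += 2
        reasons.append(f"moves mail to rarely-read folder '{folder}'")
    if p.get("MarkAsRead", "").lower() == "true":
        score += 1
        reasons.append("marks mail as read")
    # 4. Rule named to be overlooked: blank or a single punctuation character.
    if len(p.get("Name", "").strip()) <= 1:
        score += 1
        reasons.append("rule name is blank or a single character")
    return score, reasons


def triage(jsonl):
    """Return (user, client_ip, score, reasons) for records at/above threshold."""
    alerts = []
    for line in jsonl.strip().splitlines():
        rec = json.loads(line)
        score, reasons = score_rule(rec)
        if score >= ALERT_THRESHOLD:
            alerts.append((rec["UserId"], rec.get("ClientIP"), score, reasons))
    return alerts


if __name__ == "__main__":
    for user, ip, score, reasons in triage(SAMPLE_RECORDS):
        print(f"ALERT {score:>2} {user} from {ip}: " + "; ".join(reasons))
```

In a real deployment the records would come from the unified audit log (the AuditData field of each Search-UnifiedAuditLog result is this JSON), and the ClientIP would be joined against the sign-in log to catch the atypical-location pairing the detection section describes. The threshold matters: an AP clerk who files every message containing "invoice" into a folder scores 2 and should not page anyone, while forwarding to an outside domain scores 3 on its own.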
What to do if BEC has already happened
Speed is everything. The FBI's Financial Fraud Kill Chain - the funds-recall mechanism for international wires - is most effective in the first 24 to 72 hours. Steps:
- Call your bank immediately. Request a recall and ask them to invoke the Kill Chain if international.
- File an IC3 report at ic3.gov. Include the wire details and counterparty bank information.
- Notify your cyber insurance carrier per the reporting clause in your policy. Late notice can void coverage.
- Initiate IR: rotate credentials, audit mailbox forwarding rules and OAuth grants, preserve logs.
- Communicate with the impersonated vendor or counterparty so they can defend their side.
Detection signals worth tuning your tools for
Even with good controls, BEC will reach your environment. The detection signals that materially shorten time-to-discovery:
- New external email forwarding rules. Especially rules that target keywords like "wire," "invoice," "payment," "ACH," or "banking." The single highest-yield BEC indicator across mature SOCs.
- OAuth grants to unfamiliar applications. Token-based mailbox access bypasses MFA after the initial grant; new third-party app permissions on executive or finance accounts deserve immediate review.
- Impossible-travel and atypical-location logins. Especially when paired with a session that creates an inbox rule.
- Lookalike-domain registrations targeting your brand or your top vendors. Several commercial services monitor this; even DIY monitoring of recent registrations containing your brand is a useful low-cost control.
- External replies to internal-only conversations. When an "outside" address suddenly enters a thread that should be internal, examine the headers carefully - this is the signature of a reply-chain hijack.
- Phishing reports clustered in time. Three reports in a morning of similar messages is an active campaign, not a coincidence. The faster reports reach security, the faster the campaign is contained - which is the operational case for the Bait & Phish one-click Outlook reporting add-in.
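The lookalike-domain signal above is cheap to automate for inbound mail as well as for registration monitoring. The block below is an added example written for this page (not Bait & Phish code) and goes a little beyond the bullet: it canonicalises a sender domain against homoglyphs and punycode, then flags TLD swaps, small edit-distance variants and domains that embed a protected name. The protected domains, the sample From: headers and the confusable-character tables are constructed assumptions; the public-suffix handling is deliberately simplified to "last label is the TLD".

```python
"""Flag sender domains that resemble the organisation's or its vendors'.

Added example for this page, not Bait & Phish code.  All domains and
headers below are constructed.  Simplification (assumption): the last DNS
label is treated as the TLD, so multi-label public suffixes such as
'co.uk' are not handled.
"""
import re
import unicodedata

PROTECTED_DOMAINS = {"example-corp.test", "acme-supplies.test"}  # assumption: you + top vendors

# Cyrillic/Greek letters and dotless i that render like Latin letters.
SCRIPT_CONFUSABLES = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u03bf": "o", "\u03b1": "a", "\u0131": "i",
})
# ASCII substitutions that survive a quick glance at an address.
ASCII_CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("0", "o"),
                     ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"), ("8", "b")]


def canonical(label):
    """Reduce a DNS label to roughly 'what the eye reads' for comparison."""
    if label.startswith("xn--"):                 # punycode-encoded IDN label
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            pass
    text = unicodedata.normalize("NFKD", label.lower())
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.translate(SCRIPT_CONFUSABLES)
    for src, dst in ASCII_CONFUSABLES:
        text = text.replace(src, dst)
    return text


def edit_distance(a, b):
    """Optimal string alignment distance (edits plus adjacent transpositions)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def split_domain(domain):
    parts = domain.split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (domain, "")


def assess_domain(domain):
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unrelated'."""
    domain = domain.lower().strip().rstrip(".")
    if domain in PROTECTED_DOMAINS or any(domain.endswith("." + p) for p in PROTECTED_DOMAINS):
        # A genuine but compromised vendor mailbox passes here; that case is
        # caught by out-of-band verification, not by domain analysis.
        return "trusted", "registered protected domain"
    label, tld = split_domain(domain)
    norm = canonical(label)
    for p in sorted(PROTECTED_DOMAINS):
        p_label, p_tld = split_domain(p)
        p_norm = canonical(p_label)
        if norm == p_norm:
            if tld != p_tld:
                return "lookalike", f"same name as {p} under TLD .{tld}"
            return "lookalike", f"visually identical to {p} (homoglyphs)"
        limit = 1 if len(p_norm) < 8 else 2
        if edit_distance(norm, p_norm) <= limit:
            return "lookalike", f"within edit distance {limit} of {p}"
        if p_norm.replace("-", "") in norm.replace("-", ""):
            return "lookalike", f"embeds the name of {p}"
    return "unrelated", "no resemblance to a protected domain"


def assess_sender(from_header):
    """Assess the address domain inside a From: header value."""
    m = re.search(r"@([^>\s]+)", from_header)
    return assess_domain(m.group(1)) if m else ("unrelated", "no address domain")


SAMPLE_FROM_HEADERS = [  # constructed
    "AP Team <ap@acme-supplies.test>",
    "AP Team <ap@acme-supp1ies.test>",
    "Accounts <billing@acme-supplies.co>",
    "Remittance <ar@acme-supplies-invoices.test>",
    "Support <help@unrelated-vendor.test>",
]

if __name__ == "__main__":
    for hdr in SAMPLE_FROM_HEADERS:
        verdict, reason = assess_sender(hdr)
        print(f"{verdict:<9} {hdr}: {reason}")
```

The same assess_domain function works on a feed of newly registered domains for the registration-monitoring use the bullet mentions; the edit-distance limit scales with name length because a one-character change in a short name is far likelier to be a legitimate unrelated word than in a long one.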
BEC across the supply chain
The vendor side of BEC is the part most organizations have the least control over. Your security posture can be flawless and you can still receive a legitimate-looking, legitimately sent email from your vendor's compromised mailbox asking you to update banking details. Defending against this scenario is partly process (out-of-band verification), partly contractual (vendor security expectations in the contract) and partly cultural (your AP team understanding that vendor email compromise is now common enough to be the default suspicion when banking details change).
Three vendor-side controls worth pushing on:
- Verbal verification on all banking changes. Phone the vendor. Always. At a known number, not one in the email.
- Vendor security questionnaires that ask specifically about phishing simulation and MFA. Lower-tier vendors are often the weakest link in the supply chain.
- Contractual breach-notification clauses. So a vendor mailbox compromise becomes your problem on disclosure rather than three months later when your wire goes wrong.
BEC and your insurance and compliance posture
Most cyber insurance policies have specific BEC sub-limits - sometimes substantially lower than the headline policy limit. Underwriters now ask whether you have out-of-band verification controls, whether your phishing simulation program covers executive and finance staff and whether MFA is in place on email accounts. The cyber insurer phishing questions we cover elsewhere include these directly. Strong answers reduce premiums; weak answers reduce coverage.
If your program doesn't currently include BEC-style hard-difficulty simulations and you want to test how your finance and executive teams perform against them, start a free trial with up to 25 users and run a hard-difficulty BEC campaign this month. For full deployment scoping, see pricing or contact us.
Related definitions
- What is whaling
- What is security awareness training
- What is spear phishing
- What is smishing (SMS phishing)
- What is a phishing simulation platform
- What is vishing (voice phishing)
- What is simulated phishing