Threat Intelligence · 6 min read · April 8, 2026

Business Email Compromise (BEC): What It Is and How to Stop It in 2026

Business Email Compromise cost organizations $2.9B in 2023. Learn the 5 most common BEC attack patterns, why standard spam filters miss them, and how behavioral detection stops targeted wire fraud.

Business Email Compromise is the most financially damaging form of cybercrime targeting organizations today. According to the FBI's 2023 Internet Crime Report, BEC attacks accounted for $2.9 billion in losses — more than any other category of cybercrime. Unlike ransomware or data breaches, BEC requires no malware, no malicious links, and no technical exploits. It relies entirely on trust and social engineering. This guide explains how BEC works, why it bypasses standard defenses, and what you can do to stop it.

Threat fact

The average BEC wire transfer loss is $137,000. The majority of victims are small and mid-size businesses, not large enterprises. No organization that sends wire transfers or shares vendor banking details by email is immune.

What Is Business Email Compromise?

Business Email Compromise is a category of targeted email fraud in which an attacker impersonates a trusted executive, vendor, attorney, or colleague to trick an employee into wiring money or surrendering credentials. There is no malware. No suspicious attachment. No link to a fake login page. Just an email that appears to come from someone the recipient already trusts — and a request that feels urgent enough to act on without verification.

Because BEC attacks do not rely on technical payloads, they bypass the tools that most organizations depend on: antivirus, endpoint detection, URL scanners, and standard spam filters. The attack surface is entirely human.

The 5 Most Common BEC Attack Patterns

01. CEO Fraud (Wire Transfer Request)

An attacker spoofs or compromises the CEO's email address and sends the CFO or an accounts payable employee a direct request to wire funds to a new account — typically framed as a confidential acquisition or time-sensitive vendor payment. The email instructs the recipient not to call and to process quickly.

02. Vendor Impersonation (Change Bank Details)

The attacker impersonates a known vendor and sends a legitimate-looking email requesting a change to their banking details before the next invoice payment. The email appears in the same thread as prior legitimate correspondence. By the time the fraud is discovered, the payment has cleared to an account the attacker controls.

03. Payroll Redirect

An attacker impersonates an employee, often a recently onboarded one with fewer internal relationships, and emails HR or payroll requesting a change to their direct deposit details. The real employee does not notice that the paycheck was diverted until it fails to arrive.

04. Lawyer Impersonation (Legal Urgency)

An attacker poses as the company's outside counsel and claims a pending litigation, merger, or regulatory matter requires an immediate confidential wire transfer. The manufactured legal urgency is designed to short-circuit the recipient's standard verification habits.

05. Account Compromise (Legitimate Account Hijacked)

The most dangerous variant. The attacker gains access to a real email account — often through a prior phishing attack — and then uses that account's actual history, contacts, and writing style to conduct BEC fraud. Every security signal looks legitimate because the email is legitimate. Only behavioral anomaly detection can catch this.

Why BEC Bypasses Standard Spam Filters

Standard spam filters are designed around technical threat signals: malicious URLs, suspicious attachments, known bad sending IPs, and domain reputation scores. BEC attacks are engineered to produce none of these signals.

  • No malicious links — the email body is plain text with a request
  • No attachments — nothing to scan, nothing to detonate in a sandbox
  • Passes SPF, DKIM, and DMARC when the attacker sends from a lookalike domain they control (amaz0n.com) or from a compromised legitimate account: those checks authenticate the sending domain, not the person behind the message
  • Sent from legitimate email services — Gmail, Outlook, and Office 365 are commonly used
  • Targets specific individuals — no mass-send volume signal for filters to detect
  • Relies on urgency and authority rather than any technical exploit

Key insight

When a BEC attacker uses a compromised legitimate account, even authenticated email headers look clean. The only detectable signal is behavioral anomaly — the account is suddenly requesting wire transfers when it never has before. This is why human review checkpoints and behavioral baselines are essential.

How Glance Detects BEC

Glance uses a multi-signal approach specifically designed to catch the patterns that traditional spam filters miss:

Behavioral baseline

Glance builds a communication baseline per sender. A known contact who has never requested wire transfers and suddenly does — even from an authenticated account — triggers an anomaly flag and gatekeeper review.

Circle of Trust gatekeeper review

High-value requests from unusual patterns are held for a designated gatekeeper to approve before the recipient acts. This creates a human checkpoint that no amount of social engineering can bypass without involving a second person.

Homoglyph detection

Glance flags lookalike domains at the character level. amaz0n.com, paypa1.com, and rn.icrosoft.com are caught immediately — before the email reaches the recipient.

Reply-to header anomalies

A common BEC tactic is to spoof the display name while routing replies to an attacker-controlled address. Glance detects reply-to header mismatches against the sending domain as a high-confidence signal.

Domain age checks on vendor domains

Newly registered vendor domains — a hallmark of fresh BEC infrastructure — are flagged automatically. A vendor you have paid for three years does not email you from a domain registered last Tuesday.
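The four signals described above (reply-to mismatch, homoglyph lookalike domains, newly registered vendor domains, and a per-sender behavioral baseline) can be combined into one defender-side triage check. The following is an added illustration, not Glance's code: the trusted-domain list, the registration dates standing in for a WHOIS lookup, the sender history and the sample messages are all constructed, and the 90-day age threshold and the "hold for gatekeeper" policy are assumptions chosen for the example.

```python
"""Defender-side BEC signal checks: reply-to mismatch, homoglyph lookalike
domains, newly registered domains and a per-sender behavioral baseline.
Added illustration with constructed data; not Glance's own code."""
from datetime import date
from email.utils import parseaddr
from typing import Dict, List, Optional

# Domains we actually do business with (constructed sample).
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplies.com"}

# Registration dates as a WHOIS/RDAP lookup would return them (constructed;
# a real deployment queries a registration-data service here).
DOMAIN_REGISTERED = {
    "example-corp.com": date(2015, 3, 1),
    "acme-supplies.com": date(2018, 6, 12),
    "acme-supp1ies.com": date(2026, 4, 2),
}

# Phrases that mark a message as payment-related (constructed list).
WIRE_KEYWORDS = ("wire transfer", "bank details", "direct deposit", "routing number")

# Homoglyph folding: multi-character pairs first ("rn" reads as "m"), then
# single characters. The result is a comparison key, not a display string.
MULTI_CHAR = {"rn": "m", "vv": "w"}
SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "i": "l", "3": "e", "5": "s", "7": "t"})


def domain_of(header_value: str) -> str:
    """Lowercase domain part of a From/Reply-To header value."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


def skeleton(domain: str) -> str:
    """Fold visually confusable characters so lookalikes collide with the original."""
    s = domain.lower()
    for pair, repl in MULTI_CHAR.items():
        s = s.replace(pair, repl)
    return s.translate(SINGLE_CHAR)


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one visually imitates, or None."""
    if domain in TRUSTED_DOMAINS:
        return None
    folded = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if skeleton(trusted) == folded:
            return trusted
    return None


def reply_to_mismatch(headers: Dict[str, str]) -> bool:
    """Reply-To routes answers to a different domain than the visible sender."""
    reply_to = headers.get("Reply-To")
    return bool(reply_to) and domain_of(reply_to) != domain_of(headers["From"])


def newly_registered(domain: str, today: date, max_age_days: int = 90) -> bool:
    """Domain registered within max_age_days (assumed threshold). Unknown
    domains return False: no data means no age verdict, other checks still apply."""
    registered = DOMAIN_REGISTERED.get(domain)
    return registered is not None and (today - registered).days < max_age_days


def mentions_wire(text: str) -> bool:
    lowered = text.lower()
    return any(k in lowered for k in WIRE_KEYWORDS)


def baseline_anomaly(sender: str, text: str, history: Dict[str, List[str]]) -> bool:
    """Known sender asks for a payment change for the first time in their history.
    history maps sender address to prior message bodies (constructed)."""
    prior = history.get(sender)
    if prior is None:
        return False  # unseen sender: lookalike and age checks cover this case
    return mentions_wire(text) and not any(mentions_wire(p) for p in prior)


def bec_signals(msg: Dict[str, str], history: Dict[str, List[str]], today: date) -> List[str]:
    """Collect BEC signals for one message; payment requests with any signal are held."""
    flags: List[str] = []
    sender_addr = parseaddr(msg["From"])[1].lower()
    sender_domain = sender_addr.rpartition("@")[2]
    if reply_to_mismatch(msg):
        flags.append("reply-to-mismatch")
    impersonated = lookalike_of(sender_domain)
    if impersonated:
        flags.append(f"lookalike-of:{impersonated}")
    if sender_domain not in TRUSTED_DOMAINS and newly_registered(sender_domain, today):
        flags.append("newly-registered-domain")
    if baseline_anomaly(sender_addr, msg["Body"], history):
        flags.append("first-wire-request-from-known-sender")
    if flags and mentions_wire(msg["Body"]):
        flags.append("hold-for-gatekeeper")  # assumed policy: human checkpoint
    return flags


# Constructed sender history and sample messages.
HISTORY = {
    "ap@acme-supplies.com": ["Invoice 1042 attached, net 30 as usual.", "Thanks for the PO."],
    "ceo@example-corp.com": ["Board deck for Thursday.", "Great quarter, team."],
}
SAMPLES = {
    "legit_invoice": {"From": "AP <ap@acme-supplies.com>",
                      "Body": "Invoice 1043 attached, net 30 as usual."},
    "vendor_lookalike": {"From": "AP <ap@acme-supp1ies.com>",
                         "Body": "Please update our bank details before paying invoice 1043."},
    "ceo_wire": {"From": "CEO <ceo@example-corp.com>",
                 "Reply-To": "ceo.example@mail.example.net",
                 "Body": "Confidential: please process a wire transfer today."},
}


def run_samples(today: date = date(2026, 4, 8)) -> Dict[str, List[str]]:
    return {name: bec_signals(msg, HISTORY, today) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, flags in run_samples().items():
        print(f"{name}: {flags or 'no signals'}")
```

The legitimate invoice produces no signals, the vendor lookalike is caught by both the homoglyph fold and the six-day-old registration, and the CEO message from a genuine trusted account is caught only by the Reply-To mismatch and the baseline (that sender has never mentioned a wire transfer before), which is the compromised-account case the text says signature checks cannot see.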

BEC Response Checklist

If you receive an email that matches any BEC pattern — or if a transfer has already been made — follow these six steps immediately:

  1. Verify via phone call. Call the sender at a number you already have on file, not a number provided in the suspicious email. Do not reply to the email.
  2. Do not reply to the suspicious email. A response signals to the attacker that the account is active and monitored, and may escalate the attack.
  3. Report immediately to IT or your security team. Freeze any pending transaction before it clears. Most BEC losses occur because the transfer is processed before fraud is detected.
  4. If a transfer was made, contact your bank within hours. International wire recalls are possible within a narrow window, typically 24–72 hours.
  5. File a complaint with the FBI's Internet Crime Complaint Center at ic3.gov. IC3 has a dedicated BEC Recovery Team that has successfully recalled over $330M in fraudulent transfers.
  6. Update your Circle of Trust. Add the impersonated sender to your monitored list and enable gatekeeper review for all future wire-related requests from that contact.

Frequently Asked Questions

Can BEC attacks be detected automatically?

Some signals can be caught algorithmically — reply-to mismatches, new vendor domains, homoglyph domains. But the most dangerous BEC uses compromised legitimate accounts, which is why Circle of Trust human review is essential for high-value requests. Automation catches the patterns; humans catch the intent.

Our company uses Microsoft 365 Defender. Does that protect against BEC?

M365 Defender catches some BEC patterns but its rules are primarily signature-based. Glance adds a behavioral layer and human gatekeeper review that Microsoft's system lacks for targeted attacks. The two tools are complementary, not redundant.

What's the difference between BEC and phishing?

Phishing casts a wide net with malicious links and attachments targeting many recipients at once. BEC is targeted, uses no payload, and impersonates known individuals to manipulate specific people into taking specific high-value actions — usually a wire transfer or credential handover. BEC attacks often begin with a phishing attack that compromises an account first.

Stop BEC Before It Reaches Your Team

Glance's behavioral detection and Circle of Trust gatekeeper review catch the BEC patterns that signature-based filters miss. Free to start.

Glance Security Team
