How to Prevent Business Email Compromise Attacks

Business email compromise costs more than any other cybercrime category the FBI tracks. In 2025, it caused $3.04 billion in U.S. losses across 24,768 reported complaints, according to the FBI's 2025 Internet Crime Report published in April 2026. The average loss per incident came out to $122,000.

That number lands differently at a 60-person company than it does at a Fortune 500. There is no cyber insurance claim that makes it painless.

BEC is also one of the more preventable attack types when businesses put the right pieces in place. The gap between businesses that get hit and businesses that don't is mostly in five areas covered below.

What Business Email Compromise Actually Looks Like

BEC is not your standard spam or phishing attack. There is usually no malicious link, no suspicious attachment. The email looks legitimate because in many cases it is sent from a legitimate email account that an attacker compromised, or from a domain close enough to the real one that nobody catches it.

A typical scenario: your CFO gets a message appearing to come from the CEO. Traveling, deal closing this afternoon, need a wire transfer processed before end of day. The domain has a minor variation. The email thread looks real. Nobody questions it.

Two hours later, $85,000 is gone.

AI has made these attacks harder to spot. Attackers use AI to write tighter, more convincing copy and to research organizational structures before targeting. In documented cases, voice cloning has been used to fake executive calls that confirm the email request. The human side of BEC is improving faster than most businesses realize.

The Five Attack Types the FBI Tracks

The FBI identifies five BEC variants in its annual reporting:

  1. CEO fraud: A message appears to come from a senior executive requesting a wire transfer or gift card purchase.
  2. Vendor impersonation: An attacker spoofs a vendor you regularly pay and sends updated banking instructions.
  3. Account takeover: Attackers compromise an actual email account and intercept in-progress payment conversations.
  4. Data theft: Targets HR or finance staff to collect employee data, which is sold or used in follow-on attacks.
  5. Payroll diversion: An employee's paycheck is redirected to an attacker-controlled account. This variant accounts for nearly half of all BEC complaints, according to threat intelligence firm LevelBlue.

Why Email Filters Alone Don't Stop It

You can have best-in-class email security and still get hit with BEC.

Standard spam filters are built to catch malware, suspicious attachments, and known phishing domains. BEC attacks often come from clean domains, use plain-text emails with no attachments, and pass through standard filters without triggering anything.

A 2026 Darktrace analysis found that 65% of sophisticated phishing and BEC emails pass standard DMARC authentication checks. That is not a failure of DMARC specifically: DMARC lets receiving servers reject mail that forges your exact domain. It does nothing about an attacker who registers a convincing lookalike domain, or who has already compromised a real account and is sending fully authenticated mail from it.

This is the gap where most companies get hit. The filters are working. The attack just isn't using the door the filters are watching.
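As an added illustration (not code from the article), the following Python check looks at the one signal a clean, attachment-free BEC message still carries: a sender domain that merely resembles a trusted one, or a display name that borrows a trusted brand while the address sits on an unrelated domain. The trusted-domain list and the sample From: headers are constructed placeholders for this example.

```python
"""Flag sender addresses that resemble, but are not, a trusted domain.

Added example for this article; TRUSTED_DOMAINS and SAMPLE_HEADERS are
constructed placeholders, not real organisations.
"""
import unicodedata
from email.utils import parseaddr

# Domains this organisation moves money with (assumed values).
TRUSTED_DOMAINS = {"examplecorp.com", "trustedvendor.com"}

# Single characters that read like a Latin letter: digits and a few Cyrillic
# letters that are visually identical to their Latin counterparts.
CHAR_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а е о
    "\u0440": "p", "\u0441": "c", "\u0456": "i",   # Cyrillic р с і
})
# Two-letter sequences that look like one letter in many fonts.
SEQ_MAP = (("rn", "m"), ("vv", "w"))


def skeleton(domain):
    """Reduce a domain to the string a human eye would perceive."""
    d = unicodedata.normalize("NFKD", domain.lower())
    d = "".join(ch for ch in d if not unicodedata.combining(ch))  # drop accents
    d = d.translate(CHAR_MAP)
    for seq, rep in SEQ_MAP:
        d = d.replace(seq, rep)
    return d


def registrable(domain):
    """Naive eTLD+1 (last two labels). A production rule would consult the
    Public Suffix List; this shortcut is enough for the sample data."""
    return ".".join(domain.rstrip(".").split(".")[-2:])


def levenshtein(a, b):
    """Plain edit distance; small inputs, so no need for anything faster."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header):
    """Classify a From: header as trusted, lookalike, display-name
    impersonation, or plain external."""
    name, addr = parseaddr(from_header)
    domain = registrable(addr.rpartition("@")[2].lower())
    result = {"address": addr, "verdict": "external", "matches": None, "reason": None}
    if domain in TRUSTED_DOMAINS:
        result.update(verdict="trusted", matches=domain)
        return result
    d_name, _, d_tld = domain.partition(".")
    for trusted in sorted(TRUSTED_DOMAINS):
        t_name, _, t_tld = trusted.partition(".")
        if skeleton(domain) == skeleton(trusted):
            reason = "homoglyph"          # examplec0rp.com, exarnplecorp.com
        elif d_name == t_name and d_tld != t_tld:
            reason = "tld-swap"           # trustedvendor.co
        elif levenshtein(d_name, t_name) <= 1:
            reason = "edit-distance"      # examplecorps.com
        else:
            continue
        result.update(verdict="lookalike", matches=trusted, reason=reason)
        return result
    # Brand word in the display name or local part, but the address lives elsewhere.
    brands = {t.partition(".")[0] for t in TRUSTED_DOMAINS}
    blob = (name + " " + addr.partition("@")[0]).lower()
    if any(b in blob for b in brands):
        result.update(verdict="display-name-impersonation", reason="brand in name")
    return result


def scan(headers):
    """Run assess_sender over a batch of From: headers."""
    return [(r["address"], r["verdict"]) for r in map(assess_sender, headers)]


SAMPLE_HEADERS = [  # constructed sample data
    "Jane Doe <jane.doe@examplecorp.com>",
    "Jane Doe <jane.doe@examplec0rp.com>",
    "Jane Doe <jane.doe@exarnplecorp.com>",
    "AP Team <billing@trustedvendor.co>",
    "Jane Doe <ceo.examplecorp@freemail-example.net>",
    "Bob <bob@unrelated.org>",
]

if __name__ == "__main__":
    for addr, verdict in scan(SAMPLE_HEADERS):
        print(f"{verdict:28} {addr}")
```

A rule like this belongs in the mail gateway or a mailbox-rule layer alongside DMARC, not instead of it: DMARC handles mail that forges the exact domain, and this check handles the domains DMARC never sees. Anything it flags as a lookalike should route to a quarantine or a banner, with the trusted list maintained from the vendor master file rather than from whatever appears in inbound mail.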

Related: AI has amplified this problem significantly; see how AI-powered phishing now bypasses traditional email filters.

How to Prevent Business Email Compromise: Five Steps

Step 1: Configure Email Authentication (DMARC, DKIM, SPF)

DMARC, DKIM, and SPF are technical email standards that let receiving mail servers detect and reject mail that forges your domain. A 2026 scan of 5.5 million business domains by DMARCguard found that 69.6% of SMB domains have no DMARC policy in place. On those domains, an attacker can send email that looks like it came from your company, and receivers have no policy telling them to reject it.

Configuring DMARC at enforcement level (p=reject) dropped inbound spoofing attempts by 93% in documented deployments, according to analysis published in Security Boulevard. It is one of the highest-ROI security configurations available and most businesses haven't done it.

Implementation requires DNS record changes and testing — getting it wrong can interrupt legitimate outbound mail. This is the type of configuration that benefits from someone who has done it before.
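Here is an added example (not from the article or from any vendor named in it) of the check an administrator runs before and after that DNS change: a small Python grader that parses SPF and DMARC TXT records and reports what stands between the current zone and enforcement. The zone data is constructed for the placeholder domain example-smb.com, and the SPF include target is a placeholder as well.

```python
"""Grade SPF and DMARC TXT records against an enforcement posture.

Added example for this article. The zone data below is constructed for the
placeholder domain example-smb.com; the include target is a placeholder too.
"""

# Constructed: a zone where the rollout stalled at monitoring mode.
WEAK_ZONE = {
    "example-smb.com": "v=spf1 include:_spf.mail-provider.example ~all",
    "_dmarc.example-smb.com": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example-smb.com",
}
# Constructed: the same zone after moving to enforcement.
ENFORCED_ZONE = {
    "example-smb.com": "v=spf1 include:_spf.mail-provider.example -all",
    "_dmarc.example-smb.com": ("v=DMARC1; p=reject; sp=reject; pct=100; "
                               "adkim=s; aspf=s; rua=mailto:dmarc-reports@example-smb.com"),
}

POLICY_RANK = {"none": 0, "quarantine": 1, "reject": 2}


def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; rua=...' into a tag dict (RFC 7489 syntax)."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def parse_spf(record):
    """Return the qualifier on the 'all' mechanism and the number of terms
    that trigger DNS lookups (RFC 7208 caps these at 10)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"
        body = term.lstrip("+-~?").lower()
        if body == "all":
            all_qualifier = qual
        elif body in ("a", "mx") or body.startswith(
                ("a:", "a/", "mx:", "mx/", "include:", "exists:", "redirect=")):
            lookups += 1
    return {"all": all_qualifier, "lookups": lookups}


def grade(zone, domain):
    """Return (severity, message) findings; an empty list means enforced."""
    findings = []
    spf = zone.get(domain)
    if spf is None:
        findings.append(("high", "no SPF record: any host can claim to send as this domain"))
    else:
        s = parse_spf(spf)
        if s["all"] in (None, "+", "?"):
            findings.append(("high", "SPF does not fail unlisted hosts (missing, '+all' or '?all')"))
        elif s["all"] == "~":
            findings.append(("medium", "SPF ends in '~all' (softfail); acceptable under DMARC, weak alone"))
        if s["lookups"] > 10:
            findings.append(("high", f"SPF needs {s['lookups']} DNS lookups; above 10 it evaluates to permerror"))
    dmarc = zone.get("_dmarc." + domain)
    if dmarc is None:
        findings.append(("high", "no DMARC record: receivers have no policy to apply"))
        return findings
    t = parse_dmarc(dmarc)
    p = t.get("p", "none").lower()
    if p == "none":
        findings.append(("high", "p=none: failing mail is reported but still delivered"))
    elif p == "quarantine":
        findings.append(("medium", "p=quarantine: failing mail is treated as suspicious, not rejected"))
    pct = int(t.get("pct", "100"))
    if p != "none" and pct < 100:
        findings.append(("medium", f"pct={pct}: policy applied to only {pct}% of failing mail"))
    sp = t.get("sp", p).lower()  # subdomain policy defaults to p
    if POLICY_RANK.get(sp, 0) < POLICY_RANK.get(p, 0):
        findings.append(("high", f"sp={sp}: subdomains get a weaker policy than {p}"))
    if "rua" not in t:
        findings.append(("low", "no rua= address: no aggregate reports, so no view of who sends as you"))
    return findings


def is_enforced(zone, domain):
    """True when nothing high-severity stands between the zone and p=reject."""
    return not any(sev == "high" for sev, _ in grade(zone, domain))


if __name__ == "__main__":
    for label, zone in (("weak", WEAK_ZONE), ("enforced", ENFORCED_ZONE)):
        print(f"[{label}] enforced={is_enforced(zone, 'example-smb.com')}")
        for sev, msg in grade(zone, "example-smb.com"):
            print(f"  {sev:6} {msg}")
```

The same grader runs against a live zone by feeding it the TXT records returned by `dig TXT yourdomain` and `dig TXT _dmarc.yourdomain`. The reason the article warns about breaking outbound mail is visible in the two zones: moving straight to `-all` and `p=reject` is what silences a forgotten third-party sender, so the usual order is to publish `p=none` with a `rua=` address first, read the aggregate reports until every legitimate sender is covered by SPF or DKIM, then step through `p=quarantine` to `p=reject`.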

Step 2: Require Multi-Factor Authentication on All Email Accounts

Account takeover is easier when attackers only need a stolen password. MFA on email accounts closes that path. This applies to Microsoft 365, Google Workspace, and any other email platform your team uses.

It also matters how MFA is configured. Phishing-resistant MFA (hardware keys or passkeys) stops attacks that standard SMS codes don't. The methods attackers use to bypass standard Microsoft 365 MFA are worth understanding before you assume a basic MFA rollout is sufficient.

Step 3: Build a Wire Transfer Verification Policy

No control addresses the human side of CEO fraud better than a mandatory callback rule. Any wire transfer above a defined threshold — most businesses use $5,000 to $10,000 — requires a phone call to a known, pre-established number before processing. Not a reply to the email thread. A separate call to a saved contact.

This stops CEO fraud cold. The attacker cannot answer that call.

The policy has to be written down and enforced. "We all know to call and verify" does not hold up under deadline pressure or when a new employee processes the request.

Step 4: Lock Down Payroll and Banking Change Requests

Payroll diversion accounts for nearly half of all BEC attacks because the process for changing direct deposit information is often informal. An attacker emails HR posing as an employee with updated banking details. Many HR teams process these without calling to verify.

The fix is a policy: any payroll change request requires in-person or phone verification with the employee making the request. No email-only changes. The policy should also flag any request that comes in close to a payroll processing date, which is when attackers time these.

Step 5: Run Security Awareness Training That Covers BEC Specifically

BEC attacks survive because employees do not recognize what they look like. Generic cybersecurity training that covers phishing often skips wire fraud and payroll diversion scenarios, which is where BEC actually happens.

Quarterly training using real BEC examples — including scenarios specific to your industry — builds the recognition that actually stops attacks. A CFO who has seen three simulated CEO fraud attempts in training will pause before processing a request sent at 4:45 pm on a Friday with an urgent deadline.

What Managed IT Support Adds

DMARC configuration, MFA enforcement, and email security gateways are not set-and-forget items. Without ongoing management, configurations drift, new employees bypass MFA enrollment during onboarding, and policy exceptions pile up until someone violates the wire transfer rule.

When something does get through, detection speed determines the outcome. Arctic Wolf data shows that businesses without managed detection and response take an average of 24 days to identify an active email compromise. With managed oversight, that drops to 24 minutes. Most wire fraud is irreversible once funds clear. The time gap is where the loss happens.

A managed IT partner configures DMARC enforcement, monitors for anomalies in email behavior, tests employee awareness, and handles the response when an attack lands. That coverage closes the gap between having security tools and actually being protected by them.


Frequently Asked Questions

What is business email compromise?

Business email compromise (BEC) is a targeted attack where criminals impersonate executives, vendors, or employees via email to steal money or sensitive data. Unlike phishing, BEC typically involves no malicious links or attachments, which is why standard email filters often miss it.

How much does business email compromise cost businesses on average?

In 2025, BEC caused $3.04 billion in U.S. losses across 24,768 reported complaints, according to the FBI IC3 2025 Annual Report. The average loss per incident was approximately $122,000.

What is the difference between phishing and business email compromise?

Phishing typically targets large numbers of recipients with malicious links or attachments to steal credentials or install malware. BEC is targeted — it impersonates a trusted contact to request a specific action like a wire transfer or payroll change. BEC emails often pass through spam filters because they contain no malicious content.

Does DMARC stop business email compromise?

DMARC prevents attackers from spoofing your exact domain in outbound emails, which stops one category of BEC attacks. A 2026 Darktrace analysis found that 65% of sophisticated BEC attempts still pass DMARC checks by using lookalike domains or compromised accounts. DMARC is essential but not sufficient on its own.

What is the most common type of BEC attack?

Payroll diversion — where an attacker redirects an employee's direct deposit to a fraudulent account — accounts for nearly half of all BEC complaints according to threat intelligence firm LevelBlue. It is also the most overlooked category because it does not involve a dramatic wire transfer; it is often not discovered until the affected employee contacts HR about a missing paycheck.


Getting DMARC configured correctly and building BEC response policies takes less time than recovering from a single incident. Talk to us about where your business stands.