Every year, criminals walk away with billions. Not by breaking into fancy art galleries or bank vaults, but by sending the right email to the right person at the right time. This is how they do it.
In this article, you’ll learn:
What business email compromise actually is
How these attacks are pulled off, step by step
The most common types of BEC attacks
A real-world example of a $37 million attack
How to protect your business before it becomes a target
What is business email compromise in cybersecurity?
Business email compromise is a cyberattack in which criminals impersonate someone you trust to fool you into sending money or handing over sensitive data. What makes it dangerous is the patience and the planning. Attackers spend weeks learning how a company communicates, who holds the authority, and when to strike. By the time the email lands, it looks like a normal email from someone you know.
How does a business email compromise attack work?
There's a tried-and-trusted playbook to these attacks, and scammers follow it every time.
Step 1 – Find the target
The whole point of a business email compromise attack is that it has to be convincing. Luckily for attackers, the Internet is a goldmine of information on potential targets. A quick look at your social media profile can reveal your job, your close colleagues, and even your tone of voice. Combine that with press releases about upcoming company moves and the bios on your company website, and an impersonation starts to look credible.
Attackers can scrape all that information and, within seconds, create an email that looks and sounds like the real deal.
Step 2 – Get inside the inbox
For the email content to seem real, attackers need to wrap it in a shiny, believable package. If the email address doesn’t appear to be from a trusted source, the whole scam will fall flat.
Attackers could spoof the domain by registering a name like acme-corp.com instead of acmecorp.com. Or, if they're smart enough, hack the real inbox, making it nearly impossible to distinguish from a genuine message.
After all, if it looks like a duck and quacks like a duck, most will think it's a duck.
Step 3 – Build trust
With these attacks, patience is the name of the game. Attackers can hide in a hacked inbox for weeks, reading email threads and learning communication styles. When the email finally arrives, it blends in with previous emails, mirroring the tone and flow of the conversation.
Step 4 – Make the ask
Once attackers know you inside out — your tone of voice, your colleagues’ names and titles, and what's going on in your company — and they've successfully wormed their way into your email, the request is sent.
It's usually something that can't be easily undone. It might involve sending money to a bank account or sharing private information. The key is that it must be irreversible.
Once the target realizes something is wrong, the attacker needs the damage to already be done. If they're extra sneaky, they might even send it during a festive period when everyone's guard is down, and there's a greater chance of success.
Step 5 – Vanish without a trace
After the funds are sent, they're moved quickly through a series of intermediary accounts. These are usually based overseas, making the money trail very difficult to follow even for law enforcement.
Business email compromise example
Business email compromise is the final boss of digital attacks. It usually involves big companies and eye-watering sums of money.
In 2019, one of Toyota's major suppliers lost tens of millions in a single transfer. The attacker broke into Toyota Boshoku's email system. They read messages and learned how the company communicated. When a big money transfer came up in conversation, they asked someone in the company with the authority to move money to update the bank account details for the transfer. It looked legitimate, and the money was sent.
Just like that, $37 million, gone.
Types of business email compromise attacks
Not all business email compromise examples look the same. Of course, the goal is always to trick people into handing over as much money as possible, but the approach can be very different.
CEO Fraud (Executive impersonation)
This is the most recognized form of BEC. An attacker impersonates a senior executive, usually a CEO or CFO, and pressures someone in finance to move money. It works because of the power dynamic. When the boss wants something, most people don't stop to ask why. If this is then combined with a believable backstory, it's enough to get someone to act without thinking twice.
Vendor email compromise
Attackers target relationships outside the company rather than pretending to be someone inside. They target trusted suppliers and vendors, slipping into existing email conversations and swapping out real payment details for their own. From the victim's side, it looks like a routine invoice update from a supplier they have worked with for years.
Account takeover
This is the most dangerous variant because there's no spoofing involved. The attacker is using the real account. The email comes from a real address and uses the right tone. The message looks completely normal, because it technically is.
Payroll Diversion
This one doesn't target the company's money. Instead, it targets the employees. Attackers pose as HR or an employee and request a payroll update, quietly rerouting a salary to an account they control.
The victim doesn't find out until payday, and because the amounts are smaller and the request looks normal, it rarely triggers a fraud alert. It's a slower version of BEC, but hit enough employees, and it adds up fast.
BEC vs Phishing – What's the difference?
Phishing emails have been around for a long time, and most people know what one looks like. It's the one telling you that you've won a prize, or that a Nigerian prince needs your help. They're sent in bulk and rely on sheer volume to catch someone off guard.
Where phishing is a net, BEC is a sniper. Attackers spend weeks researching one company, sometimes one specific person. By the time the email lands, it looks like a Tuesday morning message from someone you know.
Phishing is usually after your login credentials, but BEC skips that step entirely and goes straight for the money or the data.
How to spot a business email compromise attack
BEC attacks are designed to look normal. But if you know what to look for, the signs are there.
The rush — An email pushing you to move money fast, with no room to stop and verify.
The sudden change — A supplier or colleague has suddenly updated their payment information out of nowhere.
The almost-right address — The sender's email is just one character away from the real thing.
The tone that's just off — Something feels wrong: too formal, too casual, or oddly secretive.
The request from nowhere — You're asked to do something that would normally go through a different channel.
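Two of the red flags above (the almost-right address and the sender who isn't who the display name says) can be checked automatically against a list of domains and people you already trust. The following is an added example, not code from the article; the trusted domains, the known person and the sample From headers are constructed for illustration.

```python
import re

# Constructed allowlist for a hypothetical company: domains you trust,
# and the real address behind a display name that attackers like to borrow.
TRUSTED_DOMAINS = {"acmecorp.com", "globex-supplies.com"}
KNOWN_PEOPLE = {"Jane Doe": "jane.doe@acmecorp.com"}

def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def parse_from(header):
    """Split 'Display Name <user@domain>' into (display name, lower-cased address)."""
    m = re.match(r'\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$', header)
    if m:
        return m.group(1).strip(), m.group(2).strip().lower()
    return "", header.strip().lower()

def lookalike_flags(from_header, max_distance=2):
    """Return human-readable warnings for a From header, or [] if it looks clean."""
    name, addr = parse_from(from_header)
    domain = addr.rsplit("@", 1)[-1]
    flags = []
    if domain in TRUSTED_DOMAINS:
        return flags  # exact match with an allowlisted domain: nothing to flag here
    # "Almost-right address": the domain is a character or two away from one you trust
    # (e.g. acme-corp.com vs acmecorp.com, or a digit 1 swapped in for a letter l).
    for trusted in sorted(TRUSTED_DOMAINS):
        if 0 < edit_distance(domain, trusted) <= max_distance:
            flags.append(f"lookalike domain {domain!r} resembles trusted {trusted!r}")
    # Display name of someone you know, but the address underneath is not theirs.
    known = KNOWN_PEOPLE.get(name)
    if known and known != addr:
        flags.append(f"display name {name!r} belongs to {known!r}, not {addr!r}")
    return flags

if __name__ == "__main__":
    for hdr in ["Jane Doe <jane.doe@acme-corp.com>", "Accounts <billing@globex-supp1ies.com>"]:
        print(hdr, "->", lookalike_flags(hdr))
```

A real deployment would feed this from the mail gateway or a mailbox export and tune `max_distance` to the length of your domains, since very short domains produce false positives at distance 2.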
How to prevent a business email compromise attack
Knowing how these attacks work is half the battle. The other half is making sure your business isn't an easy target.
Pick up the phone
If an email asks you to transfer money or update payment details, don't reply to it. Call the person directly using a number you already have, not the one from the email. It takes thirty seconds, and it's the single most effective thing you can do.
Turn on two-factor authentication
If an attacker gets hold of someone's login credentials, 2FA can block a full inbox takeover. It won't stop everything, but it makes account compromise significantly harder.
Teach your team what good looks like
Regular training on what BEC is, how it works, and what the red flags look like can turn your employees into a line of defence.
Let your tools do some of the heavy lifting
Spam filters and domain authentication standards like SPF, DKIM, and DMARC can block emails that forge your domain before they reach your team, though they do not help against a lookalike domain or a genuinely compromised inbox, which is where the other measures come in. AI-based detection goes a step further. It learns what normal email behaviour looks like inside your organisation and flags anything that deviates from it.
Frequently asked questions
Business email compromise is when a criminal pretends to be someone you trust over email to trick you into sending money or sharing sensitive information. Attackers send a convincing email that mirrors the tone of company emails and may even come from a real company email address.
They're related but not the same. Phishing casts a wide net, sending generic emails to as many people as possible. BEC attacks are targeted. Attackers research a specific company, a specific person, and a specific moment. The result is far more convincing and far more costly.
Most business email compromise scams start with research. Attackers study a company's structure and communication. Once they know enough, they either spoof a trusted email address or take over a real one.
CEO fraud. An attacker impersonates a senior executive and pressures someone in finance to transfer money quickly. It works because most people don't question an urgent request from the boss.
Yes. Business email compromise protection starts with people. Train your team to spot the red flags, verify payment requests by phone, and use tools like 2FA and DMARC to make your email harder to compromise. No single measure is foolproof, but the right combination makes you a much harder target.