Despite the rumors that email is dead, it remains the preferred communication method for businesses around the world. It’s also the preferred attack vector for cybercriminals due to its ease of use and low cost, and since the beginning days of email, spam techniques have continued to evolve into a variety of sophisticated threats.

One particularly menacing threat that shows no sign of going away is Business Email Compromise (BEC).
BEC attacks (also known as whaling, spear-phishing or CEO fraud) use various deception tactics to impersonate a trusted contact. They employ a combination of research and social engineering techniques to impersonate business executives, real-estate firms, title companies, law firms, and even the FBI in an attempt to elicit transfers of large sums of money or the exchange of personally identifiable information (PII), which can be used in future BEC attacks and other types of cybercrime.
Victims of BEC attacks are often tricked into believing they are carrying out a routine transaction, such as filling an order with a supplier, transferring funds for an executive, or sending sensitive data to an HR representative.

Business Email Compromise Example
BEC attacks are especially dangerous because they are often sent from valid email addresses, using credentials obtained through phishing, brute-force attacks, or a data breach. Although these tactics have been around for several years, BEC threats are likely to continue.
Well-crafted BEC attacks pose a serious threat to businesses of all sizes because of their sophistication: they contain no malware, malicious links, or attachments, so in many cases they bypass spam filters and secure email gateways. And while modern email security software is better equipped to detect these threats using artificial intelligence (AI), these tools are not foolproof, and cyber criminals are also using AI to craft convincing phishing emails. Therefore, vigilance and phishing education are still needed to help protect businesses.
Watch Out for These Common BEC Scams
Some of the most common examples of Business Email Compromise include:
- Real Estate Transactions: During a real estate transaction, criminals may impersonate sellers, realtors, title companies, or law firms to trick the home buyer into transferring funds into a fraudulent account.
- Data and W-2 Theft: Criminals use a spoofed or compromised executive email account to send fraudulent requests for W-2 information or other personally identifiable information to HR staff or others within the business who maintain confidential employee records.
- Supply Chain: Criminals send fraudulent wire transfer requests to redirect funds during a pending business deal, transaction, or invoice payment to an account controlled by organized crime groups.
- Law Firms: Criminals discover information about pending litigation or trusts and impersonate a law firm’s client to change the recipient bank information to a fraudulent account.
The Growing Cost of BEC Attacks
The financial toll of BEC continues to skyrocket:
- $55.5 billion lost globally from October 2013 to December 2023 due to BEC scams, according to the FBI’s IC3 report.
- In 2024 alone, the FBI received 21,442 BEC complaints totaling nearly $2.8 billion in reported losses.
- 73% of all cyber incidents reported by businesses in 2024 involved some form of BEC.
BEC now represents one of the top cyber risks faced by businesses of all sizes.
Recent High-Profile Incidents of BEC Scams
Here are a few recent incidents of BEC scams:
1. Valladolid, Spain (2025)
Two individuals were investigated for altering invoice details to divert a €3,100 payment. The funds were recovered due to swift action by authorities. (Source: cadenaser.com)
2. Gold Coast, Australia (2024)
A couple lost AUD $250,000 while purchasing a home after scammers infiltrated their email communications. They managed to recover $80,000, but $170,000 remains missing.
3. South Australia (2024)
A woman was defrauded of over AUD $800,000 during a property transaction due to a single-letter alteration in an email address. Authorities recovered $777,000 after extensive investigations.
4. Victoria, Australia (2024)
A construction company nearly lost over AUD $900,000 after paying a fraudulent invoice sent from a compromised supplier email. Prompt action by the bank led to the recovery of most funds.
Why are Business Email Compromise threats so dangerous?
Business Email Compromise attacks are designed to bypass standard security mechanisms such as spam filters and anti-virus software, and are dangerous for a variety of reasons.
- They contain no malware. BEC attacks normally don’t contain malware. Instead, they use crafty social engineering to trick users into thinking they are legitimate.
- They are able to bypass many spam filters. BEC scams are often well-crafted with no spelling or grammatical errors. As a result, they are often able to bypass many spam filters.
- They are highly personalized. Scammers take their time researching the victim long before an attack is launched. They scour public websites, social media, and even the dark web to find specific information, including names and background information of company executives. Armed with this information and with knowledge of an executive’s writing style, their emails appear authentic.
What is being done to stop BEC attacks?
Government agencies are actively taking a multi-pronged approach to combat Business Email Compromise (BEC), one of the most damaging and costly forms of cybercrime today. The FBI and other law enforcement agencies have ramped up efforts through initiatives such as Operation Eagle Sweep, a coordinated international crackdown that led to numerous arrests linked to BEC schemes. The Department of Justice (DOJ) is also deeply involved, pursuing charges such as wire fraud and conspiracy while working with foreign governments to extradite and prosecute cybercriminals. International collaboration, often involving Interpol and Europol, is key to dismantling these global criminal networks.
To support victims and minimize losses, the FBI’s Internet Crime Complaint Center (IC3) established the Recovery Asset Team (RAT), which helps victims quickly freeze fraudulent wire transfers. This unit has successfully recovered hundreds of millions of dollars, particularly when incidents are reported promptly. The IC3 also plays a crucial role in raising awareness by publishing public service announcements and annual reports that highlight trends in BEC activity, urging organizations and individuals to report incidents to IC3.gov.
Partnerships between the public and private sectors further strengthen the fight against BEC. The Cybersecurity and Infrastructure Security Agency (CISA) leads the Joint Cyber Defense Collaborative (JCDC), which facilitates threat intelligence sharing between government agencies and private companies. Meanwhile, the Financial Crimes Enforcement Network (FinCEN) works closely with financial institutions to identify suspicious transactions, offering advisories to help banks recognize and report BEC-related activity.
CISA recommends technical defenses such as Domain-based Message Authentication, Reporting & Conformance (DMARC), DomainKeys Identified Mail (DKIM), and Sender Policy Framework (SPF), along with employee training, multi-factor authentication, and the principle of least privilege. Federal agencies are also adopting Zero Trust Architecture to reduce the impact of compromised accounts.
On the legislative front, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) mandates that organizations in critical sectors report cyber incidents, including BEC, within 72 hours, allowing for a faster and more coordinated federal response. This aligns with the broader goals of the National Cybersecurity Strategy, which prioritizes the disruption of cybercriminal infrastructure and promotes stronger regulation for high-risk sectors. Together, these efforts represent a comprehensive strategy to mitigate the impact of BEC and protect businesses across the country.
On the technical side, email providers and cybersecurity companies are stepping up their defenses. Protocols like DMARC, SPF, and DKIM are helping organizations authenticate legitimate emails and block spoofed ones. At the same time, machine learning tools can analyze email patterns and flag suspicious behavior before it reaches inboxes. Many businesses are also moving toward a zero-trust security model, which limits access and requires constant verification, even for users inside the network.
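The SPF and DMARC recommendation above only helps when the published records are actually enforcing. As an added example (not code from the original post or from any agency named in it), the following Python script parses a domain's SPF and DMARC TXT records and reports the settings that leave it spoofable: p=none (monitor only), ~all (softfail), a missing rua address, and so on. The records are constructed examples embedded inline, so nothing is looked up in DNS; in practice you would feed it the TXT records fetched for your own domain.

```python
"""Assess the strength of published SPF and DMARC TXT records.

Constructed example records are embedded below so the script runs offline;
no DNS lookups are performed.
"""
import re

# Constructed example records: a weak pair and a hardened pair.
WEAK_SPF = "v=spf1 include:_spf.example-mail.test ~all"
WEAK_DMARC = "v=DMARC1; p=none; pct=100"
STRONG_SPF = "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mail.test -all"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@example.test")


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record into its tag=value pairs (tag names are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> tuple[bool, list[str]]:
    """Return (enforced, findings). Enforced means receivers are told to
    quarantine or reject mail that fails DMARC alignment."""
    findings = []
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return False, ["not a DMARC1 record"]
    policy = tags.get("p", "").lower()
    enforced = policy in ("quarantine", "reject")
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: failures go to spam rather than being rejected")
    elif policy != "reject":
        findings.append("missing or invalid p= tag")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    # The subdomain policy defaults to p; sp=none leaves every subdomain spoofable.
    if tags.get("sp", policy).lower() == "none":
        findings.append("sp=none: subdomains can be spoofed freely")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r").lower() == "r":
            findings.append(f"{tag}=r (relaxed): any subdomain of the From domain aligns")
    return enforced, findings


def assess_spf(record: str) -> tuple[bool, list[str]]:
    """Return (strict, findings). Strict means the record ends in -all, so
    unlisted senders hard-fail instead of soft-failing or passing."""
    findings = []
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False, ["not an SPF record"]
    # The 'all' mechanism decides what happens to unlisted senders; its qualifier matters.
    all_terms = [t for t in terms[1:] if re.fullmatch(r"[+\-~?]?all", t, re.IGNORECASE)]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders receive a neutral result")
        return False, findings
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    strict = qualifier == "-"
    if qualifier == "+":
        findings.append("+all: every sender on the internet passes SPF")
    elif qualifier == "~":
        findings.append("~all (softfail): forged mail is marked, not rejected, by most receivers")
    elif qualifier == "?":
        findings.append("?all (neutral): equivalent to publishing no policy")
    # include/a/mx/ptr/exists/redirect each cost a DNS lookup; RFC 7208 allows at most 10.
    lookup_re = r"[+\-~?]?(include:|a\b|mx\b|ptr|exists:|redirect=)"
    lookups = sum(1 for t in terms[1:] if re.match(lookup_re, t, re.IGNORECASE))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms: exceeds the limit of 10, SPF will permerror")
    return strict, findings


if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC),
                              ("hardened", STRONG_SPF, STRONG_DMARC)):
        print(f"== {label} ==")
        print("SPF:  ", assess_spf(spf))
        print("DMARC:", assess_dmarc(dmarc))
```

Run it as-is and the weak pair reports ~all and p=none, while the hardened pair reports no findings. Note that a DMARC record with p=reject protects only against exact-domain spoofing; lookalike domains still need the gateway and procedural checks described further down.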
A big part of the fight against BEC also involves employee education and better company policies. Regular security training, like phishing simulations, can help staff recognize red flags, especially around payment requests or changes to vendor banking details. Businesses are also implementing procedures like dual-approval for financial transactions and confirming requests through separate communication channels, such as a phone call. These steps help prevent someone from acting on a fraudulent email alone.
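The out-of-band confirmation rule above can be backed by a gateway check that decides which messages to hold. As an added example (not code from the original post), the following Python script scores an inbound message against the red flags this post lists: an executive's display name on an outside address, a Reply-To pointing elsewhere, a sender domain one letter away from a trusted domain (the single-letter alteration in the South Australia incident), and payment or banking-change language. Any banking-change request, or payment urgency combined with an identity flag, is held until confirmed by phone. The company domain, executive list, trusted vendor domains and the three sample messages are all constructed assumptions.

```python
"""Flag inbound mail that must be verified out of band before anyone acts
on a payment or banking change.

Everything below (domains, people, messages) is constructed so the script runs offline.
"""
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

COMPANY_DOMAIN = "example-corp.test"                              # constructed
EXECUTIVES = {"Jane Doe": "jane.doe@example-corp.test"}           # constructed
TRUSTED_DOMAINS = {COMPANY_DOMAIN, "acme-supplier.test"}          # constructed
BANK_CHANGE_PHRASES = ("new bank account", "updated banking details", "change our account")
PAYMENT_URGENCY_PHRASES = ("wire transfer", "urgent payment", "before end of day")

# Constructed sample messages.
CEO_FRAUD = """From: Jane Doe <jane.doe@outlook-mail.test>
To: accounts@example-corp.test
Reply-To: jane.doe@webmail-reply.test
Subject: Urgent payment

I'm in a meeting, please send a wire transfer of $48,000 before end of day. Will explain later.
"""
VENDOR_LOOKALIKE = """From: Accounts Payable <billing@acme-suplier.test>
To: accounts@example-corp.test
Subject: Invoice 1042

Please note our updated banking details for invoice 1042 and all future payments.
"""
LEGIT = """From: Bob Roe <bob.roe@acme-supplier.test>
To: accounts@example-corp.test
Subject: Invoice 1042

Attached is invoice 1042, payable per our usual terms.
"""


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; a distance of 1 catches single-letter domain swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def bec_indicators(raw: str) -> list[str]:
    """Return the list of red flags found in one RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    flags = []
    # 1. An executive's display name on an address that is not their real one.
    if name in EXECUTIVES and addr.lower() != EXECUTIVES[name]:
        flags.append(f"display name '{name}' used from {addr}")
    # 2. Replies are steered to a different domain than the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_dom:
        flags.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_dom}")
    # 3. Sender domain is one edit away from a domain we trust.
    imitated = lookalike_of(from_dom)
    if imitated:
        flags.append(f"sender domain {from_dom} is a lookalike of {imitated}")
    # 4. Payment or banking-change language in subject or body (plain-text messages assumed).
    text = (msg.get("Subject", "") + "\n" + msg.get_payload()).lower()
    bank_hits = [p for p in BANK_CHANGE_PHRASES if p in text]
    if bank_hits:
        flags.append("banking-details change requested: " + ", ".join(bank_hits))
    pay_hits = [p for p in PAYMENT_URGENCY_PHRASES if p in text]
    if pay_hits:
        flags.append("payment/urgency language: " + ", ".join(pay_hits))
    return flags


def requires_verification(raw: str) -> bool:
    """Policy: every banking-details change, and any payment request carrying an
    identity flag, is held until confirmed by phone on a number already on file."""
    flags = bec_indicators(raw)
    bank_change = any(f.startswith("banking-details change") for f in flags)
    payment = any(f.startswith("payment/urgency") for f in flags)
    identity = any(not f.startswith(("payment/urgency", "banking-details")) for f in flags)
    return bank_change or (payment and identity)


if __name__ == "__main__":
    for label, raw in (("CEO fraud", CEO_FRAUD), ("vendor lookalike", VENDOR_LOOKALIKE), ("legitimate", LEGIT)):
        print(f"{label}: hold={requires_verification(raw)} flags={bec_indicators(raw)}")
```

The lookalike check deliberately compares lower-cased domains, so a capital I substituted for a lowercase l is caught as the same single-character edit; the banking-change rule fires even with no identity flag at all, because the post's advice is to confirm every vendor banking change through a separate channel regardless of how legitimate the message looks.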
There’s also been a big push toward collaboration. Industry groups and cybersecurity alliances are sharing real-time intelligence about BEC threats so organizations can stay ahead of evolving tactics. Banks, in particular, have set up rapid communication systems to freeze suspicious wire transfers before they go through.
Finally, when BEC incidents do happen, response is critical. Many companies now have playbooks for handling BEC cases, which include steps for containing the attack, alerting financial institutions, and working with law enforcement. When victims act quickly, especially by reporting the incident to the FBI’s IC3 portal, the odds of recovering stolen funds improve dramatically.
While BEC scams are still a major concern, a combination of smarter technology, stronger policies, global cooperation, and increased awareness is helping turn the tide.