Business Email Compromise
The invoice and wire-transfer fraud that costs businesses the most, and how to stop it.
By the numbers
- $3.05B reported BEC losses in 2025 (FBI IC3, 2025)
- $55B+ global BEC losses, 2013 to 2023 (FBI IC3, 2024)
- 62% of breaches involve the human element (Verizon DBIR, 2026)
Spotting the fraudulent request
- A change to payment details by email. New bank or wire instructions for an invoice, a vendor, or payroll.
- A look-alike or spoofed sender. A domain off by one letter, or a display name that matches a real executive.
- Urgency plus secrecy. A rush wire that asks you to skip the usual approval or keep it quiet.
Where it hides
- A hijacked email thread. A reply that continues a real conversation from a compromised mailbox.
- Vendor and invoice fraud. A trusted supplier 'updates' their bank account just before a large payment.
Accounts and money to protect
- Mailbox rules you did not set. Auto-forwarding or hidden inbox rules an attacker uses to watch and bury replies.
- Gift-card and payroll diversion. Requests for gift cards, or a change to an employee's direct-deposit account.
- Free-mail and look-alike domains. A staff or vendor 'request' from a personal address or a one-character-off domain.
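The sender checks described above (a domain off by one character, a free-mail address, a display name that matches a real executive) can be automated as a first-pass filter on the From header. This is an added example, not code from this guide; the trusted domains, executive name, free-mail list and function names are constructed for illustration.

```python
from email.utils import parseaddr

# Constructed sample data (assumptions): replace with your own vendor
# master file, executive roster and free-mail provider list.
TRUSTED_DOMAINS = {"northwind.example", "acme-supplies.example"}
EXECUTIVES = {"dana whitfield"}
FREE_MAIL = {"gmail.com", "outlook.com", "yahoo.com"}


def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def sender_flags(from_header):
    """Return the red flags raised by one From header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    flags = []
    # An exact trusted domain raises no flag here. Header authenticity
    # (SPF/DKIM/DMARC results) is a separate check this sketch omits.
    if domain in TRUSTED_DOMAINS:
        return flags
    # One character added, dropped or swapped for another.
    if any(edit_distance(domain, t) == 1 for t in TRUSTED_DOMAINS):
        flags.append("lookalike-domain")
    if domain in FREE_MAIL:
        flags.append("free-mail")
    # A real executive's name on an address outside the trusted domains.
    if name.strip().lower() in EXECUTIVES:
        flags.append("executive-display-name")
    return flags


if __name__ == "__main__":
    # Constructed sample headers.
    for h in ('"Dana Whitfield" <dana@northw1nd.example>',
              "Dana Whitfield <dana.w.ceo@gmail.com>",
              "Accounts Payable <ap@acme-supplies.example>"):
        print(h, "->", sender_flags(h))
```

A flag means the message goes to the callback and second-approver steps, not that a clean result replaces them: a hijacked thread from a genuinely compromised mailbox passes every check here.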
Do and don't
Do
- Verify every bank-detail change by calling a number you already have on file.
- Require a second approver for any new or changed payment details.
- Enable MFA on all email accounts and alert on new inbox-forwarding rules.
- Confirm vendor changes with a known contact, never the email thread itself.
Don't
- Do not trust payment instructions that arrive only by email.
- Do not use a phone number or link from the suspicious message to 'verify'.
- Do not let urgency or an executive's name skip the approval step.
- Do not release a payment before the callback is complete, even under a deadline.
The one move
Confirm every payment change by calling a number you already have, never one from the email, and require a second approver for new or changed bank details. A genuine vendor expects the callback.
If it happens
- Call your bank immediately and request a wire recall. Speed decides recovery.
- Reset the password and revoke sessions on any compromised mailbox, then delete rogue rules.
- Preserve the emails and full headers for investigators.
- Report to ic3.gov within hours, and warn affected vendors and staff.
Go deeper
For the bigger picture, read what is social engineering and how to spot a phishing email. See these warning signs in real cases in the weekly briefings.
Frequently asked questions
What are the red flags of business email compromise?
Watch for a change to payment details by email, a look-alike or spoofed sender, urgency plus secrecy, a hijacked email thread, plus any pressure to act fast, skip a check, or keep it secret.
What is the one move that stops it?
Confirm every payment change by calling a number you already have, never one from the email, and require a second approver for new or changed bank details. A genuine vendor expects the callback.
What should I do if it already happened?
Call your bank immediately and request a wire recall. Speed decides recovery. Reset the password and revoke sessions on any compromised mailbox, then delete rogue rules. Preserve the emails and full headers for investigators. Report to ic3.gov within hours, and warn affected vendors and staff.