
Business Email Compromise (BEC) — SMB Risk Assessment Guide

Business Email Compromise (BEC) is a sophisticated scam targeting businesses that conduct wire transfers or process invoices. Attackers compromise or impersonate business email accounts to redirect payments, request fraudulent wire transfers, or manipulate employees into revealing sensitive information. BEC causes more financial damage than any other cybercrime type.

Updated May 2026 · 5 min read

$2.9B in BEC losses reported to FBI IC3 in 2024, the #1 cybercrime category by reported loss (FBI IC3 2024 Internet Crime Report).

How Business Email Compromise (BEC) Works — Step by Step

  1. Compromise: attacker gains access to a legitimate business email account via phishing or credential stuffing
  2. Reconnaissance: monitors email threads for upcoming transactions, payment schedules, and relationships
  3. Impersonation or takeover: uses compromised account or lookalike domain to send fraudulent payment instructions
  4. Urgency tactics: creates time pressure to prevent victim from verifying out-of-band
  5. Payment redirect: instructs victim to change wire transfer destination to attacker-controlled account
  6. Money mule: funds rapidly moved through multiple accounts to prevent recovery

Business Email Compromise (BEC) Impact on SMBs

FBI reports that less than 15% of BEC losses are recovered when the incident is not reported within 72 hours. The average BEC loss for an SMB victim is $125,000.

  • $2.9B: BEC losses reported to FBI IC3 in 2024 (FBI IC3 2024 Annual Report)
  • $125K: average BEC loss per SMB victim (FBI IC3 2024 Annual Report)
  • <15%: recovery rate when BEC is not reported within 72 hours (FBI Financial Fraud Kill Chain)
  • 21,489: BEC complaints filed with FBI IC3 in 2024 (FBI IC3 2024 Annual Report)

Prevention Controls

Implement these controls to reduce your BEC exposure. Prioritize them based on your current gaps.

  • Out-of-band verification: always call the requester on a known number to confirm payment changes
  • Dual authorization for all wire transfers above threshold ($5,000 is common)
  • Email authentication (SPF, DKIM and DMARC with p=reject) blocks spoofing of your own domain; it does not stop lookalike domains or mail sent from a compromised account, so callback verification is still required
  • Multi-factor authentication on all email accounts
  • Employee training on BEC recognition — especially finance and executive assistants
  • Payment process policy requiring callback verification for new or changed wire instructions
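The steps and controls above translate directly into a mail-flow check. The following Python filter is an added example, not part of this guide or any CyberStackHub tool; it flags the indicators from the attack steps (lookalike sender domain, Reply-To mismatch, payment-instruction change, urgency, discouraging a callback) in one inbound message so that any hit is routed to the callback verification the policy requires. OWN_DOMAIN, the regexes and the sample message are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

OWN_DOMAIN = "example-corp.com"  # assumption: the defended organisation's mail domain

# Constructed sample of a payment-redirect message sent from a lookalike domain.
SUSPECT = """From: "Dana Ortiz, CFO" <dana.ortiz@examp1e-corp.com>
Reply-To: <accounts@mail-relay.example>
To: ap@example-corp.com
Subject: URGENT: updated wire instructions for invoice 4471

Please update the beneficiary bank account for today's wire before 3pm.
I am in meetings all day, so email only, no calls.
"""

URGENCY = re.compile(r"\b(urgent|asap|immediately|today|before \d)", re.I)
PAYMENT_CHANGE = re.compile(r"\b(wire|beneficiary|bank account|routing|new account|updated .{0,20}instructions)\b", re.I)
NO_CALLBACK = re.compile(r"\b(email only|no calls|do not call|in meetings)\b", re.I)

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bec_indicators(raw, own_domain=OWN_DOMAIN):
    """Return the BEC indicators present in one RFC 5322 message (empty list if none)."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    reply_dom = parseaddr(msg.get("Reply-To", ""))[1].lower().rpartition("@")[2]
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    found = []
    if from_dom != own_domain and edit_distance(from_dom, own_domain) <= 2:
        found.append("lookalike_sender_domain")    # step 3: lookalike domain
    if reply_dom and reply_dom != from_dom:
        found.append("reply_to_mismatch")          # replies diverted to another mailbox
    if PAYMENT_CHANGE.search(text):
        found.append("payment_instruction_change")  # step 5: payment redirect
    if URGENCY.search(text):
        found.append("urgency_language")           # step 4: time pressure
    if NO_CALLBACK.search(text):
        found.append("discourages_callback")       # attempts to defeat out-of-band verification
    return found
```

Any non-empty result should hold the request until the requester is reached on a known phone number; the check is a routing aid, not a substitute for that call.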

CyberStackHub Tools for Business Email Compromise (BEC) Risk

  • Email security assessment: identifies the email authentication gaps and authentication weaknesses that BEC attackers exploit
  • Awareness training: BEC recognition training for finance, HR, and executive staff, the primary targets
  • Policy templates: a wire transfer verification policy and a financial controls policy are the most effective BEC defenses
  • Incident response planning: BEC must be reported to FBI IC3 within 72 hours for recovery, so pre-plan your response