Business Email Compromise (BEC): How to Spot and Stop Attacks in 2026

The FBI's 2025 IC3 report recorded $2.9 billion in BEC losses — more than ransomware, more than any other cybercrime category. Unlike most attacks, BEC doesn't need malware. It just needs a convincing email and someone who wires money, changes a bank account, or hands over credentials without double-checking. Here's how these attacks work, the red flags to catch them, and the nine controls that prevent them.

What Is Business Email Compromise?

Business email compromise is a fraud scheme where attackers impersonate a trusted party — your CEO, a supplier, your HR department, or a legal team — to trick employees into taking a harmful action. That action is usually one of:

• Wiring money to an attacker-controlled account
• Paying a fake invoice with updated banking details
• Handing over W-2s or employee PII (tax fraud)
• Forwarding credentials or granting access
• Purchasing gift cards and sending redemption codes

The defining feature: there is no malicious link, no attachment, no malware. It's pure social engineering delivered via email. That's why traditional spam filters and antivirus software catch almost none of it.

The 5 BEC Attack Types

How Attackers Prepare a BEC Attack

BEC is not random. Attackers spend days or weeks on reconnaissance before sending a single email:

1. LinkedIn research: Identify the CFO, accounts payable staff, and HR contacts. Map reporting structures.
2. Domain reconnaissance: Find your domain, check DMARC records (if p=none or missing, your domain can be spoofed freely). Register lookalike domains.
3. Email pattern enumeration: Confirm email format (firstname.lastname@, f.lastname@, etc.) using tools like Hunter.io or leaked breach data.
4. Calendar and OOO timing: Attackers send wire fraud emails when the CFO is traveling, in a conference, or on holiday — reducing the chance the target will call to verify.
5. Account compromise (advanced): In some cases, attackers compromise a real email account first and read months of threads before inserting themselves into an active supplier conversation.

Red Flags in BEC Emails

• Unusual urgency + secrecy: "Process this immediately" combined with "don't mention this to anyone" — the two most reliable BEC markers.
• Request for a new or changed bank account: Legitimate vendors rarely change banking details mid-relationship. Any bank change should trigger a phone verification.
• Email from a lookalike domain: [email protected] instead of [email protected]. The display name looks right; the actual sending address doesn't.
• Reply-to address differs from the from address: Classic indicator of spoofing. Check both in your email client.
• Request to bypass normal process: "Skip the normal PO process for this one." The process exists specifically to catch BEC.
• Gift card requests: No legitimate executive asks employees to purchase and forward gift card codes. Ever.
• Unusual send time: A "CEO email" sent at 2 a.m. from their personal device while traveling — when they're unavailable to verify — is a common pattern.

9 Controls That Stop BEC

The DMARC–BEC Connection

Of all nine controls, DMARC enforcement is the single highest-leverage technical change. Here's why it matters so much:

The transition from p=none → p=quarantine → p=reject should be gradual, monitoring reports at each stage to ensure legitimate senders aren't accidentally blocked. See our full guide: DMARC p=reject vs p=quarantine — which policy should you set?

What to Do If You Receive a Suspicious Email

• Do NOT reply to the email — even to ask if it's legitimate (you're replying to the attacker)
• Do NOT call any phone number provided in the email
• Use a pre-stored contact number to call the apparent sender directly
• Forward the suspicious email to your IT or security team as an attachment (not forwarded normally)
• Check the actual sending address — not just the display name
• Check the reply-to address if it differs from the from address
• If a payment was already sent, call your bank immediately — recovery is only possible within hours
• File a complaint with the FBI's IC3 (ic3.gov) if money was transferred

BEC in M365 and Google Workspace Environments

Most BEC attacks in 2026 involve a fully compromised Microsoft 365 or Google Workspace account — not just a spoofed address. Once an attacker has access to a real inbox, they can:

• Read existing email threads and inject themselves naturally into ongoing supplier conversations
• Set up silent forwarding rules to monitor communications indefinitely
• Send from the legitimate address (bypassing all DMARC and anti-spoofing controls)
• Create inbox rules that hide their own sent emails and delete replies
• Access calendar invites to time wire fraud requests when key approvers are unavailable

This is why account security in M365 and Google Workspace is inseparable from BEC prevention. Weekly audits of forwarding rules, OAuth app access, and unusual sign-in locations catch compromised accounts before attackers can do damage. Workspace Posture Pro runs these checks automatically every Monday and alerts you to anything suspicious.

BEC Prevention Checklist

• DMARC record set to p=reject (or actively transitioning from quarantine)
• SPF record published and all legitimate sending sources included
• DKIM configured for your primary domain and all email-sending services
• Out-of-band verification required for all wire transfers above your threshold
• Dual-approval process in place for direct deposit / payroll changes
• External email banners enabled in M365 / Google Workspace
• Impersonation protection enabled and executives' names configured
• Lookalike domain monitoring active (alerts on new registrations)
• Monthly audit of email forwarding rules across all user accounts
• Finance and HR teams trained on BEC-specific scenarios (not just generic phishing)