Business Email Compromise Prevention Training: Building Verification Habits That Stop Wire Fraud

2026-03-28

Business email compromise is the single most financially damaging form of cybercrime. It is also one of the most preventable—when employees are trained to recognize and verify the specific patterns it exploits.


Business email compromise—known as BEC—has become the most financially damaging form of cybercrime that organizations face. Unlike ransomware, which announces itself loudly and disrupts operations visibly, BEC is quiet, precise, and frequently successful before anyone realizes what has happened. Funds are transferred to attacker-controlled accounts. Vendor payment details are redirected. Payroll is rerouted. And by the time the fraud is detected, the money is gone.

The FBI's Internet Crime Complaint Center reports that BEC consistently accounts for the largest share of total cybercrime financial losses year after year—in recent years representing losses in the billions of dollars annually from a fraction of the total incident volume. Per-incident, BEC losses routinely dwarf those of other attack categories.

What makes BEC both so damaging and so preventable is its mechanism: it relies almost entirely on deceiving a human employee into taking an authorized action. No malware is required. No system is compromised. The fraud succeeds because an employee—acting in good faith, under what appears to be legitimate instruction—authorizes a transaction or discloses information that should not have been authorized.

That human dependency is BEC's greatest strength as an attack. It is also its greatest weakness, because the same human step is the point at which defenders can intervene.


How Business Email Compromise Works (And Why It Is Not Standard Phishing)

Unlike spray-and-pray phishing, BEC does not rely on malicious links or attachments—it exploits business processes by impersonating trusted people. BEC attacks follow several well-established patterns, each targeting a different business process or employee role. Understanding these patterns is the starting point for designing training that prepares employees to recognize and resist them.

CEO fraud or executive impersonation. The most widely recognized BEC pattern involves an attacker impersonating a senior executive—typically the CEO, CFO, or president—and sending an email to a finance team employee requesting an urgent wire transfer. The email typically claims the transfer is for a time-sensitive acquisition, a confidential legal matter, or an executive priority that cannot be discussed through normal channels. The urgency and confidentiality framing are deliberate: they bypass normal approval processes and discourage the employee from verifying the request independently.

Vendor payment redirection. In this pattern, the attacker impersonates a known vendor or supplier and sends an email to the accounts payable department informing them that banking details have changed and that future payments should be directed to a new account. The attacker either compromises the vendor's email account directly or creates a convincing spoofed address. For examples of how these deceptive emails are crafted, see our collection of phishing email examples. The victim processes subsequent invoices to the attacker's account, sometimes for multiple payment cycles before the fraud is discovered.

Payroll diversion. The attacker impersonates an employee—often targeting HR or payroll departments—and requests that direct deposit information be updated to a new account. This attack requires minimal financial sophistication and can be executed at scale, targeting multiple employees' payroll simultaneously. The losses per incident are smaller than executive wire transfer fraud, but the attack is harder to detect because individual payroll changes may not trigger the same scrutiny as large wire transfers.

Attorney or legal counsel impersonation. Attackers impersonate lawyers, compliance officers, or regulatory contacts and email employees with requests for urgent financial action or sensitive document transfer. The legal and compliance framing creates compliance pressure that many employees find difficult to question.

Supply chain compromise. The most sophisticated BEC variant involves the actual compromise of a trusted third party's email system—often through dark web credential exposure. The attacker then sends fraud requests from a legitimately compromised account, making email authentication techniques like DMARC and DKIM ineffective because the email is genuinely coming from the expected domain—just from an account the attacker now controls.


Why Technical Controls Cannot Stop BEC Alone

One of the most important truths about business email compromise is that it is specifically designed to evade the technical controls that stop most other email threats.

Email security gateways filter for malicious attachments, known malicious URLs, and suspicious sender reputations. BEC emails typically contain none of these. There is no attachment to scan, no link to check, and in many cases no spoofed domain to catch—because the email comes from a legitimately registered domain that closely resembles the impersonated party, or from a genuinely compromised account.

DMARC, DKIM, and SPF authentication—the email standards that verify whether a message actually came from the domain it claims to represent—are effective against domain spoofing but irrelevant against supply chain compromise or look-alike domain attacks. A BEC email sent from [email protected] (with a hyphen added) passes every authentication check. So does an email from an attacker who has compromised the legitimate CEO's email account.

Multi-factor authentication significantly reduces the risk of account compromise that enables supply chain BEC, but it does not protect against impersonation attacks where no account is compromised. The attacker never needs access to any of your systems to execute a successful wire transfer fraud.

This is why the human layer is not merely an additional BEC defense—it is the primary one. The employee who receives the fraudulent request is, in many BEC scenarios, the only defense that stands between the attacker and a successful fraud.


What Makes Employees Vulnerable to BEC

Understanding the specific psychological and procedural factors that make BEC effective against otherwise careful employees is essential for designing training that addresses root causes rather than surface symptoms.

Authority compliance. Humans are deeply conditioned to comply with requests from authority figures, particularly in professional contexts. A request that appears to come from the CEO activates this compliance instinct powerfully. Employees who would immediately scrutinize a similar request from an unknown sender apply less critical evaluation when the apparent sender is someone whose authority they are accustomed to respecting.

Urgency and time pressure. BEC emails almost universally create urgency. The transaction must be completed today. The matter is confidential and time-sensitive. Normal approval processes will cause the opportunity to be missed. This urgency is deliberate—it compresses the time available for reflection and verification, and it creates emotional pressure that overrides the careful evaluation that employees might otherwise apply.

Confidentiality framing. Requests that frame the transaction as too sensitive to discuss with colleagues ("please keep this between us for now") are specifically designed to remove the social verification that naturally occurs when employees consult colleagues about unusual requests. An employee who might casually mention an unusual wire transfer request to a colleague over coffee is less likely to do so if the apparent CEO has asked for discretion.

Procedural normalization. Employees who regularly process wire transfers, update vendor details, or change payroll information have established mental models of what these processes look like. A BEC email that mimics the format, tone, and vocabulary of legitimate requests in these categories can trigger the same habitual compliance response that legitimate requests do—without activating the evaluation that would flag it as unusual.

Asynchronous verification gaps. In co-located workplaces, employees can quickly verify unusual requests by speaking directly to the apparent sender. In remote and hybrid environments—or simply in the time-pressured flow of a busy workday—verification requires deliberate effort that competes with the perceived urgency of the request itself.


The Employee Behaviors That Prevent BEC

BEC prevention training is not primarily about teaching employees to recognize phishing indicators. The most effective BEC defense is a set of specific, practiced behaviors that provide a safety check regardless of how convincing the fraudulent request appears.

Out-of-band verification for any payment or banking change. Any request to transfer funds, change payment routing details, update vendor banking information, or redirect payroll should be verified through a separate communication channel before action is taken. This means calling the apparent requestor at a known, independently verified phone number—not a number provided in the suspicious email—and confirming the request verbally.

This single behavior, consistently practiced, would prevent the majority of BEC losses. Its effectiveness does not depend on employees recognizing that an email is fraudulent. It provides a safety check that catches fraud even when the email is convincing.

Dual authorization for high-value transactions. Process controls that require a second authorized approver for wire transfers above a defined threshold provide a human verification layer that does not depend on any individual employee's ability to detect a BEC attempt. Training should help employees understand why this control exists and why circumventing it—even under apparent executive pressure—is never the correct action.

Skepticism toward urgency and confidentiality. Employees should be explicitly trained to recognize urgency and requests for confidentiality in financial authorization contexts as red flags rather than reasons to accelerate compliance. This framing is counterintuitive—in normal professional contexts, responding to urgency and respecting confidentiality are valued behaviors. Training needs to explicitly establish that in the context of financial requests, these signals should trigger heightened scrutiny rather than expedited compliance.

Verification of email address details, not just display names. BEC attacks commonly exploit the gap between the display name shown in an email client (which can be set to anything) and the actual sending address. Employees should be trained to verify the actual sending address on any financial request, understanding that a display name reading "John Smith, CEO" may be attached to an address like [email protected] that has no connection to the organization.
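The following Python check is an added example, not code from the original article or from PhishSkill. It applies the two header checks discussed on this page, the display name versus the actual sending address and the hyphen-inserted or one-character look-alike domain from the authentication section above, to constructed From headers; ORG_DOMAIN, the executive names and every sample address are assumptions made for the example.

```python
import re

# Constructed values for this example: the organization's real domain and
# the normalized names of executives attackers are likely to impersonate.
ORG_DOMAIN = "example.com"
EXECUTIVE_NAMES = {"johnsmith", "janedoe"}
EXEC_TITLES = re.compile(r"\b(ceo|cfo|president|chief)\b", re.I)
# Simplified 'Display Name <addr>' parser; real headers can be more varied.
FROM_RE = re.compile(r'^\s*(?:"?(?P<name>.*?)"?\s*)?<(?P<addr>[^<>]+)>\s*$')

def normalize(text: str) -> str:
    """Lower-case and drop separators so 'exam-ple.com' collapses to 'examplecom'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; a one-character typosquat scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def split_from(header: str) -> tuple[str, str]:
    """Split 'Display Name <addr>' or a bare address into (name, addr)."""
    m = FROM_RE.match(header)
    if m:
        return (m.group("name") or "").strip(), m.group("addr").strip()
    return "", header.strip()

def is_lookalike_domain(domain: str) -> bool:
    """True for domains that mimic ORG_DOMAIN without being it."""
    if domain == ORG_DOMAIN:
        return False
    return normalize(domain) == normalize(ORG_DOMAIN) or edit_distance(domain, ORG_DOMAIN) <= 1

def check_sender(from_header: str) -> list[str]:
    """Red flags a finance reviewer should see for one From header.
    An empty list means the header is consistent with an insider; it does not
    prove the account itself is uncompromised (see the supply chain pattern)."""
    name, addr = split_from(from_header)
    if "@" not in addr:
        return ["sender address could not be parsed"]
    domain = addr.rpartition("@")[2].lower()
    flags = []
    claims_insider = bool(EXEC_TITLES.search(name)) or any(
        n in normalize(name) for n in EXECUTIVE_NAMES)
    if claims_insider and domain != ORG_DOMAIN:
        flags.append(f"display name '{name}' claims an insider, address is {addr}")
    if is_lookalike_domain(domain):
        flags.append(f"look-alike domain {domain} mimics {ORG_DOMAIN}")
    # Display names that themselves contain an address are a related trick.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", name)
    if embedded and embedded.group(0).lower() != addr.lower():
        flags.append(f"display name embeds a different address: {embedded.group(0)}")
    return flags
```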

Safe escalation culture. Employees who feel psychologically safe escalating unusual requests—even when those requests appear to come from senior leadership—are a primary BEC defense. Organizations should create explicit norms and protocols that make it clear: verifying an unusual financial request before complying is the correct professional response, not a challenge to authority. Training should reinforce this norm repeatedly and managers should model it visibly.


Designing BEC Simulation Scenarios

Standard phishing simulations test primarily for link-clicking and credential-harvesting vulnerabilities. BEC simulation requires a different approach because the desired behavioral outcomes are different.

A credential harvesting phishing simulation succeeds in its training purpose when an employee learns to recognize and avoid clicking suspicious links. A BEC simulation succeeds when an employee either recognizes the fraudulent request and reports it, or—importantly—follows the correct verification procedure before complying.

BEC simulation scenarios should test the specific behavioral responses described above. Scenarios that present employees with realistic wire transfer requests, vendor payment change notifications, or payroll update requests—formatted to appear legitimate and with appropriate urgency framing—measure whether employees apply verification behavior, escalate appropriately, or comply without verification.

The training triggered by BEC simulation should address:

- The specific scenario type the employee just encountered, with explicit identification of the BEC pattern being used.
- The correct verification procedure, step by step, that should be applied to requests of this type.
- The organizational policy governing financial authorization and what it means in practice.
- The importance of reporting the attempt regardless of whether the employee recognized it immediately, because BEC attempts against one employee are often part of campaigns targeting multiple people.


BEC Training for High-Risk Roles

BEC risk is heavily concentrated in specific roles, and training investment should reflect that concentration.

Finance and accounts payable personnel are the primary targets of wire transfer and vendor payment redirection BEC. They need specific, role-focused training on verification procedures, dual authorization requirements, the specific formats and pretexts commonly used in BEC attacks against their function, and how to respond to executive pressure to bypass normal controls.

HR and payroll personnel face payroll diversion BEC. Their training should specifically address the payroll change request format that attackers use, the verification procedure for employee banking change requests (including what identification verification is appropriate), and the process for reporting suspected payroll fraud.

Executive assistants and administrative staff who manage executive schedules, travel arrangements, and communications are targets of both direct fraud attempts and impersonation vectors—attackers who compromise an executive assistant's account gain a powerful launching point for attacks on the rest of the organization. Their training should address the full range of social engineering risks specific to their position.

Legal and compliance personnel should understand attorney impersonation patterns and the specific BEC pretexts that exploit legal and regulatory compliance authority.


Measuring BEC Prevention Program Effectiveness

Unlike standard phishing simulation, where click rate and reporting rate are the primary behavioral metrics, BEC prevention program effectiveness is measured primarily through process compliance rather than technical indicator recognition.

The key metrics for a BEC-specific training program include: what percentage of employees correctly apply out-of-band verification procedures when presented with a simulated wire transfer request; what percentage escalate unusual financial requests to a supervisor before taking action; what percentage report the suspicious request to the security team; and over time, whether simulated BEC attempts trigger the correct process behaviors more consistently across campaigns.

These metrics are more operationally complex to track than standard phishing simulation outcomes, but they provide a more direct measurement of the specific behavioral capabilities that BEC prevention requires.


The Organizational Case for BEC Prevention Investment

The financial case for investing in BEC prevention training is unusually direct. BEC losses are large, specific, and often unrecoverable—unlike ransomware losses that may be partially covered by insurance, wire transfer fraud is frequently excluded from standard cyber insurance coverage or subject to significant sublimits, because insurers recognize BEC as a human authorization failure rather than a technical security breach.

The cost of a comprehensive BEC-focused training program—even at enterprise scale—is a small fraction of a single successful BEC incident. For organizations in financial services, professional services, real estate, healthcare, or any industry that regularly processes significant wire transfers or vendor payments, the expected value of that investment is among the most favorable of any security expenditure available.


PhishSkill includes business email compromise simulation scenarios designed for finance, HR, and executive support teams—the roles most directly targeted by the costliest form of social engineering fraud. Build the verification habits that BEC cannot overcome.

Related Reading

BEC is where phishing meets financial fraud. For the broader targeted attack context, see Spear Phishing Simulation for Enterprise. If executives are being impersonated in wire transfer requests at your organization, see CEO Fraud and Whaling Attack Prevention. To measure whether training is actually working, see Security Awareness Training ROI. For a breakdown of the psychology behind these attacks, see What is Social Engineering?

External reference: FBI IC3 BEC Annual Report.
