News and blog articles from Hancock Whitney Bank

Unmasking Business Email Compromise: The Costly Cyber Threat and How to Stop It

Written by Tammy Comeaux | June 24, 2025

The cyber threat that just won’t quit is business email compromise (BEC). According to the Association for Financial Professionals’ latest Payments Fraud and Control Survey, over 63% of businesses reported being targeted by BEC fraud, with 79% either falling victim or dodging attempts at payment fraud. That’s a big wake-up call for companies everywhere.

BEC scams are also among the costliest, per the FBI’s 2024 Internet Crime Report released in April, which logged over 21,000 complaints last year. These scams racked up nearly $2.8 billion in losses—a huge slice of the $16.6 billion total cybercrime hit. What’s worse, the average cost per complaint jumped from $74,723 in 2019 to $137,132.03 in 2023, meaning there are fewer victims, but they're losing bigger bucks each time.

Even tech giants like Facebook and Google aren’t immune. In 2017, a scammer posing as a trusted electronics vendor tricked their teams into wiring over $100 million to fraudulent overseas accounts, where the funds vanished quickly.

There is another aspect of BEC that you should be aware of: it’s not just your business that’s at risk—any partner you work with could be compromised. Once cybercriminals hack a vendor or supplier’s email, they gain access to all their correspondence, using those details to craft scams that look frighteningly real. They might impersonate your trusted contact to redirect a payment or slip into an ongoing email thread to deceive you. That’s why you must assume every business partner could be a weak link and always verify requests through a known, trusted channel.

So, which businesses are most vulnerable? Let’s take a look.

Who gets targeted by BEC attacks?

Who’s most likely to be targeted by business email compromise (BEC) scams? Essentially, any organization using email for financial transactions or sensitive data is at risk. Here’s a closer look:

  • Finance and HR Teams: Employees in accounts payable, payroll, or finance roles are prime targets. Scammers often pose as trusted suppliers to deceive staff into updating or changing payment details based on an email.
  • Small and Medium-Sized Businesses: Smaller companies are frequent targets due to limited cybersecurity resources or training. The FBI’s 2024 Internet Crime Report notes that BEC scams hit businesses of all sizes, but smaller firms often face significant losses due to fewer defenses.
  • Large Corporations: Big organizations aren’t safe either. Their complex supply chains and multiple departments create openings for scams like fraudulent supplier emails or even AI-driven audio cloning to impersonate key staff.
  • Senior Executives: Fraudsters often target C-suite email accounts, spoofing or hacking them to send urgent requests that pressure employees to act quickly without verifying.
  • Organizations with Weak Controls: Companies without strict verification processes for payment changes or wire transfers are especially vulnerable. The Association for Financial Professionals’ survey previously referenced found 63% of organizations faced BEC attempts, with 79% either falling victim or narrowly avoiding fraud.
  • High-Transaction Industries: Sectors like finance, real estate, healthcare, and manufacturing, where large payments or sensitive data are common, are particularly attractive to BEC scammers.

In short, anyone handling financial or sensitive information via email is a potential target. Scammers exploit trust and procedural gaps, so robust verification processes and employee training are critical for protection.

What Are the Most Common Types of BEC Fraud?

Business email compromise scams have become more sophisticated, evolving into a range of clever tactics. One common trick is the bogus invoice scheme. Attackers call or email a business, pretending to be a trusted supplier, and ask that invoice payments be redirected to an account they control, counting on the recipient to make the change without a verbal check-in with the usual contact.

Payroll diversion is a BEC phishing scam that aims to divert employee payroll direct deposits to a fraudster’s account. The Human Resources or payroll representative receives a fake email appearing to be from an employee requesting a change to their direct deposit account. The new information redirects the employee’s deposit into a crook’s account or onto a pre-paid card.

Now, there’s a chilling new twist: scammers using AI to clone realistic-sounding audio, fooling employees into thinking they’re talking to a key colleague. These scams build on the classic “CEO/CFO fraud,” like the email example above, where a fraudster poses as an executive to push through a fraudulent fund transfer.

How Can You Guard Against BEC Scams?

Here are key steps to strengthen your defenses against scams:

  • Confirm ANY CHANGE to PAYMENT INSTRUCTIONS verbally: Use a known, trusted contact number to verify vendor payment changes or payroll changes before acting.
  • Enforce strict payment controls: Prohibit initiating payments based on email or unsecured messaging platforms.
  • Require senior approval for large transactions: Mandate authorized sign-off from senior management for transactions above a set threshold.
  • Strengthen access security: Implement multi-factor authentication (MFA) for company network access and payment initiation systems.
  • Verify new payment details: Always confirm new bank details or payment instructions with a trusted contact via a verified phone number.
  • Validate invoices: Match payments to legitimate, verified invoices before processing.
  • Scrutinize email links and attachments: Verify the sender before clicking links or opening attachments in emails or texts.
  • Check email addresses carefully: Look for subtle discrepancies in the sender’s email address.
  • Avoid email-only verification: Do not rely on email replies to confirm payment requests.
  • Question urgent requests: Be wary of payment changes pushed with a sense of urgency.
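The checklist above expressed as a pre-release gate for a vendor payment-instruction change, as an added illustration (this is not Hancock Whitney’s code or a tool it offers). It checks the sender domain for lookalikes, insists that verbal confirmation used the number already on file rather than one from the email, requires senior sign-off above a threshold, and holds urgent requests for manual review. The vendor master, the threshold and the request fields are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional
import difflib

# Constructed sample vendor master file: the only trusted source for callback numbers.
VENDOR_MASTER = {"acme-supply.com": {"phone": "+1-555-0100"}}
SENIOR_APPROVAL_THRESHOLD = 25_000  # assumed policy value, not a figure from the article

@dataclass
class ChangeRequest:
    sender: str                    # From: address on the email
    reply_to: str                  # Reply-To: address; BEC often points this elsewhere
    amount: float                  # value of the payment the new details would affect
    urgent: bool                   # the email pushes for immediate action
    verified_by_phone: Optional[str] = None  # number actually dialed for verbal confirmation
    senior_approver: Optional[str] = None    # who signed off, if anyone

def domain_findings(addr, known_domains):
    """Flag a sender domain that is unknown or a near-match of a known vendor domain."""
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain in known_domains:
        return []
    close = difflib.get_close_matches(domain, known_domains, n=1, cutoff=0.8)
    if close:
        return [f"lookalike domain {domain!r} resembles {close[0]!r}"]
    return [f"sender domain {domain!r} is not in the vendor master"]

def evaluate(req: ChangeRequest):
    """Return the reasons the change must be held; an empty list means it may proceed."""
    known = list(VENDOR_MASTER)
    problems = domain_findings(req.sender, known)
    if req.reply_to.lower() != req.sender.lower():
        problems.append("Reply-To differs from From")
    vendor = VENDOR_MASTER.get(req.sender.rsplit("@", 1)[-1].lower())
    on_file = vendor["phone"] if vendor else None
    # Verbal confirmation counts only when made on the number already on file,
    # never on a number supplied in the email itself.
    if req.verified_by_phone is None:
        problems.append("no verbal confirmation of the change")
    elif req.verified_by_phone != on_file:
        problems.append("callback number is not the one on file")
    if req.amount >= SENIOR_APPROVAL_THRESHOLD and not req.senior_approver:
        problems.append("senior approval required above threshold")
    if req.urgent:
        problems.append("urgency pressure: route to manual review")
    return problems
```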

Hancock Whitney provides a variety of tools and resources, like our Fraud Checklist, to help you educate your team and cut your risk.

Who’s Liable for Business Email Compromise Losses?

Business email compromise (BEC) scams are costly for companies, often leaving someone stuck with a hefty bill. Usually, the business ends up footing the loss, especially if it skimped on security basics or didn’t verify odd payment requests. For example, missing employee training or not verifying an “urgent” wire transfer can make a company an easy target for fraudsters.

Employees might catch some heat too, particularly if they ignore clear protocols or fall for an obvious phishing email. Banks come into play as well—they might investigate fraudulent transactions and try to recover funds, but their liability depends on their policies and case specifics. Vendors can also share the blame, especially if their weak security lets the scammers in. To stay ahead, businesses should strengthen defenses, train staff to spot scams, and consider cyber insurance to cover BEC losses. Knowing who’s responsible helps companies protect their wallets and navigate this tricky landscape.

Stay Current on BEC Threats

With remote work making it tougher to verify if an email from a company executive is legitimate, businesses are wise to take BEC prevention even more seriously and adopt these best practices.

The FBI’s www.ic3.gov offers updated public service announcements on BEC trends to keep you in the loop. Plus, check out our website for more ways to combat BEC and stay one step ahead of scammers. Staying informed and proactive is your best defense in this fast-evolving threat landscape.

We’re ready to review your cybersecurity plan