Business email compromise (BEC) is one of the most damaging forms of cybercrime because it targets trust, not technology.
This guide explains how to spot business email compromise early and recognize the signs before a fraudulent payment, invoice, or data request succeeds.
What Is Business Email Compromise?
Business email compromise is a social engineering attack in which an attacker impersonates a trusted executive, vendor, employee, or partner to trick someone into sending money, revealing sensitive information, or changing payment details.
The Federal Bureau of Investigation (FBI) identifies BEC as a major global fraud threat, especially in organizations that rely on email for approvals, invoices, and wire transfers.
Unlike malware-heavy attacks, BEC often uses legitimate-looking messages, stolen credentials, and carefully timed requests.
That makes it especially important to understand the behavioral, technical, and process-based indicators that can reveal an attack.
How to Spot Business Email Compromise in the Inbox
Most BEC attacks leave subtle clues.
The message may look normal at first glance, but details often expose the fraud if you know what to check.
Check the sender address carefully
Attackers frequently use lookalike domains, subtle spelling changes, or compromised accounts.
A message that appears to come from a CEO, finance director, or supplier may actually originate from an address with extra characters, a changed top-level domain, or a slightly modified reply-to field.
- Misspelled company names in the domain
- Unexpected changes in the reply-to address
- Free email services used for business requests
- Domain substitutions such as .co instead of .com
Watch for urgency and secrecy
BEC messages often pressure recipients to act quickly and avoid verification.
Common language includes requests that are “time sensitive,” “confidential,” or “for your eyes only.” The goal is to override normal controls and discourage staff from calling back or escalating the request.
Look for changes in payment instructions
A classic BEC tactic is invoice fraud or payment diversion.
The attacker may ask you to update bank details, redirect a wire transfer, or pay a new account because “our banking changed.” Any change to supplier payment information should be treated as suspicious until independently confirmed through a trusted channel.
Notice unusual tone, grammar, or formatting
While some BEC emails are polished, others reveal fraud through awkward phrasing, generic greetings, or formatting that does not match the sender’s usual style.
Even when grammar is clean, the tone may be slightly off, such as being unusually formal, abrupt, or inconsistent with the executive or vendor it claims to represent.
Common Business Email Compromise Scenarios
Understanding common scenarios helps you spot patterns faster.
BEC is not one type of message; it is a set of impersonation tactics adapted to different business workflows.
CEO fraud and executive impersonation
In CEO fraud, an attacker impersonates a senior leader and asks an employee in finance, HR, or operations to send a wire transfer, purchase gift cards, or share payroll data.
These requests often bypass normal approval processes by invoking authority and confidentiality.
Vendor and invoice fraud
Attackers monitor real business relationships and send an email pretending to be a supplier.
They may attach a fake invoice or ask for bank account updates.
If the request arrives near month-end, during travel, or around a contract renewal, it deserves extra scrutiny.
Payroll diversion and employee data theft
Some BEC attacks target human resources or payroll departments, requesting changes to direct deposit details or W-2 forms.
These attacks can lead to identity theft, tax fraud, and employee harm in addition to financial loss.
Account takeover and internal impersonation
When attackers gain access to a real mailbox through stolen credentials or phishing, they can reply within existing email threads.
Because the account is legitimate, the messages may appear trustworthy unless you notice subtle anomalies such as a sudden request for payment, odd login alerts, or a new signature block.
Technical Indicators That May Reveal an Attack
Human judgment is essential, but technical signals can also expose BEC.
Security teams and alert employees should examine these indicators when suspicious email arrives.
- Login activity from unfamiliar locations or devices
- Mailbox forwarding rules created without approval
- Suspicious OAuth app permissions
- Recent password reset requests
- Multiple failed login attempts followed by success
- Email authentication failures in SPF, DKIM, or DMARC
These signs can indicate that an account has been compromised and is being used to send fraudulent internal requests.
If a message comes from a real mailbox but the account behavior is unusual, treat it as a potential incident rather than a normal email.
Why BEC Is Hard to Detect
Business email compromise works because it exploits normal business behavior.
Companies routinely exchange invoices, approve payments, share payroll data, and respond to leadership requests under time pressure.
Attackers study those workflows, then mimic them closely enough to blend in.
Many BEC campaigns also avoid attachments and malicious links, which helps them bypass traditional security tools.
Instead of triggering antivirus or spam filters, the email relies on persuasion and process weaknesses.
That is why internal verification controls matter as much as email security software.
Verification Steps That Stop BEC
The most reliable defense against BEC is out-of-band verification.
Never rely on the same email thread to confirm a payment or banking change.
- Call the requester using a known phone number from your records, not the number in the email.
- Verify bank changes through a trusted vendor portal or signed contract process.
- Require dual approval for wire transfers and high-value payments.
- Confirm executive requests with an assistant, office line, or internal directory.
- Pause any request that creates pressure, secrecy, or exception handling.
Organizations that use strong verification workflows reduce the chance that a single deceptive email can bypass controls.
Even a brief delay for validation can prevent a major financial loss.
Best Practices for Employees and Security Teams
Spotting BEC is easier when awareness is paired with process discipline.
A security-conscious organization trains employees to question unusual requests without slowing legitimate work.
- Use phishing-resistant multi-factor authentication, such as FIDO2 security keys, where possible.
- Limit external mailbox forwarding and monitor rule changes.
- Protect executive accounts with stronger access controls.
- Maintain verified contact lists for vendors and internal approvers.
- Train finance and HR teams on BEC scenarios and escalation paths.
- Review payment workflows regularly for gaps that attackers could exploit.
Security teams should also monitor for mailbox compromise, unusual API access, and suspicious inbox rules.
A compromised account can be more dangerous than a spoofed domain because it can reply inside existing conversations and evade casual review.
What to Do If You Suspect Business Email Compromise?
If a message seems suspicious, stop before acting.
Do not reply to the suspicious email to verify the request, and do not click links or open attachments until the sender has been independently confirmed.
Report the message to your IT or security team, preserve the email headers if possible, and notify finance leadership if any payment details were involved.
If money was already sent, immediate escalation matters because banks may be able to freeze or recall funds if contacted quickly.
Organizations should document the incident, preserve relevant logs, and check whether the sender’s mailbox or any associated accounts show signs of compromise.
Fast response can reduce damage and help prevent a follow-on attack.
Key Signs to Remember
- Requests for urgent or secret payments
- Changes to bank details or invoice instructions
- Lookalike sender domains or altered reply-to fields
- Unusual tone, grammar, or formatting
- Executive, vendor, payroll, or wire-transfer impersonation
- Requests that bypass normal approval channels
Knowing how to spot business email compromise comes down to recognizing abnormal pressure, verifying identities outside email, and treating payment changes as high-risk until confirmed.
That habit is one of the strongest defenses against costly fraud.