Offensive Security · Jun 16, 2026 · 11 min read

Business email compromise (BEC): how to spot it and stop it

Business email compromise is one of the most financially damaging attacks. An attacker poses as an executive or a supplier and asks for a payment. Here is how to recognize it and prevent it.
A finance specialist verifying a payment request by phone while reading email on a computer.
Written by Raptoric Offensive Security

Business email compromise, or BEC, is an attack in which someone poses as a trusted person, most often an executive, a finance lead, or a supplier, and convinces an employee to make a payment or change payment details. Unlike mass phishing, BEC is targeted, well prepared, and often carries no link or attachment at all, which is exactly why technical defenses struggle to catch it. That is also why it ranks among the most financially damaging attacks on companies.

BEC is a money-focused form of phishing and social engineering. We measure how resilient your staff are through simulations as part of offensive security.

How BEC works

The attacker first gathers information about the company, who approves payments and who the suppliers are, usually from public sources. They then send a convincing message from an address that closely resembles a real one, or from an account they have taken over, urgently asking for a payment. The message leans on authority and a deadline to strip the victim of time to think. The money moves to the attacker's account and disappears fast.

Types of BEC fraud

The attack takes a few recognizable forms [1].

Form | What it looks like
CEO fraud | A message supposedly from the executive asks for an urgent, confidential payment.
Fake supplier invoice | The attacker poses as a supplier and asks to change payment details.
Account takeover | The attacker uses a real, compromised employee account.
Payroll diversion | A request to change the bank account where an employee's salary is paid.

The most common forms of business email compromise.

Warning signs

BEC messages almost always carry the same signals: urgency and pressure, a request for confidentiality, a change to payment details, a small difference in the sender address, and a departure from the usual procedure. Each of those signs should trigger a check, not a reaction.
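The signals above can be turned into a simple triage check that a mail gateway rule or a help-desk script could run before a finance request is acted on. The code below is an added example written for this article, not Raptoric's tooling: it assumes a list of known contacts maintained by the finance team (`KNOWN_CONTACTS`) and uses three constructed sample messages. It looks for the address tricks (display name of a known contact on an unknown address, a lookalike domain differing by a homoglyph or a character or two) and the wording tricks (urgency, secrecy, a change of bank details, a callback number supplied in the same message), and its output is only ever a prompt to verify through a second channel.

```python
"""Triage heuristic for the BEC warning signs described above.

Added example, not Raptoric's tooling: it assumes a list of known contacts
kept by the finance team and uses constructed sample messages. Everything
it flags is a prompt to verify through a second channel, not a verdict.
"""
from __future__ import annotations

import re
import unicodedata
from dataclasses import dataclass, field

# Constructed: addresses the finance team has on record, with display names.
KNOWN_CONTACTS = {
    "anna.novak@example-corp.com": "Anna Novak",       # CFO
    "billing@supplier-example.com": "Supplier Billing",
}

URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|today|asap|right away|deadline)\b", re.I)
SECRECY = re.compile(r"\b(confidential|do not (?:tell|discuss)|between us|discreet)\b", re.I)
PAYMENT = re.compile(r"\b(wire|transfer|payment|pay)\b", re.I)
BANK_CHANGE = re.compile(r"\b(new (?:bank )?account|updated? (?:bank|payment) details|iban|routing number)\b", re.I)
PHONE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def normalize_domain(domain: str) -> str:
    """Fold common lookalike tricks so 'examp1e-c0rp.com' compares equal to 'example-corp.com'."""
    d = unicodedata.normalize("NFKD", domain).encode("ascii", "ignore").decode().lower()
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"}))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches a dropped or swapped character or a changed TLD."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Verdict:
    signals: list[tuple[str, str]] = field(default_factory=list)  # (tag, detail)

    def tags(self) -> set[str]:
        return {tag for tag, _ in self.signals}

    @property
    def verify_out_of_band(self) -> bool:
        # Any single sign is enough to trigger a check, as the text says.
        return bool(self.signals)


def triage(display_name: str, address: str, subject: str, body: str) -> Verdict:
    v = Verdict()
    addr = address.strip().lower()
    domain = addr.rsplit("@", 1)[-1]
    if addr not in KNOWN_CONTACTS:
        known_names = {n.lower() for n in KNOWN_CONTACTS.values()}
        if display_name.strip().lower() in known_names:
            v.signals.append(("display-name-spoof", f"name matches a known contact but {addr} is not on record"))
        for known in KNOWN_CONTACTS:
            kd = known.rsplit("@", 1)[-1]
            if kd != domain and (normalize_domain(kd) == normalize_domain(domain) or edit_distance(kd, domain) <= 2):
                v.signals.append(("lookalike-domain", f"{domain} resembles known domain {kd}"))
                break
    text = f"{subject}\n{body}"
    for tag, pattern in (("urgency", URGENCY), ("secrecy", SECRECY),
                         ("payment-request", PAYMENT), ("bank-detail-change", BANK_CHANGE)):
        m = pattern.search(text)
        if m:
            v.signals.append((tag, m.group(0)))
    # A callback number offered in the same message as new bank details is itself a signal:
    # the number to call must come from your own records, never from the request.
    if "bank-detail-change" in v.tags() and PHONE.search(body):
        v.signals.append(("callback-in-message", PHONE.search(body).group(0).strip()))
    return v


# Constructed sample messages: (display name, address, subject, body).
SAMPLES = {
    "routine": ("Anna Novak", "anna.novak@example-corp.com", "Q3 invoice",
                "Please process the attached invoice per the usual schedule."),
    "ceo_fraud": ("Anna Novak", "anna.novak@examp1e-corp.com", "Urgent",
                  "I need a wire sent today. Keep this confidential until I am back."),
    "supplier_change": ("Supplier Billing", "billing@supplier-exarnple.com", "Updated bank details",
                        "Please use our new bank account for all future invoices. "
                        "Call me at +1 555 010 0199 to confirm."),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict = triage(*msg)
        print(f"{name}: verify out of band = {verdict.verify_out_of_band}")
        for tag, detail in verdict.signals:
            print(f"  {tag}: {detail}")
```

The routine message from a recorded address produces no signals; the two fraud samples trip the sender checks (the `1` for `l` and `rn` for `m` substitutions) as well as the wording checks. The keyword lists are deliberately short and will produce false positives on a real mailbox; that is acceptable here because the only action a hit triggers is a phone call on a number from your own records.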

How to prevent BEC

The defense is procedural above all, because the attack targets people and process, not technology.

  1. Verify through a second channel
     Confirm every payment or change of payment details by phone on a known number, never the one in the message.
  2. Dual approval
     Require two people to approve any payment above a threshold.
  3. Protect accounts
     Turn on multi-factor authentication for email to prevent account takeover.
  4. Train the team
     Teach finance staff to read pressure and urgency as signs of fraud.
  5. Clear procedures
     Define and rehearse the procedure for changing payment details.
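Steps 1, 2 and 5 above describe a procedure, and the part that most often goes wrong in practice is the callback being made to the number printed in the fraudulent email. The following added example (written for this article, not Raptoric's tooling) models that procedure as code an approval workflow could enforce. It assumes a constructed vendor master record (`VENDOR_MASTER`), a constructed dual-approval threshold, and a constructed change request; a real system would take these from the ERP and the workflow engine.

```python
"""Control logic for steps 1, 2 and 5 above: verification through a second
channel and dual approval for a payment-detail change.

Added example, not Raptoric's tooling. The vendor master record, the
threshold and the request below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

DUAL_APPROVAL_THRESHOLD = 10_000  # assumed policy value, in the company's currency

# Constructed vendor master data: the phone number recorded at onboarding,
# which is the only number a verification callback may go to.
VENDOR_MASTER = {
    "supplier-example": {"phone": "+1 555 010 0100", "iban": "DE00 ON FILE 0001"},
}


class PolicyError(Exception):
    """Raised when an action would bypass the procedure."""


def digits(number: str) -> str:
    """Compare phone numbers by digits only, so formatting differences do not matter."""
    return re.sub(r"\D", "", number)


@dataclass
class ChangeRequest:
    vendor: str
    new_iban: str
    amount: float
    requested_by: str
    numbers_in_message: set[str]               # callback numbers the email itself offered
    callback_confirmed: bool = False
    approvers: set[str] = field(default_factory=set)


def record_callback(req: ChangeRequest, number_dialled: str, vendor_confirmed: bool) -> None:
    """Step 1. The callback counts only if it went to the number on file,
    and never to a number taken from the request itself."""
    if digits(number_dialled) in {digits(n) for n in req.numbers_in_message}:
        raise PolicyError("callback went to a number supplied in the request")
    if digits(number_dialled) != digits(VENDOR_MASTER[req.vendor]["phone"]):
        raise PolicyError("callback number does not match the vendor master record")
    req.callback_confirmed = vendor_confirmed


def approve(req: ChangeRequest, approver: str) -> None:
    """Step 2. Approvers must be distinct people, and never the requester."""
    if approver == req.requested_by:
        raise PolicyError("requester cannot approve their own change")
    req.approvers.add(approver)


def can_execute(req: ChangeRequest) -> tuple[bool, str]:
    """Execute only after the callback succeeded and enough distinct approvers signed off."""
    if not req.callback_confirmed:
        return False, "not confirmed by callback on the number on file"
    needed = 2 if req.amount > DUAL_APPROVAL_THRESHOLD else 1
    if len(req.approvers) < needed:
        return False, f"needs {needed} approver(s), has {len(req.approvers)}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed request: the email offered its own callback number and a new IBAN.
    req = ChangeRequest("supplier-example", "DE00 NEW 0002", 25_000, "ap.clerk",
                        numbers_in_message={"+1 555 010 0199"})
    try:
        record_callback(req, "+1 555 010 0199", True)   # the number from the email: rejected
    except PolicyError as e:
        print("rejected:", e)
    record_callback(req, "+1 (555) 010-0100", True)      # the number on file: accepted
    approve(req, "controller")
    print(can_execute(req))                               # (False, 'needs 2 approver(s), has 1')
    approve(req, "cfo")
    print(can_execute(req))                               # (True, 'ok')
```

The two checks in `record_callback` are the ones worth copying: the number is matched against the master record by digits alone, and any number that also appeared in the message is refused even if it happens to match, so a clerk cannot satisfy the procedure by calling the fraudster back.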

How Raptoric helps

Through simulated social engineering we measure how resilient your teams are to BEC and give you concrete recommendations, as part of offensive security. Book a scoping call.

Frequently asked questions

How is BEC different from ordinary phishing?
Classic phishing is mass-scale and relies on links or attachments. BEC is targeted, carefully prepared, and often carries no link at all, which is why technical defenses struggle to catch it. It relies on authority and urgency instead.
How do you defend against BEC if there are no links or malware?
Procedurally. The strongest defense is verifying every change of payment details through a second channel, requiring dual approval for payments above a threshold, and training staff. Technology alone does not stop BEC.
Does multi-factor authentication help?
Yes, especially against account takeover. MFA on email stops an attacker from using a stolen password to send messages from a genuine account, which is one of the most dangerous forms of BEC.
What should we do if the payment has already gone out?
Contact the bank immediately, because the funds can sometimes be stopped, then report the incident and preserve the evidence. If personal data is also affected, check whether you have a duty to notify the relevant data protection authority.

Sources

  1. ENISA. ENISA Threat Landscape. European Union Agency for Cybersecurity, 2024.
  2. CISA. Avoiding Social Engineering and Phishing Attacks. Cybersecurity and Infrastructure Security Agency, 2021.