Scammers impersonate executives, vendors, or attorneys via email to trick employees into wiring money or redirecting payments. $2.77B in losses across 21,442 complaints in 2024 (FBI IC3) — the 2nd highest loss category. The 'Scripted Sparrow' group alone sent 6.6M automated BEC emails in September 2025.
Annual Losses: $2.77B in 2024 (FBI IC3) — 2nd highest loss category; cumulative 2022-2024 losses nearly $8.5B
Avg Loss / Victim: $129K avg per complaint (IC3 derived); $137K avg per U.S. incident (Hoxhunt Phishing Trends Report, Jan 2026); IC3 Recovery Asset Team has 66% success rate freezing fraudulent transfers
Primary Vector: Email impersonating executives, vendors, or attorneys
Peak Season: Year-round; spikes around quarter-end financial closings and real estate closings
An attacker compromises or spoofs a business email account — typically a CEO, CFO, vendor, or real estate attorney — and sends a convincing email directing an employee to wire funds, change payment details, or share sensitive data. The emails are meticulously timed (often during travel or busy periods) and reference real transactions. The 'Scripted Sparrow' group industrialized this in 2025, using automation to generate 6.6 million personalized BEC emails per month with AI-generated PDF invoices indistinguishable from real corporate documents.
Two sample messages follow, each with its red flags listed underneath.

From: ceo@company-inc.com (spoofed)
To: accounts.payable@company.com
Subject: Urgent - Wire Transfer Needed Today

Hi Sarah,

I need you to process a wire transfer of $47,500 to our new vendor for the Q1 marketing campaign. This is time-sensitive — I'm in meetings all day and can't call. Please use the account details below and confirm once sent.

Bank: First National
Routing: 021000089
Account: 4458891234

Thanks,
Michael Chen, CEO

Red flag (From: ceo@company-inc.com): Spoofed or compromised email — always verify wire requests through a separate communication channel
Red flag (Subject: Urgent - Wire Transfer Needed Today): Urgency + inability to verify by phone is the classic BEC setup
Red flag ("I'm in meetings all day and can't call"): Preemptively blocking the verification step that would expose the fraud

From: billing@vendor-solutions-group.com
Subject: Updated Payment Information — Invoice #VS-2026-1847

Dear Accounts Payable,

Please note that our banking details have changed effective immediately. All future payments should be directed to:

Bank: Pacific Trust
Account: 7723091456
Routing: 122000247

Please update your records and apply this to the outstanding invoice #VS-2026-1847 ($128,400).

Regards,
Accounts Receivable
Vendor Solutions Group

Red flag ("our banking details have changed effective immediately"): Payment detail changes via email are the #1 BEC variant — always verify by calling the vendor at a known number
Red flag ($128,400): High-value single transaction — BEC attacks target the largest payments they can find
Urgent wire transfer request from an executive who 'can't talk right now'
BEC attackers always create a reason why voice verification isn't possible — travel, meetings, poor reception
Vendor sends new bank account details by email
Legitimate vendors announce banking changes through formal written notice and verify by phone. Never change payment details based on email alone.
Email domain is slightly different from the real one
Attackers register lookalike domains: company-inc.com vs companyinc.com, or use .co instead of .com
Request bypasses normal approval processes
BEC emails often say 'handle this directly' or 'keep this confidential' to prevent the employee from following standard procedure
Real estate closing instructions arrive by email with wire details
Title companies are heavily targeted — always call the title company directly to verify wire instructions before sending closing funds
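The lookalike-domain red flag above can be checked mechanically. The following is an added example, not part of the original page: it compares a sender's domain against an allowlist and reports hyphen variants, TLD swaps and near-miss spellings. Treating companyinc.com as the real domain, and the names TRUSTED_DOMAINS and classify_sender, are assumptions made for illustration.

```python
from __future__ import annotations

# Assumption: companyinc.com is the organisation's real domain (constructed allowlist).
TRUSTED_DOMAINS = {"companyinc.com"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(domain: str) -> tuple[str, str]:
    """Split 'name.tld' at the last dot; multi-part suffixes are not handled."""
    name, _, tld = domain.rpartition(".")
    return name, tld


def classify_sender(address: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'trusted', 'lookalike' or 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip(" <>.").lower()
    if domain in trusted:
        return "trusted", domain
    name, tld = split_domain(domain)
    for good in sorted(trusted):
        good_name, good_tld = split_domain(good)
        # Same name under a different TLD, e.g. .co instead of .com.
        if name == good_name and tld != good_tld:
            return "lookalike", f"TLD swap of {good}"
        # Same name once hyphens are ignored, e.g. company-inc vs companyinc.
        if tld == good_tld and name.replace("-", "") == good_name.replace("-", ""):
            return "lookalike", f"hyphen variant of {good}"
        # One or two character edits away from the real name.
        if tld == good_tld and 0 < edit_distance(name, good_name) <= 2:
            return "lookalike", f"near-miss spelling of {good}"
    return "unknown", domain
```

A message sent from a compromised real account is classified as trusted by this check, so it supplements the out-of-band verification call and does not replace it.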
Legitimate wire transfer requests follow established internal approval workflows with multiple sign-offs. Real vendors announce banking changes through formal written notice and confirm by phone. Executives who need urgent transfers still make themselves available for a verification call. Real estate title companies will verify wire instructions by phone and warn you about email-based wire fraud at closing.
Sometimes. The FBI IC3's Recovery Asset Team successfully freezes about 66% of reported BEC transfers. Speed is everything — report to IC3 and your bank within hours, not days. After 72 hours, recovery chances drop dramatically.
Attackers typically compromise an email account first (yours or your vendor's) and silently monitor email threads for weeks or months, learning about pending invoices, payment schedules, and relationships before striking.
The CEO's account was likely compromised through a phishing attack. The attacker is sending emails from the real account. This is why out-of-band verification (calling the CEO directly) is essential, even when the email appears 100% authentic.