Most people picture cyberattacks as malware or hacking. Business email compromise is different — and that’s exactly why it’s so costly. A BEC attack usually contains no malicious attachment and no obvious bad link. It’s a carefully written message, often impersonating a CEO, a supplier or a colleague, that persuades a real person to do something harmful: pay a fake invoice, change bank details, or send sensitive data.
Because there’s nothing technically “malicious” to detect, these messages routinely sail past traditional email security.
The scale of the problem
BEC is one of the most expensive categories in all of cybercrime. The FBI’s Internet Crime Complaint Center recorded $2.77 billion in reported BEC losses from 21,442 complaints in 2024 — roughly $129,000 per complaint — and the true figure is almost certainly higher, since many incidents go unreported. [1]
Per-incident, the damage is severe: IBM’s 2025 figures put the average BEC attack at around $4.67 million. [2] And it’s growing — analysts at Verizon attribute 58% of financially motivated phishing breaches to BEC, and other 2025 reporting tracked a roughly 54% rise in BEC volume versus two years earlier. [3]
How a BEC attack unfolds
- Research. Attackers study the target — org charts on LinkedIn, supplier relationships, the finance team’s names. The message will reference real people and real projects.
- Impersonation. They spoof or closely imitate a trusted sender — an executive, a vendor, a lawyer. Sometimes they’ve already compromised a real mailbox and simply reply within an existing thread.
- Pressure. The request is urgent and plausible: “We’re closing this acquisition today, wire the deposit now,” or “Our bank details changed, please update before the next payment run.”
- Payout. Money moves to an account the attacker controls, then is rapidly dispersed. By the time anyone notices, recovery is hard.
Why filters miss it
Traditional email security looks for known-bad signals: malicious attachments, links to blocklisted sites, mail that fails authentication. A well-crafted BEC message often has none of these. The link, if any, may lead to a brand-new page. The sender may be a real, compromised account. The “payload” is psychological, not technical.
How to defend the people who are targeted
BEC defence is about catching intent and context, not just bad files:
- Deeper analysis of high-risk mail. Examine the headers (does the sender domain really align?), the writing style, and whether the sender’s domain is newly registered or subtly misspelled.
- Verification at the point of doubt. Give people a one-click way to check a suspicious message in their inbox, rather than relying on a gut call under pressure.
- Out-of-band confirmation. Any change to payment details or any unusual transfer should be confirmed by a second channel — a phone call to a known number, never the one in the email.
- Protect the high-value targets specifically. Executives and finance staff are the bullseye and deserve a stronger tier of scrutiny.
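The header checks in the first point can be scripted for triage. The following is an added example, not SafeToOpen's code: it parses a constructed message, checks whether Reply-To and Return-Path align with the From domain, and compares the From domain against an assumed list of trusted supplier domains to catch subtle misspellings. Findings are triage signals for a human to verify out of band, not verdicts.

```python
import email
from email import policy
from email.utils import parseaddr

# Constructed list of domains the finance team legitimately deals with (assumption).
TRUSTED_DOMAINS = {"example-supplier.com", "ourcompany.example"}

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot subtly misspelled lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def header_domains(raw: bytes) -> dict:
    """Domain part of From, Reply-To and Return-Path (empty string when absent)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    out = {}
    for name in ("From", "Reply-To", "Return-Path"):
        addr = parseaddr(msg.get(name, ""))[1]
        out[name] = addr.rpartition("@")[2].lower()
    return out

def assess(raw: bytes, trusted=TRUSTED_DOMAINS) -> list:
    """Return human-readable findings; an empty list means no header-level red flags."""
    d = header_domains(raw)
    findings = []
    sender = d["From"]
    for name in ("Reply-To", "Return-Path"):  # legitimate relays can also differ here
        if d[name] and d[name] != sender:
            findings.append(f"{name} domain {d[name]} does not align with From domain {sender}")
    if sender and sender not in trusted:
        for known in trusted:
            if 0 < edit_distance(sender, known) <= 2:
                findings.append(f"From domain {sender} is a lookalike of trusted {known}")
    return findings

# Constructed sample: a 'bank details changed' mail from a lookalike supplier domain,
# with a reply address pointing somewhere else entirely.
SAMPLE = b"""Return-Path: <bounce@mail-relay.example.net>
From: Accounts Payable <ap@exarnple-supplier.com>
Reply-To: Accounts Payable <ap.invoices@webmail.example.org>
Subject: Updated bank details before next payment run

Please update our remittance details before Friday's run.
"""
```

Running `assess(SAMPLE)` returns three findings: two alignment mismatches and one lookalike hit on example-supplier.com.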
Built for the targets attackers want most
SafeToOpen Email Security verifies suspicious mail in one click, with Deeper Analysis tuned for targeted and BEC-style attacks.
The takeaway
BEC succeeds because it attacks judgement, not technology — and because a clean-looking email gives traditional filters nothing to grab. Defending against it means analysing context and intent, protecting your highest-value people with extra care, and building a culture where verifying an unusual money request is normal, not awkward.