Business Email Compromise (BEC): What it is, why it works, and how to stop it


If you’ve ever received an email that looks like it’s from your executive, a vendor, or even a coworker asking for a quick bank change or an urgent payment, you’ve met Business Email Compromise (BEC). It’s not a noisy, virus-style attack. It’s quiet, targeted social engineering—criminals either spoof a trusted address or gain access to a real mailbox, then blend into everyday business conversations to reroute money or grab sensitive information.

BEC hits organizations of every size, including public entities and special districts. The schemes are simple: change the destination of funds, change the way payroll is deposited, or trick someone into sharing information that lets the attacker keep going.

How the scams usually unfold

Most BEC starts with an email. Sometimes attackers guess or steal a password and set up forwarding rules so they can watch messages without being noticed. Other times, they register a look-alike domain (think enduris.co instead of enduris.us) or change only the “display name” so the message appears familiar at a glance. Then comes the ask—often right before a payment is due.

Common storylines you may see:

  • A vendor writes: “We changed banks. Please send this month’s payment to the new account below.”
  • A leader emails from the airport: “Tight deadline—please wire funds now and I’ll explain later.”
  • HR or payroll gets a request: “New direct-deposit info attached—please update before Friday.”

None of these are inherently suspicious on their own. That’s what makes BEC effective: it leans on timing, trust, and urgency.

Red flags that should slow you down

Watch for messages that:

  • Push urgency or secrecy (“handle this quietly,” “need this in the next hour”).
  • Ask for banking or payment changes by email only, especially right before a scheduled payment.
  • Come from look-alike domains or personal email accounts.
  • Feel “off” in tone, grammar, or timing, or insist on bypassing normal procedures.
  • For IT teams: fail SPF/DKIM/DMARC checks or lack DMARC alignment, or coincide with newly created mailbox-forwarding rules.
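To make the IT-team red flag above (and the look-alike domain and display-name tricks described earlier) concrete, here is an added Python example that is not part of the Enduris article. It reads a message's From and Authentication-Results headers and reports a look-alike sender domain, a display name borrowed from an internal person, and SPF/DKIM results that do not vouch for the From domain, which is what DMARC alignment means. The sample message, the trusted-domain list and the directory are constructed for illustration, and the look-alike test is a naive edit-distance heuristic rather than a public-suffix-aware comparison.

```python
"""Added example, not from the article: check an inbound message's headers for
the red flags the article describes (look-alike domain, impersonated display
name, SPF/DKIM results that do not align with the From domain). The sample
message, trusted-domain list and directory are constructed for illustration."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains the organization trusts, and a small directory of
# internal people whose names criminals might reuse as a display name.
TRUSTED_DOMAINS = {"enduris.us", "knownvendor.com"}
DIRECTORY = {"jane doe": "jane.doe@enduris.us"}

# Constructed sample: display name of a real CFO, address on a look-alike
# domain, SPF passes only for an unrelated bulk-mailer domain, no DKIM.
SAMPLE_RAW = (
    'From: "Jane Doe" <jane.doe@enduris.co>\n'
    "Return-Path: <bounce@bulkmailer.example.net>\n"
    "Authentication-Results: mx.example.org; spf=pass smtp.mailfrom=bulkmailer.example.net;"
    " dkim=none; dmarc=none header.from=enduris.co\n"
    "Subject: Urgent wire - handle quietly\n"
    "\n"
    "We changed banks. Please send this month's payment to the new account below.\n"
)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot one- or two-character domain look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain this one imitates, or None.

    Two heuristics: same name under a different TLD (enduris.co vs enduris.us),
    or an edit distance of at most 2 from a trusted domain. The label split is
    naive (no public-suffix list); adequate for a demonstration."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if domain.split(".")[0] == t.split(".")[0] or levenshtein(domain, t) <= 2:
            return t
    return None


def parse_auth_results(header: str) -> dict:
    """Pull verdicts and authenticated identities out of Authentication-Results."""
    out = {}
    for key in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{key}=(\w+)", header)
        out[key] = m.group(1).lower() if m else "absent"
    m = re.search(r"smtp\.mailfrom=(?:[^\s;@]+@)?([\w.-]+)", header)
    out["mailfrom_domain"] = m.group(1).lower() if m else None
    m = re.search(r"header\.d=([\w.-]+)", header)
    out["dkim_domain"] = m.group(1).lower() if m else None
    return out


def bec_flags(raw_message: str) -> list:
    """Return the list of red flags found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower()
    flags = []

    imitated = lookalike_of(from_domain)
    if imitated:
        flags.append(f"lookalike_domain:{from_domain}~{imitated}")

    expected = DIRECTORY.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        flags.append(f"display_name_impersonation:{name}")

    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    # DMARC alignment: the identity SPF or DKIM vouched for must be the From domain.
    if auth["spf"] != "pass" or auth["mailfrom_domain"] != from_domain:
        flags.append("spf_unaligned")
    if auth["dkim"] != "pass" or auth["dkim_domain"] != from_domain:
        flags.append("dkim_unaligned")
    if auth["dmarc"] != "pass":
        flags.append(f"dmarc:{auth['dmarc']}")
    return flags


if __name__ == "__main__":
    for flag in bec_flags(SAMPLE_RAW):
        print(flag)
```

In practice the input is the Authentication-Results header your own mail gateway stamps, and the output is triage input for the phone-call verification the article recommends, not an automatic block decision: two short, legitimate domains can sit within two edits of each other.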


Make your organization a hard target

Think in layers—people, process, and technology—so one mistake doesn’t lead to a loss.

People & process

  • Build a culture of verification. Call a known number on file (not the one in the email) before you act for any vendor banking change or urgent payment.
  • Use dual control for new vendors, banking changes, and high-risk payments.
  • Guard the vendor master. Require a documented reason, independent verification, and (ideally) a short cooling-off period before the first payment to new or changed accounts.
  • Train the teams most targeted by BEC—AP, payroll, HR, executive assistants—using short refreshers and occasional simulations. Our website has a convenient checklist to keep near workstations.


Technology

  • Turn on multi-factor authentication (MFA) for email, remote access, and financial systems.
  • Deploy and enforce SPF, DKIM, and DMARC to reduce spoofing.
  • Monitor for risky mailbox activity (auto-forwarding rules, impossible travel, unusual sign-ins).
  • Apply least-privilege access to finance and vendor-management systems and review admin accounts regularly.
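As an added example of the monitoring item above (this is not the article's or Enduris's code), the following Python script walks a constructed mailbox audit trail and raises the two alerts named: an inbox rule that forwards mail outside the organization or deletes messages after acting, and impossible travel, meaning two sign-ins by one user whose distance over elapsed time exceeds a plausible speed. The events, IP addresses (documentation ranges) and coordinates are constructed, and the log shape is a simplification that borrows Exchange-style names (New-InboxRule, ForwardTo, RedirectTo, DeleteMessage, MoveToFolder) as an assumption about what a real audit record carries.

```python
"""Added example, not the article's code: scan a mailbox audit trail for the
signals the article lists, auto-forwarding rules and impossible travel.
Events are constructed and use a simplified log shape with Exchange-style
field names (New-InboxRule, ForwardTo, RedirectTo, DeleteMessage)."""
import math
from datetime import datetime

INTERNAL_DOMAINS = {"enduris.us"}   # constructed: mail may stay inside these
MAX_PLAUSIBLE_KMH = 900.0           # roughly airliner speed

# Constructed events for one morning. IPs are from documentation ranges and
# the coordinates stand in for what a GeoIP lookup would return.
EVENTS = [
    {"ts": "2025-03-03T08:02:00Z", "user": "ap.clerk@enduris.us", "op": "UserLoggedIn",
     "ip": "203.0.113.10", "lat": 47.66, "lon": -117.43},
    {"ts": "2025-03-03T08:41:00Z", "user": "ap.clerk@enduris.us", "op": "UserLoggedIn",
     "ip": "198.51.100.7", "lat": 6.45, "lon": 3.40},
    {"ts": "2025-03-03T08:45:00Z", "user": "ap.clerk@enduris.us", "op": "New-InboxRule",
     "rule": {"Name": ".", "ForwardTo": ["invoices.archive@mail.example"],
              "DeleteMessage": True}},
    {"ts": "2025-03-03T09:10:00Z", "user": "payroll@enduris.us", "op": "New-InboxRule",
     "rule": {"Name": "Vendors", "MoveToFolder": "Vendors"}},
]


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 6371.0 * 2 * math.asin(math.sqrt(a))


def risky_rule(rule: dict) -> list:
    """Reasons an inbox rule looks like a BEC foothold (empty list if none)."""
    reasons = []
    for key in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        targets = rule.get(key) or []
        if isinstance(targets, str):
            targets = [targets]
        for addr in targets:
            if addr.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS:
                reasons.append(f"forwards_externally:{addr}")
    if rule.get("DeleteMessage"):
        reasons.append("deletes_after_acting")   # hides the trail from the mailbox owner
    if not rule.get("Name", "").strip(" ."):
        reasons.append("blank_or_dot_name")       # a name that is easy to overlook in the UI
    return reasons


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH) -> list:
    """Flag consecutive sign-ins by one user that imply an implausible speed."""
    alerts = []
    last = {}
    logins = sorted((e for e in events if e["op"] == "UserLoggedIn"), key=lambda e: e["ts"])
    for e in logins:
        prev = last.get(e["user"])
        if prev is not None:
            km = haversine_km(prev["lat"], prev["lon"], e["lat"], e["lon"])
            hours = (parse_ts(e["ts"]) - parse_ts(prev["ts"])).total_seconds() / 3600
            if km > hours * max_kmh:   # also catches a zero interval with distance
                alerts.append({"user": e["user"], "type": "impossible_travel",
                               "detail": f"{km:.0f} km in {hours * 60:.0f} min "
                                         f"({prev['ip']} -> {e['ip']})"})
        last[e["user"]] = e
    return alerts


def analyze(events) -> list:
    """All alerts from the trail: impossible travel plus risky inbox rules."""
    alerts = impossible_travel(events)
    for e in events:
        if e["op"] == "New-InboxRule":
            reasons = risky_rule(e["rule"])
            if reasons:
                alerts.append({"user": e["user"], "type": "risky_inbox_rule",
                               "detail": "; ".join(reasons)})
    return alerts


if __name__ == "__main__":
    for a in analyze(EVENTS):
        print(f"{a['type']:18} {a['user']:24} {a['detail']}")
```

The two detections reinforce each other: a sign-in from an implausible location followed minutes later by a rule that forwards mail out and deletes the copy is the pattern the article describes, an attacker watching a mailbox without being noticed, and is worth paging on rather than queueing for review.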


If you suspect BEC, act immediately

Time matters. Do these steps in parallel:

  1. Call your bank’s fraud team and request a recall/hold on the payment. Ask them to contact the receiving bank as well.
  2. Report to the FBI at IC3.gov and notify your local FBI field office. Fast reporting can improve recovery chances.
  3. Secure the account: reset passwords, revoke active sessions, and remove any malicious mailbox rules or forwarding.
  4. Preserve evidence (emails, headers, logs, invoices, change requests) and brief leadership and Enduris.
  5. Notify affected vendors or members and re-verify any pending payments out-of-band.


A quick “Top 5” to share with your team

  • Never change payment instructions based on email alone—always verify with a phone call to a known number.
  • Treat urgency as a warning sign, not a reason to skip steps.
  • Use MFA everywhere, and report any odd mailbox behavior immediately.
  • Protect your domain with SPF, DKIM, and DMARC.
  • If something slips through, contact your bank and the FBI IC3 immediately.


This article was written using the following AI tools with moderation by Ryan Wilson.

  • OpenAI. (2025). ChatGPT (GPT-5) [Thinking]. https://chatgpt.com/

