Business Email Compromise (BEC) is a highly sophisticated digital fraud scheme that exploits trust in corporate communications to obtain illicit financial gains. Unlike conventional cyberattacks that often employ malware or exploits, BEC is characterized by social engineering approaches and identity impersonation, inducing victims to carry out fraudulent financial transfers or disclose information classified as sensitive (ENISA, 2022).
It is an emerging threat since the 2010s, evolving from simple “phishing” scams into complex schemes of executive and supplier impersonation. The innovative aspect of BEC lies in its reliance on the exploitation of human trust rather than purely technical vulnerabilities, which has enabled these attacks to circumvent many traditional information security defenses (ENISA, 2022; Abnormal, 2025).
In recent years, BEC has consolidated itself as one of the forms of cybercrime with the greatest global financial impact. Official reports demonstrate its escalation: the FBI’s Internet Crime Complaint Center (IC3) reported US$ 2.7 billion in losses related to BEC in 2022 alone, based on 21,832 complaints registered that year (FBI, 2023). This amount represented approximately one quarter of all cybercrime losses reported in the United States in 2022, second only to cryptocurrency investment fraud (FBI, 2023).
Methods
This study was conducted through exploratory and descriptive research, adopting a qualitative and documentary approach. Secondary data were collected from reliable and specialized sources on BEC in order to delineate its evolution, impact, and operational characteristics. Institutional reports were consulted, including the annual reports of the FBI’s Internet Crime Complaint Center (e.g., Internet Crime Report 2022 and 2024) and related public alerts, which provide statistics on incidents and financial losses (FBI, 2023; FBI, 2024). Publications from international cybersecurity agencies were also examined, such as ENISA’s Threat Landscape report (European Union Agency for Cybersecurity) and Europol threat assessments (e.g., the Internet Organised Crime Threat Assessment) concerning email fraud schemes (ENISA, 2022; Europol, 2019).
Additionally, a bibliographic review was conducted in academic databases (IEEE Xplore, Scopus, Google Scholar) to identify recent scientific studies on BEC. Peer-reviewed articles discussing the principles, techniques, and impacts of BEC were included, such as Papathanasiou et al. (2023), as well as literature on social engineering and related electronic fraud. The research also considered threat intelligence reports and market studies produced by security companies, such as Verizon’s annual Data Breach Investigations Report (DBIR) and white papers from specialized email security vendors (Verizon, 2022; Cloudflare, 2022). These sources provided quantitative data (number of incidents, estimated losses, prevalence of attack vectors) and qualitative analyses of real cases and evolutionary trends in BEC.
Selection criteria prioritized information published between 2018 and 2025, ensuring currency and contemporary relevance. Global and regional data (North America, Europe) were included, with emphasis on consolidated statistics and illustrative examples of notable cases. As limitations, it is noted that incident and loss figures are based on data reported to authorities; underreporting exists, as many organizations may not publicly disclose BEC incidents for legal or reputational reasons. Furthermore, this study did not conduct primary data collection (such as interviews or experiments), focusing instead on documentary analysis of existing sources. Despite these limitations, triangulation of multiple reliable sources seeks to ensure a comprehensive and well-grounded view of the BEC phenomenon.
The adopted methodology therefore constitutes a descriptive documentary analysis, qualitative in nature, supported by secondary quantitative data. This approach allows BEC to be contextualized within the digital fraud landscape and enables the extraction of consolidated patterns and evidence from the literature and technical reports, providing a theoretical–practical foundation for the discussion of results.
Results
Prevalence and Financial Impact
The collected data confirm that BEC is currently one of the most financially damaging forms of cybercrime. According to the FBI (2023), BEC complaints registered in 2022 totaled 21,832 incidents in the United States, with losses exceeding US$ 2.7 billion, making it the crime category with the second-highest losses reported to IC3 that year, behind only cryptocurrency investment fraud (FBI, 2023). This amount represented a significant increase compared to 2021, continuing a multi-year upward trend in losses caused by BEC. Globally, between 2013 and 2023, the scam is estimated to have exposed victims to more than US$ 55 billion in potential losses (FBI, 2024). BEC has been reported in all 50 U.S. states and in at least 186 countries, with fraudulent transfers traced to bank accounts in more than 140 different countries — notably, intermediary banks in Hong Kong, the United Kingdom, China, Mexico, and the United Arab Emirates appear among the frequent destinations of diverted funds (FBI, 2024). These figures illustrate the transnational dimension of the threat and suggest the operation of globalized criminal networks behind many BEC schemes.
A relevant finding is that although the volume of BEC attacks is relatively low compared to spam and phishing campaigns, the financial impact is disproportionate. For example, a Cloudflare (2022) report indicated that malicious BEC emails accounted for only about 1.3% of total observed email attacks, yet were responsible for losses far greater than any other category due to the high value involved in each fraud. Moreover, an increase in the median value of fraudulent transactions associated with BEC has been observed in recent years (ENISA, 2022), indicating that fraudsters are requesting increasingly larger sums in successful attacks. In summary, BEC has consolidated itself as a low-volume, high-impact fraud, ranking among the most costly cybercrimes for corporate victims.
Typical Modus Operandi
The analysis of cases and literature reveals a typical pattern of BEC execution involving multiple stages of social engineering and, occasionally, some form of technical intrusion. In general terms, the attack begins with the compromise or falsification of a legitimate email account. Criminals employ various techniques to achieve this: approximately 41% of BEC incidents begin with traditional phishing — for example, a deceptive email inducing the victim to provide access credentials (Verizon, 2022; ENISA, 2022). Another 25% involve the direct use of illicitly obtained credentials (possibly from data breaches or previous attacks), enabling unauthorized access to legitimate corporate accounts (ENISA, 2022).
In a considerable number of cases, scammers resort to identity impersonation without malware, either through email spoofing (sending messages from an address that imitates a trusted domain) or the creation of deceptive domains very similar to those of partner companies, making fraud detection more difficult. It is important to note that the widespread implementation of email authentication protocols (such as DMARC) has partially mitigated direct spoofing attacks, but does not eliminate scams in which the attacker registers similar domains or compromises real email accounts, scenarios in which the fraudulent message may pass through all traditional security filters.
Once criminals have access to a compromised account or a falsified communication channel, they study the target organization and carefully select the internal victim. Preferred targets are generally employees with access to finances or sensitive information, such as accounts payable staff, financial executives (CFOs), executive assistants, or HR teams (Papathanasiou et al., 2023). Attackers often monitor corporate conversations (when they gain internal access) to identify communication patterns, hierarchies, and ongoing projects, in order to craft highly convincing and contextual messages. Based on this preparation, the scam takes several well-known forms:
- CEO fraud: The scammer impersonates a senior executive (typically the CEO or CFO), sending an urgent email to a finance employee requesting the execution of a significant bank transfer to an alleged supplier or partner. The message emphasizes confidentiality and speed, exploiting executive authority and urgency to discourage additional verification (KnowBe4, 2019; Europol, 2019).
- Invoice fraud: In this variant, criminals pose as a legitimate supplier or service provider of the company. They send a fake invoice or alter the bank details on a real invoice, requesting payment to an account controlled by the fraudster. This tactic often involves compromising the email of a real supplier (or falsifying communications in its name) and leveraging existing business relationships, which makes detection particularly difficult (FBI, 2023; Abnormal, 2025).
- Payroll diversion: Attackers target the Human Resources or payroll department, sending requests to change employees’ bank deposit details. Posing as an employee, the fraudster requests that their salary be redirected to a new account (controlled by the criminals), causing losses to both the employee and the organization until the fraud is discovered (Abnormal, 2025).
- Requests for tax information or sensitive data: In some variations, the initial objective is not an immediate transfer but the acquisition of data that can enable subsequent fraud. A common example in the United States is the request for employee tax forms (W-2), containing personal and financial information that can be used for identity theft or preparation of future scams (FBI, 2019). Such schemes often occur during specific periods (such as tax filing season).
- Gift card scams: In this variant, the fraudster, posing as an executive, requests that an employee purchase large quantities of gift cards (e.g., retail or prepaid credit cards), allegedly to reward clients or employees, asking that the card codes be sent by email. These codes are quickly resold or used by criminals, resulting in direct financial loss to the organization (FBI, 2023).
Regardless of the modality, some common elements stand out in the BEC modus operandi. Messages typically convey a tone of urgency and secrecy, pressuring the recipient to act quickly (“this is extremely urgent and confidential”). Fraudsters exploit time zone differences or send communications at strategic times — for example, late on a Friday afternoon — to hinder immediate validation through other channels (ENISA, 2022). In more advanced cases, criminals supplement deception with spoofed voice phone calls (vishing) to confirm instructions: there are reports of phone number spoofing using the company’s number or even audio generated by artificial intelligence imitating a director’s voice, aiming to reinforce the credibility of the request (Interpol, 2022; Abnormal, 2025).
In addition, criminals have used compromised or manipulated videoconferencing platforms — for example, joining Zoom or Teams meetings with fake profiles or frozen videos — to impersonate executives and reiterate payment requests during virtual meetings (FBI, 2022). These developments demonstrate the continuous evolution of BEC, with the adoption of new technologies (such as deepfakes) to enhance fraud and make it even more convincing.
Attack Vectors and Intrusion Techniques
The nature of BEC means that the preferred attack vectors are those that exploit trust and legitimacy in existing corporate communication channels. Corporate email remains the primary medium, being targeted both by phishing attacks (for credential theft) and by pure social engineering attacks (forged messages without malicious content). The data show that fewer than half of BEC incidents involve a malicious link or attachment — unlike traditional phishing — which means there are often no obvious technical indicators for security filters (ENISA, 2022).
In many cases, the attacker is already inside the email account of someone within the organization or a partner (via account compromise) and sends the fraudulent message from a legitimate address, making detection even more challenging. The absence of malicious payloads (malware or suspicious URLs) is deliberate, as it allows the email to bypass conventional security solutions such as secure email gateways, which focus on identifying viruses, dangerous attachments, or domains on blocklists (Abnormal, 2025).
However, there are cases involving the use of auxiliary malware in the BEC context. Keyloggers and remote access trojans (RATs) may be deployed (for example, via an initial phishing attack) to capture credentials and compromise email inboxes or to spy on communications and identify future fraud opportunities (Papathanasiou et al., 2023). These malware tools are typically readily available on underground forums, requiring low investment and moderate technical knowledge, which facilitates criminal access to BEC campaigns. Nevertheless, once access or the desired information is obtained, the final step of the fraud (the transfer request) is conducted without triggering security mechanisms, relying solely on email communication and psychological manipulation.
Beyond email, attackers may also exploit vulnerabilities in organizational processes. For example, many BEC attacks take advantage of gaps in verification procedures: organizations that do not adopt dual-verification policies for payments (such as verbal confirmation with the requester) or that lack multiple approval levels for high-value transfers become easier targets. The COVID-19 pandemic and the increase in remote work created a favorable environment for BEC, as they reduced in-person communication and reinforced reliance on email for urgent decisions, making isolated employees more susceptible to fraudulent requests that appear to originate from leadership (Papathanasiou et al., 2023).
Finally, the research results indicate that criminal groups specialized in BEC have diversified their tactics for laundering and moving stolen funds. Initially, fraudulent payments were directed to bank accounts controlled by the scammers (often accounts belonging to “money mules” or shell companies). In recent years, there has been an increase in the use of custodial accounts linked to cryptocurrency exchanges or digital payment services to receive diverted funds (FBI, 2023). This practice complicates tracing efforts, as criminals rapidly convert and split the amounts into cryptocurrencies, making recovery even more complex. The FBI (2023) observed in 2022 a growth in BEC fraud involving instructions to send money directly to cryptocurrency platforms, reinforcing the need for vigilance in this domain as well.
Discussion
The findings of this study broadly corroborate the existing literature and clarify why BEC remains such an effective and challenging threat in the field of information security. Unlike traditional cyberattacks that exploit technical flaws in systems, BEC exploits human and procedural vulnerabilities of the target organization. Its effectiveness is grounded in classic social engineering principles: the exploitation of authority, urgency, and trust. As noted by ENISA (2022), BEC attacks do not require complex backdoors or malware — criminals literally succeed by “asking” the victim to hand over the money, capitalizing on the assumption of legitimacy. This paradigm shift (trust-based attacks rather than technical exploitation) explains why conventional security controls often fail to detect or prevent BEC. Perimeter solutions such as spam filters, antivirus software, and intrusion detection systems were designed to identify malicious code and anomalous traffic, not to discern a seemingly legitimate email with fraudulently induced content (Abnormal, 2025). Consequently, BEC evades technological defenses and targets the human link in security, which is typically the most error-prone.
The literature emphasizes that organizational and behavioral factors contribute significantly to vulnerability to BEC. Many companies lack strict policies for verifying atypical financial requests, or such policies are not properly communicated and enforced. In hierarchical corporate environments, employees tend to avoid questioning orders from superiors, especially when framed as urgent. BEC attacks exploit this cultural dynamic: fear of contradicting an apparent executive requesting an immediate transfer, combined with pressure to “solve the problem,” often suppresses critical judgment. Edwards et al. (2017) observe that persuasion and psychological manipulation techniques employed in advanced frauds—such as persuasive language, creation of plausible scenarios, and exploitation of goodwill—play a central role in the success of scams. In the BEC context, criminals impersonate trusted figures (a CEO, a regular supplier), mimicking their communication style and referencing internal details (obtained through espionage or social media), which dramatically increases the credibility of the fraud in the eyes of the victim.
Another aspect discussed is the resilience and continuous evolution of BEC in the face of countermeasures. Authorities have intensified efforts to dismantle BEC rings — for example, international law enforcement operations (such as “Operation Delilah” mentioned by Interpol) have resulted in the arrest of multiple individuals involved in email fraud schemes (ENISA, 2022). In addition, since 2018 the FBI has maintained a dedicated BEC asset recovery task force (the Recovery Asset Team), which in some cases succeeds in freezing or reversing transfers if the fraud is reported promptly. Despite these efforts, criminals adapt quickly: they diversify transfer routes (including cryptocurrencies), use false identities and financial mules across jurisdictions, and, as discussed, are incorporating new technologies (such as generative AI to create flawless emails and deepfakes for voice and video) to increase the reach and sophistication of scams (Abnormal, 2025). These trends suggest that BEC will continue to evolve and exploit both technological and human gaps.
Mitigation Strategies and Implications
Given this panorama, it becomes evident that BEC mitigation strategies must be multidimensional, involving technology, processes, and human factors. From a technological standpoint, although BEC is not inherently a technical attack, there are useful countermeasures: rigorous implementation of email authentication protocols such as SPF, DKIM, and DMARC can hinder simple spoofing of legitimate domains, forcing attackers to adopt more costly methods (Jakobsson, 2016). Furthermore, security vendors have been developing solutions based on Artificial Intelligence and behavioral analysis that learn normal communication patterns and detect subtle anomalies in emails—such as changes in an executive’s writing style or unusual requests—flagging potential compromise (Abnormal, 2025). These tools, integrated via API with Microsoft 365 or Google Workspace, can analyze contextual signals (such as suspicious logins in the sender’s account, recently created email forwarding rules, etc.) and flag potential BEC attempts before they reach the recipient. While promising, such solutions are still in early adoption and do not replace the need for human awareness.
In terms of organizational processes, companies should establish clear controls: out-of-band confirmation policies for relevant financial transactions (for example, any transfer request above a certain threshold must be verified by phone or videoconference directly with the requester, using previously known contact details and not those provided in the email). Dual-approval mechanisms for payments (segregation of duties, where the requester and approver are not the same person) also reduce the risk of a single point of failure. Internal simulations and response tests (similar to simulated phishing exercises) can be extended to BEC scenarios, assessing whether employees would follow correct procedures when faced with an anomalous request from “management.”
Finally, the human factor must be addressed through education and organizational culture. Security training programs need to include specific modules on BEC and social engineering fraud, clarifying that legitimate executives will not be offended by security verifications. Employees must be trained to recognize warning signs: unusual communications outside normal hours, exaggerated urgency, deviations from standard payment procedures, minor spelling errors in domain names or writing style, requests for absolute secrecy, among others (ENISA, 2022). Promoting a culture in which questioning extraordinary requests is encouraged and supported by leadership can be decisive.
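As an added illustration of the signals discussed in this section and in the sections on modus operandi and attack vectors (this is example code written for this edit, not code from the paper or from any cited vendor), the following Python triage script scores a message on the cues the text names: a lookalike sender domain that DMARC alone would not stop, a Reply-To header that diverts replies away from a genuine-looking sender, a DMARC failure, and urgency, secrecy, payment-change or gift-card language, and routes high scores to out-of-band verification. The trusted-domain list, the weights and threshold, and the three sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed allow-list: the organisation's own domain plus one known supplier's domain.
TRUSTED_DOMAINS = {"corp.example", "acme-supplies.example"}
HOLD_THRESHOLD = 4  # assumed cut-off: at or above this, route for out-of-band verification
# Content cues named in the text (weights are assumptions, not from the paper).
CUES = {
    "urgency": (1, re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)),
    "secrecy": (1, re.compile(r"\b(confidential|do not (?:discuss|tell|mention))\b", re.I)),
    "payment change": (2, re.compile(
        r"\b(new (?:bank )?account|updated? bank(?:ing)? details|wire (?:transfer|the funds))\b", re.I)),
    "gift cards": (2, re.compile(r"\bgift cards?\b", re.I)),
}

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; domains are short, so the O(len(a)*len(b)) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def domain_of(header_value) -> str:
    """Domain part of the first address in a From/Reply-To header, lower-cased ('' if absent)."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def lookalike_of(domain: str):
    """Trusted domain that `domain` imitates (near-miss spelling or embedded name), else None."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if levenshtein(domain, trusted) <= 2 or trusted in domain:
            return trusted
    return None

def assess(raw_message: str) -> dict:
    """Score one plain-text RFC 5322 message; returns score, reasons and a routing verdict."""
    msg = message_from_string(raw_message)
    from_dom, reply_dom = domain_of(msg.get("From")), domain_of(msg.get("Reply-To"))
    text = (msg.get("Subject") or "") + "\n" + (msg.get_payload() or "")
    hits = []
    target = lookalike_of(from_dom)
    if target:
        hits.append((3, f"sender domain {from_dom} imitates {target}"))
    if reply_dom and reply_dom != from_dom:  # genuine-looking From, replies diverted elsewhere
        hits.append((3, f"Reply-To domain {reply_dom} differs from From domain {from_dom}"))
    if "dmarc=fail" in (msg.get("Authentication-Results") or "").lower():
        hits.append((2, "DMARC failed (direct spoofing; a compromised real account would pass)"))
    hits += [(w, f"{name} language") for name, (w, p) in CUES.items() if p.search(text)]
    score = sum(w for w, _ in hits)
    verdict = "hold for out-of-band verification" if score >= HOLD_THRESHOLD else "deliver"
    return {"score": score, "reasons": [r for _, r in hits], "verdict": verdict}

# Constructed sample messages (not real incidents): CEO fraud, invoice fraud, and a benign mail.
CEO_FRAUD = """\
From: "Jane Doe (CEO)" <jane.doe@c0rp.example>
Subject: Urgent - acquisition payment

Please wire the funds to the new account below today. This is confidential, do not discuss it with anyone.
"""
INVOICE_FRAUD = """\
Authentication-Results: mx.corp.example; dmarc=pass header.from=acme-supplies.example
From: billing@acme-supplies.example
Reply-To: billing@acme-supplies-invoices.net
Subject: Invoice 4471 - updated bank details

We have changed banks; please use the updated bank details below for invoice 4471 and all future payments.
"""
BENIGN = "From: alice@corp.example\nSubject: Team lunch\n\nAre we still on for Thursday?\n"
```

Calling assess() on each sample shows why content and Reply-To cues matter: the invoice case passes DMARC and comes from a trusted domain, so only the diverted Reply-To and the bank-detail change carry its score.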
Conclusion
In summary, the discussion reinforces that Business Email Compromise represents a distinct threat within the cybersecurity landscape, as it is based on the exploitation of trust inherent to human and commercial relationships, rather than technical breaches. This characteristic makes combating BEC particularly challenging: it requires technology, processes, and people to act in concert to reinforce the weakest link — the human factor.
In light of the results presented, it is concluded that effectively mitigating BEC demands a holistic approach encompassing security awareness, rigorous organizational controls, and the careful adoption of innovative solutions capable of identifying and blocking fraud attempts based on social engineering. Only by combining these efforts will it be possible to reduce the impact of this form of digital crime which, despite not involving sophisticated malware, has proven extremely effective in subverting trust and causing multimillion-dollar losses to organizations.
References
Abnormal (2025) – ABNORMAL. Why BEC Remains the $2.8 Billion Problem CISOs Can’t Ignore. Abnormal Security Blog, 3 Sep. 2025. Available at: https://abnormal.ai/blog/bec-problem-cisos-cant-ignore. Accessed on: 10 Oct. 2025.
Cloudflare (2022) – CLOUDFLARE. Cloudflare Security Report 2022 – How to Stop Business Email Compromise. Cloudflare, May 2022. Available at: https://cf-assets.www.cloudflare.com/[…]HowtoStopBusinessEmailCompromiseMay2022.pdf. Accessed on: 5 Jan. 2025.
ENISA (2022) – ENISA – European Union Agency for Cybersecurity. ENISA Threat Landscape 2022 – Report. Luxembourg: ENISA, 2022. Available at: https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022. Accessed on: 12 Dec. 2025.
Europol (2019) – EUROPOL. Focus on CEO Fraud. Press release, 22 Jul. 2019. Europol Newsroom. Available at: https://www.europol.europa.eu/newsroom/news/focus-ceo-fraud. Accessed on: 2 Dec. 2025.
FBI (2019) – FBI – Federal Bureau of Investigation. Public Service Announcement I-082119-PSA: Business Email Compromise – The $26 Billion Scam. Washington, DC: IC3/FBI, 2019. Available at: https://www.ic3.gov/Media/Y2019/PSA190910. Accessed on: 10 Jan. 2026.
FBI (2023) – FBI – Federal Bureau of Investigation. Internet Crime Report 2022. Washington, DC: FBI/IC3, 2023. Available at: https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf. Accessed on: 15 Nov. 2025.
FBI (2024) – FBI – Federal Bureau of Investigation. Business Email Compromise: The $55 Billion Scam (I-091124-PSA). IC3 Public Service Announcement, 11 Sep. 2024. Available at: https://www.ic3.gov/PSA/2024/PSA240911. Accessed on: 5 Jan. 2026.
Papathanasiou et al. (2023) – PAPATHANASIOU, A.; LIONTOS, G.; LIAGKOU, V.; GLAVAS, E. Business Email Compromise (BEC) attacks: threats, vulnerabilities and countermeasures – a perspective on the Greek landscape. Journal of Cybersecurity and Privacy, v. 3, n. 3, p. 610-637, 2023. DOI: 10.3390/jcp3030029.
Verizon (2022) – VERIZON. 2022 Data Breach Investigations Report. 15th ed. Verizon Enterprise, 2022. Available at: https://www.verizon.com/business/resources/reports/dbir/. Accessed on: 20 Nov. 2025.