BEC attacks: The complete guide


A controller wired $64,200 to criminals impersonating her CEO. Learn the two-question rule framework that stops Business Email Compromise attacks.


Last month, a COO shared a story that highlights why Business Email Compromise is the most expensive cybercrime in the U.S.

His controller received a simple email from him:

"Can you send the updated vendor payment today?"

Tone? Perfect. They had pulled phrasing from months of his sent emails. Signature? Identical. Timing? Right in the middle of a chaotic week, when she wouldn't think twice.

She wired $64,200 before lunch.

Except he never sent that email.

This is the quiet, ruthless power of BEC.

No malware. No ransomware. No suspicious links.

Just a criminal studying your communication patterns until they can impersonate you flawlessly.

The FBI reported $2.77 billion in BEC losses in 2024. And that's only what gets reported.

BEC succeeds because it attacks your workflow, not your firewalls.

Here's the framework for every executive team:


The two-question rule

Before acting on any request involving money, credentials, or sensitive data:

  1. Identity: Does the request actually come from who you think it comes from? (Verify through a second channel.)
  2. Urgency: Is the message applying subtle pressure to prompt your swift action?

If either feels off, pause.

BEC attacks collapse under verification friction: they depend on you reacting, not on you confirming.

Tools that analyze sender behavior can flag unusual patterns before you notice them. But the first line of defense is always human judgment backed by processes.
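As an added example (not part of the original post, and not any particular product's logic), the script below shows what a minimal sender-behavior check looks like when run over raw email text. It flags the three signals the story above turns on: an executive's display name on a message that does not come from the company's own domain, a Reply-To that diverts replies elsewhere, and urgency language wrapped around a payment request. The company domain, executive directory and both sample messages are constructed for illustration.

```python
"""Heuristic BEC triage over raw RFC 5322 email text.

Added example, not code from the original post. The domain, executive
directory and sample messages are constructed for illustration.
"""
import email
import re
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"                      # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # assumed executive directory

# Phrases that apply time pressure, and phrases that make the ask financial.
URGENCY = re.compile(
    r"\b(today|asap|urgent|immediately|right away|before (noon|lunch|eod))\b", re.I)
PAYMENT = re.compile(
    r"\b(wire|payment|invoice|transfer|gift cards?|bank details)\b", re.I)


def _domain(address: str) -> str:
    """Lower-cased domain part of an address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def _text(msg) -> str:
    """Plain-text body of a message, joining text/plain parts if multipart."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b""
                 for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.decode(errors="replace") for p in parts)
    payload = msg.get_payload(decode=True)
    return payload.decode(errors="replace") if payload else ""


def triage(raw: str) -> dict:
    """Return the BEC indicators found in one raw message."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    # 1. Display name of a known executive on an address that is not theirs.
    real = EXECUTIVES.get(name.strip().lower())
    if real and addr.lower() != real:
        findings.append("display-name impersonation")

    # 2. Replies silently routed to a different domain than the sender's.
    if reply_to and _domain(reply_to) != _domain(addr):
        findings.append("reply-to domain mismatch")

    # 3. A financial ask combined with pressure to act now.
    text = f"{msg.get('Subject', '')}\n{_text(msg)}"
    if URGENCY.search(text) and PAYMENT.search(text):
        findings.append("urgent payment request")

    verdict = "verify out of band" if findings else "no BEC indicators"
    return {"from": addr, "findings": findings, "verdict": verdict}


# Constructed sample: an impersonation of the executive from a lookalike domain.
SPOOFED = """From: Jane Doe <jane.doe@examp1e-corp.com>
Reply-To: jd.ceo@freemail.example
To: controller@example.com
Subject: Vendor payment

Can you send the updated vendor payment today? Need it done before lunch.
"""

# Constructed sample: a routine message from the real executive.
LEGIT = """From: Jane Doe <jane.doe@example.com>
To: controller@example.com
Subject: Q3 planning

Let's review the budget deck on Thursday.
"""

if __name__ == "__main__":
    for sample in (SPOOFED, LEGIT):
        print(triage(sample))
```

A real deployment would feed this from the mail gateway and pair it with authentication results (SPF/DKIM/DMARC), but even this much catches the combination the post describes: a perfect-looking name, a wrong address, and a hurried ask. Whatever the tool says, the verdict for a flagged message is the same as the two-question rule's: confirm through a second channel before money moves.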


Your takeaway today: Always verify financial or sensitive requests. Use a phone call, Slack, or an in-person check. Never rely solely on email identity.