What is Business Email Compromise?
Business Email Compromise (BEC) is the simplest, most profitable cybercrime today. Learn how attackers exploit your workflow and why the Second Channel Rule can protect your organization.
Introduction
Two weeks ago, a founder friend called me in disbelief.
His finance team had wired $58,400 to what they thought was a trusted supplier.
The email thread looked real. The tone matched with precision. The invoice number was identical to a legitimate one from earlier that month.
Only one thing was fake: the person on the other end.
This is a Business Email Compromise (BEC) scam. It's the simplest, most profitable cybercrime on the planet.
Proofpoint's 2024 data shows that email-based attacks drove record losses last year. Not malware. Not ransomware. Email!
Why BEC is so dangerous
Here's the scary truth:
BEC doesn't hack your technology. It hacks your workflow.
Attackers study your communication patterns. They learn who approves what. They wait for moments of urgency, fatigue, or routine, and that is when they strike.
The "Second Channel Rule"
So here's the simple framework every team should adopt:
The "Second Channel Rule."
Before approving any financial request or payment change:
Step 1: Verify the sender
Check the sending domain, the reply-to address, and any subtle discrepancies between them.
Step 2: Verify the request
Call, text, or Slack the person using a contact method you already know, not the one provided in the email.
If the email and the call don't tell the same story, you stop.
One 20-second verification could save you six figures and a week of disaster recovery.
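Step 1 can be partly automated before a human ever picks up the phone. The script below is an added example and not code from the original post: it parses a raw message, compares the From and Reply-To domains, catches a display name that pretends to be an address at another domain, and flags domains that imitate a supplier on a small allowlist. The allowlist, the two sample messages and the confusable-character table are constructed for the example; the "last two labels" domain rule is a deliberate simplification that ignores suffixes such as co.uk.

```python
# Added example for Step 1 of the Second Channel Rule ("verify the sender").
# Not from the original post; allowlist and messages below are constructed.
from email import message_from_string
from email.utils import parseaddr
from typing import Optional

# Constructed allowlist: domains the finance team already does business with.
KNOWN_SUPPLIER_DOMAINS = {"acme-supply.com", "northwind.co"}

# Single-character swaps seen in lookalike domains (hyphen dropped so that
# "acme-supply" and "acmesupply" compare equal).
_CHAR_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": ""})
# Multi-character swaps; str.translate works per character, so handle these first.
_PAIR_MAP = (("rn", "m"), ("vv", "w"))


def normalize(domain: str) -> str:
    """Collapse common confusable spellings so lookalikes compare equal."""
    d = domain.lower()
    for pair, single in _PAIR_MAP:
        d = d.replace(pair, single)
    return d.translate(_CHAR_MAP)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    """Registrable domain of an address: the last two labels (simplification)."""
    host = addr.rpartition("@")[2].lower().strip()
    return ".".join(host.split(".")[-2:])


def lookalike_of(domain: str) -> Optional[str]:
    """Return the known supplier domain this one imitates, or None."""
    if domain in KNOWN_SUPPLIER_DOMAINS:
        return None
    for known in KNOWN_SUPPLIER_DOMAINS:
        if normalize(domain) == normalize(known) or edit_distance(domain, known) <= 2:
            return known
    return None


def check_sender(raw_message: str) -> dict:
    """Run the Step 1 checks and say whether Step 2 (out-of-band call) may begin."""
    msg = message_from_string(raw_message)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(reply_addr) if reply_addr else from_dom
    findings = []

    # A Reply-To outside the sender's domain is the classic BEC tell:
    # the reply (and the payment conversation) goes somewhere else.
    if reply_dom != from_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {from_dom}")

    # A display name that is itself an address at a different domain.
    if "@" in from_name and domain_of(from_name) != from_dom:
        findings.append(f"display name {from_name!r} claims a different domain than {from_addr}")

    # Either domain imitating a supplier the team already trusts.
    for dom in {from_dom, reply_dom}:
        target = lookalike_of(dom)
        if target:
            findings.append(f"{dom} looks like known supplier {target}")

    return {"from_domain": from_dom, "reply_to_domain": reply_dom,
            "findings": findings, "proceed_to_step_2": not findings}


# Constructed sample messages (not real traffic).
LEGIT_MESSAGE = """From: Alice Chen <alice@acme-supply.com>
To: finance@example.com
Subject: Invoice 4471

Please find invoice 4471 attached.
"""

SUSPICIOUS_MESSAGE = """From: "alice@acme-supply.com" <alice@acme-supp1y.com>
Reply-To: accounts@mail-billing.net
To: finance@example.com
Subject: Re: Invoice 4471 - updated bank details

Please use the new account on the attached invoice.
"""

if __name__ == "__main__":
    for raw in (LEGIT_MESSAGE, SUSPICIOUS_MESSAGE):
        result = check_sender(raw)
        print("HOLD" if result["findings"] else "OK", result["findings"])
```

The script is a gate, not a verdict: an empty finding list only means the headers are consistent with the supplier you expect, so Step 2 (the call to a number you already have) still happens before any payment change is approved.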
Your takeaway today
Trust the relationship. Verify the request. Every time.