When ordinary people, including most employees at most companies, think about cyber crime, it’s the classic stock image they reach for: the hooded, faceless hacker staring at an endless stream of binary code, pressing a single key on the keyboard.
In reality that’s not how bad actors, or hackers, operate, and that’s especially the case with Business Email Compromise (BEC), because it’s a simple con to pull off. No blue glow needed.
BEC is one of the most financially damaging online crimes businesses face because at the core of it is a simple confidence trick that even the most savvy employees can fall foul of.
Figures from the FBI show that BEC has been responsible for $50bn in business losses over the past 10 years, making it a lucrative con for those responsible.
The worst part is that even with a good cybersecurity setup, there’s no accounting for the human element in the mix – the most unpredictable element of all in cybersecurity.
What is Business Email Compromise and why is it effective?
It’s so common that you’ve likely already seen a variation of the following message, appearing to come from the CEO and tailored to the target department.
For example – finance:
From: Very Important CEO
To: Busy employee
Hi Employee,
I’m tied up in meetings this afternoon and need you to process an urgent payment for me.
We’re finalising a sensitive acquisition and I need this kept strictly between us for now. Can you arrange a same-day transfer of £47,850 to the account below?
Please confirm once it’s done as timing is critical and I don’t want this delayed.
Thanks,
Very Important CEO
Or to someone in marketing:
From: Very Important CEO
To: Busy employee
Hi Employee,
Quick one – I’ve just approved a last-minute campaign opportunity that’s come up through a partner.
We need to secure the slot today or we lose it. Can you arrange payment of £18,600 to the supplier below and code it to the Q1 brand budget?
I’m heading into back-to-back meetings so I won’t be reachable, but this needs to move now. Please keep this tight for the moment and I’ll brief the wider team once it’s locked in.
Thanks,
Very Important CEO
As you can see Business Email Compromise (BEC) is a type of fraud where criminals impersonate a trusted contact such as a CEO, finance director, supplier, or partner to trick an employee into transferring money or sensitive information.
You’ll often see it across a few different variations, including:
- CEO Fraud – An urgent request from the boss asking for a payment or favour (like the examples above)
- Invoice Fraud – Fake invoices or updated bank details sent to finance teams to action
- Supplier Fraud – Emails pretending to be from existing vendors, asking for sensitive information
- Account Compromise – When a real mailbox is taken over and used against the business
It works for the fraudsters because there’s no malicious attachment to get flagged and no dodgy link taking you to a suspicious site. Just a well-timed, well-written email that tests the judgement of a stressed-out employee. That’s exactly why these attacks slip past traditional security controls: there’s nothing technical to detect.
Why the CEO Fraud play works: The psychology behind the scam
Attackers rely heavily on two psychological levers to commit these crimes:
1. Urgency
“I need this done in the next 30 minutes.”
“I’m about to step into a meeting.”
“This is confidential, don’t loop anyone else in.”
Urgency shuts down critical thinking, which leads people to stop checking and start acting.
2. Authority (CEO Fraud in particular)
This taps into a well-known psychological concept called authority bias, the tendency to comply with requests from someone who appears senior or powerful.
If an email looks like it’s from the CEO, many employees will prioritise speed over scrutiny, and that’s exactly what the criminals are aiming for.
For example, CEO fraud often involves junior finance employees being targeted precisely because they’re less likely to challenge a senior request.
How invoice fraud gets past even the most senior employees
One of the most effective BEC tactics is invoice fraud, because it isn’t a one-off email blast; it plays the longer game, and that’s what catches people out.
It usually involves:
- Attackers gaining access to a mailbox (often via phishing)
- Silently monitoring emails for weeks, sometimes months
- Learning:
  - Who pays whom
  - Typical invoice amounts
  - Billing cycles
  - Tone and language used
- Striking at the perfect moment with an invoice that looks completely legitimate: correct branding, correct timing, correct amounts, but new bank details
The result?
By the time anyone realises, the money is gone.
Your human firewall: Training employees to spot the signs
As BEC is a form of social engineering, your first line of defence will always be your employees. But how do you get them to spot the signs that everything may not be as it seems when they’re distracted with other tasks, trying to juggle 12 things at once and thinking about what they want for lunch?
Good phishing awareness training focuses on spotting subtle red flags, such as:
- A sudden change in tone or writing style
- Slight grammatical errors or awkward phrasing
- Unexpected requests involving money or secrecy
- Pressure to bypass normal processes
- Emails that feel off but are hard to explain
- Something weird in the email address
Teaching employees to trust their instincts and to pause rather than panic when something feels weird is critical if you want to properly protect against phishing attacks and Business Email Compromise.
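To show how those red flags can also be checked mechanically, here is an added Python example (not code from the original post) that scores the post’s own two sample emails against the signals above, alongside one routine message. The corporate domain, the executive name list and the sender addresses are constructed assumptions.

```python
import re

# Constructed for this example: the organisation's real domain and the senior
# names attackers most often impersonate.
CORPORATE_DOMAIN = "important-company.example"
EXEC_NAMES = {"very important ceo"}

# One pattern per red flag, built from phrases in the post's two sample emails.
FLAG_PATTERNS = {
    "urgency": r"\b(urgent|same-day|today|right now|critical|immediately|move now)\b",
    "unreachable": r"\b(tied up|in meetings?|back-to-back|won.t be reachable)\b",
    "secrecy": r"\b(between us|keep this tight|confidential|don.t loop)\b",
    "payment": r"\b(transfer|payment|invoice|bank details|account below)\b",
}

# Constructed samples: the post's two CEO-fraud emails and one routine message.
SAMPLES = {
    "ceo_finance": ("Very Important CEO", "ceo@important-c0mpany.example",
        "I'm tied up in meetings this afternoon and need you to process an urgent "
        "payment for me. We're finalising a sensitive acquisition and I need this "
        "kept strictly between us for now. Can you arrange a same-day transfer of "
        "£47,850 to the account below? Timing is critical, don't let this delay."),
    "ceo_marketing": ("Very Important CEO", "very.important.ceo@freemail.example",
        "We need to secure the slot today or we lose it. Can you arrange payment of "
        "£18,600 to the supplier below? I'm heading into back-to-back meetings so I "
        "won't be reachable, but this needs to move now. Please keep this tight."),
    "routine": ("Busy Colleague", "colleague@important-company.example",
        "Reminder that the Q1 planning session moves to 3pm Thursday. Agenda attached."),
}

def score_email(from_display, from_addr, body):
    """Return (score, fired_flags) for one message; higher means more BEC-like."""
    text = body.lower()
    flags = [name for name, pat in FLAG_PATTERNS.items() if re.search(pat, text)]
    # Authority-bias check: a senior display name on an address outside our own
    # domain (lookalike domains and free webmail both trip this).
    domain = from_addr.rsplit("@", 1)[-1].lower()
    if from_display.strip().lower() in EXEC_NAMES and domain != CORPORATE_DOMAIN:
        flags.append("exec_name_external_domain")
    score = len(flags)
    # A payment request combined with urgency or secrecy is the CEO-fraud
    # signature, so weight that combination above the individual flags.
    if "payment" in flags and {"urgency", "secrecy"} & set(flags):
        score += 2
    return score, flags

def score_samples():
    """Score every constructed sample; a real filter would feed live mail here."""
    return {name: score_email(*msg) for name, msg in SAMPLES.items()}
```

The score is a prompt for a second look, not a verdict; both fraud samples trip the sender check because the display name says CEO while the address sits on a lookalike or webmail domain, which is what “something weird in the email address” means in practice.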
It also means putting proper processes in place with your employees in mind, such as ensuring that any request to change bank details is verbally verified over the phone using a known and verified phone number.
Your suppliers and customers will appreciate the extra security steps in place.
Technical controls that support (not replace) your people
Of course, technology still matters and supports user awareness training; it just can’t do all the work on its own. Key controls that help reduce BEC risk include:
- Multi-Factor Authentication (MFA) on email accounts
- Monitoring for unusual login behaviour
- Email filtering tuned specifically for BEC patterns
And most importantly:
Ensure that you’ve implemented DMARC (Domain-based Message Authentication, Reporting, and Conformance). DMARC helps prevent attackers from spoofing your domain, which means that scammers can’t easily send emails that look like they came from your organisation.
It won’t stop every BEC attack, but it significantly raises the bar and reduces impersonation risk.
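As an added example (not the post’s own code), here is a small Python checker that parses a DMARC TXT record and reports the gaps that leave a domain spoofable, with a monitor-only record beside an enforcing one. The two records and the reporting address are constructed.

```python
def parse_dmarc(record):
    """Split a DMARC TXT record into a tag -> value dict (tags are case-insensitive)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_dmarc(record):
    """Return (enforcing, findings). Enforcing means receivers will quarantine or
    reject mail that claims this exact domain but fails SPF/DKIM alignment."""
    tags = parse_dmarc(record)
    findings = []
    if tags.get("v") != "DMARC1":
        return False, ["not a DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("p=none: receivers only report, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    # sp defaults to p, so an explicitly weaker subdomain policy is a gap.
    sub_policy = tags.get("sp", policy)
    if sub_policy == "none" and policy != "none":
        findings.append("sp=none: subdomains can still be spoofed")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so you cannot see who is spoofing you")
    # Relaxed alignment (the default) accepts any subdomain of the organisational
    # domain; strict alignment requires an exact match.
    for tag in ("adkim", "aspf"):
        if tags.get(tag, "r") != "s":
            findings.append(f"{tag}=r (default): relaxed alignment, strict is tighter")
    enforcing = policy in ("quarantine", "reject") and pct == 100
    return enforcing, findings

# Constructed records: the monitor-only record many domains stop at, and an
# enforcing one.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc-reports@important-company.example"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; pct=100; "
                 "rua=mailto:dmarc-reports@important-company.example")
```

DMARC only covers mail that claims your exact domain: a lookalike domain or a free webmail address carrying the CEO’s display name passes DMARC cleanly, which is why it raises the bar rather than closing the door.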
Training investment vs fraud losses
The effects of BEC on business won’t be going away any time soon. In fact, as technology and awareness evolve, it gets more sophisticated and more targeted.
But the good news is that it’s also highly preventable by properly training your employees on what to look out for, what to do if something is not right and who to report these issues to within the organisation.
If you want to strengthen your human firewall and reduce the risk of BEC, phishing, and invoice fraud, talk to us about employee security awareness training at https://incursion-security.co.uk/.