What is Business Email Compromise? A plain-English guide for small businesses

The short answer

Business email compromise is a scam where an attacker impersonates someone you trust — a CEO, supplier, or colleague — to trick you into sending money or changing payment details. It usually carries no malware, so spam filters miss it; the defense is verifying any money request through a second channel.

If your business sends or receives a single invoice by email, business email compromise is the threat most likely to cost you real money. It is not a virus and it usually carries no attachment. It is a short, well-written message from someone pretending to be a person you trust — and that is exactly why it works.

What business email compromise actually is

Business email compromise (BEC) is a targeted scam where an attacker impersonates someone with authority — a CEO, a supplier, a bookkeeper — to trick an employee into moving money or data. The FBI consistently ranks it as one of the costliest categories of cybercrime, far ahead of flashier threats like ransomware in total dollars lost.

There are a few common variations:

  • CEO fraud. A message that looks like it is from your owner or director asks an employee to make an urgent wire transfer or buy gift cards.
  • Invoice and vendor fraud. An attacker poses as a supplier you already pay and sends "updated banking details" right before a real invoice is due.
  • Payroll diversion. An email pretending to be from an employee asks HR to change the direct-deposit account.

Why it gets past your spam filter

Traditional email security was built to catch bulk badness — malware, links to known-bad sites, messages blasted to millions of inboxes. BEC is the opposite of bulk.

  • No malicious payload. There is often no link and no attachment to scan, so signature-based filters have nothing to flag.
  • It is low volume and personal. A single, carefully written email aimed at one finance clerk does not look like spam.
  • It abuses trust, not software. The attacker may use a look-alike domain (rn instead of m), a free webmail account, or a genuinely compromised supplier mailbox. The words are normal business English.

In other words, the things that make BEC effective are the exact things that make it invisible to tools designed for mass attacks.

Five signs of a BEC attempt

  1. Unusual urgency. "I need this done before I get on a flight." Pressure is the point — it stops people from checking.
  2. A change to payment details. Any email that updates bank account or routing information deserves a phone call to confirm.
  3. A reply-to that does not match. The display name says your CEO; the actual address is a Gmail account or a domain that is off by one character.
  4. Secrecy. "Don't mention this to anyone yet, it's confidential." Real executives rarely route money around your normal process.
  5. First contact about money. A supplier you have paid for years suddenly emails new instructions out of nowhere.
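As an added example (not CIVRA's code and not part of the original post), the Python script below turns four of the five signs into checks over a single raw email: urgency, payment-change and secrecy wording, a Reply-To that differs from the From address, and a look-alike sender domain (the rn-for-m trick). Sign 5, first contact about money, needs payment history and is left out; the sample message, domain names and keyword lists are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Illustrative confusable swaps used to build look-alike domains (not an exhaustive table).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]
# Wording patterns for the text-based signs; tuned for the constructed sample, not production use.
TEXT_SIGNS = [
    ("urgency", re.compile(r"\b(urgent|asap|right away|before I (get on|board))\b", re.I)),
    ("payment_change", re.compile(r"\b(bank(ing)? details|routing|account number|wired?|direct[- ]deposit|gift cards?)\b", re.I)),
    ("secrecy", re.compile(r"\b(confidential|don'?t (mention|tell)|keep this between us)\b", re.I)),
]

def normalise(domain: str) -> str:
    # Fold common substitutions so "acrne-widgets.com" compares equal to "acme-widgets.com".
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain

def is_lookalike(domain: str, trusted: set[str]) -> bool:
    # Not a domain we already trust, but one confusable swap or one character away from one.
    if domain in trusted:
        return False
    return any(normalise(domain) == normalise(t)
               or (len(domain) == len(t) and sum(a != b for a, b in zip(domain, t)) == 1)
               for t in trusted)

def bec_signals(raw: str, trusted: set[str]) -> list[str]:
    # Returns the names of the warning signs found in one RFC 5322 message.
    msg = email.message_from_string(raw)
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_addr = parseaddr(msg.get("Reply-To", ""))[1].lower()
    text = msg.get("Subject", "") + "\n" + msg.get_payload()
    found = [name for name, rx in TEXT_SIGNS if rx.search(text)]
    if reply_addr and reply_addr != from_addr:
        found.append("reply_to_mismatch")   # display name says CEO, replies go elsewhere
    if is_lookalike(from_addr.rpartition("@")[2], trusted):
        found.append("lookalike_domain")    # e.g. "rn" standing in for "m"
    return found

# Constructed sample message (not real mail) that exercises the signs above.
SUSPICIOUS = """\
From: "Dana Reyes, CEO" <dana.reyes@acrne-widgets.com>
Reply-To: dana.reyes.office@gmail.com
Subject: Urgent - vendor payment

I need this wired before I get on a flight. Use the updated banking details below.
Please keep this confidential for now.
"""
```

Running `bec_signals(SUSPICIOUS, {"acme-widgets.com"})` reports all four checked signs; a message whose sender domain is on the trusted list and whose text carries no money or urgency wording returns an empty list.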

How small teams actually stop it

You do not need a security department. You need a small number of controls that remove the single point of failure — one person, one rushed decision.

  • Verify out of band. For any payment or banking change, confirm with a known phone number, not by replying to the email.
  • Make a rule, not a judgment call. "We never change vendor bank details without a callback" is easier to follow than "be careful."
  • Turn on multi-factor authentication everywhere. Many BEC attacks start with a stolen password to a real mailbox.
  • Use email security that understands intent, not just payloads. Modern tools analyze sender behavior, domain look-alikes, and the language of a request — the signals that reveal impersonation even when there is nothing to "scan."

CIVRA was built for exactly this gap: the targeted, payload-free email that a spam filter waves through but a finance team should never act on. It flags impersonation and unusual money requests before anyone hits reply.

The cheapest BEC control is a phone call. The second cheapest is software that tells you which emails deserve one.

If you take one thing away: treat every email that moves money as unverified until a human confirms it through a second channel. That one habit defeats most of these attacks on its own — and the right tooling makes it automatic.

FAQ

What is business email compromise in simple terms?

It is a scam where someone pretends to be a person you trust over email — your boss, a supplier, a colleague — to trick you into sending money or sharing sensitive information.

Why don't spam filters stop business email compromise?

Because BEC emails usually contain no malware and no malicious links — just normal-sounding text. Signature-based filters have nothing to flag, and a single targeted email does not look like a bulk spam campaign.

How can a small business prevent BEC?

Verify every payment or banking-detail change by phone using a number you already have on file, require multi-factor authentication on all mailboxes, and use email security that detects impersonation and unusual money requests.

How much does business email compromise cost?

The FBI consistently ranks BEC among the costliest categories of cybercrime, accounting for billions in reported losses each year — far more in total dollars than ransomware.
