Business Email Compromise (BEC): Definition and Use in Compliance
Business Email Compromise (BEC) is a fraud scheme in which attackers impersonate a trusted party via email to deceive an employee, executive, or vendor into authorizing a fraudulent wire transfer or disclosing sensitive financial credentials.
What is Business Email Compromise (BEC)?
BEC is wire fraud carried out through email impersonation. The attacker poses as a CEO, CFO, attorney, or known vendor to trick an employee into sending money or data to an account the attacker controls. There's no malware involved. No technical breach. Just a convincing email from what looks like a trusted address.
The FBI's Internet Crime Complaint Center reported $2.9 billion in BEC losses in 2023, making it the single costliest cybercrime category tracked by IC3 for four consecutive years. The average successful attack extracts roughly $120,000. Corporate attacks regularly exceed $1 million.
BEC takes five main forms:
- CEO fraud: An attacker impersonates the CEO and emails the CFO or treasury team to wire funds for an urgent acquisition.
- Vendor impersonation: The attacker spoofs a known supplier and submits fake payment instruction changes.
- Payroll diversion: The attacker poses as an employee and asks HR to update direct deposit details.
- Attorney impersonation: The attacker poses as outside counsel and pressures finance staff to wire settlement funds before a fake court deadline.
- Data theft: The attacker targets HR teams to extract W-2s or employee PII, which are then sold or used to file fraudulent tax returns.
Unlike account takeover, BEC requires no system breach. The targeted employee's inbox is often never touched. The attack works because of how email is trusted inside organizations, not because of any software vulnerability.
In 2019, Toyota's European subsidiary lost $37 million after an attacker impersonated a company executive and persuaded a finance employee to wire funds to a fraudulent account. No system was compromised. The wire followed a spoofed email that closely mimicked an internal domain.
FinCEN's 2016 advisory classified BEC proceeds as predicate to money laundering, because stolen funds almost always pass through money mule accounts before reaching the criminal.
How is Business Email Compromise (BEC) used in practice?
For a compliance team, BEC shows up in two ways: as a direct threat (an employee wires funds out) or as an inbound fraud (BEC proceeds from another company land at the institution, making it an unwitting mule host).
Both demand a response. The outbound case requires a wire recall and a suspicious activity report. The inbound case triggers transaction monitoring alerts and, when suspicious, a SAR on the receiving account.
Call-back verification is the single most effective preventive control available. Before changing vendor payment details, a staff member calls the vendor at a number on file, not a number in the email. This step blocks most vendor impersonation attacks, because the attacker can't intercept a pre-verified phone call.
On the detection side, compliance teams look for:
- First-time payees receiving large wires
- Sudden IBAN or account number changes on existing vendor records
- Wire requests arriving late Friday afternoon (a known BEC timing pattern)
- Requests citing urgency, confidentiality, or explicit instructions to bypass normal approval channels
When BEC proceeds land inside an institution, network analysis of the receiving account often reveals connections to known mule networks. This can accelerate both the SAR filing and any recovery effort through the FBI's Financial Fraud Kill Chain (FFKC).
The FFKC requires a SAR filed within 72 hours of the transfer. After that window, funds typically move offshore and recovery becomes near impossible. Institutions that wait for a full internal investigation to conclude before filing lose that recovery window entirely. We've seen banks recover over 80% of BEC losses when the 72-hour deadline is met; recovery rates drop below 15% when it isn't.
Business Email Compromise (BEC) in regulatory context
Under the Bank Secrecy Act, both sending and receiving financial institutions must file a suspicious activity report when they have reason to suspect a BEC-related transaction. FinCEN's September 2016 advisory FIN-2016-A003 described BEC proceeds explicitly as a predicate to money laundering. The bank holding the receiving account shares BSA reporting obligations alongside the bank that sent the fraudulent wire. Examiners will ask about customer due diligence on accounts that received BEC funds and whether transaction monitoring flagged the inbound wire.
The FBI processed 21,489 BEC complaints in 2023. Law enforcement expects financial institutions to respond quickly. The FBI's Recovery Asset Team can freeze and repatriate funds through the FFKC, but only if the SAR reaches them within 72 hours.
In Europe, BEC falls within the scope of PSD2, which requires payment service providers to apply strong authentication for push payments. The European Banking Authority has flagged BEC as a driver of authorized push payment fraud losses across member states. The UK's Payment Systems Regulator mandated reimbursement obligations for APP fraud victims starting October 2024. Whether a specific BEC attack qualifies as APP fraud determines which institution bears liability for the loss.
From an anti-money laundering perspective, BEC generates proceeds that need laundering. The money typically moves through a domestic wire to a money mule account, then offshore. This is placement behavior in the classic three-stage laundering model. Examiners reviewing a bank's SAR coverage will check whether BEC-related patterns appear in filed reports and whether detection rules catch them at the right velocity.
Correspondent banks face additional exposure. If BEC funds pass through a correspondent relationship, the correspondent may share reporting responsibility depending on jurisdiction and whether they had constructive knowledge of the fraud.
Common challenges and how to address them
The biggest operational problem with BEC isn't detection. It's speed. The interval between an employee authorizing a fraudulent wire and the funds reaching the threat actor's account can be under two hours. Traditional SAR workflows that take days don't help.
Most institutions struggle with alert routing. A BEC alert generated by transaction monitoring lands in the fraud queue. The case requires both a fraud investigator (to assess the wire) and a compliance officer (to assess the SAR obligation). When those teams don't share a case management system, information silos form and the 72-hour FFKC clock ticks without progress.
Email security tools have improved, but they're not a complete answer. DMARC, DKIM, and SPF block domain spoofing. They don't block a compromised legitimate account, a lookalike domain (payables@acme-corp.com vs. payables@acme.corp.com), or social engineering that requires no technical bypass at all.
The false positive rate on wire-change alerts is high. Most vendor banking change requests are legitimate. Tuning rules to reduce noise without generating false negatives is a continuous process. A rule that fires on every first-time payee buries investigators. A rule that only fires above $50,000 misses the $49,800 test transfers many BEC actors use to verify accounts before executing the main transfer.
Some institutions have cut BEC losses by 60-70% through a combination of three controls: mandatory out-of-band call-back for any payment instruction change above $5,000; a four-hour hold on first-time payees receiving wires over $25,000; and automated DMARC enforcement on all inbound email domains. This adds latency to legitimate payments, but the accuracy gain is worth it for most corporate banking books.
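The detection indicators listed earlier in this section and the threshold and control discussion just above, worked as an added Python example (not FluxForce code or a product rule): it scores one outbound wire request against constructed vendor master records and maps the resulting flags to the page's call-back and hold controls. The 15:00 cut-off for "late Friday afternoon", the 5% just-below-threshold band and the exact urgency phrases are assumptions; the dollar thresholds come from the text.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed vendor master records (not real data): account and e-mail domain
# on file, and whether the vendor has been paid before.
VENDOR_RECORDS = {
    "Acme Corp": {"account": "GB29NWBK60161331926819", "domain": "acme-corp.com", "paid_before": True},
}
# Wording from the page's indicator list: urgency, confidentiality, bypassing approvals.
URGENCY_TERMS = ("urgent", "confidential", "immediately", "do not discuss", "bypass")
# Dollar thresholds quoted on the page; the 5% near-threshold band is an assumption.
REVIEW_THRESHOLD = 50_000    # the naive "only above $50k" rule the page warns about
CALLBACK_THRESHOLD = 5_000   # call-back on payment-instruction changes above this
HOLD_THRESHOLD = 25_000      # four-hour hold on first-time payees above this
NEAR_BAND = 0.05

@dataclass
class WireRequest:
    vendor: str
    amount: float
    beneficiary_account: str
    sender_domain: str
    requested_at: datetime
    email_body: str

def bec_indicators(req, records=VENDOR_RECORDS):
    flags = []
    rec = records.get(req.vendor)
    if rec is None or not rec["paid_before"]:
        flags.append("first_time_payee")
    elif req.beneficiary_account != rec["account"]:
        flags.append("account_change")       # IBAN/account differs from the vendor record
    if rec is not None and req.sender_domain != rec["domain"]:
        flags.append("domain_mismatch")      # lookalike such as acme.corp.com
    if req.requested_at.weekday() == 4 and req.requested_at.hour >= 15:
        flags.append("late_friday")          # weekday() == 4 is Friday
    if any(term in req.email_body.lower() for term in URGENCY_TERMS):
        flags.append("urgency_language")
    # A $49,800 test transfer sits just under a $50,000 rule; flag the band below it.
    if REVIEW_THRESHOLD * (1 - NEAR_BAND) <= req.amount < REVIEW_THRESHOLD:
        flags.append("just_below_threshold")
    return flags

def required_controls(req, flags):
    controls = []
    if "account_change" in flags and req.amount > CALLBACK_THRESHOLD:
        controls.append("callback_to_number_on_file")
    if "first_time_payee" in flags and req.amount > HOLD_THRESHOLD:
        controls.append("hold_4h")
    return controls
```

A request that raises only `first_time_payee` below $25,000 gets no automatic control here; in practice it would still land in the investigator queue, which is the noise trade-off the text describes.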
Related terms and concepts
BEC connects to a wider set of fraud categories that compliance teams track together.
Authorized push payment fraud is the umbrella category in UK regulation. BEC is one variant. Others include invoice redirection targeting individuals and investment fraud where victims authorize their own transfers. The distinction matters for reporting under the PSR's October 2024 mandatory reimbursement rules, which determine which institution bears liability.
Account takeover sometimes precedes BEC. If an attacker gains access to a CEO's email account, they can run BEC from a legitimately authenticated address, bypassing DMARC controls entirely. Behavioral analytics on email send patterns can catch this: a CEO who normally sends five emails a day suddenly issuing wire requests at 11 PM on a Sunday is an anomaly worth flagging.
Deepfake fraud is BEC's next evolution. Instead of email, attackers use AI-generated voice or video to impersonate executives on calls or video conferences. In early 2024, a finance employee at a Hong Kong-based multinational was tricked into paying $25 million after fraudsters appeared on a video conference as colleagues, all rendered with deepfake technology. Deepfake-augmented BEC defeats call-back verification when the callback itself is intercepted by an AI-generated voice clone.
Money mule accounts are the first stop for most BEC proceeds. Monitoring for large inbound wires from corporate senders arriving into personal accounts, or into accounts with no prior transaction history, is a standard counter-BEC detection layer. These accounts form part of mule networks that organized crime groups maintain to move stolen funds across jurisdictions before investigators can act.
Where does the term come from?
The term "Business Email Compromise" was coined by the FBI around 2014 as the bureau began tracking a surge in wire fraud cases tied to email-based impersonation. The FBI's IC3 published its first dedicated BEC public service announcement in 2015, separating the scheme from general email fraud. Before that, the same activity was labeled "CEO fraud" or "man-in-the-email" attacks. FinCEN issued advisory FIN-2016-A003 in September 2016, giving BEC formal regulatory standing in the United States and establishing SAR filing obligations for financial institutions on both sides of BEC-related transactions.
How FluxForce handles Business Email Compromise (BEC)
FluxForce AI agents monitor Business Email Compromise (BEC)-related patterns in real time, flag anomalies for analyst review, and generate evidence-backed decisions with full audit trails.