Tags: fraud, critical risk

Business Email Compromise: How It Works, Red Flags, and How to Detect It

Also known as: BEC. Industries: banking, corporate.

Business Email Compromise (BEC) is a fraud scheme in which criminals impersonate corporate executives, vendors, or employees to manipulate staff into authorizing unauthorized wire transfers or disclosing credentials. It is a social engineering fraud typology. The FBI's 2023 Internet Crime Report recorded $2.9 billion in U.S. losses from BEC across 21,489 complaints, second only to investment fraud among the categories the agency tracks by reported dollar loss.


What is Business Email Compromise?

Business Email Compromise (BEC) is a fraud typology in which attackers use compromised or spoofed corporate email accounts to deceive employees, executives, or financial counterparties into transferring funds or sensitive credentials to attacker-controlled destinations. It belongs to the broader category of social engineering fraud, and by reported dollar loss it is consistently among the costliest cybercrime categories tracked by U.S. law enforcement.

The FBI's 2023 Internet Crime Report recorded $2.9 billion in BEC losses across 21,489 complaints in the United States alone. In a June 2023 public service announcement the FBI put cumulative reported exposed losses, domestic and international, from October 2013 to December 2022 at more than $50 billion. BEC works because it targets process, not technology. Most attacks do not require malware. They exploit trust in email, gaps in payment verification procedures, and the psychological pressure of urgency.

Three variants account for most cases. CEO fraud involves attackers posing as a senior executive to direct an employee to initiate a transfer. Vendor impersonation uses spoofed supplier emails to redirect a scheduled payment to a new account. Account takeover uses actual access to a compromised inbox to intercept and redirect payment confirmations, or to initiate new requests from a legitimately owned address. The third variant is the hardest to detect because the email origin is genuine: the message is sent from the real mailbox, so SPF, DKIM and DMARC checks pass and domain-based filters have nothing to catch.

BEC proceeds typically move quickly through money mule networks before reaching the ultimate beneficiary. Recovery within the financial system becomes difficult once a transfer clears.

How does Business Email Compromise work?

A BEC attack follows a recognizable pattern across variants, though timing and complexity vary by target.

The attacker begins with reconnaissance. They research the target organization's hierarchy, key vendors, payment processes, and email formats, typically through LinkedIn, company websites, and prior phishing campaigns. Some attackers compromise an email account first and monitor it passively for weeks, learning the cadence of vendor relationships and the timing of upcoming payments.

With sufficient information, the attacker either spoofs a trusted email address using a lookalike domain or sends from the legitimately compromised account. The message targets someone with payment authority, requesting an urgent wire transfer or a change to existing banking details for a scheduled payment.

If the recipient complies, funds go to an account the attacker controls. Those funds typically leave within hours, often through multiple jurisdictions. The layering phase is fast, and the chance of recovery falls sharply once the first onward transfers clear. The FBI's Financial Fraud Kill Chain, the main recall mechanism for large international wires, is only available when the victim's bank reports within 72 hours of the transfer, which is why immediate escalation matters more than any later investigation.

Illustrative scenario: A controller at a mid-sized manufacturing company receives an email that appears to come from the CFO's address. The email cites a confidential acquisition and requests an urgent $180,000 wire to a law firm's escrow account. The domain is one character off from the CFO's real address. The controller, under time pressure and instructed to keep the matter confidential, initiates the wire. Funds reach a U.S. intermediary account controlled by a money mule, then move internationally within two hours. By the time the real CFO is reached by phone the next morning, recovery is unlikely.

This scenario is constructed for illustration, but it mirrors thousands of documented FBI cases. The confidentiality instruction is standard BEC tradecraft: it exists to prevent the out-of-band verification call that would kill the attack.

BEC occasionally overlaps with authorized push payment fraud when individuals rather than corporate finance teams are the target. The psychological mechanics are identical; the regulatory response differs.

Red flags and indicators

Transaction-level signals

  • Wire to a first-time or recently changed beneficiary, particularly an international destination
  • Payment amount just below internal approval thresholds
  • Instructions to bypass dual-approval controls, citing urgency or executive authority
  • Transfer to a domestic intermediary account that immediately forwards funds abroad
  • Payment initiated outside normal business hours

Account-level signals

  • Email domain closely resembling a known counterparty but not identical
  • Inbox rules created to auto-forward or delete emails, found on forensic review
  • New device or unfamiliar IP address accessing a corporate account immediately before a payment instruction
  • Password reset followed within hours by a large outgoing transfer request
  • Vendor banking details changed within 48 hours of a scheduled payment

Network-level signals

  • Beneficiary account linked to prior mule activity or flagged in shared fraud databases
  • Receiving account opened within the last 30 days with no prior history
  • Beneficiary bank in a jurisdiction known for weak AML supervision

Behavioral signals

  • Explicit instruction to keep the transfer confidential from other staff or compliance teams
  • Pressure to complete the transfer before end of business with no documented business justification
  • Email thread that appears forwarded but originates from an external domain on header inspection
  • Vendor or executive unreachable by phone for confirmation through an independent channel
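The account-level and behavioral signals above (lookalike domain, mismatched routing headers, a "thread" with no thread headers, pressure language) can be checked mechanically on every inbound payment-related message. The following is an added example written for this page, not code from the page or from any vendor product. The trusted-domain list, the homoglyph table and the raw message are constructed for the demo; a real deployment would load the counterparty list from the vendor master file and run this on the mail gateway or on the finance team's mailbox.

```python
"""Email-channel BEC checks: lookalike sender domains and header mismatches.

Added example (not from the original page or any vendor). TRUSTED_DOMAINS,
the homoglyph table and SAMPLE_MESSAGE are constructed for the demonstration.
"""
import email
from email.utils import parseaddr

# Constructed: domains of counterparties the finance team actually pays.
TRUSTED_DOMAINS = {"acme-corp.com", "northwind-supply.com", "examplelaw.com"}

# Digit-for-letter swaps seen in lookalike registrations (0 for o, 1 for l, ...).
_DIGIT_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Phrases that signal the urgency/secrecy pressure described in the red flags.
PRESSURE_PHRASES = ("urgent", "today", "confidential", "between us", "do not discuss")


def normalize_domain(domain):
    """Collapse common visual substitutions so 'acrne-c0rp.com' compares as 'acme-corp.com'.
    Applied to both sides of every comparison, so a legitimate domain containing
    'rn' is still matched consistently against itself."""
    d = domain.lower().strip().rstrip(".")
    d = d.replace("rn", "m").replace("vv", "w")
    return d.translate(_DIGIT_HOMOGLYPHS)


def levenshtein(a, b):
    """Edit distance; one insertion/deletion/substitution is the usual lookalike budget."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, trusted=TRUSTED_DOMAINS):
    """Return the trusted domain that `domain` imitates, or None.
    An exact match returns None: it is not a lookalike (though it may still be a
    compromised account, which this check cannot see)."""
    domain = domain.lower()
    if domain in trusted:
        return None
    norm = normalize_domain(domain)
    for t in sorted(trusted):
        tn = normalize_domain(t)
        if norm == tn or levenshtein(norm, tn) <= 1:
            return t
        if norm.split(".", 1)[0] == tn.split(".", 1)[0]:  # same label, different TLD
            return t
    return None


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def email_findings(raw):
    """Run the header and wording checks over one raw RFC 822 message; return findings."""
    msg = email.message_from_bytes(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    from_dom = _domain(from_addr)
    findings = []
    target = lookalike_of(from_dom)
    if target:
        findings.append(f"lookalike sender domain {from_dom} imitates {target}")
    if reply_to and _domain(reply_to) != from_dom:
        findings.append(f"reply-to routed to {_domain(reply_to)}")
    if return_path and _domain(return_path) != from_dom:
        findings.append("return-path domain differs from From domain")
    subject = msg.get("Subject", "")
    if subject.lower().startswith(("re:", "fw:", "fwd:")) and not (
        msg.get("In-Reply-To") or msg.get("References")
    ):
        findings.append("subject claims a thread but no In-Reply-To/References headers")
    body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
    text = (subject + " " + body).lower()
    hits = [p for p in PRESSURE_PHRASES if p in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))
    return findings


# Constructed message modelled on the page's escrow-wire scenario: a one-character
# lookalike of the CFO's domain, replies silently routed elsewhere, no thread headers.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce@mail-relay-example.net>
From: "Dana Reyes, CFO" <dana.reyes@acme-c0rp.com>
Reply-To: <dana.reyes.cfo@mail-relay-example.net>
To: controller@acme-corp.com
Subject: RE: Confidential - wire needed today
Date: Tue, 5 Mar 2024 16:52:03 +0000
Message-ID: <20240305165203.1@mail-relay-example.net>

Please release the $180,000 wire to the law firm escrow account today and
keep this between us until the acquisition is announced.
"""

if __name__ == "__main__":
    for f in email_findings(SAMPLE_MESSAGE):
        print("-", f)
```

Running the block on the constructed message yields five findings. The exact-match branch in `lookalike_of` is deliberate: a message from the genuine domain with a mismatched Reply-To is exactly what the account-takeover variant looks like, so the header checks must still run when the domain is trusted.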

Notable real-world cases

Evaldas Rimasauskas and the Facebook / Google BEC (2013-2015)

Lithuanian national Evaldas Rimasauskas ran a multi-year BEC campaign that defrauded Facebook and Google of a combined $121 million. He impersonated a legitimate Taiwanese hardware vendor both companies used, submitted fraudulent invoices, and directed payments to accounts he controlled in Latvia, Cyprus, Slovakia, Lithuania, Hungary, and Hong Kong. He pleaded guilty to wire fraud in March 2019 and was sentenced in the Southern District of New York to five years in prison in December 2019. It is one of the largest documented BEC prosecutions involving publicly named Fortune 500 victims. Source: DOJ SDNY press release, December 2019.

Operation reWired (2019)

In September 2019, the DOJ and FBI announced a coordinated global enforcement sweep targeting BEC networks across 10 countries. The operation produced 281 arrests in the United States, Nigeria, Ghana, Turkey, France, Italy, Japan, Kenya, Malaysia, and the United Kingdom, seized nearly $3.7 million, and disrupted or recovered approximately $118 million in fraudulent wire transfers. It remains one of the largest coordinated international BEC enforcement actions on record. Source: DOJ press release, September 2019.

FinCEN Advisory FIN-2016-A003 (2016)

In September 2016, FinCEN issued a formal advisory warning U.S. financial institutions about BEC schemes targeting their corporate customers, and about the related email account compromise (EAC) schemes targeting individuals, including real estate transaction counterparties. The advisory documented attack patterns, set out specific red flags, and gave SAR filing instructions for institutions handling BEC-related transactions. FinCEN updated it in July 2019 with FIN-2019-A005, which added typologies and sector-specific patterns; together the two advisories remain the primary U.S. regulatory reference for AML teams building BEC detection controls. Source: FinCEN Advisories FIN-2016-A003 and FIN-2019-A005.

How to detect Business Email Compromise

BEC detection works best when payment flow monitoring and email channel analysis are treated as a single problem. Institutions that separate these two data streams miss cases where email anomalies precede a payment instruction by days.

Rule-based detection provides the baseline. Payment controls should flag any wire to a first-time beneficiary, any beneficiary account change within a defined lookback window before a payment, and any transfer request that includes an explicit instruction to bypass approval controls. Velocity checks on new beneficiary accounts catch repeat attacks within the same institution.

Behavioral analytics adds context. Baseline comparison identifies when an account's payment behavior diverges from its own history; peer-group comparison identifies when it diverges from comparable accounts. An employee initiating a $250,000 transfer when their highest prior transaction was $12,000 is a strong signal. Anomaly detection on login behavior flags unfamiliar devices, unusual access times, and geolocation inconsistencies that frequently precede account-based BEC.
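The rule-based controls and the historical-baseline check described in the two paragraphs above can be expressed as a small rule set over each outgoing wire instruction. The following is an added example, not code from the page or from any vendor: the approval threshold, the 48-hour beneficiary-change lookback, the "5x prior maximum" multiplier, the business-hours window and all the wire records are assumptions chosen to reproduce the page's two scenarios (the urgent escrow wire and a vendor payment after a fresh bank-detail change).

```python
"""Payment-layer BEC rules over constructed wire instructions.

Added example (not from the original page or any vendor). Thresholds, windows
and every record below are assumptions for the demonstration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

APPROVAL_THRESHOLD = 50_000.0          # assumed: dual approval required at/above this
NEAR_THRESHOLD_BAND = 0.10             # within 10% below the threshold = "just below"
BENEFICIARY_CHANGE_LOOKBACK = timedelta(hours=48)
BASELINE_MULTIPLIER = 5                # flag when amount > 5x initiator's prior maximum
BUSINESS_HOURS = (8, 18)               # local hours, Monday to Friday
BYPASS_PHRASES = ("skip approval", "bypass", "ceo approved", "confidential")


@dataclass
class Wire:
    wire_id: str
    initiator: str      # employee who keyed the instruction
    beneficiary: str    # vendor / beneficiary record id
    amount: float
    country: str        # beneficiary bank country (ISO code)
    at: datetime
    note: str = ""      # free-text justification entered with the instruction


@dataclass
class History:
    prior_wires: list           # all previously released wires (list[Wire])
    beneficiary_changes: dict   # beneficiary -> datetime of last bank-detail change


def evaluate(wire, history):
    """Return the list of rule hits for one wire; empty list means no rule fired."""
    flags = []
    prior_benes = {w.beneficiary for w in history.prior_wires}
    if wire.beneficiary not in prior_benes:
        suffix = " (international)" if wire.country != "US" else ""
        flags.append("first-time beneficiary" + suffix)
    changed = history.beneficiary_changes.get(wire.beneficiary)
    if changed is not None and timedelta(0) <= (wire.at - changed) <= BENEFICIARY_CHANGE_LOOKBACK:
        flags.append("beneficiary bank details changed within 48h of payment")
    if APPROVAL_THRESHOLD * (1 - NEAR_THRESHOLD_BAND) <= wire.amount < APPROVAL_THRESHOLD:
        flags.append("amount just below dual-approval threshold")
    own_prior = [w.amount for w in history.prior_wires if w.initiator == wire.initiator]
    if own_prior and wire.amount > BASELINE_MULTIPLIER * max(own_prior):
        flags.append(f"amount is {wire.amount / max(own_prior):.0f}x initiator's prior maximum")
    if wire.at.weekday() >= 5 or not (BUSINESS_HOURS[0] <= wire.at.hour < BUSINESS_HOURS[1]):
        flags.append("initiated outside business hours")
    if any(p in wire.note.lower() for p in BYPASS_PHRASES):
        flags.append("instruction cites authority/urgency to bypass controls")
    return flags


# Constructed history: a controller who pays one vendor ~$12k monthly, an AP clerk
# with small legal invoices, and a vendor whose bank details changed 20 hours ago.
T0 = datetime(2024, 3, 5, 16, 52)      # a Tuesday afternoon
HISTORY = History(
    prior_wires=[
        Wire("W-1001", "controller", "northwind-supply", 12_000.0, "US", T0 - timedelta(days=30)),
        Wire("W-1002", "controller", "northwind-supply", 11_500.0, "US", T0 - timedelta(days=60)),
        Wire("W-1003", "ap-clerk", "acme-legal", 4_000.0, "US", T0 - timedelta(days=10)),
    ],
    beneficiary_changes={"northwind-supply": T0 - timedelta(hours=20)},
)

# The page's CEO-fraud scenario: urgent escrow wire to a never-seen foreign beneficiary.
ESCROW_WIRE = Wire("W-2001", "controller", "harbor-escrow-ltd", 180_000.0, "HK",
                   T0 + timedelta(hours=3), "CEO approved, confidential, send today")
# Vendor-impersonation variant: known vendor, but details changed yesterday and the
# amount sits just under the approval threshold.
VENDOR_WIRE = Wire("W-2002", "ap-clerk", "northwind-supply", 48_500.0, "US", T0)
# Ordinary monthly payment released before the detail change: should not fire.
ROUTINE_WIRE = Wire("W-2003", "controller", "northwind-supply", 11_800.0, "US",
                    T0 - timedelta(days=4))

if __name__ == "__main__":
    for w in (ESCROW_WIRE, VENDOR_WIRE, ROUTINE_WIRE):
        print(w.wire_id, evaluate(w, HISTORY))
```

The beneficiary-change rule compares the change time against the wire time rather than against "now": a wire released before the change is clean even if the change is later found to be fraudulent, and that ordering is what the 48-hour red flag actually describes. The `first-time beneficiary` test is institution-wide (any prior wire to that record), so a known vendor is not flagged merely because a different employee is paying it.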

Graph-based network analysis is the most reliable tool on the receiving side. BEC proceeds almost always pass through money mule networks before exiting the financial system. Mapping transaction flows from the receiving account frequently reveals a cluster of recently opened accounts receiving funds from multiple unrelated victims. This pattern is structurally similar to smurfing and structuring operations, which often share infrastructure with BEC receiving networks.
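The receiving-side pattern the paragraph above describes (a recently opened account collecting from several unrelated corporate originators, then layering through other new accounts to an established exit point) can be found by walking the transfer graph. The following is an added example, not code from the page or from any vendor; the account table, open dates, the 30-day "new account" window and the ledger are constructed. It goes slightly beyond the paragraph by walking both inbound and outbound edges through new accounts so that a second victim feeding the same layering chain is pulled into the cluster.

```python
"""Receiving-side graph analysis for BEC mule clusters.

Added example (not from the original page or any vendor). ACCOUNTS, TRANSFERS,
ASOF and the thresholds are constructed for the demonstration.
"""
from collections import defaultdict, deque
from datetime import date

ASOF = date(2024, 3, 6)
NEW_ACCOUNT_DAYS = 30          # "opened within the last 30 days" red flag
MIN_UNRELATED_SENDERS = 2      # distinct corporate originators into one new account

# Constructed account master: id -> (opened, customer type)
ACCOUNTS = {
    "acme-ops":     (date(2019, 5, 1), "corporate"),
    "bolt-mfg":     (date(2017, 2, 14), "corporate"),
    "cedar-health": (date(2020, 9, 30), "corporate"),
    "northwind":    (date(2015, 1, 10), "corporate"),
    "mule-a":       (date(2024, 2, 20), "retail"),
    "mule-b":       (date(2024, 2, 25), "retail"),
    "mule-c":       (date(2024, 2, 28), "retail"),
    "offshore-x":   (date(2024, 1, 15), "foreign-correspondent"),
}

# Constructed ledger: (source, destination, amount, value date)
TRANSFERS = [
    ("acme-ops", "mule-a", 180_000, date(2024, 3, 5)),      # victim 1
    ("bolt-mfg", "mule-a", 42_000, date(2024, 3, 4)),       # victim 2, same collector
    ("cedar-health", "mule-b", 97_500, date(2024, 3, 3)),   # victim 3, separate collector
    ("mule-a", "mule-c", 110_000, date(2024, 3, 5)),        # layering hop
    ("mule-a", "offshore-x", 105_000, date(2024, 3, 5)),    # exit
    ("mule-b", "mule-c", 95_000, date(2024, 3, 4)),         # layering hop
    ("mule-c", "offshore-x", 200_000, date(2024, 3, 5)),    # exit
    ("northwind", "acme-ops", 12_000, date(2024, 3, 1)),    # ordinary B2B payment
]


def build_graph(transfers):
    """Adjacency lists in both directions: node -> [(other, amount, date)]."""
    out, inc = defaultdict(list), defaultdict(list)
    for src, dst, amt, d in transfers:
        out[src].append((dst, amt, d))
        inc[dst].append((src, amt, d))
    return out, inc


def is_new_account(acct, asof=ASOF):
    opened, _ = ACCOUNTS[acct]
    return (asof - opened).days <= NEW_ACCOUNT_DAYS


def collector_accounts(transfers, asof=ASOF):
    """New accounts receiving from >= MIN_UNRELATED_SENDERS distinct corporate senders."""
    _, inc = build_graph(transfers)
    hits = []
    for acct, inflows in inc.items():
        corporate_senders = {s for s, _, _ in inflows if ACCOUNTS[s][1] == "corporate"}
        if is_new_account(acct, asof) and len(corporate_senders) >= MIN_UNRELATED_SENDERS:
            hits.append(acct)
    return sorted(hits)


def trace_cluster(seed, transfers, asof=ASOF):
    """Breadth-first walk from a collector through other new accounts (in and out).
    Established accounts are boundaries: inbound ones are victims, outbound ones exits."""
    out, inc = build_graph(transfers)
    mules, victims, exits = {seed}, set(), set()
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        for dst, _, _ in out[node]:
            if is_new_account(dst, asof):
                if dst not in mules:
                    mules.add(dst)
                    queue.append(dst)
            else:
                exits.add(dst)
        for src, _, _ in inc[node]:
            if is_new_account(src, asof):
                if src not in mules:
                    mules.add(src)
                    queue.append(src)
            else:
                victims.add(src)
    exit_total = sum(amt for m in mules for dst, amt, _ in out[m] if dst in exits)
    return {"mules": sorted(mules), "victims": sorted(victims),
            "exits": sorted(exits), "exit_total": exit_total}


if __name__ == "__main__":
    for seed in collector_accounts(TRANSFERS):
        print(seed, trace_cluster(seed, TRANSFERS))
```

Seeding only from accounts that satisfy the collector rule keeps the walk from swallowing ordinary retail customers who happen to be new; the ordinary `northwind -> acme-ops` payment never enters a cluster because neither side is a new account. The `exit_total` is the figure a recall request to the correspondent bank would be built around.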

Cross-channel correlation of email header metadata, inbox rule changes, and outgoing payment instructions is the strongest signal overall. Institutions with access to both datasets detect BEC significantly earlier than those relying on payment data alone. Where email data is unavailable, concentrating controls at the payment instruction layer with behavioral thresholds and out-of-band verification requirements is the practical alternative.

Which regulations cover Business Email Compromise

BEC triggers reporting obligations under several legal frameworks depending on jurisdiction.

In the United States, the Bank Secrecy Act (31 U.S.C. § 5318(g)) and its implementing rule for banks (31 CFR § 1020.320) require a Suspicious Activity Report within 30 calendar days of initial detection for transactions of $5,000 or more that the institution knows, suspects, or has reason to suspect involve funds from illegal activity. FinCEN Advisory FIN-2016-A003 specifically directs institutions to file SARs on BEC-related transactions and asks filers to include the key term "BEC FRAUD" in the SAR narrative so FinCEN can aggregate the reports. Wire fraud statutes (18 U.S.C. § 1343) apply directly to the perpetrators.

In the European Union, the Sixth Anti-Money Laundering Directive (6AMLD) harmonizes the definition of money laundering offences, lists fraud among the predicate offences, and extends criminal liability to legal entities. The obligation to file Suspicious Transaction Reports on BEC proceeds passing through EU banks comes from the Fourth and Fifth AML Directives (Directive (EU) 2015/849 as amended), as transposed into national law. The EBA's guidelines on ML/TF risk factors require firms to take fraud-related typologies into account in their business-wide risk assessments.

In the United Kingdom, the Proceeds of Crime Act 2002 and the FCA's SYSC sourcebook require firms to maintain systems capable of detecting and reporting fraud patterns including BEC. The Payment Systems Regulator's mandatory reimbursement requirement, effective 7 October 2024, obliges sending and receiving payment firms on Faster Payments and CHAPS to reimburse victims of authorised push payment fraud, with the cost split between them and subject to a per-claim cap, which creates direct financial exposure for UK banks in a category that frequently overlaps with BEC in retail and SME banking.

FATF Recommendation 20 requires all member jurisdictions to mandate suspicious transaction reporting. BEC appears by name in multiple FATF typology publications as a high-volume, cross-border fraud pattern requiring dedicated detection controls.

How FluxForce detects Business Email Compromise

FluxForce's Aiden Flux and Nova Sentinel agents monitor transaction flows and account behavior in real time. BEC-indicative patterns get flagged before funds clear. Behavioral analytics compares each payment instruction against the account's historical profile. Network graph analysis maps receiving accounts against known mule infrastructure. Automated SAR drafting captures the full evidence trail for analyst review. The system correlates email anomaly signals with payment flow deviations to surface cases that rule-based controls alone miss. To see how FluxForce handles BEC detection for your institution, request a demo.
