Business Email Compromise: the costliest scam
BEC is one of the most expensive scams for companies. We explain how invoice fraud and the 'urgent CEO transfer' work — and how to stop them.
Not every costly attack looks spectacular. Business Email Compromise (BEC) is a scam with no malware and no encryption, just an email that convinces someone in the company to make a transfer to a criminal’s account. It is one of the most expensive categories of fraud for businesses, because it targets processes and trust, not technology.
The two most common variants
The “urgent CEO transfer”. A finance employee receives a message supposedly from the CEO or a board member: “I’m in a meeting, I urgently need a transfer done, it’s confidential.” Pressure, authority and secrecy switch off the usual verification.
Invoice fraud. The criminal impersonates a regular supplier and reports a “change of bank account number”. The next invoice is paid — into the fraudster’s account. This variant is often preceded by a mailbox takeover, which we cover in our piece on KSeF and gov.pl phishing.
Why it works
- Authority and haste. A request “from the CEO” with time pressure discourages questions.
- Realism. With a compromised mailbox, the attacker knows the context — names, tone, the history of the correspondence, payment deadlines.
- A process gap. If changing an account number doesn’t require independent confirmation, one email is enough to redirect the money.
How to defend — process before technology
BEC is defused mainly by procedure, not a tool:
- Second-channel verification. Confirm every account-number change and every unusual transfer by phone, on a number already on file for that supplier or person, never one taken from the email or its signature block.
- A four-eyes rule for payments above a threshold.
- A clear “stop and check” path — an employee must have the right to hold an “urgent” transfer without fear of a manager’s reaction.
The technical layer that helps
- SPF, DKIM and DMARC make it harder to spoof your own domain, but only if the DMARC policy is actually enforced (p=quarantine or p=reject, not p=none). They do nothing against a look-alike domain the attacker registered, or against mail sent from a genuinely compromised mailbox, which authenticates perfectly.
- Flagging emails that come from outside the organisation and detecting look-alike domains (typosquatting: a dropped letter, a digit in place of a letter, a different top-level domain).
- MFA on mailboxes, plus alerting on newly created forwarding rules: a compromised inbox is fuel for BEC.
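The external-sender and look-alike-domain checks from the list above, written out as a small Python routine. This is an added example, not code from the original article or any product it mentions. The organisation domain, the supplier domains, the sample headers and the edit-distance threshold of 2 are constructed assumptions; the Authentication-Results header format is what receiving mail servers add in practice, and the function only looks for the `dmarc=pass` token in it.

```python
import re

# Constructed configuration for this example (hypothetical names): the
# organisation's own domain and the domains of suppliers that send invoices.
OWN_DOMAIN = "example-corp.com"
SUPPLIER_DOMAINS = {"acme-supplies.com", "nordic-parts.net"}

# Characters attackers swap for ASCII letters in look-alike domains:
# digits that resemble letters, and Cyrillic letters that render like Latin ones.
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
})


def domain_of(from_header: str) -> str:
    """Return the lowercase domain of a From: header such as 'Name <user@host>'."""
    address = from_header.split("<")[-1].rstrip("> ").strip()
    return address.rpartition("@")[2].lower()


def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII 'skeleton' a human reader would perceive."""
    try:
        domain = domain.encode("ascii").decode("idna")  # expand xn-- labels
    except UnicodeError:
        pass  # already Unicode, or not a valid IDNA label: compare as-is
    domain = domain.lower().translate(CONFUSABLES)
    for pair, single in (("rn", "m"), ("vv", "w")):  # 'rn' reads as 'm', 'vv' as 'w'
        domain = domain.replace(pair, single)
    return domain


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typo domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, auth_results: str = "") -> dict:
    """Flag a sender as external, as a look-alike of a trusted domain, or as
    our own domain without a DMARC pass. auth_results is the text of the
    Authentication-Results header added by the receiving mail server."""
    domain = domain_of(from_header)
    flags = []
    if domain == OWN_DOMAIN:
        # Mail claiming to come from us is trustworthy only if it authenticated.
        if not re.search(r"\bdmarc=pass\b", auth_results):
            flags.append("own-domain-without-dmarc-pass")
        return {"domain": domain, "flags": flags}

    flags.append("external")
    seen = skeleton(domain)
    for known in sorted({OWN_DOMAIN, *SUPPLIER_DOMAINS}):
        if domain == known:
            continue  # a genuine supplier address; still external, so still verify changes by phone
        trusted = skeleton(known)
        if seen == trusted:
            flags.append(f"homoglyph-of:{known}")  # looks identical on screen, is not
        elif 0 < edit_distance(seen, trusted) <= 2:
            flags.append(f"near-miss-of:{known}")  # typo-squat, e.g. a dropped letter
        elif seen.startswith(trusted + "."):
            flags.append(f"trusted-name-as-subdomain-of-other:{known}")
    return {"domain": domain, "flags": flags}


# Constructed sample headers (not real mail) exercising each case.
SAMPLES = [
    ("Accounts <invoices@acme-supplies.com>", "dmarc=pass header.from=acme-supplies.com"),
    ("Accounts <invoices@acme-suplies.com>", "dmarc=pass header.from=acme-suplies.com"),
    ("CEO <ceo@examp1e-corp.com>", "dmarc=pass header.from=examp1e-corp.com"),
    ("Accounts <invoices@\u0430cme-supplies.com>", ""),
    ("CEO <ceo@example-corp.com>", "spf=fail dmarc=fail header.from=example-corp.com"),
    ("Accounts <invoices@acme-supplies.com.evil-host.net>", ""),
]

if __name__ == "__main__":
    for header, auth in SAMPLES:
        print(f"{header:55} -> {classify_sender(header, auth)['flags']}")
```

The point of the last case in SAMPLES is that a genuine supplier address still comes back as external with no other flag: the technical check cannot tell a real invoice from one sent out of a hijacked supplier mailbox, which is why the account-number change itself still has to be confirmed on the phone.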
The key takeaway: with BEC, the payment procedure is the security system. A company that verifies account changes through a second channel is resilient even to a very convincing email. If you’d like to test the resilience of your processes, get in touch.
Sources and further reading: CERT Polska, FBI IC3 — BEC.