Breachroad
Scams

Business Email Compromise: the costliest scam

BEC is one of the most expensive scams for companies. We explain how invoice fraud and the 'urgent CEO transfer' work — and how to stop them.

Karol Rapacz
14 June 2026 · 6 min read

Not every costly attack looks spectacular. Business Email Compromise (BEC) is a scam with no malware and no encryption — just an email that convinces someone in the company to make a transfer to a criminal’s account. It is one of the most expensive categories of fraud for businesses, because it targets processes and trust, not technology.

The two most common variants

The “urgent CEO transfer”. A finance employee receives a message supposedly from the board: “I’m in a meeting, I urgently need a transfer done, it’s confidential.” Pressure, authority and secrecy switch off the usual verification.

Invoice fraud. The criminal impersonates a regular supplier and reports a “change of bank account number”. The next invoice is paid — into the fraudster’s account. This variant is often preceded by a mailbox takeover, which we cover in our piece on KSeF and gov.pl phishing.

Why it works

  • Authority and haste. A request “from the CEO” with time pressure discourages questions.
  • Realism. With a compromised mailbox, the attacker knows the context — names, tone, the history of the correspondence, payment deadlines.
  • A process gap. If changing an account number doesn’t require independent confirmation, one email is enough to redirect the money.

How to defend — process before technology

BEC is defused mainly by procedure, not a tool:

  • Second-channel verification. Confirm every account-number change and every unusual transfer by phone — on a previously known number, not from the email.
  • A four-eyes rule for payments above a threshold.
  • A clear “stop and check” path — an employee must have the right to hold an “urgent” transfer without fear of a manager’s reaction.
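The three controls above can be expressed as checks in an accounts-payable workflow. The following is an added illustration, not code from Breachroad or from any real payment system; the vendor master record, the phone number on file, the IBANs and the 10,000 threshold are constructed values. The point it makes is that an account change is held until it has been confirmed on the number already held in the vendor record (never on a number supplied in the email), and that a large transfer needs two different approvers.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed vendor master data (hypothetical values). The phone number comes
# from the signed contract on file, which is the "previously known number".
VENDOR_MASTER = {
    "acme-supplies": {
        "iban": "PL00 0000 0000 0000 0000 0000 0001",
        "phone_on_file": "+48 22 000 00 01",
    },
}

FOUR_EYES_THRESHOLD = 10_000.00  # assumed threshold; set it per company policy


@dataclass
class AccountChangeRequest:
    """A supplier email asking to pay the next invoice into a new account."""
    vendor_id: str
    new_iban: str
    phone_in_email: Optional[str]            # number the email asks us to call
    callback_number_used: Optional[str] = None  # number the clerk actually dialled
    callback_confirmed: bool = False            # did the known contact confirm?


@dataclass
class TransferRequest:
    vendor_id: str
    amount: float
    approvers: List[str] = field(default_factory=list)


def verify_account_change(req: AccountChangeRequest) -> Tuple[bool, str]:
    """Second-channel rule: the change is accepted only after a phone
    confirmation on the number held in the vendor master record."""
    master = VENDOR_MASTER.get(req.vendor_id)
    if master is None:
        return False, "hold: unknown vendor, onboard it through the normal process first"
    if not req.callback_confirmed:
        return False, "hold: no callback confirmation recorded"
    if req.callback_number_used != master["phone_on_file"]:
        # Calling the number printed in the email just reaches the fraudster.
        return False, "hold: callback used a number that is not on file"
    return True, "ok: account change confirmed on a known number"


def approve_transfer(req: TransferRequest) -> Tuple[bool, str]:
    """Four-eyes rule: above the threshold two different people must approve.
    Any approver may also place a hold without giving a reason."""
    distinct_approvers = set(req.approvers)
    if not distinct_approvers:
        return False, "hold: no approver recorded"
    if req.amount > FOUR_EYES_THRESHOLD and len(distinct_approvers) < 2:
        return False, "hold: amount above threshold needs a second, different approver"
    return True, "ok: transfer approved"


if __name__ == "__main__":
    # Constructed scenario: the email supplies its own "call me back" number.
    change = AccountChangeRequest(
        vendor_id="acme-supplies",
        new_iban="PL00 9999 9999 9999 9999 9999 9999",
        phone_in_email="+48 500 000 000",
        callback_number_used="+48 500 000 000",
        callback_confirmed=True,
    )
    print(verify_account_change(change))
    print(approve_transfer(TransferRequest("acme-supplies", 25_000.00, ["anna"])))
    print(approve_transfer(TransferRequest("acme-supplies", 25_000.00, ["anna", "piotr"])))
```

The design choice worth noting is that `verify_account_change` compares the number the clerk dialled against the master record, not against the email: a confirmation obtained on the fraudster's own number still results in a hold.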

The technical layer that helps

  • SPF, DKIM and DMARC make it harder to impersonate your domain.
  • Flagging emails from outside the organisation and detecting look-alike domains (typosquatting).
  • MFA on mailboxes — a compromised inbox is fuel for BEC.
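The second item in the list above, external flagging and look-alike detection, can be done with a small header check at the mail gateway or in a triage script. What follows is an added example and not Breachroad's tooling; the organisation domain `example.com`, the trusted-domain list, the confusable-character table and the three sample messages are all constructed. It flags a message as external when the From domain is not ours, as a look-alike when the From domain matches a trusted domain after normalising common visual swaps (`1` for `l`, `rn` for `m`, and so on) or sits within edit distance two of it, and as suspicious when Reply-To points somewhere other than the From domain.

```python
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Optional

OUR_DOMAIN = "example.com"  # assumed: the organisation's own domain
# Constructed list of domains we legitimately exchange invoices with.
KNOWN_DOMAINS = {"example.com", "acme-supplies.com"}

# Character sequences commonly swapped to imitate a domain visually.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("cl", "d")]


def normalise(domain: str) -> str:
    """Collapse visually confusable sequences so look-alikes compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the trusted domain this one imitates, or None."""
    d = domain.lower()
    if d in KNOWN_DOMAINS:
        return None
    for known in sorted(KNOWN_DOMAINS):
        if normalise(d) == normalise(known) or levenshtein(d, known) <= 2:
            return known
    return None


def assess(raw_message: str) -> Dict[str, object]:
    """Parse headers and return the flags a reviewer should see."""
    msg = message_from_string(raw_message)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = reply_addr.rpartition("@")[2].lower() if reply_addr else from_dom

    flags: List[str] = []
    if from_dom != OUR_DOMAIN:
        flags.append("EXTERNAL")
    imitated = lookalike_of(from_dom)
    if imitated:
        flags.append(f"LOOKALIKE of {imitated}")
    if reply_dom != from_dom:
        flags.append("REPLY-TO MISMATCH")
    return {"from_domain": from_dom, "reply_domain": reply_dom, "flags": flags}


# Constructed sample messages (not real correspondence).
SAMPLE_SUPPLIER = """From: "Acme Supplies Accounts" <invoices@acme-supp1ies.com>
To: ap@example.com
Subject: Updated bank details for invoice 4471

Please use the new account number for the attached invoice.
"""

SAMPLE_CEO = """From: "Jan Kowalski" <ceo@example.com>
Reply-To: jan.kowalski@freemail.example
To: finance@example.com
Subject: Urgent and confidential

I am in a meeting, please arrange the transfer today.
"""

SAMPLE_INTERNAL = """From: ap-lead@example.com
To: finance@example.com
Subject: Month-end close

Reminder about Friday's cut-off.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SUPPLIER, SAMPLE_CEO, SAMPLE_INTERNAL):
        print(assess(sample))
```

A gateway that already rewrites the subject of external mail can feed the `flags` list straight into that banner; the look-alike and Reply-To checks are the two that a plain "external sender" banner misses, because the sender domain in an invoice-fraud message is usually designed to look internal or familiar.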

The key takeaway: with BEC, the payment procedure is the security system. A company that verifies account changes through a second channel is resilient even to a very convincing email. If you’d like to test the resilience of your processes, get in touch.


Sources and further reading: CERT Polska, FBI IC3 — BEC.
