The attack that targets your accounting, not your servers
Most security advice is about keeping attackers out of your systems. Business email compromise is unsettling because it often involves no system intrusion at all. An attacker studies your business — sometimes from public information, sometimes from a mailbox they quietly took over — and then sends a single, plausible email: the CEO urgently needs a wire sent before a deal closes, or a familiar vendor writes to say "we've changed banks, please update our payment details." Finance does exactly what it is supposed to do — pay a legitimate-looking request — and a five- or six-figure payment lands in a fraudster's account. By the time anyone questions it, the money has been moved through three banks and is unrecoverable.
BEC consistently tops the list of costliest cyber incidents not because it is sophisticated, but because it bypasses technology and targets a trusted business process. It is a social engineering attack aimed squarely at the people who move money, and the lean team is an ideal target: a small finance function, founders who really do send urgent payment requests, and rarely a formal verification step between an email and a wire.
The three plays that account for most losses
BEC is not one trick but a small family of them, and recognizing the pattern is most of the defense:
- Vendor/invoice fraud (the "banking details changed" email). The attacker poses as a real supplier you already pay and asks you to update their bank account on file. The next legitimate invoice gets paid — to the attacker. This is the most common and most expensive variant precisely because the payment itself looks completely routine, which is exactly the pattern a vendor-payment fraud monitor is built to flag: a sudden bank-routing change on an established vendor.
- Executive impersonation (the "CEO" wire request). A spoofed or lookalike address mimics a founder or finance lead and pressures a junior employee to push an urgent, confidential wire — leaning on authority and time pressure so the target won't pause to verify.
- Payroll diversion. An email purporting to be from an employee asks HR or payroll to redirect their direct deposit to a new account. Watching HR and payroll changes together is precisely the kind of cross-product payroll-fraud signal — a direct-deposit change paired with an off-pattern request — that catches this before payday.
Notice the common thread: every variant changes where money goes and relies on you not independently confirming the change.
The one control that defeats most of it
There is a single process control that, applied consistently, stops the large majority of BEC losses: out-of-band verification of any change to payment details or any unusual payment request. If a vendor "changes their bank," or an executive "needs an urgent wire," you confirm it through a channel other than the one the request arrived on — a phone call to a previously known number, not the number in the email signature.
- Never verify a request using contact details from the request itself. The attacker controls that channel. Call the number you already had on file before the email arrived.
- Require dual approval above a dollar threshold. Two people sign off on large or unusual payments, so no single fooled employee can move serious money alone — the same least-privilege and separation-of-duties instinct that governs system access, applied to your bank.
- Make "slow down" culturally safe. BEC weaponizes urgency and authority. A junior employee must feel free to delay a "CEO" wire to verify it without fear — which is a training and culture problem as much as a process one, and lives in the same place as your broader security awareness and phishing-resistance work.
Write this down as a real payment-controls policy, because a verification step that lives only in one person's head evaporates the day they are on vacation — the same reason security policies have to match practice to be worth anything.
Harden the email layer underneath
The process control is primary, but the technical layer makes the impersonation harder to pull off:
- Authenticate your email so others can't spoof your domain. Properly configured SPF, DKIM, and DMARC make it much harder for an attacker to send mail that appears to come from your domain — directly blunting the executive-impersonation play.
- Lock down the mailboxes that move money. A finance or executive mailbox protected by phishing-resistant MFA and watched for account takeover denies attackers the most dangerous foothold: a real internal mailbox to send from, which makes their fraud nearly indistinguishable from legitimate traffic.
- Flag external lookalike domains.
yourcompany.covsyourcompany.com, or display-name spoofing, is the classic BEC vehicle — the kind of brand-and-domain monitoring that catches an impersonation campaign while it is still being staged.
Treat money movement as a monitored surface
The most powerful place to catch BEC is where the fraud actually completes: the payment stream itself. A platform that already watches your banking and payment data can audit it for exactly the anomalies BEC produces — a new payee, a sudden bank-routing change on an established vendor, an off-hours or off-pattern transfer, a payroll account redirect — and raise each as a finding with context before, or immediately after, the payment clears. Wiring those signals into the same triage and alerting pipeline as the rest of your program means a suspicious wire is a loud, owned, time-boxed alert rather than a line item someone notices on next month's reconciliation. And when one does get through, it is not a routine ticket — it is an incident: contact your bank immediately to attempt a recall, preserve the email, and check for related compromise.
One honest caveat: a platform can monitor your payment and payroll streams for the anomaly patterns BEC produces, surface them as findings, and keep an audit trail of how each was handled — it watches and flags. It does not approve your wires, sit between finance and the bank, or stop a payment on its own; the verification call, the dual-approval step, and the decision to hold a transfer are operational controls your team owns. It does not make you compliant or recover stolen funds, and how to respond to an actual fraud loss is a question for your bank, law enforcement, and counsel — not software.
Business email compromise skips your servers entirely and attacks the process that moves your money, using a single convincing email and a sense of urgency. The defense is mostly human: verify every payment-detail change and unusual request out-of-band on a number you already had, require dual approval above a threshold, and make it safe to slow down. Then harden the email layer with SPF/DKIM/DMARC and locked-down finance mailboxes, and monitor the payment stream itself so a fraudulent wire is a loud alert — not a surprise on the next reconciliation.