Adversarial Risk Group

What is business email compromise (BEC)?

Business email compromise (BEC) uses email impersonation or account takeover to route a wire transfer or vendor change to the attacker.

Key takeaways

  • BEC is the highest-dollar-loss category in cyber incidents for mid-market manufacturers. The FBI consistently reports it as the single largest line item in commercial cyber loss data.
  • The attack is procedural, not technical: most BEC operations succeed through workflow exploitation, not malware.
  • Five variants account for almost all losses: vendor invoice fraud, CEO fraud, payroll diversion, M&A or attorney impersonation, and direct account takeover.
  • Recovery probability drops fast: 24 to 72 hours is the realistic window before funds are unrecoverable.
  • Defense is workflow-first: two-person, out-of-band approval for high-loss actions, vendor-information governance, and phishing-resistant authentication. Training alone does not work.

How does a BEC attack unfold from reconnaissance to payout?

A BEC operation runs through five stages. The technical sophistication is usually low; the workflow understanding is high.

1. Target selection. Attackers select organizations with visible payment volume and visible business relationships. Public sources (LinkedIn for finance staff, SEC filings, vendor case studies, trade press) build the target list. Mid-market manufacturers fit the profile: meaningful payment volume, manageable defending team, public business relationships.

2. Foothold or impersonation setup. Two paths.

  • Account takeover: a spear phish or vishing call captures credentials and MFA codes, or an OAuth consent grant gives the attacker mailbox access without credentials. The attacker reads email for days or weeks to learn workflow.
  • Impersonation: a lookalike domain is registered, a display name is spoofed, or a partner's already-compromised mailbox is used to send from a legitimate-looking sender. Vendor-mailbox compromise on the supplier side is increasingly the dominant variant; the manufacturer's own controls never see the foothold.

3. Workflow reconnaissance. The attacker learns the organization's payment cadence, vendor list, approval thresholds, communication style, who handles what, and when (month-end, vendor-onboarding cycles, executive travel). Often this is the longest stage, two to six weeks.

4. Execution. A pretext message is sent at the right moment, to the right recipient, with the right reference: a vendor invoice with a bank-account change, a CEO wire request before a flight, a payroll direct-deposit update from an HR impersonator, an attorney's M&A wire instruction during a deal window. The message is structurally indistinguishable from legitimate correspondence.

5. Payout and exfil. The wire is initiated. Funds route through one or more mule accounts, typically with quick onward transfers. Within 24 to 72 hours the funds are usually outside the reach of normal recovery channels.

The five most common BEC variants

ARG sees the same five variants account for the overwhelming majority of mid-market manufacturer losses.

1. Vendor invoice fraud. A real, recurring vendor's invoice is duplicated with the bank account changed. Sometimes the vendor's mailbox is compromised and the change is sent from the genuine sender; sometimes a lookalike domain handles it. AP processes the payment in the normal cycle. The real vendor follows up about non-payment weeks later. Highest-frequency variant; often the highest dollar value because vendor wires are routine and large.

2. CEO fraud. A wire request from "the CEO" to the CFO, controller, or finance lead, often paired with a voice cloning call for confirmation. Pretext references known confidential business (an acquisition, a customer escalation, a regulatory issue). See What is a deepfake CEO scam?.

3. Payroll diversion. An HR or IT impersonation requests a direct-deposit change for one or more employees. The next payroll cycle routes wages to the attacker. The employee notices when their paycheck does not arrive. Lower per-incident loss, but the same compromise can be repeated across multiple employees.

4. M&A or attorney impersonation. A pretext message from an attorney or M&A counterparty during an active deal window. The wire is for "earnest money", "due diligence costs", or a closing payment. Loss per incident is often high (six- to seven-figure range).

5. Direct account takeover with insider workflow. The attacker controls a finance or executive mailbox directly and sends from inside. Hardest variant for the defending team to catch, because the email is genuinely from the legitimate sender; only workflow-level controls survive.

Why mid-market manufacturers are disproportionately targeted by BEC

Four structural reasons:

  1. High payment volume, predictable cadence. A 200-person manufacturer processes hundreds of vendor wires monthly, many of them five- to six-figure. Predictable cycles (month-end, quarter-end) make timing easy for attackers.
  2. Public vendor relationships. Manufacturers publish customer logos, supplier case studies, and trade-show partner lists. The vendor target list is essentially open source.
  3. Lean finance teams. Mid-market AP usually runs with one to three people. Two-person approval is often informal or undocumented. The bypass works at the procedural level.
  4. Underdeveloped vendor-information governance. Vendor contact details, bank accounts, and approver lists often live in ad-hoc places (an HR sheet, an old email thread, the AP person's memory). The single source of truth needed for verification often does not exist.

The combination produces high per-attempt success rates and high per-success dollar values. BEC operators allocate effort accordingly.

Examples of BEC losses in manufacturing

Patterns ARG sees repeatedly in mid-market manufacturer engagements (anonymized):

  • Recurring $180k vendor wire diverted with one digit changed. A long-standing tooling supplier's invoice was duplicated by a compromised vendor-side mailbox. The bank account differed by a single digit. AP processed the wire because the email came from the genuine sender. Loss recognized when the real vendor's controller followed up about non-payment three weeks later.
  • $450k CEO fraud wire during an acquisition discussion. A spear phish to the CFO referenced an acquisition the executive team had been discussing. The CFO routed the wire that Friday afternoon, believing it was attorney escrow. A voice cloning call confirmed the request mid-day. Funds unrecoverable after the weekend.
  • Payroll diversion across 14 employees. An HR impersonation submitted direct-deposit changes through the actual payroll portal (credentials harvested by an OAuth consent grant). The next cycle routed wages for 14 employees to mule accounts. Recognized by employees on payday.
  • $120k tax-payment redirection. A pretext from "the controller" with new IRS wire instructions during the quarterly tax-payment window. The wire went out within two hours of the request.
  • Vendor-onboarding fraud during an M&A integration. During the integration of an acquired plant, the unified AP team received vendor information from "the legacy AP team". One of the records was fabricated; subsequent wires routed against it.

Each incident represents a measurable workflow gap. Each one is testable in advance.

How to spot a BEC attempt before the wire goes out

For a finance team member who suspects a payment request may be BEC, five reliable signals:

  1. The payment request is the first time this bank account appears. New vendor account, new payee account, or a "corrected" bank account on a recurring invoice. New banking details on a routine wire are the strongest signal.
  2. The request bypasses normal workflow. A wire approved through email alone instead of the procurement system, a vendor information change submitted via email instead of the vendor portal, a payroll change submitted outside HRIS.
  3. The urgency is manufactured. "Today, before close of business", "before the flight", "while the CFO is in this meeting". Real urgency from real executives almost always has a written counterpart and tolerates verification.
  4. The communication channel is unusual. Email from a slightly off domain, vendor sending from a personal email "while the corporate system is down", channel switch from email to SMS or WhatsApp.
  5. The requester cannot be reached for verification, and resists being reached. "I'm boarding, just process it". Reluctance to be called back is the signal.

Detection by an individual is useful but not the design. The design is to make BEC fail at the workflow level, not the human level.
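Signals 1, 2 and 4 above, plus the rule that a phone number offered inside the request never counts for callback, can be encoded as a workflow check that runs before AP releases a wire. This is an added example, not ARG's tooling; the vendor-master fields, the channel names and the sample record are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class VendorRecord:
    """Vendor-master entry: the single source of truth a request is checked against."""
    vendor_id: str
    domain: str                       # sender domain on record for this vendor
    bank_accounts: set = field(default_factory=set)
    callback_number: str = ""         # directory-sourced, never taken from a request

@dataclass
class PaymentRequest:
    vendor_id: str
    sender_address: str
    bank_account: str
    channel: str                      # "erp", "vendor_portal", "email", "sms", ...
    phone_in_message: str = ""        # any number the message itself offers for "confirmation"

CONTROLLED_CHANNELS = {"erp", "vendor_portal"}

# Constructed sample vendor master (assumed names and values, not real data).
SAMPLE_MASTER = {
    "V-1001": VendorRecord("V-1001", "acme-tooling.example", {"ACCT-4481-1111"}, "+1-555-0100"),
}

def review_request(req: PaymentRequest, master: dict) -> list:
    """Return the signals a request raises; an empty list means it matches the record."""
    vendor = master.get(req.vendor_id)
    if vendor is None:
        return ["unknown_vendor"]
    flags = []
    # Signal 1: exact match only, so a one-digit change reads as a brand-new account.
    if req.bank_account not in vendor.bank_accounts:
        flags.append("new_bank_account")
    # Signal 2: a banking change submitted outside the controlled channel.
    if req.channel not in CONTROLLED_CHANNELS:
        flags.append("bypassed_workflow")
    # Signal 4: sender domain differs from the one on record (lookalike or personal mailbox).
    if req.sender_address.rsplit("@", 1)[-1].lower() != vendor.domain.lower():
        flags.append("off_domain_sender")
    # A number offered inside the request is never the callback number.
    if req.phone_in_message and req.phone_in_message != vendor.callback_number:
        flags.append("callback_number_not_directory_sourced")
    return flags

def disposition(req: PaymentRequest, master: dict) -> tuple:
    """What AP does next: release, or hold and call the directory-sourced number."""
    flags = review_request(req, master)
    if not flags:
        return ("release", flags)
    number = master[req.vendor_id].callback_number if req.vendor_id in master else None
    return (f"hold_for_callback:{number}", flags)
```

The hold path returns only the vendor-master number, so the person doing the callback never has a reason to dial anything the request supplied.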

Best practices for wire transfer and vendor change controls

  1. Two-person, out-of-band approval for any new or changed payee. The approver must be different from the requester, and the approval channel must be different from the request channel. Email approval of an email request is not approval.
  2. Callback verification to a directory-sourced number. For any new banking information, AP calls the vendor at a number sourced from the ERP vendor master, not from the request email. Numbers in email signatures or in PDFs do not count.
  3. Vendor master controls. Vendor banking information is a controlled record: changes require documentation, approval, and (in the strongest implementations) a verification call back to a pre-existing vendor contact.
  4. CEO and executive-impersonation playbook. Finance teams need an explicit playbook that authorizes (and expects) refusal to act on voice or email requests from executives without callback verification. The playbook removes the social cost of saying no.
  5. Phishing-resistant authentication. FIDO2 or passkeys on all finance, executive, and AP mailboxes. Push-based MFA is bypassable. See What is phishing-resistant MFA?.
  6. Mailbox-rule monitoring. Continuous detection on inbox-rule creation, OAuth grants, and forwarding policy changes catches the post-compromise behavior that precedes the wire request.
  7. Documented escalation to fraud-recovery channels. If a wire goes out, the response playbook calls the originating bank within two hours, files an IC3 report, and engages the FBI Financial Fraud Kill Chain. Speed is the only meaningful lever after the wire leaves. See What is an incident response plan (IRP)?.
  8. Insurance alignment. Confirm with the cyber broker that the social engineering fraud endorsement requires verification procedures the team actually follows. If the procedures and the endorsement do not match, the claim will be denied.
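Item 6, mailbox-rule monitoring, reduces to a small detection over mailbox-configuration audit events. This is an added example, not ARG's or any vendor's code; the events are constructed and loosely follow Exchange Online audit-log naming (New-InboxRule, Set-Mailbox, "Consent to application."), so treat the field names as assumptions.

```python
INTERNAL_DOMAINS = {"plant.example"}           # assumed: the defending org's own mail domains
FINANCE_WORDS = {"invoice", "wire", "payment", "bank", "remittance"}
MAIL_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "MailboxSettings.ReadWrite"}

def _external(addresses):
    """Addresses whose domain is not one of ours."""
    return [a for a in addresses if a.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]

def detect(events):
    """Return (user, reason) alerts for the mailbox changes that precede a BEC wire request."""
    alerts = []
    for ev in events:
        op, p, user = ev["operation"], ev.get("params", {}), ev["user"]
        if op in ("New-InboxRule", "Set-InboxRule"):
            targets = p.get("ForwardTo", []) + p.get("RedirectTo", []) + p.get("ForwardAsAttachmentTo", [])
            if _external(targets):
                alerts.append((user, "inbox rule forwards mail externally"))
            # Rules that bury vendor follow-ups ("we never received payment") from the mailbox owner.
            words = {w.lower() for w in p.get("SubjectContainsWords", []) + p.get("BodyContainsWords", [])}
            if (p.get("DeleteMessage") or p.get("MoveToFolder")) and words & FINANCE_WORDS:
                alerts.append((user, "inbox rule hides finance-related messages"))
        elif op == "Set-Mailbox":
            fwd = p.get("ForwardingSmtpAddress")
            if fwd and _external([fwd]):
                alerts.append((user, "mailbox-level forwarding to an external address"))
        elif op == "Consent to application." and set(p.get("scopes", [])) & MAIL_SCOPES:
            alerts.append((user, f"OAuth consent gave {p.get('app')} mailbox access"))
    return alerts

# Constructed sample events (not real log data): one benign rule, three that should alert.
SAMPLE_EVENTS = [
    {"user": "ap@plant.example", "operation": "New-InboxRule",
     "params": {"Name": "newsletters", "SubjectContainsWords": ["Weekly digest"], "MoveToFolder": "Archive"}},
    {"user": "ap@plant.example", "operation": "New-InboxRule",
     "params": {"Name": "cleanup", "SubjectContainsWords": ["invoice", "payment"], "DeleteMessage": True}},
    {"user": "controller@plant.example", "operation": "Set-Mailbox",
     "params": {"ForwardingSmtpAddress": "backup.mail@webmail.example"}},
    {"user": "cfo@plant.example", "operation": "Consent to application.",
     "params": {"app": "Mail Sync Helper", "scopes": ["offline_access", "Mail.ReadWrite"]}},
]
```

The keyword rule is the one most teams miss: a rule that deletes anything mentioning "invoice" is what keeps the real vendor's non-payment follow-up from ever reaching AP.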

Business email compromise FAQs

Does cyber insurance cover BEC losses?

Sometimes, but coverage is endorsement-specific and often denied on technicalities. Most BEC losses fall under a social engineering fraud (SEF) endorsement rather than the core cyber policy, and SEF endorsements require specific verification procedures (callback to a directory-sourced number, two-person approval, etc.). Failing to follow those procedures is the most common reason a BEC claim is denied. See What is social engineering fraud (SEF) coverage?.

What is the difference between BEC and account takeover?

Account takeover means the attacker has actually logged into the legitimate account and is sending from it. BEC is the broader category and includes both account takeover and pure impersonation through lookalike domains, display-name spoofing, or thread hijacking from a compromised partner account.

Can multi-factor authentication stop BEC?

Phishing-resistant MFA (FIDO2, passkeys) prevents the account-takeover variant by stopping credential harvesting from succeeding. It does not prevent pure-impersonation BEC, where the attacker never logs in: lookalike domains, vendor mailbox compromises at a third party, and thread hijacking still work. MFA reduces but does not eliminate BEC exposure.

How quickly do BEC funds become unrecoverable?

Recovery probability drops sharply after 48 to 72 hours. Funds routed domestically and caught within 24 hours can often be reversed through the FBI Financial Fraud Kill Chain. Funds routed internationally or caught after several days are usually unrecoverable. The first action after suspected BEC is to call both the originating bank and the FBI IC3 within hours, not days.

How ARG tests BEC resilience end-to-end (technical + procedural)

BEC failures are workflow failures, not detection failures. ARG tests resilience at both layers in every engagement.

The technical layer, operated by James Wall, exercises the email and identity surfaces a BEC attack uses: account takeover via spear phishing and OAuth grants, lookalike-domain delivery against AP and finance mailboxes, mailbox-rule creation and OAuth-grant detection on the defending stack, and continuous detection drift monitoring on identity controls. Findings include where the email security stack catches the lure, where it does not, and where the post-compromise behavior would have been visible to detection had the defending team been watching.

The procedural layer, exercised during on-site engagements and through continuous vishing simulation, tests the actual wire-transfer and vendor-change workflow. ARG operators submit BEC-shaped requests through real channels: vendor invoice variations, CEO-impersonation wires, payroll change requests, attorney-impersonation deal wires. The test ends when the workflow either holds (callback verification, two-person approval, vendor-master controls) or fails (wire would have gone out).

The output is a single integrated finding set: where the technical surface caught the attack, where the workflow caught it, and where neither would have. Remediation maps to the specific control (a configuration change, a workflow change, a policy change, a verification habit). Re-testing in subsequent rounds confirms the remediation held against pretexts the workforce has not seen before.

For founding clients, BEC resilience testing is part of the monthly retainer. Insurance-aligned documentation is generated as a byproduct, ready for renewal underwriting. See What is cyber insurance underwriting?.

Apply as a founding client or see how the engagement works for the full delivery cycle.

Find what gets through.

ARG runs continuous AI-driven adversarial simulation and on-site physical audits for mid-market manufacturers. Two founding-client spots remain.

Author: James Wall. Updated 2026-05-18. Adversarial Risk Group.