Business Email Compromise for SMBs

The $55 billion scam hiding in plain sight

The most dangerous cyber scam for many small businesses does not look like a hack.

It looks like work.

An email from a vendor asking to update payment details. A message from the owner asking for an urgent wire. A client note requesting a change in remittance instructions. A lawyer, accountant, or contractor following up on a transaction that feels routine enough to process quickly.

That is what makes business email compromise so dangerous. It hides inside normal business behavior. The FBI says BEC is one of the most financially damaging online crimes, and in September 2024 the FBI’s Internet Crime Complaint Center reported domestic and international exposed losses of $55.5 billion tied to BEC incidents from October 2013 through December 2023. FBI IC3 PSA

The threat is not fading. The FBI’s 2024 IC3 data says there were 21,442 BEC complaints in 2024 with adjusted losses of more than $2.7 billion. FBI IC3 brochure

That is why BEC deserves more attention from small and midsize businesses. It is not dramatic in the way ransomware is dramatic. It does not always shut the lights off. It does not always announce itself with obvious malware or locked files. Often, it simply convinces someone to do something expensive.

What business email compromise actually is

The FBI defines BEC as a scam in which criminals send an email message that appears to come from a known source making a legitimate request. It may involve a compromised or spoofed email account, and the request often relates to a transfer of funds or sensitive information. FBI

That definition matters because it explains why BEC is so effective. The attacker is not trying to look suspicious. The attacker is trying to look ordinary.

A good BEC attack does not feel like a cyber event. It feels like business operations happening at speed.

Why SMBs are especially vulnerable

Small businesses run on trust, urgency, and limited layers of review. One person may handle invoices, payroll, wire approvals, vendor coordination, and customer communications in the same day. Leaders move fast. Employees know one another well. Requests are often informal because informality is efficient.

That same efficiency creates opportunity for fraud.

If a small accounting team receives a believable note asking to change payment instructions, or if a founder gets what appears to be an urgent legal or vendor message at the wrong moment, the attack does not need a technical exploit to succeed. It only needs the normal workflow to keep moving.

The FBI’s broader fraud guidance says spoofing and phishing are key parts of BEC scams. Attackers may disguise an email address, sender name, phone number, or website URL to make the interaction appear trustworthy. FBI

Why BEC is getting harder to spot

BEC was already dangerous before generative AI entered the picture. Now the environment is becoming even more favorable to attackers.

Microsoft said in March 2026 that threat actors are operationalizing AI to scale malicious activity, including drafting phishing lures, translating content, scaffolding scripts, and enabling voice-based fraud. Microsoft also explicitly warned about AI use in voice cloning for vishing and business email compromise-style scams. Microsoft Security Blog

That means the old signs people were trained to notice (bad grammar, strange phrasing, awkward tone) may matter less than they used to. The messages can sound cleaner. The context can feel more natural. The impersonation can be better. The request can arrive by email, phone, text, or a mix of all three.

BEC is no longer just a fake email problem. It is a trust-manipulation problem.

How BEC usually works

Most BEC attacks follow a recognizable pattern. The attacker studies the business, identifies who can move money or sensitive data, and then impersonates a trusted source at the moment a believable request would make sense.

| Stage | What weaker SMBs often assume | What is actually happening | Why it matters |
|---|---|---|---|
| Reconnaissance | No one would study a small company closely | Attackers review websites, vendors, public roles, and normal payment patterns | Small businesses often reveal enough context publicly to make impersonation believable. |
| Impersonation | The fake message will be obvious | The sender may spoof a known source or use a compromised account | The FBI says BEC messages appear to come from trusted sources. (Source) |
| Urgency | Employees will pause and verify before acting | The request is designed to feel routine but time-sensitive | Speed is one of the attacker's best allies in a lean organization. |
| Transfer or disclosure | The real risk is only malware | The business may send money or sensitive data willingly under false pretenses | BEC often succeeds without obvious technical disruption. |
| Follow-on fraud | The damage stops at one transaction | Attackers may continue impersonation, exploit trust, or target more accounts | One successful payment can open the door to more fraud. |

The most common BEC scenarios

The classic scenario is vendor invoice fraud. A business receives what appears to be an ordinary payment update and changes banking details without independent verification. Another common scenario is executive impersonation, where the attacker pretends to be the owner, CEO, or other leader and pressures someone into a fast transfer. There are also lawyer impersonation scams, payroll redirection schemes, and email account compromise cases where a real mailbox is used to make fake instructions look even more authentic.

What these have in common is not technical sophistication alone. It is credibility inside an existing business relationship.

The controls that actually stop BEC

The answer is not telling employees to “be more careful.” That is too vague, and it places too much weight on instinct in moments designed to defeat instinct.

1. Require independent verification for payment changes

No vendor banking change, invoice remittance update, or urgent payment request should move forward without a second-channel verification step. That means calling a number that was already on file before the request arrived, not a number supplied in the message, and not replying to the suspicious message itself. The person who makes that call should not be the person who logged the request.
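What that rule looks like when it is enforced by a system rather than by instinct, as an added example that is not code from the original post: a small gate for vendor banking-detail changes. Vendors, requests, phone numbers and employee names below are constructed sample data, and every class, field and function name is an assumption. Beyond the callback rule itself, the gate also flags request emails sent from lookalike domains, since the "vendor" asking for the change is frequently not on the vendor's real domain at all.

```python
"""Added example, not code from the original post: a gate that enforces the
second-channel rule for vendor banking changes. Vendor records, requests,
phone numbers and employee names are constructed sample data; every class,
field and function name here is an assumption."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Vendor:
    name: str
    email_domain: str      # domain captured at onboarding, never from a later email
    callback_phone: str    # number on file; the only number a verifier may call
    bank_account: str


@dataclass
class ChangeRequest:
    vendor_name: str
    sender_address: str    # From: address on the request email
    new_bank_account: str
    received_by: str       # employee who logged the request
    phone_in_message: Optional[str] = None   # any "call me here" number in the email


@dataclass
class Verification:
    verified_by: str       # employee who made the call
    phone_used: str
    contact_source: str    # "vendor_master" or "message"
    vendor_confirmed: bool


def normalize_domain(domain: str) -> str:
    """Fold common lookalike substitutions so acme-lnc.com reads as acme-inc.com."""
    d = domain.lower().strip()
    for old, new in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("-", "")):
        d = d.replace(old, new)
    return d


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; catches one- or two-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(vendor: Vendor, sender_address: str) -> str:
    """Return 'match', 'lookalike' or 'foreign' against the domain on file."""
    sender_domain = sender_address.rsplit("@", 1)[-1].lower()
    on_file = vendor.email_domain.lower()
    if sender_domain == on_file:
        return "match"
    if (normalize_domain(sender_domain) == normalize_domain(on_file)
            or edit_distance(sender_domain, on_file) <= 2):
        return "lookalike"
    return "foreign"


def decide(vendor: Vendor, req: ChangeRequest,
           ver: Optional[Verification]) -> tuple[str, list[str]]:
    """Return (decision, reasons). Only 'approve' may update the vendor master."""
    if req.new_bank_account == vendor.bank_account:
        return "no-op", ["account unchanged"]
    reasons = []
    kind = classify_sender(vendor, req.sender_address)
    if kind != "match":
        reasons.append(f"sender domain is a {kind} of {vendor.email_domain}")
    if ver is None:
        return "hold", reasons + ["no second-channel verification recorded"]
    # The call must go to the number on file, never one supplied by the request.
    if ver.contact_source != "vendor_master" or ver.phone_used != vendor.callback_phone:
        reasons.append("verification did not use the vendor master phone number")
    if req.phone_in_message and ver.phone_used == req.phone_in_message:
        reasons.append("verifier called the number supplied in the request email")
    # Separation of duties: whoever logged the request cannot also verify it.
    if ver.verified_by == req.received_by:
        reasons.append("same person logged and verified the request")
    if not ver.vendor_confirmed:
        reasons.append("vendor did not confirm the change on the call")
    return ("reject" if reasons else "approve"), reasons


if __name__ == "__main__":
    acme = Vendor("Acme Inc", "acme-inc.com", "+1-555-0100", "111222333")
    fraud = ChangeRequest("Acme Inc", "billing@acme-lnc.com", "999888777",
                          received_by="pat", phone_in_message="+1-555-0199")
    print(decide(acme, fraud, None))
    print(decide(acme, fraud, Verification("pat", "+1-555-0199", "message", True)))
    legit = ChangeRequest("Acme Inc", "billing@acme-inc.com", "999888777", received_by="pat")
    print(decide(acme, legit, Verification("chris", "+1-555-0100", "vendor_master", True)))
```

The three runs at the bottom walk the common path: a lookalike-domain request with no callback is held, the same request "verified" by calling the number in the email is rejected with the reasons spelled out, and only a request from the real domain, confirmed on the number already on file by a second employee, is approved. The lookalike test is deliberately loose; its job is to force a human look, not to be the final word.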

2. Protect the people who can move money

Finance staff, executives, payroll administrators, and anyone with payment authority should have stronger identity protections than the rest of the company: multi-factor authentication on their mailboxes at a minimum, and closer review of their sign-ins and mailbox settings. If the wrong account is compromised or convincingly impersonated, the business can lose money before anyone realizes a cyber incident occurred.

3. Tighten email and domain trust

Businesses should review spoofing protections for their own domain (SPF, DKIM, and a DMARC policy that actually quarantines or rejects rather than only reports), email security settings, mailbox forwarding and inbox rules that send mail outside the company or hide it, and sign-in anomalies tied to high-risk accounts. The FBI specifically points to spoofing and phishing as central parts of BEC. FBI
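Two of those reviews can be scripted, and the following is an added example of how, not code from the original post or from any vendor. The first function reads a domain's SPF and DMARC TXT records and flags settings that leave it easy to spoof; the second scans mailbox audit events for inbox rules that forward mail outside the company or bury it, which is a common step once a finance mailbox has been taken over. The DNS records and audit events are constructed sample data in the shape of TXT records and Microsoft 365 unified audit log "New-InboxRule" entries; field names, folder names and the finance keyword list are assumptions to adapt to your own tenant.

```python
"""Added example, not code from the original post: two checks behind the
'tighten email and domain trust' control. grade_spoofing_posture() grades a
domain's SPF and DMARC records; find_suspicious_inbox_rules() scans mailbox
audit events for exfiltration or hiding rules. The records and events are
constructed sample data in the shape of DNS TXT records and Microsoft 365
unified audit log 'New-InboxRule' entries; field names are assumptions."""
import re
from typing import Optional


def grade_spoofing_posture(spf: Optional[str], dmarc: Optional[str]) -> list[str]:
    """Return findings for a domain; an empty list means no weak setting was seen."""
    findings = []
    if not spf:
        findings.append("no SPF record: any host can claim to send for this domain")
    else:
        # The qualifier on 'all' decides what receivers do with unlisted hosts.
        all_term = next((t for t in spf.split() if t.lstrip("+-~?").lower() == "all"), None)
        if all_term is None:
            findings.append("SPF has no 'all' mechanism: unlisted hosts get a neutral result")
        elif all_term in ("+all", "all"):
            findings.append(f"SPF ends with '{all_term}': unlisted hosts pass")
        elif all_term == "?all":
            findings.append("SPF '?all' is neutral: spoofed mail is not rejected")
    if not dmarc:
        findings.append("no DMARC record: receivers have no policy to enforce")
        return findings
    tags = dict(kv.strip().split("=", 1) for kv in dmarc.split(";") if "=" in kv)
    if tags.get("p", "none").lower() == "none":
        findings.append("DMARC p=none: failures are only reported, never blocked")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of mail")
    if "rua" not in tags:
        findings.append("DMARC has no rua= address: spoofing attempts go unreported")
    return findings


# Constructed audit events in the shape of Microsoft 365 unified audit log
# 'New-InboxRule' records (field names assumed; check them against your tenant).
SAMPLE_EVENTS = [
    {"Operation": "New-InboxRule", "UserId": "ap.clerk@example.com",
     "Parameters": [{"Name": "Name", "Value": "Invoices"},
                    {"Name": "SubjectContainsWords", "Value": "invoice;payment;wire"},
                    {"Name": "ForwardTo", "Value": "acct.recv@mailbox.example.net"},
                    {"Name": "DeleteMessage", "Value": "True"}]},
    {"Operation": "New-InboxRule", "UserId": "ceo@example.com",
     "Parameters": [{"Name": "Name", "Value": "."},
                    {"Name": "FromAddressContainsWords", "Value": "bank.example"},
                    {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}]},
    {"Operation": "New-InboxRule", "UserId": "sales@example.com",
     "Parameters": [{"Name": "Name", "Value": "Newsletters"},
                    {"Name": "MoveToFolder", "Value": "Reading"}]},
]

FORWARD_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_FOLDERS = {"rss subscriptions", "rss feeds", "conversation history", "junk email"}
FINANCE_WORDS = re.compile(r"invoice|payment|wire|remit|bank|ach\b", re.I)


def find_suspicious_inbox_rules(events, internal_domains=("example.com",)):
    """Return (user, rule name, reasons) for each rule that deserves a look."""
    hits = []
    for ev in events:
        if ev.get("Operation") not in ("New-InboxRule", "Set-InboxRule"):
            continue
        p = {x["Name"]: x["Value"] for x in ev.get("Parameters", [])}
        reasons = []
        for key in sorted(FORWARD_PARAMS & p.keys()):
            domain = p[key].rsplit("@", 1)[-1].lower()
            if domain not in internal_domains:
                reasons.append(f"{key} sends mail to external address {p[key]}")
        if p.get("DeleteMessage") == "True":
            reasons.append("rule deletes matching mail")
        if p.get("MoveToFolder", "").lower() in HIDE_FOLDERS:
            reasons.append(f"rule buries mail in '{p['MoveToFolder']}'")
        if len(p.get("Name", "")) <= 1:
            reasons.append("rule name is a single character or empty")
        for key in ("SubjectContainsWords", "FromAddressContainsWords", "BodyContainsWords"):
            if key in p and FINANCE_WORDS.search(p[key]):
                reasons.append(f"{key} targets finance traffic ({p[key]!r})")
        if reasons:
            hits.append((ev.get("UserId"), p.get("Name", ""), reasons))
    return hits


if __name__ == "__main__":
    print(grade_spoofing_posture("v=spf1 ip4:203.0.113.0/24 +all", "v=DMARC1; p=none; pct=50"))
    for user, name, why in find_suspicious_inbox_rules(SAMPLE_EVENTS):
        print(user, repr(name), why)
```

In the sample data the accounts-payable clerk's mailbox has a rule that forwards anything mentioning invoices or wires to an outside address and then deletes it, and the CEO's mailbox has a one-character rule that shunts bank correspondence into the RSS folder; both are reported, while the sales "Newsletters" rule is left alone. To run this against real data, feed it the records exported from your mail platform's audit log and put your own domains in `internal_domains`; the spoofing grader takes the TXT strings you get back from a DNS lookup of the domain and of `_dmarc.<domain>`.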

4. Train for realistic fraud, not cartoon fraud

If awareness training is built around laughably bad phishing messages, it is not preparing people for BEC. Modern fraud will often look polished, context-aware, and routine. In some cases it may also involve a follow-up text or phone call to reinforce urgency.

5. Slow down high-risk requests on purpose

The right culture is not one where employees obey every urgent request instantly. It is one where employees understand that slowing down a financial or identity-sensitive request is part of doing the job responsibly.

The real SMB question

The practical question is not whether your business knows what BEC is.

The better question is this:

If someone impersonated a trusted source tomorrow and asked your business to move money quickly, what exact controls would stop that payment from going out?

If the answer depends mostly on whether one person “gets a bad feeling,” the control is too weak.

What leaders should do this quarter

Review payment approval workflows. Identify who can authorize wires, vendor changes, payroll changes, and urgent transfers. Create a second-channel verification rule for all financial changes. Strengthen identity protection for high-risk users. Audit email forwarding rules and suspicious mailbox behavior. Refresh fraud training so it reflects polished, realistic scams instead of outdated examples.

And most importantly, make sure the business understands that fraud prevention is not separate from cybersecurity. In the case of BEC, they are the same conversation.

Why this matters now

BEC is dangerous because it avoids the drama that usually makes cyber risk feel visible. There may be no ransomware note. No screaming alert. No locked screen. No immediate outage.

Just a believable request, acted on by someone trying to do their job.

That is why the FBI’s numbers are so striking. More than $55 billion in exposed losses over the long run is not a niche problem. It is a warning about how expensive trust-based fraud can become when businesses assume normal operations are safe by default. FBI IC3 PSA

BEC is not the loudest cyber threat.

It is one of the most believable.

How Veriti Spottr helps

Veriti Spottr helps SMBs understand their external exposure, identify weak points that attackers can exploit, and turn vague cyber concern into practical next actions. In a world where trust can be manipulated through email, spoofing, and compromised accounts, visibility matters.

If your business wants a practical place to start, begin by reducing the number of ways an attacker can impersonate, compromise, or pressure the people your company trusts most.

→ Head to Veriti Spottr for a free external scan

