What is business email compromise (BEC)?

Business email compromise (BEC) is a type of phishing attack that targets organizations, with the goal of stealing money or critical information.

Defend against business email compromise

Business email compromise (BEC) defined

Business email compromise (BEC) is a type of cybercrime where the scammer uses email to trick someone into sending money or divulging confidential company info. The culprit poses as a trusted figure, then asks for a fake bill to be paid or for sensitive data they can use in another scam. BEC scams are on the rise due to increased remote work—there were nearly 20,000 BEC complaints to the FBI last year.¹

Types of business email compromise scams

Email is the starting point for 91 percent of cyberattacks.² Learn about the most common types of compromised email.

Data theft

Sometimes scammers start by targeting the HR department and stealing company information like someone’s schedule or personal phone number. Then it’s easier to carry out one of the other BEC scams and make it seem more believable.

False invoice scheme

Posing as a legitimate vendor your company works with, the scammer emails a fake bill—often closely resembling a real one. The account number might only be one digit off. Or they may ask you to pay a different bank, claiming your bank is being audited.

CEO fraud

Scammers either spoof or hack into a CEO’s email account, then email employees instructions to make a purchase or send money via wire transfer. The scammer might even ask an employee to purchase gift cards, then request photos of serial numbers.

Lawyer impersonation

In this scam, attackers gain unauthorized access to an email account at a law firm. Then they email clients an invoice or link to pay online. The email address is legitimate, but the bank account isn’t.

Account compromise

Scammers use phishing or malware to get access to a finance employee’s email account, such as an accounts receivable manager. Then the scammer emails the company’s suppliers fake invoices that request payment to a fraudulent bank account.

How do BEC scams work?

Here’s what happens in a BEC scam:

1. Scammers research their targets and figure out how to fake their identity. Sometimes they create fake websites or even register companies with the same name as yours in a different country.

2. Once they have access, scammers monitor emails to figure out who might send or receive money. They also look at conversation patterns and invoices.

3. During an email conversation, the scammer impersonates one of the parties by spoofing the email domain. (The email address might be off by a letter or two, or it might be the correct email address “via” a different domain—for example, chris@contoso.com via fabrikam.com.)

4. The scammer tries to gain the target’s trust and then asks for money, gift cards, or information.

Targets of business email compromise

Anyone can be the target of a BEC scam. Businesses, governments, nonprofits, and schools are all targeted, specifically these roles:

1. Executives and leaders, because details about them are often publicly available on the company website, so attackers can pretend to know them.

2. Finance employees like controllers and accounts payable staff who have banking details, payment methods, and account numbers.

3. HR managers with employee records like social security numbers, tax statements, contact info, and schedules.

4. New or entry-level employees who won’t be able to verify an email’s legitimacy with the sender.

The dangers of BEC

If a business email compromise attack is successful, your organization could:

1. Lose hundreds of thousands to millions of dollars.

2. Face widespread identity theft if personally identifiable information is stolen.

3. Accidentally leak confidential data like intellectual property.

As BEC schemes evolve, so do threat protection strategies. In fact, Microsoft blocked 32 billion email threats last year.³ Learn more about Microsoft’s email threat protection solutions.

Business email compromise examples

Example #1: Pay this urgent bill

Say you work in your company’s finance department. You get an email from the CFO with an urgent request about an overdue bill—but it’s not actually from the CFO. Or the scammer pretends to be your repair company or internet provider and emails a convincing-looking invoice.

Example #2: What’s your phone number?

A company executive emails you, “I need your help with a quick task. Send me your phone number and I’ll text you.” Texting feels safer and more personal than email, so the scammer hopes you’ll text them payment info or other sensitive information. This is called “smishing,” or phishing via SMS (text) message.

Example #3: Your lease is expiring

A scammer gets access to a real estate company’s email, then finds transactions in progress. They email clients, “Here’s the bill to renew your office lease for another year” or “Here’s the link to pay your lease deposit.” Scammers recently swindled someone out of more than $500,000 this way.⁴

Example #4: Top secret acquisition

Your boss asks for a down payment to acquire one of your competitors. “Keep this just between us,” the email says, discouraging you from verifying the request. Since M&A details are often kept secret until everything is final, this scam might not seem suspicious at first.

Tips to prevent BEC

Follow these five best practices to stop business email compromise:

Use a secure email solution

Email apps like Office 365 automatically flag and delete suspicious emails or alert you that the sender isn’t verified. Then you can block certain senders and report emails as spam. Defender for Office 365 adds even more BEC prevention features like advanced phishing protection and suspicious forwarding detection.

Set up multifactor authentication (MFA)

Make your email harder to compromise by turning on multifactor authentication, which requires a code, PIN, or fingerprint to log in as well as your password.

Teach employees to spot warning signs

Make sure everyone knows how to spot phishing links, a domain and email address mismatch, and other red flags. Simulate a BEC scam so people recognize one when it happens.

Set security defaults

Administrators can tighten security requirements across the entire organization by requiring everyone to use MFA, challenging new or risky access with authentication, and forcing password resets if info is leaked.

Use email authentication tools

Make your email harder to spoof by authenticating senders using Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting, and Conformance (DMARC).

Adopt a secure payment platform

Consider switching from emailed invoices to a system specifically designed to authenticate payments.

Business email compromise protection

Help protect your organization with solutions to detect suspicious email like Microsoft Defender for Office 365, which can:

1. Automatically check email authentication standards, detect spoofing, and send emails to quarantine or junk folders.

2. Use AI to model each person’s normal email patterns and flag unusual activity.

3. Configure email protection by user, domain, and mailbox.

4. Investigate threats, find out who’s being targeted, detect false positives, and identify scammers in Threat Explorer.

5. Check domain-wide email patterns and highlight unusual activity with advanced algorithms in Spoof Intelligence.

Learn more about Microsoft Security

Six tips to make email safer

Follow these email security best practices to help protect against BEC.

Read the tips

Understand the gift card scam

Read actual emails from scammers trying to pull off a BEC scam so you’re prepared.

Discover their tactics

Go inside a BEC attack

Learn how scammers operate in this real-life business email compromise scam.

Get the details

Prevent password spray attacks

Learn how to stop this email attack and find out who at your organization is vulnerable.

Read the post

What CISOs should know

Learn about the state of security awareness training and how to educate your team about phishing.

How MFA prevents phishing

Take one of the fastest and easiest steps to thwart BEC scams: turn on multifactor authentication.

Learn more

Meet the Digital Crimes Unit

Learn how Microsoft’s cybercrime team counteracts BEC with product innovation, research, and AI.

Discover the DCU

Frequently asked questions

File a complaint with the FBI’s Internet Crime Complaint Center (IC3). Report the email through your email provider by marking it as junk or spam. If your email doesn’t have that option, tell your supervisor.
Phishing is just one part of business email compromise. BEC is the umbrella term, a type of attack that often includes phishing, spoofing, impersonation, and fake invoices.fake invoices.
Protect business emails by following email security best practices like using a secure email provider, turning on multifactor authentication (MFA), choosing a strong email password and changing it often, and not sharing personal details online. If you’re an administrator, consider email security solutions like Defender for Office 365, configure the security settings, and monitor activity for anomalies.
Detect BEC scam and fraud by noticing anything unusual, like an email sent outside of business hours, misspelled names, a mismatch between the sender email address and the reply-to address, a sense of urgency, strange links and attachments, or changes to payment or billing info. You can also detect BEC scams by checking your email account’s deleted emails and forwarding rules to see if your account has been compromised. If your email app flags certain emails as suspicious or unverified, that’s another way to detect BEC scams.
Email spoofing is forging an email address so it looks like an email came from someone else. Spoofed emails can look like the real thing but be from a different domain that isn’t obvious until you inspect it (chris@contoso.com via fabrikam.com) or have subtle misspellings (chris@cont0so.com) or be from a different domain altogether (chris@fabrikam.com).

1. FBI. “Internet Crime Report 2021.” Internet Crime Complaint Center. 2021.

2. Ganacharya, Tanmay. “Protecting against coronavirus themed phishing attacks.” Microsoft Security blog. March 20, 2020.

3. Microsoft. “Digital Defense Report.” October 2021.

4. US Department of Justice. “Rhode Island Man Pleads Guilty to Conspiracy to Launder Funds of Email Compromise Fraud Targeting Massachusetts Lawyer.” July 15, 2020.