Business email compromise, often shortened to BEC, is a cyberattack where an attacker uses trusted email communication to trick someone into sending money, sharing sensitive data, changing payment instructions, or granting access.
BEC is dangerous because it often looks like normal business. The email may come from a real account. The message may not include malware. The request may sound routine, especially when it is wrapped in urgency, authority, or an existing relationship.
The attacker is not always trying to break a technical control. Many times, the attacker is trying to abuse how people already work.
How BEC Attacks Work
A BEC attack usually starts with research. The attacker learns who approves payments, who manages vendors, who works for the CEO, or who handles payroll and invoices. From there, the attacker creates a believable request.
Some attacks rely on impersonation. Others rely on a real mailbox that has already been compromised. In the more damaging cases, the attacker quietly watches a conversation and then inserts new payment instructions at the right moment.
The best BEC attacks do not feel like attacks. They feel like work.
Common Types of BEC
BEC shows up in several different forms. The tactics change, but the goal is usually money, data, or access.
Why BEC Is Hard to Detect
BEC is hard to detect because it may not contain a malicious file, a suspicious link, or a known payload. A message can pass technical checks and still be fraudulent.
The risk often lives across email, identity, process, and human behavior. A compromised mailbox with no MFA is an identity problem. An invoice approved only by email is a process problem. A trusted sender asking for a rushed payment is a people problem. BEC takes advantage of all of it.
BEC vs. Phishing
BEC is a type of phishing, but it is usually more targeted. Basic phishing often tries to get many people to click a link or open an attachment. BEC usually focuses on a smaller group of people who can move money, approve access, or change sensitive information.
A phishing email may look sloppy. A good BEC email may look like something the recipient has seen a hundred times before.
What Makes BEC Risk Worse
BEC risk increases when attackers have an easier path to trust. Common risk factors include:
How Organizations Reduce BEC Risk
BEC prevention works best when technical controls and business process controls reinforce each other. Email security helps, but it is not enough by itself.
Organizations should require MFA, disable legacy authentication, monitor risky sign-ins, review inbox forwarding rules, train users on financial fraud patterns, and verify payment changes through a second channel. Finance and HR workflows should be designed so one convincing email cannot create a loss.