NewSecurity Audit Kit — audit your business in 15 minutes.Launch $49· limited time offer
BECbusiness email compromiseCEO fraudwire fraudvendor fraudinvoice scams

Business Email Compromise: The $3 Billion Wire Fraud Scam

Courtney
10 min read
Share
Free Interactive Guide

Free: How to Keep Yourself Safe From Scammers

9 chapters. Reporting checklist. 30-second protection checklist. Read on the site.

Business Email Compromise: The $3 Billion Wire Fraud Scam

It's 4:47pm on a Friday — the worst possible time to slow down and double-check anything. An email lands in accounts payable, signed by the CEO, marked urgent: wire $47,000 to a new vendor account before the bank cuts off for the weekend. The tone is right. The signature block is right. The only thing wrong is that the CEO never sent it.

That's business email compromise, and in 2025 it cost US businesses $3.046 billion in reported losses — the second-highest loss category the FBI tracks, behind only investment fraud — up from $2.77 billion the year before, according to the FBI's 2025 Internet Crime Report. The average complaint involved more than $122,000, and 86% of that money moved by wire transfer or ACH — fast, and usually gone before anyone notices.

How Business Email Compromise Actually Works

BEC isn't really a hacking scam. Most of the time, nobody breaks anything. It's a con that uses real email accounts, real vendor relationships, and real company processes, and just quietly redirects one step in a transaction that would have happened anyway.

It starts with research. Scammers scrape LinkedIn for your org chart, read your company's press releases for names and titles, and watch out-of-office replies for windows when an executive is traveling and harder to reach by phone. Some compromise a real employee or vendor mailbox outright — through a prior phishing email — and just sit inside it for weeks, reading how that person actually writes before sending anything.

Then comes the ask. An email arrives that looks like it's from someone you'd normally act on without a second thought — the CEO, a long-time vendor, HR. It asks for a wire transfer, a change to where a vendor gets paid, or a batch of employee tax forms. It's polished, specific, and usually timed for a moment when double-checking feels inconvenient — end of day, end of quarter, right before a holiday weekend.

Not sure if your message is real? Paste it into Cautellus and get a risk score before you reply.

Scan it free →

The 5 Ways BEC Actually Shows Up

CEO fraud. The classic version — an email impersonating your CEO or CFO, requesting an urgent, confidential wire transfer. The newest wrinkle is that "urgent and confidential" now sometimes comes with a video call to back it up, part of the same wave of AI-enabled impersonation scams showing up everywhere from fake job interviews to romance scams. In the Arup engineering firm case, a Hong Kong finance employee who was suspicious of an email got on a video call with people who looked and sounded exactly like his CFO and colleagues — and sent $25.6 million across 15 wire transfers before anyone realized every face on that call was AI-generated.

Vendor email compromise. A real supplier's email account gets hijacked, and the attacker waits inside an existing invoice thread until the right moment to send a message: "Quick update — please send this month's payment to our new account." Same thread, same tone, same signature block. It's the hardest variant to catch because nothing about the email relationship looks new.

Attorney impersonation. An email claiming to be from outside counsel, usually tied to something real — a pending deal, a lawsuit, an acquisition — marked confidential and time-sensitive, pressuring whoever receives it to wire funds or share sensitive documents without looping in a second person "to protect the deal."

Payroll diversion. HR gets a message that looks like it's from an employee (often a senior one), asking to update their direct-deposit account before the next pay run. The change goes through, and the employee's actual paycheck goes to the scammer instead.

W-2 and tax data theft. Timed for tax season, this version asks HR or payroll for a batch of employee W-2s or other tax documents "for an audit" or "for the accountant." No money moves in this one — the payoff is a stack of Social Security numbers the attacker can use or sell.

Why It Slides Past Your Spam Filter

Traditional phishing defenses look for malicious links, sketchy attachments, or spoofed domains. BEC often has none of those. There's frequently no link to scan and no malware to flag — just a well-written email asking a real employee to do something that looks like part of their normal job. Security researchers have found a large share of BEC emails now show signs of AI generation, which is exactly why they no longer carry the broken grammar and awkward phrasing that used to give phishing away. The email isn't attacking your software. It's attacking the fact that someone in your company has the authority to move money, and trusts the person who appears to be asking.

The Red Flags Hiding in Plain Sight

  • A request to keep it quiet. Legitimate wire instructions don't come with "don't mention this to anyone yet." Secrecy is a control tactic, not a compliance requirement.
  • A sudden change to payment details. A vendor you've paid the same way for two years suddenly has "new" banking information. That's the single most common tell in vendor email compromise.
  • Pressure tied to a deadline that benefits the sender, not you. "Before the bank closes," "before the wire cutoff," "before I leave for the airport" — all designed to get a wire out before anyone can verify it.
  • A reply-to address that doesn't match the display name. The name says your CEO. The actual email address, visible if you tap or hover on it, is something else entirely.
  • An unusual channel switch. An email conversation that suddenly asks you to confirm details over text or a personal number you don't recognize is trying to get you off any channel your company can review later.
  • A request that skips your normal process. If your company has a policy that wires above a certain amount need a second signoff, and the email specifically asks you to skip it "just this once," that's the tell, not an inconvenience.

If This Already Happened to You

Time matters more than almost anything else here. If you've just sent a fraudulent wire, call your bank's fraud department immediately and ask them to request a wire recall — banks can sometimes stop or claw back funds if they act within hours, not days. Then file a report with the FBI's Internet Crime Complaint Center at ic3.gov; IC3's Recovery Asset Team can alert the receiving bank directly, but only while the money is still sitting there. If W-2s or other tax documents went out, notify affected employees immediately so they can place credit freezes and watch for fraudulent tax filings — the earlier they know, the more of that damage they can head off.

How to Not Become the Next Wire Transfer

The single highest-impact fix is a written out-of-band verification policy: any request to move money or change banking details, no matter who it appears to come from, gets confirmed by a phone call to a number you already have on file — never a number in the email. Make this a rule with no exceptions, including for the CEO, and give your finance team explicit cover to enforce it without pushback.

On the technical side, put email authentication in place — SPF, DKIM, and DMARC — so spoofed messages claiming to be from your own domain get flagged or rejected before they reach an inbox. Pair that with a policy of logging into DocuSign or any e-signature platform directly rather than clicking email links, since fake signature requests are a common BEC delivery method for slipping malicious documents past a busy AP team.

Because so much of BEC starts with a compromised email account, hardening the accounts themselves matters as much as training people to spot the ask. A hardware security key like a YubiKey on any account with wire authority or vendor-payment access closes off the credential-phishing path attackers use to get inside a real mailbox in the first place — even if someone's password gets phished, there's no session for the attacker to hijack without the physical key.

None of this replaces training. Our phishing training guide for small businesses covers the five rules every employee should know, and our breakdown of callback phishing and CEO fraud covers the phone-based cousin of this same scam. If a suspicious email lands in your inbox and you want a second opinion before you act on it, run it through Cautellus's email scanner first.

Got something like this in your inbox? Drop it into the scanner — it takes 5 seconds and could save you thousands.

Check it now →

FAQ

Is business email compromise the same thing as phishing? It's related but narrower. Phishing is the delivery method — the email itself. BEC specifically refers to scams that impersonate a trusted business relationship (an executive, vendor, or HR contact) to redirect money or sensitive data, often without any malicious link or attachment involved at all.

How do scammers know so much about our company? Mostly from public sources — LinkedIn profiles, press releases, company websites, and even out-of-office auto-replies that announce when an executive is traveling. Some BEC attacks also start with a genuinely compromised email account, giving the attacker access to real internal conversations to study before impersonating anyone.

We caught a BEC attempt before any money moved. Is it still worth reporting? Yes. File a report at ic3.gov even with no financial loss — it helps the FBI track patterns and can flag your company's information if the same scammer targets you again.

Can our bank always recall a fraudulent wire? No, but speed dramatically improves the odds. Wires recalled within a few hours of being sent have a real chance of being frozen at the receiving bank before the money moves again. Wait a few days, especially if funds crossed into cryptocurrency or moved through multiple accounts, and recovery becomes far less likely.

Does cyber insurance cover BEC losses? Sometimes, but not automatically. Many cyber insurance policies specifically exclude "social engineering" losses like BEC unless you've purchased a separate rider for it. Check your policy language directly, and don't assume general cyber coverage includes wire fraud caused by a convincing email.

We're a small business. Are we really a target? Yes — arguably more than large companies. Smaller businesses often lack a dedicated finance team with built-in second-signoff requirements, making a single convincing email enough to move real money. Attackers don't need a Fortune 500 target when a modest wire from a 12-person company works just as well.

The email that empties an account rarely looks like a threat. It looks like Tuesday's to-do list — which is exactly the point, and exactly why the phone call back to a number you already trust is the habit that actually stops this.

Sources: FBI Internet Crime Complaint Center (IC3) 2025 Annual Report · FBI IC3 Public Service Announcement PSA240911, "Business Email Compromise: The $55 Billion Scam" · CNN Business reporting on the Arup deepfake wire fraud case

Think you've been targeted? Paste any text, link, email, or screenshot into Cautellus for instant AI analysis.

Scan something free →
C

Courtney

Founder, Cautellus · 20+ years in financial services

Two decades in financial compliance, digital security, and fraud prevention. Built Cautellus because the scam detection tools that exist were made for IT departments, not for real people getting weird texts.

Learn more

Keep reading

Support Our Mission

Cautellus is built to protect people from online fraud. Your contribution helps us keep building security tools and resources.

Found This Helpful?

Try Cautellus to analyze suspicious messages, links, and images and protect yourself from fraud.

Try the Scam Scanner