
What Is a Business Email Compromise and Why Is It Targeting Your Industry

If you have never heard the term Business Email Compromise before, you have almost certainly seen its effects. A vendor sends a legitimate-looking email asking you to update their payment information. A senior employee emails accounting requesting an urgent wire transfer. A client receives an invoice from your company that you never sent. All of these are Business Email Compromise, and it consistently ranks among the costliest cybercrime categories in the FBI's annual Internet Crime Report.

How Business Email Compromise Actually Works

There are two primary forms of BEC. The first involves a compromised email account. The attacker gains access to a legitimate mailbox, monitors communications, learns the business relationships and financial patterns, and then uses that trusted account to send fraudulent requests. Because the email comes from a real account with a real history, recipients have no reason to be suspicious.

The second form involves impersonation without account access. The attacker registers a lookalike domain, swapping a letter, adding a word, or using a different top-level domain, and sends emails that appear to come from a trusted contact. This is less sophisticated but still effective: most people read the display name, not the actual address, and because the attacker controls the lookalike domain's DNS, its mail can legitimately pass SPF, DKIM and DMARC for that domain.

In both cases the payoff comes from manipulating a person rather than from exploiting software. The technical entry point, whether a phished password or a newly registered domain, is just the means to an end.
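A simple way to catch the second form at the mail gateway is to compare every sender's domain against the domains of the partners you actually exchange payment details with. The check below is an added example written for this post, not code from the original article or from any product it describes. The trusted domains and every sender it tests are constructed; it assumes single-label TLDs (example.com rather than example.co.uk) and a small table of look-alike character substitutions, and it looks for each of the three tricks the post names: a swapped or look-alike character, extra text added to the name, and a changed top-level domain.

```python
"""Lookalike-domain check for inbound mail (added example, not from the original post).

Flags a sender domain that resembles one of the firm's trusted partner domains by a
swapped or look-alike character, extra text added to the name, or a different TLD.
Every domain below is constructed; single-label TLDs are assumed.
"""

# Character substitutions that read alike in many fonts. Sender and trusted labels
# are both normalised with the same table, so the replacement order is consistent.
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "l": "i"}

# Constructed list of partner domains this firm exchanges payment details with.
TRUSTED = ["smithlegal.com", "harborescrow.com"]


def split_domain(domain):
    """Return (registrable label, tld), lowercased; assumes a one-label TLD."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return (parts[-2], parts[-1]) if len(parts) >= 2 else (parts[0], "")


def normalize(label):
    """Collapse look-alike characters and hyphens so 'srnith-lega1' matches 'smithlegal'."""
    for lookalike, plain in HOMOGLYPHS.items():
        label = label.replace(lookalike, plain)
    return label.replace("-", "")


def levenshtein(a, b):
    """Edit distance: the number of single-character edits that turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(sender_domain, trusted_domains=TRUSTED):
    """Return (verdict, reason) with verdict in {'trusted', 'lookalike', 'unrelated'}."""
    s_label, s_tld = split_domain(sender_domain)
    for trusted in trusted_domains:
        t_label, t_tld = split_domain(trusted)
        if (s_label, s_tld) == (t_label, t_tld):
            return "trusted", f"exact match for {trusted}"
        if s_label == t_label:                      # same name, different TLD
            return "lookalike", f"{trusted} with the TLD changed to .{s_tld}"
        if normalize(s_label) == normalize(t_label):
            return "lookalike", f"{trusted} with look-alike characters substituted"
        max_edits = 1 if len(t_label) < 8 else 2    # short names tolerate fewer edits
        if levenshtein(s_label, t_label) <= max_edits:
            return "lookalike", f"within {max_edits} edit(s) of {trusted}"
        if t_label in s_label:                      # trusted name buried in a longer one
            return "lookalike", f"{trusted} with extra text added ({s_label})"
    return "unrelated", "does not resemble any trusted domain"


if __name__ == "__main__":
    for sender in ["smithlegal.com", "smithlegal.co", "srnithlegal.com",
                   "smithlegal-closing.com", "harborescrovv.com", "example.com"]:
        verdict, reason = classify_sender(sender)
        print(f"{sender:26} {verdict:10} {reason}")
```

In a real gateway you would resolve the registrable domain with the public suffix list rather than splitting on the last dot, compare both the From header and the Return-Path, and treat a "lookalike" verdict as a reason to quarantine or tag the message rather than block it outright, since a legitimate partner occasionally does rebrand to a similar name.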

Why Professional Services Firms Are Primary Targets

Law firms, accounting firms, financial advisors, and real estate companies are disproportionately targeted for one reason: they handle large financial transactions on behalf of clients and they communicate heavily over email about those transactions.

A law firm handling a real estate closing communicates by email about wire transfer amounts, account numbers, and closing dates. An accounting firm emails clients about tax payments and vendor invoices. A financial advisor communicates about fund transfers and account changes. These are exactly the conversations attackers want to intercept because the financial stakes are high and the transactions are time-sensitive enough that people do not always stop to verify.

The urgency is part of the attack. A closing is happening tomorrow. A payment is due today. The attacker knows that time pressure reduces scrutiny.

The Three Stages of a BEC Attack

Stage 1: Reconnaissance. The attacker identifies the target, researches the business relationships and financial patterns, and identifies the right accounts to compromise or impersonate. This often starts with a phishing email designed to harvest credentials.

Stage 2: Positioning. Once inside or with a convincing impersonation in place, the attacker monitors communications and waits for the right moment. They are looking for an active financial transaction they can intercept or a trusted relationship they can exploit. This stage can last days or weeks.

Stage 3: Execution. The attacker inserts themselves into the conversation, redirects payment information, or sends fraudulent requests at a moment when timing makes scrutiny less likely. By the time anyone realizes something is wrong, the transfer has often already been made.

What Makes BEC Hard to Detect

Traditional email security tools are built to detect malware, malicious links, and known phishing patterns. A BEC attack that uses a legitimate compromised account generates no malware alerts. There are no malicious links to scan. The message passes SPF, DKIM and DMARC because it genuinely leaves the organization's own mail servers from the real account.

The indicators that something is wrong are behavioral rather than signature-based. An inbox rule created at 3am that quietly moves anything mentioning an invoice out of sight. A login from a city the account owner has never been to. An email thread where the payment instructions changed at the last minute. Spotting these requires a person who knows what to look for and has access to the right logs: the sign-in logs and the mailbox audit trail that records rule and forwarding changes.

What Stops BEC

No single control eliminates BEC risk entirely, but several controls together make it significantly harder to execute successfully:

  • MFA on all accounts blocks the most common credential-based entry points; prefer phishing-resistant methods (FIDO2 security keys or passkeys), since reverse-proxy phishing kits can relay one-time codes and capture the resulting session cookie
  • Conditional Access policies that restrict logins from unfamiliar devices and locations add another layer
  • Continuous monitoring of inbox rules and forwarding settings, covering mailbox-level forwarding as well as rules that forward, delete, or move mail, catches the persistence mechanisms attackers rely on
  • A clear verification policy for any change to payment instructions, requiring a phone call to a number already on file (never one taken from the email itself) before any wire transfer details are updated
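The behavioral indicators described earlier (the 3am inbox rule, the sign-in from an unfamiliar city) and the monitoring control above come down to the same hunt over audit data. The script below is an added example written for this post, not code from the original article or from Microsoft; it runs that hunt over a handful of constructed records. The records use a simplified shape loosely modelled on unified audit log entries (Operation, CreationTime in UTC, UserId, ClientIP, a Parameters list); the user names, IP addresses, locations, the Location field, the business-hours window and the per-user location baseline are all assumptions. In production the inputs would be Search-UnifiedAuditLog output for the rule and mailbox changes and the Entra ID sign-in log, which is where geolocation actually lives.

```python
"""Hunt for BEC indicators in Microsoft 365 audit data (added example, not from the original post).

The records are constructed, in a simplified shape loosely modelled on unified audit log
entries (Operation, CreationTime in UTC, UserId, ClientIP, Parameters). User names, IPs,
locations and the Location field are assumptions; real inputs would be Search-UnifiedAuditLog
output and the Entra ID sign-in log.
"""
from datetime import datetime

OWN_DOMAIN = "smithlegal.example"        # assumption: the firm's own mail domain
BUSINESS_HOURS_UTC = range(7, 19)        # assumption: 07:00-18:59 UTC is normal activity
SUSPECT_FOLDERS = {"rss subscriptions", "conversation history", "archive", "junk email", "deleted items"}
FINANCE_WORDS = {"invoice", "wire", "payment", "remit", "closing", "bank"}
FORWARDING_PARAMS = ["ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress"]
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule", "Set-Mailbox"}

# Constructed sample records: one compromised user (jdoe) and one normal user (asmith).
RECORDS = [
    {"Operation": "New-InboxRule", "CreationTime": "2024-03-12T03:07:44", "UserId": "jdoe@smithlegal.example",
     "ClientIP": "203.0.113.9", "Parameters": [
         {"Name": "Name", "Value": "."}, {"Name": "SubjectContainsWords", "Value": "invoice;wire"},
         {"Name": "MoveToFolder", "Value": "RSS Subscriptions"}, {"Name": "MarkAsRead", "Value": "True"}]},
    {"Operation": "New-InboxRule", "CreationTime": "2024-03-12T14:20:01", "UserId": "asmith@smithlegal.example",
     "ClientIP": "198.51.100.4", "Parameters": [{"Name": "Name", "Value": "Newsletters"},
         {"Name": "From", "Value": "news@vendor.example"}, {"Name": "MoveToFolder", "Value": "Reading"}]},
    {"Operation": "Set-Mailbox", "CreationTime": "2024-03-11T23:41:10", "UserId": "jdoe@smithlegal.example",
     "ClientIP": "203.0.113.9", "Parameters": [
         {"Name": "ForwardingSmtpAddress", "Value": "smtp:jdoe.backup@mail.example"},
         {"Name": "DeliverToMailboxAndForward", "Value": "True"}]},
    {"Operation": "UserLoggedIn", "CreationTime": "2024-03-11T23:38:52", "UserId": "jdoe@smithlegal.example",
     "ClientIP": "203.0.113.9", "Location": "Lagos, NG"},
    {"Operation": "UserLoggedIn", "CreationTime": "2024-03-12T08:02:13", "UserId": "asmith@smithlegal.example",
     "ClientIP": "198.51.100.4", "Location": "Denver, US"},
]
# Assumption: locations each user signed in from during the previous 90 days.
KNOWN_LOCATIONS = {"jdoe@smithlegal.example": {"Denver, US", "Chicago, US"},
                   "asmith@smithlegal.example": {"Denver, US"}}


def params(record):
    """Flatten the Parameters list into a {Name: Value} dict of strings."""
    return {p["Name"]: str(p.get("Value", "")) for p in record.get("Parameters", [])}


def is_external(address):
    """True when a forwarding target lies outside the firm's own domain."""
    address = address.lower()
    if address.startswith("smtp:"):
        address = address[5:]
    return "@" in address and not address.endswith("@" + OWN_DOMAIN)


def check_rule(record):
    """Reasons an inbox-rule or mailbox-forwarding change looks like BEC persistence."""
    p, reasons = params(record), []
    hour = datetime.fromisoformat(record["CreationTime"]).hour
    if hour not in BUSINESS_HOURS_UTC:
        reasons.append(f"changed at {hour:02d}:xx UTC, outside business hours")
    for name in FORWARDING_PARAMS:
        if name in p and is_external(p[name]):
            reasons.append(f"{name} sends mail outside the organisation ({p[name]})")
    if p.get("DeleteMessage", "").lower() == "true":
        reasons.append("rule deletes matching messages")
    if p.get("MoveToFolder", "").lower() in SUSPECT_FOLDERS:
        reasons.append(f"rule hides matching messages in '{p['MoveToFolder']}'")
    words = {w.strip().lower() for w in p.get("SubjectContainsWords", "").split(";") if w.strip()}
    if words & FINANCE_WORDS:
        reasons.append(f"rule keys on finance terms {sorted(words & FINANCE_WORDS)}")
    if record["Operation"].endswith("InboxRule") and p.get("Name", "").strip() in {"", ".", ",", ".."}:
        reasons.append("rule has an empty or single-character name")
    return reasons


def check_signin(record, known=KNOWN_LOCATIONS):
    """Flag a sign-in from a location absent from the user's baseline."""
    location = record.get("Location", "unknown")
    if location not in known.get(record["UserId"], set()):
        return [f"sign-in from {location} via {record['ClientIP']}, not in this user's baseline"]
    return []


def hunt(records):
    """Return (UserId, Operation, reasons) for every record that trips a check."""
    findings = []
    for record in records:
        if record["Operation"] in RULE_OPERATIONS:
            reasons = check_rule(record)
        elif record["Operation"] == "UserLoggedIn":
            reasons = check_signin(record)
        else:
            reasons = []
        if reasons:
            findings.append((record["UserId"], record["Operation"], reasons))
    return findings


def correlate(findings):
    """Users with both an anomalous sign-in and a rule/forwarding change: the BEC positioning pattern."""
    ops_by_user = {}
    for user, operation, _ in findings:
        ops_by_user.setdefault(user, []).append(operation)
    return {u: ops for u, ops in ops_by_user.items()
            if "UserLoggedIn" in ops and any(o in RULE_OPERATIONS for o in ops)}


if __name__ == "__main__":
    results = hunt(RECORDS)
    for user, operation, reasons in results:
        print(user, operation, "->", "; ".join(reasons))
    print("investigate first:", sorted(correlate(results)))
```

Two design points matter in practice. Audit timestamps are UTC, so the business-hours window has to be expressed in UTC (or converted per user) or a perfectly normal 9am rule in one time zone will light up as a 3am rule in another. And the sign-in check is only as good as its baseline: build it from a trailing window of the user's own history rather than a fixed list, and review new locations as they appear instead of silently adding them.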

The businesses that lose money to BEC are not always the ones with the weakest security. They are often the ones that had reasonable controls in place but had no way to detect that an attacker was already inside, already watching, and already waiting.

If the last time your Microsoft 365 environment was reviewed for hidden inbox rules and anomalous sign-in activity was more than 90 days ago, that gap is worth closing.

Need help securing your environment?

Book a free 30-minute consultation. We will assess your Microsoft 365 environment and tell you where the gaps are.
