Business Email Compromise (BEC) Scams: How One Email Can Cost Your Business Thousands
The Billion-Dollar Scam Targeting Your Business
John runs a construction business.
Like many companies, his team occasionally wires money to suppliers—materials, equipment, subcontractors. It’s routine.
One morning, John’s office manager, Mary, receives an email.
It’s from a supplier they’ve worked with before.
Same name. Same email thread. Same conversation history.
The message is simple:
“Hi Mary — quick update, our payment information has changed. Please use the new banking details on the next invoice.”
It even references prior emails in the thread.
Nothing seems off.
It just so happens they have a large invoice due.
So Mary updates the payment details and sends the wire.
The money never reaches the supplier.
What Just Happened?
John’s company just experienced a Business Email Compromise (BEC).
It’s one of the most financially damaging scams affecting businesses today.
According to the Federal Bureau of Investigation, BEC scams account for billions of dollars in losses each year, making them one of the costliest forms of cyber-enabled fraud.
And unlike many scams, these don’t rely on obvious red flags.
They rely on precision.
How Scammers Pull This Off
BEC scams are not random.
They’re targeted.
Here’s how it typically works:
1. They Get Access (or Watch Closely)
Scammers may:
- Compromise a real email account
- Or monitor communications from the outside
They learn:
- Who handles payments
- Who the vendors are
- When invoices are due
2. They Wait for the Right Moment
Timing is everything.
They strike when:
- A payment is expected
- A project is active
- A large invoice is due
3. They Insert Themselves Into the Conversation
Instead of sending a brand-new email, they often:
- Reply to an existing thread
- Use familiar language and formatting
- Mimic the vendor’s tone
That’s what makes it so convincing.
4. They Change One Thing
Just one:
Payment instructions.
Everything else looks legitimate.
Why This Scam Is So Effective
BEC scams work because they:
- Don’t look like scams
- Come from trusted contacts
- Appear at the exact right time
- Create a sense of routine, not urgency
Mary wasn’t careless.
She was doing her job.
The Red Flags (That Are Easy to Miss)
Even sophisticated scams often include subtle warning signs:
🚩 Requests to change payment instructions
🚩 New bank accounts, especially for existing vendors
🚩 Slight differences in email addresses (even one character)
🚩 Messages that discourage verification (“please process quickly”)
🚩 Unexpected changes tied to active invoices
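Three of the red flags above (a one-character difference in the sender's address, a request to change payment instructions, and wording that discourages verification) can be checked mechanically on incoming mail. The Python below is an added example, not part of the original article; the vendor domains, the phrase patterns and the two sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: vendor domains already on file (constructed values).
KNOWN_VENDOR_DOMAINS = {"acme-supply.example", "northfield-lumber.example"}
PAYMENT_CHANGE = re.compile(
    r"\b(payment|bank(?:ing)?|wire|ach|account)\s+(information|details|instructions)\b"
    r".{0,40}?\b(changed|updated|new)\b|\bnew\s+bank(?:ing)?\s+(details|account)",
    re.I | re.S)
PRESSURE = re.compile(r"process (this )?quickly|as soon as possible|urgent", re.I)

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def red_flags(raw_message):
    """Return the red flags found in one plain-text RFC 5322 message."""
    msg = message_from_string(raw_message)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    body = msg.get_payload()
    flags = []
    if domain not in KNOWN_VENDOR_DOMAINS:
        # Unknown domain within two edits of a vendor on file: likely lookalike.
        near = [d for d in KNOWN_VENDOR_DOMAINS if edit_distance(domain, d) <= 2]
        if near:
            flags.append(f"lookalike sender domain: {domain} vs {near[0]}")
    if PAYMENT_CHANGE.search(body):
        flags.append("payment instruction change")
    if PRESSURE.search(body):
        flags.append("discourages verification")
    return flags

# Constructed samples: a lookalike domain, then the vendor's real domain.
LOOKALIKE = ("From: Billing <billing@acme-suppiy.example>\n"
             "Subject: Re: Invoice 1042\n\n"
             "Hi Mary, quick update, our payment information has changed. "
             "Please use the new banking details and process quickly.\n")
COMPROMISED = LOOKALIKE.replace("acme-suppiy", "acme-supply")
```

The second sample is sent from the vendor's real domain, as it would be if the account itself were compromised, so only the content flags fire. That is why a call to a known, trusted number remains the deciding control.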
How to Protect Your Business
A few simple controls can prevent most BEC losses:
1. Verify Changes — Always
If payment instructions change:
- Call the vendor using a known, trusted number
- Do not rely on the email itself
2. Require Dual Approval
For wires or ACH changes:
- Two people should review and approve
- Especially for large payments
3. Lock Down Email Accounts
- Use multi-factor authentication (MFA)
- Monitor for suspicious logins
4. Train Your Team
Your employees are your first line of defense.
Make sure they know:
- This scam exists
- It looks real
- Verification is expected—not optional
What to Do If Fraud Occurs
If your business sends a fraudulent payment, act immediately:
- Contact your bank to request a wire recall
- Report the incident to the Internet Crime Complaint Center (IC3)
- Document all communication and transaction details
The FBI notes that time is critical—quick action can sometimes help freeze or recover funds.
Protect Your Business from Email Fraud
Trust, But Verify.
BEC scams don’t break into your business.
They blend in.
They look like normal emails.
They sound like trusted partners.
They arrive at the worst possible time.
And they rely on one assumption:
That no one will double-check.
If payment instructions change, slow down and verify.
Because in today’s environment, one email can turn a routine payment into a major loss.
At Reliabank, we’re committed to helping your business stay secure, informed, and protected from evolving financial threats.
Sources
Federal Bureau of Investigation – Internet Crime Complaint Center (IC3) 2025 Annual Report – https://www.ic3.gov/Media/PDF/AnnualReport/2025_IC3Report.pdf
Internet Crime Complaint Center – Report Fraud & Learn About Scams – https://www.ic3.gov