The Rise of Business Email Compromise (BEC) Attacks: How Cybercriminals Are Raiding Business Bank Accounts
Business email compromise attacks aren't making headlines the way ransomware does, but they're quietly costing small and mid-sized businesses anywhere from $16,000 to over $150,000 per incident — and in most cases, the money is gone for good. If your team handles vendor payments, wire transfers, or payroll, this is the threat you need to understand right now.
What Makes BEC Different From Regular Phishing
Most people have a mental image of a phishing attack: a suspicious email from a stranger asking you to click a link or enter your password. Business email compromise is something more dangerous, because it doesn't look suspicious at all.
BEC attacks are highly targeted. Instead of blasting a generic message to thousands of inboxes, attackers focus on specific businesses, specific employees, and specific financial relationships. The goal isn't to trick just anyone — it's to trick the right person at the right moment into moving money to the wrong place.
The attack typically starts with a phishing email designed to gain access to someone's email account. Once an attacker is inside, they don't immediately do anything obvious. Instead, they go quiet. They read through months of email threads, learn who your vendors are, what projects are underway, how your team communicates, and which employees handle payments. They're building a map of your business from the inside.
The "Chime-In" Tactic: How It Actually Plays Out
Once an attacker understands your business well enough, they make their move using what's known as the chime-in tactic. They set up filters so that emails from a specific vendor or contact go to a folder you'll never see. Then they jump into an existing email thread — one with real history, real context, and a name you trust completely — and send a message as if they're that person.
Because the email lives in an active conversation with someone you've worked with for years, it doesn't raise flags. There's no reason to question it. That's precisely the point.
The Two Most Common Scams
The fake invoice and bank change. You receive an email from a vendor you've paid dozens of times before. They let you know that their company has switched banks and ask you to update their payment information before sending the next invoice. It's a routine request. You've built a real relationship with this vendor. So you make the change, process the payment — and the money goes directly to the attacker.
The employee payroll scam. An attacker impersonates one of your own employees — often someone in a department that doesn't interact with payroll daily — and emails HR or finance to request a change to their direct deposit information. The request looks internal, sounds legitimate, and gets processed. The employee's next paycheck goes to an account they'll never see.
In both cases, the reason these scams work is the same: trust. The attack exploits relationships that took years to build, weaponizing familiarity against you.
The Financial Reality — And Why Your Bank Can't Help You
When businesses discover they've been hit, one of the first calls they make is to their bank. Unfortunately, that call rarely ends well. Banks are generally not liable for these losses because, technically, an authorized employee approved the transfer. From the bank's perspective, the transaction was legitimate. It was your employee, using proper credentials, who made the change and initiated the payment.
Fraud recovery is equally grim. Once funds leave your account, attackers move them quickly through a chain of other accounts, often across international borders. The odds of recovering the money are, in most cases, slim to none. By the time the fraud is discovered and law enforcement is notified, the trail has gone cold.
This is why prevention isn't just important — it's the only real option you have.
How to Protect Your Business
Defending against BEC attacks requires both technical measures and, more importantly, clear administrative policies that your team actually follows.
On the technical side, continuous employee training is one of the most effective tools you have. Staff who understand how these attacks work are far more likely to pause before acting on a suspicious request. Two-factor authentication adds another layer of protection and should be in place for any account involved in financial processes. That said, it's worth knowing that sophisticated attackers can bypass 2FA through a technique called session token hijacking — meaning technical defenses alone aren't enough. Work with your IT provider to ensure specific protections against this are in place.
On the administrative side, this is where the strongest defenses live. No technical control is as effective as a policy that requires two people to sign off on any change to banking or routing information. If one person can't process a vendor bank change alone, the whole attack falls apart.
Pair that with voice verification. Any time a financial change is requested — a new bank account, a routing number update, a payroll redirect — call the person making the request using a phone number you already have on file. Not the number listed in the email. Not a number the requestor provides. A number from your existing records, from a previous conversation, from a business card. If the request is legitimate, that phone call takes thirty seconds. If it isn't, that call stops a six-figure loss.
For employee payroll changes specifically, require a physical written form submitted in person. This single policy makes the employee impersonation scam nearly impossible to execute remotely.
Finally, build a culture of "manage by exception" within your team. Any request that seems out of the ordinary — a vendor changing banks, an employee updating direct deposit, an unusual urgency around a payment — should automatically slow down, not speed up. Urgency is a manipulation tactic. When someone is pressuring your team to act fast, that's exactly the moment to pause.
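The four controls above (two sign-offs, a callback to the number already on file, an in-person written form for payroll, and slowing down on urgency) can be encoded as a single approval gate so that no one person can process a banking change by habit. The following is an added example, not the post's own material: the contact directory, request fields and urgency keyword list are constructed assumptions, and a real deployment would read the number on file from the vendor master or HR record rather than a dictionary.

```python
"""Approval gate for vendor bank and payroll changes.

Added example; CONTACTS_ON_FILE, the request/verification fields and
URGENCY_WORDS are constructed assumptions for illustration.
"""
from dataclasses import dataclass, field

URGENCY_WORDS = ("urgent", "asap", "immediately", "before close", "right away")

# Numbers captured before any request arrived (constructed sample data).
CONTACTS_ON_FILE = {
    "vendor:acme-supplies": "+1-555-0100",
    "employee:j.doe": "+1-555-0142",
}


@dataclass
class ChangeRequest:
    subject_id: str            # e.g. "vendor:acme-supplies" or "employee:j.doe"
    kind: str                  # "vendor_bank" or "payroll"
    channel: str               # "email" or "written_form_in_person"
    new_account: str
    phone_in_request: str = "" # any number the message itself supplied
    message_text: str = ""


@dataclass
class Verification:
    approvers: list            # staff who signed off on the change
    callback_number: str = ""  # number actually dialled, "" if no call made
    callback_confirmed: bool = False


@dataclass
class Decision:
    approved: bool
    reasons: list = field(default_factory=list)


def evaluate(req: ChangeRequest, ver: Verification,
             contacts: dict = CONTACTS_ON_FILE) -> Decision:
    """Apply the administrative controls; any failed control blocks the change."""
    reasons = []
    # Two-person rule: the same person approving twice does not count.
    if len(set(ver.approvers)) < 2:
        reasons.append("needs two distinct approvers")
    # Payroll redirects only via a written form handed in person.
    if req.kind == "payroll" and req.channel != "written_form_in_person":
        reasons.append("payroll changes require a written form submitted in person")
    # Voice verification against the number on file, never the one in the email.
    on_file = contacts.get(req.subject_id)
    if on_file is None:
        reasons.append("no phone number on file; cannot verify out of band")
    elif ver.callback_number != on_file:
        reasons.append("callback must use the number on file, not one from the request")
    elif not ver.callback_confirmed:
        reasons.append("requester did not confirm the change by phone")
    # Manage by exception: pressure to act fast puts the request on hold.
    text = req.message_text.lower()
    if any(w in text for w in URGENCY_WORDS):
        reasons.append("urgency language present; hold for manual review")
    return Decision(approved=not reasons, reasons=reasons)


if __name__ == "__main__":
    req = ChangeRequest("vendor:acme-supplies", "vendor_bank", "email",
                        "NEW-ACCT-001", phone_in_request="+1-555-0199",
                        message_text="Please update our bank details.")
    ver = Verification(["alice", "bob"], "+1-555-0100", callback_confirmed=True)
    print(evaluate(req, ver))
```

The gate deliberately refuses the request when the caller dialled the number that came with the email, even if the person on the line "confirmed" the change; that is the exact failure the callback control exists to prevent.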
Take a Hard Look at Your Internal Procedures
Business email compromise works because it exploits trust and routine. The solution isn't paranoia — it's process. Clear, consistently enforced policies around financial changes will stop the vast majority of these attacks before they cost you anything.
If you're not sure whether your current email security setup would catch a compromise attempt, or if you want to review your internal procedures against current best practices, reach out to the Tech Rage IT team for a cybersecurity audit. We'll take a look at how your business handles these risks and help you close the gaps before someone else finds them.