2013: Business Email Compromise: The $50 Billion Email Scam

By The EmailCloud Team | 2013 Security Breach

There is a type of email scam that doesn’t require hacking. It doesn’t require malware. It doesn’t exploit software vulnerabilities or bypass firewalls. It simply requires a convincing email from someone who appears to be the boss, asking an employee to send money somewhere. Business Email Compromise — BEC — has stolen over $50 billion since 2013, making it the single most financially devastating category of cybercrime in the world. And it works because it exploits the most basic element of workplace behavior: people do what their boss tells them.

How It Works

A typical BEC attack begins with reconnaissance. The attacker researches a target organization using publicly available information: corporate websites, LinkedIn profiles, press releases, SEC filings, and social media. They identify key personnel — the CEO, CFO, controller, accounts payable staff — and learn the company’s organizational structure, upcoming deals, and communication patterns.

Armed with this information, the attacker either compromises a real executive’s email account (through phishing, credential stuffing, or other means) or creates a look-alike email domain. If the target company uses example.com, the attacker might register examp1e.com (with a numeral “1” instead of the letter “l”) or example-corp.com. The spoofed address is close enough that a busy employee skimming their inbox won’t notice the difference.

Then comes the request. The fake executive email — typically impersonating the CEO or CFO — contacts an employee with financial authority. The message creates urgency: “I need you to process a wire transfer immediately. We’re closing the [acquisition/deal/partnership] today and the funds need to be in the escrow account by 3 PM. I’m in meetings all day, so handle this via email only. Don’t discuss this with anyone — it’s confidential until the announcement.”

The email leverages every social pressure available: the authority of the sender (the CEO), the urgency of the timeline (today), the confidentiality requirement (don’t verify with others), and the communication restriction (email only, don’t call). The employee processes the transfer. The money goes to a mule account controlled by the attackers, is quickly moved through multiple accounts across jurisdictions, and vanishes.

The Scale

BEC’s financial toll dwarfs every other category of cybercrime. The FBI’s Internet Crime Complaint Center (IC3) reported that between June 2016 and December 2021, there were 241,206 domestic and international BEC incidents with total exposed losses exceeding $43 billion. By 2023, cumulative losses surpassed $50 billion.

For context, ransomware — the cybercrime that dominates headlines — generates a fraction of BEC’s financial damage. In 2022, IC3 reported $2.7 billion in BEC losses compared to $34 million in reported ransomware losses. BEC steals roughly 80 times more money than ransomware, yet receives a fraction of the media attention.

The average BEC incident involves significantly larger sums than typical fraud. Wire transfers of $100,000 to several million dollars are common. Some individual incidents have involved tens of millions. Ubiquiti Networks lost $46.7 million in a BEC attack in 2015. Toyota Boshoku lost $37 million in 2019. Facebook and Google collectively lost over $100 million to a Lithuanian man who sent them fraudulent invoices impersonating a hardware vendor.

The Five Types

The FBI categorizes BEC into five main variants. CEO fraud is the classic form: an email impersonating the CEO directs an employee to make a wire transfer. Account compromise involves hacking an employee’s actual email account and using it to request payments from vendors listed in their contacts. Attorney impersonation targets employees during sensitive transactions (mergers, acquisitions, real estate closings) by posing as a lawyer managing the deal. False invoice schemes impersonate regular vendors and request payment to updated bank account information. Data theft targets HR departments, requesting employee W-2 forms or personal data for tax fraud.

The vendor impersonation variant is particularly insidious. Attackers monitor a company’s legitimate vendor relationships, then send an email that appears to come from a real vendor, claiming that their banking details have changed. Future payments — which the company was going to make anyway, to a real vendor for real goods and services — are redirected to the attacker’s account. The fraud may not be discovered until the real vendor inquires about missed payments, which could be weeks or months later.

Why It Works

BEC succeeds because it exploits organizational behavior, not technology. Anti-malware software can’t detect it because there’s no malware. Spam filters struggle because the emails are individually crafted, often sent from compromised legitimate accounts, and contain no suspicious links or attachments. The email is just text — a request from an authority figure that looks and reads exactly like a legitimate business communication.

The social dynamics of organizations make BEC uniquely difficult to prevent. Employees are conditioned to respond promptly to executive requests. Questioning the CEO’s instructions is culturally uncomfortable and potentially career-damaging. Time pressure prevents verification. Confidentiality requests prevent consultation with colleagues who might recognize the fraud.

Even organizations with robust financial controls can be vulnerable. Dual approval requirements can be circumvented when both approvers receive the same convincing email. Callback procedures can be defeated if the attacker has spoofed the executive’s phone number or if the employee calls the number provided in the fraudulent email rather than looking up the executive’s number independently.

Fighting Back

BEC prevention requires a combination of technical controls and cultural change. On the technical side, email authentication protocols (SPF, DKIM, DMARC) let receiving mail servers reject messages that forge the organization’s own domain; they do nothing against a look-alike domain the attacker has registered, which is why email security tools must also flag messages from look-alike domains or display warnings when an email claims to be from an internal address but originates externally.

The cultural changes are harder but more important. Organizations must establish and enforce verification procedures for financial transactions: any request for wire transfers, payment changes, or sensitive data must be verified through a separate communication channel — a phone call to a known number, an in-person conversation, or a verified messaging platform. The verification step must be mandatory and immune to social pressure, including pressure from the CEO.

Training employees to recognize BEC indicators — urgency, secrecy, unusual requests, slight email address variations — is necessary but insufficient. The most effective defense is a culture where verifying financial requests is normal and expected, not a sign of distrust or insubordination.
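The checks described under Fighting Back, written out as an added Python example (not code from the original article or from EmailCloud): it folds homoglyphs to catch examp1e.com and example-corp.com against the organization's domain, flags a message that claims an internal address but did not pass DMARC, and scores the urgency, secrecy and channel-restriction cues from the request quoted earlier. The trusted domain, the homoglyph table, the cue patterns and the sample message are all assumptions constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}  # the organization's own domain(s); an assumption
HOMOGLYPHS = {"1": "l", "0": "o", "rn": "m", "vv": "w"}  # small assumed substitution table
CUES = {  # phrasing patterns taken from the request quoted in the article
    "urgency": r"\b(immediately|urgent|today|asap)\b",
    "secrecy": r"\b(confidential|don'?t discuss)\b",
    "channel restriction": r"\b(email only|in meetings all day)\b",
}
# Constructed sample (not a real capture): a look-alike-domain CEO-fraud request.
SAMPLE = """From: "Jane Doe, CEO" <jane.doe@examp1e.com>
Authentication-Results: mx.example.com; dmarc=none header.from=examp1e.com

Process the wire transfer immediately, we close the deal today. I'm in meetings
all day so handle this via email only. Don't discuss this, it's confidential.
"""

def normalize(domain):
    """Fold common homoglyphs so that examp1e.com compares equal to example.com."""
    domain = domain.lower()
    for fake, real in HOMOGLYPHS.items():
        domain = domain.replace(fake, real)
    return domain

def lookalike_of(domain):
    """Trusted domain that `domain` imitates (examp1e.com, example-corp.com), else None."""
    if domain in TRUSTED_DOMAINS:
        return None
    folded = normalize(domain)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or trusted.split(".")[0] in folded.split(".")[0]:
            return trusted
    return None

def analyze(raw):
    """Return BEC findings for one RFC 5322 message: sender checks plus body cues."""
    msg = message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    auth = msg.get("Authentication-Results", "").lower()
    findings = []
    if target := lookalike_of(domain):
        findings.append(f"look-alike domain {domain} imitates {target}")
    if domain in TRUSTED_DOMAINS and "dmarc=pass" not in auth:
        findings.append(f"internal address {addr} did not pass DMARC: likely external origin")
    body = msg.get_payload().lower()
    findings += [f"{name} cue in body" for name, pat in CUES.items() if re.search(pat, body)]
    return findings
```

A real deployment would take the DMARC verdict from the gateway's own Authentication-Results stamp rather than trusting a header the sender could have inserted, and would treat any finding as a reason to route the message to the out-of-band verification step, not as proof of fraud.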

The Uncomfortable Truth

BEC exposes an uncomfortable truth about email: the medium itself provides almost no inherent verification of identity. An email that appears to come from the CEO might actually come from the CEO, or it might come from an attacker in another country. Without authentication protocols and verification procedures, there is no reliable way for the recipient to tell the difference.

This fundamental weakness — that email makes impersonation easy and verification hard — has existed since email was created. BEC simply exploits it at industrial scale. Until organizations treat every email requesting financial action with appropriate skepticism, the billions will keep flowing to the wrong accounts.

Infographic

Business Email Compromise: The $50 Billion Email Scam — visual summary and key facts infographic

Frequently Asked Questions

What is Business Email Compromise (BEC)?

Business Email Compromise is a type of cybercrime where attackers impersonate a trusted business contact — typically a CEO, CFO, vendor, or lawyer — via email to trick employees into transferring money to fraudulent accounts. BEC attacks rely on social engineering rather than malware, making them difficult to detect with traditional security tools.

How much money has BEC stolen?

The FBI reported that BEC scams caused over $50 billion in losses globally between 2013 and 2022. In the United States alone, the FBI's Internet Crime Complaint Center recorded over $2.7 billion in BEC losses in 2022, making it the most financially damaging category of internet crime by a wide margin.

How do BEC attacks work?

BEC attacks typically follow a pattern: attackers research a target organization using public information and social media. They either compromise a real executive's email account or create a look-alike domain. They then send an urgent email — often requesting a wire transfer, gift card purchase, or change to payment details — to an employee with financial authority. The urgency and apparent authority of the sender pressure the employee into complying.