Business Email Compromise: The $50B Scam Small Businesses Underestimate
The Most Expensive Email You'll Never Open
Most small business owners think of email-based attacks as "phishing" — the obvious garbage that ends up in spam, the fake DocuSign emails, the password-reset scams. Those are real, but they're not what should keep you up at night.
The attack that should keep you up at night is one where your CFO gets an email from you — really from you, or at least from someone using your name and your domain — asking them to wire $73,000 to a new vendor account. The email is well-written. The phrasing matches how you actually write. The timing is convincing. There's a plausible reason for the urgency. And by the time anyone realizes what happened, the money is gone and the bank can't recover it.
This is Business Email Compromise. The FBI's IC3 reports BEC has caused over $50 billion in confirmed losses globally since 2013, with U.S. losses alone topping $2.9 billion in 2023. The median loss per incident sits around $50,000 — meaningful for an enterprise, often existential for a 25-person business.
If you're running a small business, BEC is the single highest-probability, highest-impact attack you'll face in the next 24 months. This guide is what to actually do about it.
How the Attack Actually Works
BEC is not a hacking attack in the way most people imagine. There's typically no malware, no exploit, no zero-day. It's a social engineering attack that exploits three things almost every small business has: an unprotected email domain, employees who trust internal email, and finance processes that allow same-day wire transfers without strong verification.
The most common variants:
CEO Impersonation. An attacker registers a lookalike domain — breachhorlzon.com instead of breachhorizon.com (note the swapped letter), or uses a free email service with a display name matching your CEO. They email your CFO or accounts payable lead with a request to wire money urgently, "I'm in a meeting, just handle this please." Variants include "we just signed a new vendor contract, here's the wiring info," or "I need you to buy gift cards for a client appreciation event, $5,000 should cover it."
Vendor Impersonation. An attacker compromises a real vendor's email (or impersonates them) and sends your accounts payable team an updated invoice with new wiring instructions. The invoice often matches a real outstanding payable down to the dollar. Your team pays the "vendor" — and the vendor never receives the money. This pattern is harder to detect because the dollar amount and the timing both feel legitimate.
Account Takeover. This is the worst case. An attacker compromises an actual employee's mailbox (typically through credential reuse from a third-party breach, or phishing). They sit in the mailbox for days or weeks, learning your business's pace, your wiring patterns, who has authority to approve what. Then they send a wire request that looks exactly like a real one — because it is a real one, just with the destination changed. They also create inbox rules to hide responses, so the legitimate owner never sees the conversation.
Payroll Diversion. An attacker sends HR or payroll an email from "an employee" asking to update their direct deposit information. By the time the employee notices their paycheck didn't land, the next payroll cycle has already been redirected.
What all four have in common: the attacker doesn't need to break in. They just need to be convincing in an email and then collect a wire transfer.
Why Small Businesses Are the Highest-Value Targets
Enterprises have layered defenses against BEC: trained accounts payable teams, mandatory dual-control for wires, vendor master file updates that require independent verification, threat intelligence subscriptions that flag lookalike domains, and automated impersonation detection in their email gateways. Even when BEC attempts succeed at large companies, internal controls usually catch them before the money moves.
Small businesses have none of that infrastructure. A 25-person business typically has:
- One person handling AP (often the founder's spouse, or the office manager wearing four hats)
- No formal wire verification process — sometimes a phone call, often just an email confirmation
- No email gateway with impersonation protection
- No vendor master file controls
- A domain with weak or missing email authentication (we'll get to this)
Worse, attackers know small businesses are less likely to involve law enforcement quickly — partly because owners don't know they should, partly because the embarrassment of having been scammed delays the call. By the time the FBI gets involved, the funds have been moved through multiple correspondent banks and converted to crypto or cash. The FBI's Recovery Asset Team can sometimes intercept wires within 72 hours, but only if you report fast.
The Four Configuration Changes That Block 90% of BEC Attempts
Most BEC attacks rely on the attacker being able to spoof your domain — either by sending email that appears to be from your domain, or by using a lookalike domain that your employees don't notice. Three DNS records, configured strictly, kill that capability for properly-implementing receivers (which is now most major mail providers).
1. SPF (Sender Policy Framework). A DNS record listing the IP addresses and services authorized to send email on behalf of your domain. If an attacker tries to send from an unauthorized server, receivers can detect the mismatch.
The mistake: leaving SPF set to ~all (softfail) instead of -all (hardfail), or forgetting to include every legitimate sender (your help desk tool, your marketing platform, your invoicing system). Run our SPF checker on your domain to see what you have today.
2. DKIM (DomainKeys Identified Mail). Cryptographic signing of outbound email. Your mail server signs each message with a private key; receivers verify the signature against a public key in your DNS. A spoofed email won't have a valid signature.
The mistake: setting up DKIM on your primary mail platform but forgetting other services that send mail on your domain's behalf. Every service that sends from [email protected] needs to be DKIM-aligned, or it'll fail authentication.
3. DMARC (Domain-based Message Authentication, Reporting and Conformance). The policy layer on top of SPF and DKIM. DMARC tells receivers what to do when SPF or DKIM fails: p=none (do nothing, just report), p=quarantine (send to spam), or p=reject (refuse delivery).
The mistake almost every small business makes: publishing DMARC at p=none and never moving past it. p=none gives you reports of what's going wrong, which is great, but it doesn't actually stop a single spoofed email. The goal is to spend 2-4 weeks at p=none reviewing reports (Postmark and Valimail both offer free DMARC reporting), then move to p=quarantine, then to p=reject.
4. Inbound impersonation protection. Both Microsoft 365 (Defender for Office 365) and Google Workspace include built-in detection for "user impersonation" — emails that look like they're from someone in your organization but aren't. These features are off by default in many tenants. Turn them on. The settings are in Defender → Email & collaboration → Policies → Anti-phishing (M365) and Admin Console → Apps → Google Workspace → Gmail → Safety (Workspace).
When configured strictly, these four controls block the vast majority of BEC attempts at the network layer — your employees never see the spoofed email at all.
The Two Process Changes That Block the Rest
Configuration only goes so far. The attacks that get through are typically lookalike-domain attacks or account-takeover attacks, where the email passes authentication because it's not technically a spoof. For those, you need process.
Wire verification by callback. Any wire transfer to a new beneficiary, or any change to an existing beneficiary's account, requires a verbal callback to a known phone number — not the number on the email. The known number is the one you have on file from before. The callback is from the AP person to the requester, not the other way around. This single policy stops more BEC than any technical control.
Vendor master file change controls. When a vendor emails you with new wiring instructions, that change is treated as a request, not an instruction. The request goes through a verification step (callback to the vendor's main number, or written confirmation from a previously-known contact) before the master file is updated. This blocks the most-expensive variant of BEC — the vendor impersonation that hits real outstanding invoices.
Neither of these requires any technology. They require a written policy, training, and a culture where slowing down a wire to verify is treated as professional behavior, not paranoid behavior.
What to Do This Week
-
Run the free Breach Horizon Exposure Report on your primary domain. It checks SPF, DKIM hints, HTTPS, and other surface-level signals an attacker would inspect first. Takes 30 seconds.
-
Look at your DMARC record. Use our DNS Tools to inspect it. If you don't have one, publish one at
p=nonewith theruareporting tag pointed at a DMARC reporting tool. If you've been atp=nonefor more than a month, schedule the move top=quarantine. -
Write a one-page wire verification policy. Include the callback requirement, the new-beneficiary verification, and a no-blame clause that explicitly encourages employees to delay wires when something feels off. Have everyone in finance sign it.
-
Train your finance team on the specific patterns. Show them real examples of CEO impersonation and vendor impersonation emails (the FBI's IC3 reports have actual screenshots). Practice the "this might be BEC, what do I do?" scenario.
-
Run a phishing simulation. Free options exist via Google Workspace and M365. Or run our free Phishing IQ Test with your team for a quick baseline.
If a Wire Has Already Gone Out
If you discover a fraudulent wire after it's been sent, you have a very narrow window to recover the funds. The actions, in order:
-
Call your bank immediately. Ask for the wire recall department. The faster the bank issues a SWIFT recall (or domestic ACH/wire recall) request, the higher the chance of recovery.
-
File an IC3 report. Submit at ic3.gov and explicitly mention "BEC" and "Recovery Asset Team." If reported within 72 hours, the FBI can sometimes freeze the funds at the receiving bank before they're moved further.
-
Call your cyber insurance carrier. Most policies include a 24/7 incident response line. They'll engage an IR firm and counsel for you.
-
Preserve everything. Don't delete the emails. Don't reset passwords on the compromised account yet (forensics need an unaltered environment). Don't tell the attacker you've noticed — the longer they think the scam worked, the less likely they are to move the funds.
-
Notify law enforcement locally. A police report is often required by insurance for claim processing.
BEC is one of the few attack types where the first 24 hours matter more than the next 24 weeks. Speed of detection and speed of escalation are everything.
Final Word
Business Email Compromise is, in the end, a trust attack. It exploits the trust your team puts in email, the trust your finance process puts in your CFO's signature, the trust your business puts in vendors who've invoiced you before. You can't eliminate trust from running a business. But you can engineer specific friction at the places where the largest amounts of money move, and you can configure your domain so attackers can't pretend to be you in the first place.
If you do one thing after reading this: run the Exposure Report and check your DMARC record. That single 30-second action surfaces the most common reason BEC succeeds against small businesses. The fix is usually a 10-minute DNS change.
The rest is policy and training — work that's never glamorous, never finished, and worth every minute when the day comes that someone in your business gets a too-urgent email asking for a wire.
See what attackers see — before they do.
Run the free passive scan, get a prioritized fix plan, and close the gaps yourself or have us do it for you.