
Business Email Compromise: How One Convincing Email Drains Six Figures

There’s a type of cyberattack that uses no malware, sets off no alarms, and routinely costs Canadian businesses six-figure sums. It’s called business email compromise (BEC) — and it works because it targets your people and your processes, not your software.

What business email compromise is

In a BEC scam, an attacker impersonates someone trusted — a CEO, a supplier, a colleague — and uses that trust to trick an employee into sending money or sensitive information. There’s no virus to detect. Just a convincing email and a request that seems legitimate.

That’s what makes BEC so dangerous: many security tools are looking for malware, and there isn’t any. The “payload” is a sentence asking someone to make a payment.

The common forms

  • CEO fraud. An urgent message that appears to come from an executive, asking finance to make a wire transfer quickly and quietly.
  • Fake invoice or banking change. A supplier you really do work with emails new banking details — and your next payment goes to the attacker.
  • Payroll diversion. A message “from” an employee asking to update their direct-deposit account.
  • Gift card scams. A “manager” urgently needs gift cards bought and the codes sent over.

How it usually starts

BEC often begins quietly — sometimes with a phishing email that hands an attacker access to a real mailbox. From inside that account, they read past conversations, learn how your business talks about money, and wait for the right moment. Other times they simply spoof an address, or register a look-alike domain that’s one character off.

How to prevent it

BEC is beaten with process and habits more than technology:

  • Verify out of band. Any request to send money or change banking details gets confirmed by a phone call to a known number — never a number or link from the email itself.
  • Build an approval process. Require a second approver for large payments, new payees, or any change to banking details.
  • Turn on MFA. It’s the best defence against the account takeover that often kicks off a BEC attack.
  • Use email authentication. SPF, DKIM, and DMARC make it harder for attackers to spoof your domain.
  • Flag external email. A visible “external sender” banner helps staff spot a message that claims to be internal but isn’t.
  • Train the finance team specifically. The people who move money are the real targets — make sure they know these tactics.
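A defender-side example of how the last two points and the look-alike-domain trick described under "How it usually starts" can be checked on inbound mail. This is added illustration, not code from the original article or from any product it mentions. It assumes a hypothetical trusted-domain list, a receiving mail server that writes an Authentication-Results header with the DMARC verdict (as most do), and constructed sample messages; the function names are invented for the example.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Domains this organisation treats as its own or as known suppliers.
# Hypothetical values, constructed for this example.
TRUSTED_DOMAINS = {"example-corp.ca", "trusted-supplier.com"}

# Phrases that mark a message as a request to move money or change payment details.
PAYMENT_TERMS = ("wire", "transfer", "banking details", "direct deposit", "gift card", "invoice")

# Single-character swaps that make a registered domain look like a trusted one.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def normalize(domain):
    """Fold common look-alike tricks so 'examp1e' and 'exarnple' compare equal to 'example'."""
    return domain.lower().replace("rn", "m").replace("vv", "w").translate(HOMOGLYPHS)


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits separate a from b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if normalize(domain) == normalize(trusted) or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def sender_domain(header_value):
    """Extract the lower-cased domain from a From/Reply-To header value ('' if none)."""
    addr = parseaddr(str(header_value or ""))[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def triage(raw_message):
    """Classify one raw RFC 5322 message; returns the findings and the recommended action."""
    msg = message_from_string(raw_message, policy=policy.default)
    domain = sender_domain(msg["From"])
    findings = []
    if domain not in TRUSTED_DOMAINS:
        findings.append("external sender")          # what an "external sender" banner would show
    imitated = lookalike_of(domain)
    if imitated:
        findings.append(f"look-alike of {imitated}")
    # Authentication-Results is written by the receiving mail server. A trusted domain that
    # fails DMARC is being spoofed; a look-alike domain the attacker registered will usually
    # PASS DMARC, which is why the look-alike check above is still needed.
    if "dmarc=pass" not in str(msg.get("Authentication-Results", "")).lower():
        findings.append("dmarc not passing")
    reply_domain = sender_domain(msg.get("Reply-To"))
    if reply_domain and reply_domain != domain:
        findings.append("reply-to goes to a different domain")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()
    asks_for_money = any(term in text for term in PAYMENT_TERMS)
    if asks_for_money:
        findings.append("payment request language")
    if imitated or "dmarc not passing" in findings:
        action = "hold: likely impersonation"
    elif asks_for_money:
        action = "verify out of band before acting"   # the article's phone-call rule
    else:
        action = "deliver"
    return {"sender_domain": domain, "findings": findings, "action": action}


# Constructed sample messages (not real mail).
LOOKALIKE_MESSAGE = """\
From: "Dana Chief (CEO)" <dana.chief@examp1e-corp.ca>
To: finance@example-corp.ca
Subject: Urgent wire today
Authentication-Results: mx.example-corp.ca; dmarc=pass header.from=examp1e-corp.ca
Content-Type: text/plain; charset=utf-8

I'm in meetings all day. Please process a wire transfer of $84,500 to the
vendor below and keep it between us until I'm back.
"""

SPOOFED_MESSAGE = """\
From: Sam Employee <sam.employee@example-corp.ca>
Reply-To: sam.employee@personal-mail.example
To: payroll@example-corp.ca
Subject: New bank account
Authentication-Results: mx.example-corp.ca; dmarc=fail header.from=example-corp.ca
Content-Type: text/plain; charset=utf-8

Hi, I switched banks. Please update my direct deposit to the account attached.
"""

LEGIT_MESSAGE = """\
From: Jo Colleague <jo.colleague@example-corp.ca>
To: finance@example-corp.ca
Subject: Friday
Authentication-Results: mx.example-corp.ca; dmarc=pass header.from=example-corp.ca
Content-Type: text/plain; charset=utf-8

Lunch on Friday? The usual place at noon.
"""

if __name__ == "__main__":
    for sample in (LOOKALIKE_MESSAGE, SPOOFED_MESSAGE, LEGIT_MESSAGE):
        print(triage(sample))
```

Running it shows the two failure modes side by side: the look-alike domain passes DMARC and is only caught by the distance and homoglyph comparison, while the spoofed internal address fails DMARC and carries a Reply-To pointing elsewhere. In both cases the recommended action is to hold the message, and any message that merely asks for money is routed to the out-of-band verification step rather than delivered unchallenged.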

If it happens to you

Speed matters. Contact your bank immediately — funds can sometimes be recalled if you act fast enough. Report the fraud to the Canadian Anti-Fraud Centre, preserve the emails, and check whether an account was compromised. Our guide on what to do after a phishing click covers the account side.

BEC doesn’t make headlines the way ransomware does, but it quietly costs businesses just as much. If you’d like help putting the right defences and processes in place, contact our team.
