← All insights
Threats

Business Email Compromise: How One Convincing Email Drains Six Figures

Part of our guide: Phishing, scams & account security

There’s a type of cyberattack that uses no malware, sets off no alarms, and routinely costs Canadian businesses six-figure sums. It’s called business email compromise (BEC) — and it works because it targets your people and your processes, not your software.

It’s also one of the most expensive cybercrimes there is. The losses dwarf most ransomware payouts, yet BEC rarely makes headlines because there’s no dramatic lockout screen — just a payment that quietly went to the wrong account. This guide explains how it works, the forms it takes, a realistic example, and exactly how to stop it.

What business email compromise is

In a BEC scam, an attacker impersonates someone trusted — a CEO, a supplier, a colleague — and uses that trust to trick an employee into sending money or sensitive information. There’s no virus to detect. Just a convincing email and a request that seems legitimate.

That’s what makes BEC so dangerous: many security tools are looking for malware, and there isn’t any. The “payload” is a sentence asking someone to make a payment. To the email gateway, it looks like ordinary business correspondence — because that’s exactly what it is.

The common forms

  • CEO fraud. An urgent message that appears to come from an executive, asking finance to make a wire transfer quickly and quietly.
  • Fake invoice or banking change. A supplier you really do work with emails new banking details — and your next payment goes to the attacker.
  • Payroll diversion. A message “from” an employee asking to update their direct-deposit account before the next pay run.
  • Gift card scams. A “manager” urgently needs gift cards bought and the codes sent over.
  • Attorney or acquisition pretext. A “lawyer” or executive insists on secrecy around a confidential, time-sensitive deal — using confidentiality to discourage the employee from double-checking.
  • Data theft. Not every BEC goes after money directly; some request payroll records or tax forms (like T4s) to enable identity theft and future fraud.

How it usually starts

BEC often begins quietly — sometimes with a phishing email that hands an attacker access to a real mailbox. From inside that account, they read past conversations, learn how your business talks about money, and wait for the right moment. This account takeover is what makes the most damaging BEC attacks so convincing: the fraudulent email comes from a genuine address, in a real thread, written in the sender’s normal style.

Other variations don’t require a break-in at all:

  • Spoofing — forging the “From” name or address so a message merely appears to come from your CEO.
  • Look-alike domains — registering a domain that’s one character off (a swapped letter, .co instead of .com) so a quick glance doesn’t catch it.
  • Thread hijacking — replying into a real, ongoing email conversation at the moment money is about to change hands.

What it looks like in practice

Your accounts-payable clerk receives an email in an existing thread with a long-standing supplier. The supplier writes that they’ve switched banks and asks that this month’s invoice — a real invoice, for the right amount — be paid to new account details. The wording matches how this supplier always writes; the logo and signature are correct. The clerk updates the payee and pays it. Weeks later the real supplier asks where their money is. What happened: the attacker had quietly compromised the supplier’s mailbox, watched the billing cycle, and stepped in at precisely the right moment with the right invoice and new banking details. Nothing about the email looked wrong — because almost nothing about it was wrong, except the account number.

This is why BEC defeats gut instinct: the request is timely, the context is real, and the only safe catch is a process, not a feeling.

How to prevent it

BEC is beaten with process and habits more than technology:

  • Verify out of band. Any request to send money or change banking details gets confirmed by a phone call to a known number — never a number or link from the email itself. This single habit stops the majority of BEC losses. (It’s the same reflex that defeats bank impersonator scams.)
  • Build an approval process. Require a second approver for large payments, new payees, or any change to banking details, so no one person can be talked into a transfer alone.
  • Treat banking-detail changes as high-risk by default. A “we changed banks” email should always trigger verification, every time, no exceptions — that’s the exact moment attackers strike.
  • Turn on MFA. It’s the best defence against the account takeover that often kicks off a BEC attack. Our guide on how to roll out MFA walks through it, and securing Microsoft 365 covers the mailbox side.
  • Use email authentication. SPF, DKIM, and DMARC make it harder for attackers to spoof your domain.
  • Flag external email. A visible “external sender” banner helps staff spot a message that claims to be internal but isn’t.
  • Watch for mailbox tampering. Attackers often set hidden inbox rules that auto-delete or forward messages to cover their tracks — a sign an account is compromised.
  • Manage supplier risk. Your exposure includes your vendors’ security too; our note on vendor and third-party risk explains why.
  • Train the finance team specifically. The people who move money are the real targets — make sure they know these tactics, and make “let me verify that” the expected, blameless response.

The red flags to teach

Train staff to slow down when an email about money shows any of these:

  • Urgency and pressure — “this has to go out today.”
  • A request for secrecy — “don’t discuss this with anyone yet.”
  • A change to payment details — new bank account, new payee, new method.
  • A reply-to address that’s subtly different from the sender.
  • A break from normal process — skipping the usual approvals “just this once.”

Any one of these is reason enough to stop and verify through a known channel.

If it happens to you

Speed matters. Contact your bank immediately — funds can sometimes be recalled if you act within hours. Report the fraud to the Canadian Anti-Fraud Centre, preserve the emails (don’t delete anything), and check whether an account was compromised — including any inbox rules the attacker may have created. Then warn your team and any affected suppliers, since these campaigns often target several people at once. Our guide on what to do after a phishing click covers the account side.

BEC doesn’t make headlines the way ransomware does, but it quietly costs businesses just as much. If you’d like help putting the right defences and processes in place, contact our team.

Have a question about your security?

We're happy to help — book a no-obligation consultation with our team.

Talk to us