How organizations combat business email compromise

September 22, 2025 | 4 minute read

Key takeaways

  • Educate all employees to exercise skepticism when they receive an unusual request via email, even when the email appears to come from someone they report to or know.
  • Encourage all employees to never bypass identity access controls or share their login credentials.
  • Remember that fraudulent emails and email scams may be the first step in complex cybercrime campaigns, such as ransomware or theft of valuable company data.

Business email compromise (BEC) is a specialized phishing technique that targets individuals with the intent of tricking them into sending money or sharing sensitive information. It remains one of the most lucrative types of cybercrime, with losses reaching almost $3 billion in more than 21,000 cases reported to the FBI in 2023.[1]

The methods perpetrators use in BEC have changed as technology and business processes have evolved. But this crime still depends on establishing and exploiting trust. Perpetrators may impersonate people who work for the same organization, often a boss, senior executive or consultant, such as legal counsel, or an established vendor or customer. They leverage persuasive social engineering tactics to convince people of their identities and the legitimacy of their requests.

Developments in artificial intelligence (AI) and account hacking have made some BEC scams very difficult to detect. But the best defense is still a workforce that is alert to this persistent threat and able to balance efficiency with security objectives.

Common BEC frauds

Criminals often tailor their BEC scams to the organization and individuals they target by adding highly specific details based on internet research. However, most scams fall into these broad categories:

Invoice and payment scams. The criminal impersonates a vendor or customer and requests payment on an outstanding invoice or that future payments be sent to a new account. The email may contain a malicious link or attachment that can direct the recipient to a phishing site or download dangerous malware.

Urgent request from a supervisor. An employee receives an email appearing to be from their supervisor or a top executive, requesting they immediately send a gift or payment to a recipient. In some cases, the criminal may first request switching over to texting or even video conferencing before they make the request. They may then deploy AI to generate text or video feeds to make the interaction even more convincing.

Whaling. This is a campaign that targets a specific, high-level executive for financial gain, data theft, or to inflict reputational damage on the person or company. Many begin via BEC tactics.

Data requests/theft. The scammers may request personally identifiable information (PII) belonging to employees or customers, which they use to conduct subsequent financial scams that target those individuals.

Commodities requests/theft. Scammers pose as purchasing departments for established vendors, make large purchases on credit and arrange for shipment of goods that are never paid for.

Whatever the method, the criminals count on the email recipient being fooled, or not noticing that something is unusual about where the email came from or where the money or data is being sent. This is the point where the social engineering — or coercion — begins.

How to help protect your organization from BEC

As with every type of cybercrime, there is no absolute defense against BEC. But a combination of tools, enforced policies and employee engagement can minimize the risks. Specific defenses can include:

Investing in email filters. Sophisticated BEC attempts can evade even the best security tools, especially since generative AI has enabled scammers to produce more convincing and error-free text. However, email scanners and filters can sometimes detect mail from spoofed accounts and flag anomalous communications for independent review.
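As an added illustration of the kind of anomaly flagging described above (example code written for this page, not a product or vendor filter), the following Python screens a raw email for four common BEC signals: a Reply-To domain that differs from the sender domain, a display name that matches a known executive but an address that does not, a sender domain that is a lookalike of the company domain, and urgent payment language in the body. The company domain, the executive directory entry and both sample messages are constructed for the example.

```python
"""Heuristic BEC screening of inbound mail (added example, not vendor code)."""
import email
import re
from email import policy
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                       # assumed internal domain
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # assumed directory entry

URGENCY = re.compile(r"\b(urgent|immediately|asap|right away|today)\b", re.I)
PAYMENT = re.compile(r"\b(wire|invoice|payment|gift card|bank account|routing)\b", re.I)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one-character typo-squats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(domain: str, target: str) -> bool:
    """True if domain imitates target (homoglyph swap or one edit away) but is not identical."""
    if domain == target:
        return False
    folded = domain.replace("rn", "m").replace("0", "o").replace("1", "l")
    return folded == target or edit_distance(domain, target) <= 1


def screen(raw_message: str) -> list[str]:
    """Return a list of review flags for one RFC 5322 message; empty means nothing unusual."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    reply_domain = reply_addr.rpartition("@")[2].lower()

    if reply_addr and reply_domain != from_domain:
        flags.append("reply-to domain differs from sender domain")

    known = EXECUTIVES.get(from_name.strip().lower())
    if known and from_addr.lower() != known:
        flags.append("display name matches an executive but address does not")

    if lookalike(from_domain, COMPANY_DOMAIN):
        flags.append("sender domain is a lookalike of the company domain")

    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(text) and PAYMENT.search(text):
        flags.append("urgent payment language in body")

    return flags


# Constructed sample messages for the example.
SUSPICIOUS = """From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe.ceo@webmail-example.test
To: accounts.payable@example-corp.com
Subject: Quick favor

I need you to wire the overdue invoice immediately, I am in a meeting.
"""

BENIGN = """From: Jane Doe <jane.doe@example-corp.com>
To: accounts.payable@example-corp.com
Subject: Offsite agenda

Attached is the agenda for Thursday. No action needed.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(label, "->", screen(raw) or ["no flags"])
```

The point of the heuristics is to route mail for independent review, not to block it: a message that trips several flags at once is exactly the one that should be held for the out-of-band verification the rest of this article recommends.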

Deploying and maintaining strong identity access and account privilege management. Identity and access management (IAM) and privileged access management (PAM) are methods that make it more difficult for unauthorized users to exploit stolen credentials to initiate BEC attempts. Used in conjunction with multifactor authentication (MFA) or biometrics, these protections can be effective assuming organizations don’t set and forget them. Review and enforcement of these policies is critical.

Redundant payment approvals. Anomalous requests or changes to payment information should require extra layers of review and approval.
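To make the "extra layers of review" concrete, here is an added Python model of a dual-control policy for vendor bank-detail changes (example code for this page, not any bank's or vendor's system). A change requested over email, text or chat stays on hold until two distinct approvers, neither of them the requester, have signed off and the new details have been confirmed by a call to a number already on file. The vendor name, account placeholder and user names are constructed.

```python
"""Dual-control release of vendor payment-detail changes (added example)."""
from dataclasses import dataclass, field


@dataclass
class BankDetailChange:
    vendor: str
    new_account: str            # placeholder value in the example, never a real account
    requested_via: str          # channel the request arrived on, e.g. "email"
    requested_by: str
    approvals: set[str] = field(default_factory=set)
    callback_verified: bool = False   # confirmed via a phone number already on file


@dataclass
class ApprovalPolicy:
    required_approvers: int = 2
    # Channels on which a request alone is never sufficient evidence.
    callback_channels: frozenset[str] = frozenset({"email", "sms", "chat"})

    def approve(self, change: BankDetailChange, approver: str) -> None:
        """Record one approval; the requester may not approve their own change."""
        if approver == change.requested_by:
            raise PermissionError(f"{approver} cannot approve a change they requested")
        change.approvals.add(approver)   # a set, so one person cannot approve twice

    def record_callback(self, change: BankDetailChange, number_on_file: bool) -> None:
        """Only a callback to a previously known number counts as verification."""
        change.callback_verified = number_on_file

    def can_release(self, change: BankDetailChange) -> tuple[bool, list[str]]:
        """Return (ok, reasons); reasons is empty only when every control is satisfied."""
        reasons = []
        if len(change.approvals) < self.required_approvers:
            reasons.append(f"{len(change.approvals)}/{self.required_approvers} approvals")
        if change.requested_via in self.callback_channels and not change.callback_verified:
            reasons.append("no out-of-band callback verification")
        return (not reasons, reasons)


def walk_through() -> list[tuple[bool, list[str]]]:
    """Drive one constructed request through the policy and return each decision."""
    policy = ApprovalPolicy()
    change = BankDetailChange("Acme Supplies (constructed)", "PLACEHOLDER-ACCT",
                              requested_via="email", requested_by="ap.clerk")
    decisions = [policy.can_release(change)]          # fresh request: held
    policy.approve(change, "ap.manager")
    policy.approve(change, "ap.manager")               # duplicate, does not count
    decisions.append(policy.can_release(change))      # one approver: still held
    policy.approve(change, "controller")
    decisions.append(policy.can_release(change))      # two approvers, no callback: held
    policy.record_callback(change, number_on_file=True)
    decisions.append(policy.can_release(change))      # all controls met: release
    return decisions


if __name__ == "__main__":
    for ok, why in walk_through():
        print("release" if ok else "hold", why)
```

The callback check is what defeats the typical invoice scam: the attacker controls the email thread and any number written in it, but not the number the organization recorded when the vendor was onboarded.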

Employee training and awareness. Any successful BEC attempt depends on eluding controls or deceiving an employee. Organizations should regularly train all employees (especially key employees such as those responsible for accounts payable and receivables) and make awareness of BEC and cyberthreats a part of company culture.

BEC is likely to persist in a business environment that depends on speed, convenience, and friction-free transactions between vendors, customers and partner organizations. A key to a strong defense is encouraging every employee to slow down a process when they detect anything unusual about an email communication. “Trust but verify” is still advice that supports strong cybersecurity fundamentals and good business outcomes.


Important Disclosures and Information

Bank of America, Merrill, their affiliates and advisors do not provide legal, tax or accounting advice. Consult your own legal and/or tax advisors before making any financial decisions. Any informational materials provided are for your discussion or review purposes only. The content on the Center for Business Empowerment (including, without limitations, third party and any Bank of America content) is provided “as is” and carries no express or implied warranties, or promise or guaranty of success. Bank of America does not warrant or guarantee the accuracy, reliability, completeness, usefulness, non-infringement of intellectual property rights, or quality of any content, regardless of who originates that content, and disclaims the same to the extent allowable by law. All third party trademarks, service marks, trade names and logos referenced in this material are the property of their respective owners. Bank of America does not deliver and is not responsible for the products, services or performance of any third party.

Not all materials on the Center for Business Empowerment will be available in Spanish.

Certain links may direct you away from Bank of America to unaffiliated sites. Bank of America has not been involved in the preparation of the content supplied at unaffiliated sites and does not guarantee or assume any responsibility for their content. When you visit these sites, you are agreeing to all of their terms of use, including their privacy and security policies.

Credit cards, credit lines and loans are subject to credit approval and creditworthiness. Some restrictions may apply.

Merrill Lynch, Pierce, Fenner & Smith Incorporated (also referred to as “MLPF&S" or “Merrill") makes available certain investment products sponsored, managed, distributed or provided by companies that are affiliates of Bank of America Corporation (“BofA Corp."). MLPF&S is a registered broker-dealer, registered investment adviser, Member SIPC, and a wholly owned subsidiary of BofA Corp.

Banking products are provided by Bank of America, N.A., and affiliated banks, Members FDIC, and wholly owned subsidiaries of BofA Corp.

“Bank of America” and “BofA Securities” are the marketing names used by the Global Banking and Global Markets division of Bank of America Corporation. Lending, derivatives, other commercial banking activities, and trading in certain financial instruments are performed globally by banking affiliates of Bank of America Corporation, including Bank of America, N.A., Member FDIC. Trading in securities and financial instruments, and strategic advisory, and other investment banking activities, are performed globally by investment banking affiliates of Bank of America Corporation (“Investment Banking Affiliates”), including, in the United States, BofA Securities, Inc., which is a registered broker-dealer and Member of SIPC, and, in other jurisdictions, by locally registered entities. BofA Securities, Inc. is a registered futures commission merchant with the CFTC and a member of the NFA.

Investment products: