
Business email compromise: the boring fraud that drains SME bank accounts

BEC is the highest-frequency cyber loss most small businesses will actually face. How the fraud runs, why MFA alone won't stop it, and how little of the money you get back.

Published on 5 min read

Most small businesses will never get hit by a nation-state. They will get hit by an invoice.

Business email compromise is the least cinematic attack in the catalogue and, for a typical SME, the one most likely to actually cost real money this year. No ransomware note. No encrypted servers. No CNN coverage. Just a finance clerk who paid a legitimate-looking invoice to a bank account that turned out to belong to someone in another country, and a wire that cleared before anyone noticed.

The FBI's IC3 reports put BEC near the top of every annual loss table, year after year, ahead of ransomware by total dollars reported. It stays there because it works, it scales, and it needs almost no technical sophistication.

How the fraud actually runs

The mechanics are dull, which is the point. Dull does not trip alarms.

An attacker gets into a mailbox, usually through a phished password or a credential bought from an earlier breach. They do not do anything loud. They sit. They read. They set up an inbox rule that auto-forwards or auto-deletes certain messages so the real owner never sees the thread. They learn how the company talks: who approves payments, which supplier is mid-project, what an invoice from accounting actually looks like, the CFO's signoff phrasing.

Then they wait for the right moment. A real invoice comes in from a real supplier. The attacker, now reading the supplier's mailbox or spoofing it convincingly, replies on the existing thread: "we've changed banks, please update our details for this payment." Same logo. Same signature. Correct project reference. The change of account is the entire attack, and it is buried inside a conversation that is otherwise completely genuine.

The other classic variant is the CEO-fraud version. A message from "the CEO," often timed for when they are known to be traveling, asking finance to push an urgent confidential payment for an acquisition or a deposit. Pressure plus authority plus secrecy. People who would never fall for a Nigerian-prince email wire six figures because the boss asked and it felt rude to question it.

There is no payload to detect. That is why your endpoint tooling and your antivirus see nothing.
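Since the takeover itself leaves no payload, the mailbox rules the attacker plants are one of the few artefacts a defender can look for. The check below is an added example, not the article's own material: it reviews rule records for the two tells described above, forwarding to an address outside the company and deleting or hiding finance mail. The rule shape, tenant domain and sample rules are constructed assumptions, not any mail platform's real export format.

```python
# Added example (not from the article): review mailbox rules for the two tells
# described above: auto-forwarding to an address outside the company, and
# deleting or hiding messages about invoices and payments so the real owner
# never sees the thread. Rule records are constructed sample data in a
# simplified shape, not any mail platform's real export format.
from dataclasses import dataclass, field

COMPANY_DOMAIN = "example.com"  # assumed tenant domain
FINANCE_KEYWORDS = {"invoice", "payment", "bank", "wire", "remittance", "account"}
HIDING_ACTIONS = {"delete", "mark_read", "move_to_rss", "move_to_archive"}

@dataclass
class MailRule:
    owner: str
    name: str
    forward_to: list = field(default_factory=list)
    actions: set = field(default_factory=set)
    subject_keywords: set = field(default_factory=set)

def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != COMPANY_DOMAIN

def review_rule(rule: MailRule) -> list:
    """Return the reasons a rule looks like post-takeover tradecraft (empty if none)."""
    findings = []
    external = [a for a in rule.forward_to if is_external(a)]
    if external:
        findings.append(f"forwards to external address(es): {', '.join(external)}")
    finance = {k.lower() for k in rule.subject_keywords} & FINANCE_KEYWORDS
    hiding = rule.actions & HIDING_ACTIONS
    if finance and hiding:
        findings.append(f"hides finance mail matching {sorted(finance)} via {sorted(hiding)}")
    if len(rule.name.strip()) <= 1:  # blank or one-character names are a common tell
        findings.append(f"blank or one-character rule name {rule.name!r}")
    return findings

def suspicious_rules(rules: list) -> dict:
    """Map 'owner/rule name' to findings for every rule that has any."""
    report = {}
    for rule in rules:
        findings = review_rule(rule)
        if findings:
            report[f"{rule.owner}/{rule.name}"] = findings
    return report

SAMPLE_RULES = [  # constructed
    MailRule("clerk@example.com", "Newsletters", actions={"move_to_folder"}, subject_keywords={"newsletter"}),
    MailRule("clerk@example.com", ".", forward_to=["clerk.backup@mail.example"],
             actions={"delete"}, subject_keywords={"invoice", "bank"}),
]
```

Run `suspicious_rules(SAMPLE_RULES)` and only the second rule is reported, with all three findings; in practice you would feed it the rule export from your mail platform on a schedule.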

Why MFA helps but does not solve it

Multi-factor authentication is the single best control against the account takeover that starts most BEC, and you should absolutely have it everywhere. Microsoft's own data has it blocking the overwhelming majority of automated credential attacks, and stolen credentials are the entry point in a large share of breaches. In our model MFA cuts BEC frequency by roughly 30%. Notice the word frequency. It reduces how often an attacker gets into the mailbox in the first place.

It does not touch the spoofing variant where the attacker never needs your account at all. A lookalike domain (your-company.co instead of .com, or a near-identical supplier domain) sails straight past MFA because nobody logged into anything of yours. And MFA fatigue and adversary-in-the-middle phishing kits now bypass weaker second factors anyway, which is why I push phishing-resistant factors where the money is.

The real fix for BEC is not technical at all. It is a process rule that no urgent email can override: any change to payment details, or any payment above a threshold, is verified out of band. You call the supplier on a number you already had, not the one in the email signature. You confirm the CEO's request through a second channel. It is friction, finance teams hate it, and it stops the attack cold because the fraud lives entirely inside one compromised channel. Break the single-channel assumption and the whole thing falls apart.
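The lookalike-domain variant and the change-of-bank-details reply can both be caught mechanically before the out-of-band call. The code below is an added example, not the article's own: it classifies a reply's sender domain against an allow-list of supplier domains (TLD swap, near-identical spelling, homoglyphs) and flags any bank-detail change on a thread for verification. The supplier list, homoglyph table and sample messages are constructed assumptions.

```python
# Added example (not from the article): classify a reply's sender domain against
# an allow-list of supplier domains, catching the lookalikes the text describes
# (TLD swap, near-identical spelling, homoglyphs), and flag any "we've changed
# banks" reply for out-of-band verification. All domains/messages are constructed.
import re

KNOWN_SUPPLIER_DOMAINS = {"acme-supply.com", "northwind-traders.co.uk"}  # assumed allow-list
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w", "cl": "d"}      # common substitutions
BANK_CHANGE = re.compile(r"(changed|new)\s+bank|update\b.*\b(account|bank)\s+details", re.I)

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(domain: str) -> str:
    """Fold look-alike character sequences back to the letters they imitate."""
    d = domain.lower()
    for glyph, real in HOMOGLYPHS.items():
        d = d.replace(glyph, real)
    return d

def classify_sender(domain: str) -> str:
    d = domain.lower()
    if d in KNOWN_SUPPLIER_DOMAINS:
        return "trusted"
    for known in KNOWN_SUPPLIER_DOMAINS:
        if d.split(".")[0] == known.split(".")[0]:   # acme-supply.co vs acme-supply.com
            return f"lookalike:{known} (TLD swap)"
        if normalise(d) == normalise(known):          # acrne-supp1y.com
            return f"lookalike:{known} (homoglyph)"
        if edit_distance(d, known) <= 2:              # acme-suply.com
            return f"lookalike:{known} (edit distance)"
    return "unknown"

def check_thread(thread: list) -> list:
    """thread is [(from_address, body), ...]; bank changes are VERIFY, from a foreign domain HIGH."""
    origin = thread[0][0].rsplit("@", 1)[-1].lower()
    alerts = []
    for sender, body in thread[1:]:
        if not BANK_CHANGE.search(body):
            continue
        dom = sender.rsplit("@", 1)[-1].lower()
        level = "HIGH" if dom != origin else "VERIFY"
        alerts.append(f"{level}: {sender} ({classify_sender(dom)}) changed bank details; thread opened by {origin}")
    return alerts
```

Even a VERIFY result from the genuine supplier domain still means picking up the phone: the same-domain case is exactly the one where the supplier's own mailbox has been taken over.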

The money is usually gone

This is the part that surprises people. BEC has terrible recovery economics.

The funds get wired to a receiving account, then almost immediately broken up and moved through money mules, often converted to crypto or pushed across borders within hours. There is no malware to clean up afterwards, but there is also no decryptor to buy back what you lost. The cash is just gone.

Your one real window is speed. If you catch it the same day, a fraud report to your bank can sometimes trigger a recall or a freeze before the money is layered away, and law enforcement (IC3 in the US, Action Fraud in the UK, your local equivalent in the EU) can occasionally help claw it back. Same day matters. Two days later, the realistic expectation is that you are writing it off.

In our SME calibration the base BEC loss anchors near 50,000 USD and scales more weakly with revenue than first-party costs, because wire fraud is bounded by what the attacker can plausibly get approved in one go, not by the size of your IT estate. For a small firm that can still be the difference between a good year and a bad one.

What I would actually do

If you do three things, do these. Turn on MFA everywhere, ideally phishing-resistant where payments are approved. Write a mandatory out-of-band verification rule for any bank-detail change or large payment, and make it so a junior clerk feels safe enforcing it against a "CEO" email. And train finance specifically on the change-of-bank-details play, because that is the one that gets through.

You can see how BEC stacks up against the other losses for your sector and size in the calculator, and the methodology shows the source behind every figure here. BEC rarely makes headlines. It just quietly empties accounts, which for most SMEs is the threat that should keep them up at night.
