Skip to content
2026

Now taking on 4 new clients this year — white-glove onboarding, month to month.

Book a call
HomeBlogCybersecurity

Business Email Compromise: How Small Businesses Get Hit

Conceptual photo of a fishing hook resting on a stack of blank white envelopes, representing email phishing and business email compromise fraud.

Business email compromise is the most expensive cyber scam a small business will face, and there is no malware involved. Someone gets an email that looks like it came from a vendor, the boss, or a client, then wires money or hands over data because the request looks normal. The FBI tracks it as the costliest category of online crime by dollars lost, ahead of ransomware.

The good news: because it relies on tricking a person rather than breaking software, a handful of process changes stop most of it. Here is how the scam works and what actually blocks it.

What is business email compromise?

Business email compromise (BEC) is a fraud where an attacker poses as someone you trust over email and convinces an employee to send money or sensitive information. There is usually no attachment and no virus. The message asks for a wire transfer, a change to bank details, or copies of payroll data, and it reads like ordinary business.

How the scam actually works

Most BEC attacks follow one of a few scripts. An attacker either spoofs an address so it looks close to a real one (yourvendor.com becomes yourvend0r.com), or breaks into a real mailbox and sends from it. Then they wait for a moment that fits.

  • The vendor invoice swap. A supplier you already pay emails to say their banking details changed. The new account belongs to the attacker, so your next payment goes straight to them.
  • The CEO wire request. A message that looks like it is from the owner asks the bookkeeper to move money fast for a deal that has to close today. The urgency is the point. It stops people from checking.
  • Payroll diversion. An email pretending to be an employee asks HR to update direct deposit to a new account before the next run.
  • Data requests. Around tax season, a fake executive asks for W-2s or client records, which feed the next round of fraud.

The numbers are hard to ignore. The FBI's Internet Crime Complaint Center puts global BEC losses at more than $55 billion across roughly 305,000 incidents between October 2013 and December 2023, with a 9% jump in exposed losses in a single year. This is not a rare event that only happens to other companies.

Why do small businesses get hit so hard?

Small companies often have one person approving payments, no formal step to verify a bank-detail change, and email that came with basic filtering and nothing more. A 20-person firm rarely has someone whose job is to notice that a vendor's "new account" request is slightly off. Attackers know this, and they read the same LinkedIn pages you do to learn who signs the checks.

How do you stop BEC?

You beat BEC with verification habits and email controls, not expensive software. Turn on multi-factor authentication everywhere, confirm every payment or bank-detail change by phone using a number you already have, and set up your domain's email authentication so spoofed messages get flagged or rejected. Those three moves block the large majority of attempts.

The full checklist:

  • Multi-factor authentication on every mailbox. This is the single control that stops most account takeovers, the version of BEC where the attacker sends from a real inbox.
  • A verbal callback rule for money. Any request to send a wire, change bank details, or update direct deposit gets confirmed by phone to a known number. No exceptions for "urgent."
  • Email authentication (SPF, DKIM, DMARC). These records tell the world which servers may send mail as your domain, so lookalike and spoofed messages get caught.
  • External-sender tags. A banner marking mail from outside your company makes a fake "from the CEO" note obvious at a glance.
  • Short, regular training. People who have seen a real example spot the next one. This pairs with the broader steps in our guide to the security controls that actually stop attacks.

If money does go out the door, speed matters. Call your bank immediately to request a recall, then report it at the FBI's IC3. Recoveries are far more likely in the first 24 to 48 hours. It is also worth checking whether your policy covers this kind of fraud, which we cover in what small businesses need from cyber insurance in 2026.

By The NetSys Group Team. The NetSys Group has delivered managed IT, cybersecurity, and cloud services since 1998. Our engineers hold degrees in electrical and computer engineering and are certified Microsoft and Cisco instructors, serving businesses across NY, NJ, CT, PA, and Southwest Florida.

Frequently asked questions

Is business email compromise the same as phishing?

It is a targeted branch of it. Ordinary phishing casts a wide net for passwords or clicks. BEC is aimed at a specific person who can move money, and the message is tailored to your business, so generic spam filters often miss it.

Does antivirus stop BEC?

Usually not. Most BEC emails carry no attachment or malicious link, so there is nothing for antivirus to catch. The defense is verification steps and email authentication, backed by multi-factor authentication on your accounts.

What should we do if we already paid a fake invoice?

Contact your bank right away and ask for a wire recall or reversal, then file a report at ic3.gov. Acting within the first day or two gives you the best chance of clawing the money back. Preserve the emails for your bank and insurer.

How much does it cost to protect against this?

Most of the defense is process and configuration, not new spend. Multi-factor authentication and email authentication are usually included with the email platform you already pay for, and the callback rule costs nothing but a phone call.

Want a second set of eyes on your email security and payment process? Book a complimentary risk assessment and we will show you where a fake invoice would slip through today.

Reading is free. So is knowing where you stand.

Turn insight into action.

Take a free cybersecurity or AI readiness assessment, or book a call with a NetSys engineer — no obligation, no runaround.