What is Business Email Compromise and how can you prevent it?

By:Jack Lilley · Sr. Comms & Content Marketing Manager
Published on:September 10, 2025
Last Modified on:June 25, 2026
11 Min Read
Table of contents

How to prevent business email compromise (BEC) in 2026

The short answer

To prevent business email compromise, enforce DMARC at p=reject so receiving servers reject any email that fails authentication, then layer DNS monitoring, brand impersonation detection, payment-verification steps, and staff training on top. DMARC at enforcement stops attackers from sending email that appears to come from your exact domain, which is the foundation of most BEC. The other layers close the gaps that remain once exact-domain spoofing is off the table.

Quick protection guide

What you're stopping

The control that stops it

Red Sift suitable product

Exact-domain spoofing

DMARC at p=reject (with SPF and DKIM)

Red Sift OnDMARC

Lookalike domain impersonation

Lookalike detection and takedown

Red Sift Brand Trust

Subdomain takeover, dangling DNS, parked domain abuse

Continuous DNS monitoring

DNS Guardian (via OnDMARC)

Misconfigurations before attackers find them

AI-opitmized security fix

Red Sift Radar (via OnDMARC)

Expand the table to see in full.

What is business email compromise?

Business email compromise (BEC) is a cyberattack where criminals impersonate an executive, vendor, or trusted partner over email to trick an employee into transferring funds, changing payment details, or handing over sensitive data. Unlike malware-based attacks, BEC emails carry no malicious attachment or URL, so they don't trigger traditional security filters. They work by exploiting human psychology, trust, and urgency rather than a technical flaw.

In 2025, BEC accounted for $3.05 billion in reported losses, making it one of the costliest categories of cybercrime [1]. The reason it keeps paying off is simple economics. A single successful wire-transfer request nets an attacker real money for the price of a well-written email, and the people being targeted are doing exactly what their job asks them to do.

Why are BEC attacks are so dangerous?

Unlike traditional malware-based attacks, BEC schemes exploit human psychology rather than technical vulnerabilities. Attackers meticulously study organizational hierarchies, communication patterns, and business processes to craft convincing impersonation attempts that bypass conventional security controls.

BEC attacks are particularly dangerous because they bypasses the controls most companies rely on.

These attacks:

  • Contain no malicious attachments or links, so they look legitimate and pass conventional filters
  • Exploit trust by impersonating executives, vendors, or partners someone already knows
  • Target high-value moments like wire transfers, invoice payments, and data requests
  • Use social engineering, not technical indicators, which makes them hard to detect after the fact

BEC, email spoofing, and impersonation: how they connect

Email spoofing and email impersonation are the techniques. Business email compromise is the outcome they're used to achieve. Getting the terms straight matters, because the defense for each is different.

Email spoofing is forging the "From" address so a message appears to come from a domain the attacker doesn't own. When an attacker spoofs your exact domain (yourcompany.com), the email is indistinguishable from a real one unless you've published a DMARC policy that tells receivers to reject it.

Email impersonation is the broader category. It includes exact-domain spoofing, but also lookalike domains (yourc0mpany.com), display-name tricks, and compromised accounts. Stopping it takes more than one control.

Here's the practical split. DMARC at p=reject removes exact-domain spoofing entirely, because receiving servers reject anything that isn't authenticated to come from you. Lookalike impersonation needs brand monitoring that finds and takes down domains designed to resemble yours. Compromised-account attacks need multi-factor authentication and inbound filtering. A complete BEC defense covers all three, and most companies only cover one.

The current BEC threat landscape

The statistics paint a sobering picture of BEC's growing impact:

Financial impact

  • BEC attacks cost an average of $4.89 million per incident, making them the second most expensive breach type, and accounted for 73% of all reported cyber incidents in 2024. [2]
  • The average wire transfer request from a BEC attack was $24,586 as of early 2025
  • Over the past three years, reported BEC losses reached almost $8.5 billion in the United States alone [3]

Attack frequency

  • BEC attacks grew by 30% year-over-year as of March 2025 [2]
  • BEC attacks make up more than 50% of all social engineering incidents
  • Even small organizations (under 1,000 employees) face a 70% weekly probability of experiencing at least one BEC attempt

Evolving tactics

  • Wire transfer BEC attacks increased by 24% compared to the previous quarter [4]
  • Attackers increasingly using AI tools to craft more sophisticated and convincing fraudulent communications [1]
  • Vendor Email Compromise (VEC) attacks rose 66% in the first half of 2024 [5]

The five types of BEC attacks

The FBI identifies five common forms of BEC. Knowing which ones target your teams tells you where to focus verification and training.

1. CEO fraud

Attackers impersonate a senior executive to request an urgent wire transfer or sensitive information. These attacks lean on authority and time pressure to push an employee past normal checks.

2. Account compromise

Criminals gain access to a real employee's email account and use it to request vendor payments or redirect funds. Because the email comes from a genuine account, it's harder to spot and often passes authentication.

3. False invoice schemes

Scammers pose as a supplier and submit a fake invoice or request a change to payment details. Accounts payable teams are the usual target, and the routine nature of vendor payments works in the attacker's favor.

4. Attorney impersonation

Attackers pretend to be a lawyer or legal representative, often targeting junior employees who are less likely to question the request. These tend to coincide with mergers, acquisitions, or other sensitive events.

5. Data theft

These attacks target HR and finance staff to obtain personal information about executives and employees, which then fuels future attacks or gets sold on.

How to defend against business email compromise

You defend against business email compromise with layers, starting at the source and working outward. No single control covers every form of impersonation, so a real defense combines email authentication, DNS hygiene, brand monitoring, payment process, and people.

Layer 1: Stop exact-domain spoofing with DMARC at enforcement

DMARC (Domain-based Message Authentication, Reporting, and Conformance) is the control that removes the foundation of most BEC. At a policy of p=reject, it tells receiving servers to reject any email that fails authentication, so attackers can't send mail that appears to come from your exact domain.

Get there in three moves. Publish SPF and DKIM and confirm they pass and align. Start DMARC at p=none to see who's sending on your behalf. Tighten to p=quarantine, then p=reject once your legitimate senders all authenticate cleanly. A policy of p=quarantine isn't enough on its own, because fraudulent mail still lands in spam folders where a recipient can find and act on it.

Red Sift OnDMARC automates the parts that stall most projects and gets organizations to full enforcement in 6 to 8 weeks. Manual DMARC projects regularly run six months or longer, and many never reach enforcement at all.

Layer 2: Stop lookalike impersonation with brand monitoring

Once your exact domain is locked down with DMARC, attackers move to lookalike domains that resemble yours. DMARC can't help here, because the attacker owns the lookalike domain. Red Sift Brand Trust finds newly registered lookalikes, scores their risk using signals like logo use and page content, and drives takedowns before they're used against your customers.

Layer 3: Close your DNS gaps

Attackers also exploit the parts of your DNS you've forgotten about. Three gaps matter most:

  • Parked domains. Domains you own but don't actively use for email often have no DMARC record, so they can be spoofed freely. Publish a DMARC record at p=reject on every domain you own, active or not.
  • Dangling DNS. A DNS record (often a CNAME) that points to a service you no longer control can be claimed by an attacker, who then sends authenticated email or hosts content on your subdomain.
  • Subdomain takeover. The 2024 SubdoMailing campaign hijacked thousands of subdomains belonging to major brands by exploiting exactly these gaps, then sent phishing that passed SPF, DKIM, and DMARC because it came from legitimate infrastructure.

DNS Guardian, built into OnDMARC, monitors your DNS continuously for dormant subdomains, dangling CNAMEs, and takeover risk. For a deeper walkthrough of layered domain defense, see our guide to defending against domain impersonation.

Layer 4: Verify the money

Authentication stops the impersonation. Process stops the loss when an attacker gets through another way, like a compromised account. Require out-of-band verification (a phone call to a known number) for every payment change and wire transfer. Use dual-control approval above a set threshold. Build a clear escalation path so a suspicious request gets a second look without slowing the business to a crawl.

Layer 5: Train the people in the firing line

Finance, HR, and executive assistants are the most-targeted roles, so train them on the specific scenarios they'll see, not generic awareness slides. Run phishing simulations. Make it easy to report a suspicious email and make sure nobody gets punished for flagging one that turns out to be real.

How to check if your domain is being spoofed

To check if your domain is being spoofed, run a free DMARC check with Red Sift Investigate and review your DMARC aggregate reports for sending sources you don't recognize. The check takes about 30 seconds and shows whether your SPF, DKIM, and DMARC are set up and whether your policy is actually blocking unauthenticated mail.

DMARC aggregate reports are the real tell. Once you're collecting them, they list every source sending mail that claims to be from your domain. Sources you can't account for are either shadow IT you didn't know about or someone spoofing you. A monitoring tool turns those raw XML reports into a readable sender list so you can act on them. For a step-by-step approach, see our guide to identifying and preventing email spoofing.

How Red Sift OnDMARC stops BEC at the source

Red Sift OnDMARC is an automated DMARC application that helps organizations reach enforcement quickly and keep it there. It prevents BEC by removing the attacker's easiest path, which is sending mail from your real domain.

  • Fast path to enforcement. OnDMARC gets customers to p=reject in 6 to 8 weeks by translating aggregate reports into a clear sender dashboard.
  • Dynamic Services. Manage SPF, DKIM, DMARC, and MTA-STS from one interface, which removes configuration errors and solves the SPF 10-lookup limit without manual record surgery.
  • DNS Guardian. Continuous DNS monitoring that catches subdomain takeover, dangling DNS, and SubdoMailing-style abuse before attackers can use them.
  • Radar. AI-driven analysis that flags misconfigurations and gaps before they become an incident.

DMARC or a secure email gateway: which stops BEC?

This trips a lot of teams up, so it's worth being precise. DMARC and secure email gateways solve different halves of the problem.

DMARC (email authentication)

Secure email gateway (SEG)

What it protects

Your domain's outbound identity

Your inbound inbox

Where it acts

At receiving servers worldwide

At your mail perimeter

Stops exact-domain spoofing of you

Yes, at p=reject

No

Stops lookalike domains

No (brand monitoring tool needed)

Partial (often struggles)

Stops inbound malware and links

No

Yes

Role in BEC

Removes the impersonation at source (protecting your brand and customers)

Filters what reaches your team in their inbox

Expand the table for full details

A gateway filters the bad mail arriving in your inbox. DMARC stops attackers from using your domain to hit everyone else, including your customers and partners, who never see your gateway. For BEC that impersonates your brand, DMARC at p=reject is the control that removes the attack at its source. The two work together, they don't replace each other.

BEC prevention by industry

Different sectors face different BEC pressure, so the emphasis shifts.

  • Financial services are high-value targets and carry strict fraud-prevention obligations, so stricter verification on every transaction is the priority.
  • Healthcare gets hit for both fraud and data theft, across sprawling networks of facilities and third-party vendors.
  • Manufacturing is targeted through complex supplier networks and large invoice values, which makes supply-chain communication the weak point.
  • Legal services hold confidential client information and move client funds, so protecting privileged communication matters as much as the money.

Measuring success: BEC prevention metrics

Track these to know your defense is working, not just installed.

Technical metrics

  • DMARC policy enforcement rate (target: 100% of domains at p=reject)
  • Authentication pass rate for legitimate senders
  • Reduction in delivery of unauthenticated mail

Operational metrics

  • BEC attempts detected and blocked
  • Employee reporting rate for suspicious emails
  • Time to verify and process legitimate payment requests

Business metrics

  • Reduction in fraud losses
  • Improvement in email deliverability (a side benefit of clean authentication)
  • Time saved by automating authentication management

How BEC is evolving

BEC keeps changing, and the defense has to keep pace.

  • AI-powered attacks. Criminals use text generators to write flawless impersonation and voice cloning to back it up on a phone call. Deepfake video is emerging in higher-value schemes.
  • Multi-channel attacks. BEC is spreading beyond email into SMS, voice, and collaboration tools, so the impersonation defense has to extend with it.
  • Supply-chain targeting. Vendor email compromise keeps climbing, with attackers exploiting partner relationships to bypass your direct defenses. Push your vendors toward DMARC too.

Your BEC prevention roadmap

Here's a sequence that gets you protected without boiling the ocean.

Week 1: see where you stand

  • Run a free DMARC check with Investigate and document every source sending on your behalf
  • Put out-of-band verification in place for wire transfers today, before anything technical
  • Brief finance, HR, and executive assistants on the five BEC types

Months 1 to 2: lock down the domain

  • Deploy OnDMARC and begin the move to enforcement
  • Reach p=reject on your primary domain and publish DMARC on parked domains
  • Stand up phishing simulations and a clear reporting path

Months 3 to 6: complete the picture

  • Extend protection to all subdomains and turn on DNS monitoring
  • Add lookalike detection with Brand Trust
  • Add BIMI once you're at enforcement, which improves deliverability and brand recognition as a bonus

References

[1] FBI IC3 report. "FBI Internet Crime Report 2025." https://www.ic3.gov/AnnualReport/Reports/2025_IC3Report.pdf

[2] Hoxhunt. "Business Email Compromise Statistics 2025 (+Prevention Guide)." https://hoxhunt.com/blog/business-email-compromise-statistics

[3] NACHA. "FBI's IC3 Finds Almost $8.5 Billion Lost to Business Email Compromise in Last Three Years." https://www.nacha.org/news/fbis-ic3-finds-almost-85-billion-lost-business-email-compromise-last-three-years

[4] Trans Union. "Rising Incidents of BEC and Wire Fraud: Tales from the Front Lines." https://www.transunion.com/blog/bec-wire-fraud-incidents 

[5] Business Email Compromise Statistics https://hoxhunt.com/blog/business-email-compromise-statistics 

Is your organizaion protected against Business Email Compromise?

Check for free with Red Sift Investigate
Jack Lilley
Jack Lilley
Sr. Comms & Content Marketing Manager

Jack leads content, PR, GEO, and email security research at Red Sift.

FAQs

What is Business Email Compromise (BEC)?

BEC is a cyberattack where criminals impersonate an executive, vendor, or trusted partner over email to trick an employee into transferring funds, changing payment details, or sharing sensitive data. Unlike malware-based attacks, BEC emails contain no malicious attachment or link, so they don't trigger traditional security filters. They exploit trust, authority, and urgency rather than a technical flaw. In 2025, BEC accounted for $3.05 billion in reported losses [1].

How do I defend against business email compromise?

To defend against business email compromise, enforce DMARC at p=reject so receiving servers reject any email that fails authentication, then layer DNS monitoring, brand impersonation detection, payment verification, and staff training on top. DMARC at enforcement removes exact-domain spoofing, the foundation of most BEC. The other layers close the gaps that remain, like lookalike domains, compromised accounts, and forgotten subdomains. Red Sift OnDMARC helps organizations reach full enforcement in 6 to 8 weeks.

What are the main types of BEC attacks?

The FBI identifies five types:

CEO fraud: impersonating executives to request urgent wire transfers.

Account compromise: hijacking a real employee email account to request vendor payments or redirect funds.

False invoice schemes: posing as suppliers to submit fake invoices or change payment details.

Attorney impersonation: targeting lower-level employees by pretending to be legal representatives, often during events like mergers.

Data theft: targeting HR to obtain personal information about executives and employees for use in future attacks.

How big is the BEC threat right now?

According to the FBI's 2025 Internet Crime Complaint Center (IC3) Annual Report, BEC losses reached $3.05 billion in 2025, making it the second costliest cybercrime type after investment fraud. IC3 received 24,768 BEC complaints in 2025, a 15.5% increase from 21,442 in 2024.

Over the past three years (2023-2025), reported BEC losses in the US totaled approximately $8.76 billion. Wire transfers and ACH payments account for 86% of BEC transaction types, making financial verification procedures critical. BEC attacks also disproportionately impact older adults, with victims aged 60+ reporting $568 million in BEC losses in 2025 alone. AI is accelerating the threat: businesses reported over $30 million in losses to AI-enabled BEC scams in 2025, with criminals using chat generators and voice cloning to create more convincing impersonation attempts.

Why is DMARC at p=reject essential for stopping BEC?

DMARC enforcement at p=reject prevents attackers from sending emails that appear to come from your domains, eliminating the foundation of most BEC attacks. Even p=quarantine still allows bad actors to cause harm because fraudulent emails may still reach recipients' spam folders where they can be found and acted upon. Red Sift OnDMARC helps organizations reach full enforcement in 6-8 weeks through automated email authentication, Dynamic Services for managing SPF, DKIM, DMARC, and MTA-STS from a single interface, DNS Guardian to prevent subdomain takeovers and dangling DNS exploits, and AI-powered insights from Red Sift Radar to identify misconfigurations before attackers can exploit them.

What does a complete BEC prevention strategy look like?

Three layers of defense are needed.

Technical controls: deploy DMARC at p=reject, enable multi-factor authentication (using phishing-resistant methods where possible), and implement AI-driven email filtering with behavioral analytics.

Process controls: require out-of-band verification for all payment changes and wire transfers, implement dual-control approval for financial transactions above set thresholds, create incident response plans with communication protocols for banks and law enforcement, and conduct regular security assessments.

Human-centered defenses: run role-specific training for high-risk departments (finance, HR, executive assistants), conduct regular phishing simulations, foster a culture where employees report suspicious emails without fear of consequences, and ensure leadership models good security behaviors.

How do I check if my domain could be spoofed?

To check if your domain could be spoofed, run a free DMARC check with Red Sift Investigate and review your DMARC aggregate reports for sending sources you don't recognize. The check shows whether SPF, DKIM, and DMARC are configured and whether your policy is blocking unauthenticated mail. Aggregate reports then list every source sending as your domain, so anything you can't account for is either shadow IT or an attacker.

How are BEC attacks evolving?

AI-powered attacks: criminals are using AI tools to craft more convincing fraudulent communications, and deepfake voice and video calls are emerging as part of BEC schemes.

Multi-channel attacks: BEC is expanding beyond email to include SMS, voice calls, and collaboration platforms, requiring security measures across all communication channels.

Supply chain targeting: Vendor Email Compromise attacks rose 66% in the first half of 2024, with attackers increasingly exploiting vendor and partner relationships to bypass direct defenses.